@struct
Created August 7, 2016 20:16
Patches OSQuery with support for parsing smaps
diff --git a/osquery/tables/system/linux/processes.cpp b/osquery/tables/system/linux/processes.cpp
index c507b59..3005340 100644
--- a/osquery/tables/system/linux/processes.cpp
+++ b/osquery/tables/system/linux/processes.cpp
@@ -134,6 +134,63 @@ void genProcessEnvironment(const std::string& pid, QueryData& results) {
}
}
+// This constant may change between kernels
+#define SMAPS_FIELDS 19
+
+void genProcessSMap(const std::string& pid, QueryData& results) {
+ auto map = getProcAttr("smaps", pid);
+
+ std::string content;
+ readFile(map, content);
+
+ int count = 0;
+
+ for (auto& line : osquery::split(content, "\n") {
+ Row r;
+ r["pid"] = pid;
+
+ if ((count % SMAPS_FIELDS) == 0) {
+ auto fields = osquery::split(line, " ");
+
+ auto addresses = osquery::split(fields[0], "-");
+ if (addresses.size() >= 2) {
+ r["start"] = "0x" + addresses[0];
+ r["end"] = "0x" + addresses[1];
+ }
+
+ r["permissions"] = fields[1];
+
+ try {
+ auto offset = std::stoll(fields[2], nullptr, 16);
+ r["offset"] = (offset != 0) ? BIGINT(offset) : r["start"];
+
+ } catch (const std::exception& e) {
+ // Value was out of range or could not be interpreted as a hex long long.
+ r["offset"] = "-1";
+ }
+ r["device"] = fields[3];
+ r["inode"] = fields[4];
+
+ // Path name must be trimmed.
+ if (fields.size() > 5) {
+ boost::trim(fields[5]);
+ r["path"] = fields[5];
+ }
+
+ // BSS with name in pathname.
+ r["pseudo"] = (fields[4] == "0" && !r["path"].empty()) ? "1" : "0";
+ results.push_back(std::move(r));
+ }
+ } else {
+ auto fields = osquery::split(line, ":");
+ r[fields[0]] = fields[1];
+ }
+
+ results.push(r);
+ count++;
+ }
+}
+
void genProcessMap(const std::string& pid, QueryData& results) {
auto map = getProcAttr("maps", pid);
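Review bot: genProcessSMap cannot compile as written: the range-for `for (auto& line : osquery::split(content, "\n") {` is missing its closing parenthesis, and `results.push(r);` at the bottom of the loop body is not a QueryData method — and even as `push_back` it would append the row a second time after `results.push_back(std::move(r));` in the header branch has already moved it out. The loop's structure is also off: every `Key: value` line becomes its own one-field row instead of being attached to the mapping it describes, `fields[1]`–`fields[4]` are indexed with no size check on a line that may have fewer tokens, and the `count % SMAPS_FIELDS` scheme breaks as soon as a kernel emits a different number of lines per mapping, which the comment on the `#define` itself concedes. I would detect a mapping header by its shape (first token is a `start-end` pair with at least five tokens on the line) and accumulate the following key/value lines into the current row, flushing it when the next header or the end of input is reached; the per-field parsing of the header line (permissions, offset, device, inode, path, pseudo) stays as it is. The second hunk then appends these rows to the same results as genProcessMap, so the table will carry rows whose keys (`Rss`, `Pss`, …) presumably have no matching declared column — worth confirming against the table schema before merging.
```cpp
void genProcessSMap(const std::string& pid, QueryData& results) {
  auto map = getProcAttr("smaps", pid);

  std::string content;
  readFile(map, content);

  Row r;
  bool have_mapping = false;

  for (const auto& line : osquery::split(content, "\n")) {
    auto fields = osquery::split(line, " ");
    if (fields.empty()) {
      continue;
    }

    // A mapping header starts with "start-end"; every other smaps line is
    // "Key: value". Detecting the header by shape avoids depending on a
    // fixed per-mapping line count, which varies between kernels.
    auto addresses = osquery::split(fields[0], "-");
    if (addresses.size() == 2 && fields.size() >= 5) {
      if (have_mapping) {
        results.push_back(std::move(r));
      }
      r = Row();
      have_mapping = true;
      r["pid"] = pid;
      r["start"] = "0x" + addresses[0];
      r["end"] = "0x" + addresses[1];
      // … unchanged: permissions / offset / device / inode / path / pseudo assignment …
      continue;
    }

    // Key/value lines before the first header have nothing to attach to.
    if (!have_mapping) {
      continue;
    }
    auto kv = osquery::split(line, ":");
    if (kv.size() >= 2) {
      boost::trim(kv[1]);
      r[kv[0]] = kv[1];
    }
  }

  if (have_mapping) {
    results.push_back(std::move(r));
  }
}
```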
@@ -381,6 +438,7 @@ QueryData genProcessMemoryMap(QueryContext& context) {
auto pidlist = getProcList(context);
for (const auto& pid : pidlist) {
genProcessMap(pid, results);
+ genProcessSMap(pid, results);
}
return results;