Created
August 7, 2016 20:16
Patches OSQuery with support for parsing smaps
diff --git a/osquery/tables/system/linux/processes.cpp b/osquery/tables/system/linux/processes.cpp | |
index c507b59..3005340 100644 | |
--- a/osquery/tables/system/linux/processes.cpp | |
+++ b/osquery/tables/system/linux/processes.cpp | |
@@ -134,6 +134,63 @@ void genProcessEnvironment(const std::string& pid, QueryData& results) { | |
} | |
} | |
+// This constant may change between kernels | |
+#define SMAPS_FIELDS 19 | |
+ | |
+void genProcessSMap(const std::string& pid, QueryData& results) { | |
+ auto map = getProcAttr("smaps", pid); | |
+ | |
+ std::string content; | |
+ readFile(map, content); | |
+ | |
+ int count = 0; | |
+ | |
+ for (auto& line : osquery::split(content, "\n") { | |
+ Row r; | |
+ r["pid"] = pid; | |
+ | |
+ if ((count % SMAPS_FIELDS) == 0) { | |
+ auto fields = osquery::split(line, " "); | |
+ | |
+ auto addresses = osquery::split(fields[0], "-"); | |
+ if (addresses.size() >= 2) { | |
+ r["start"] = "0x" + addresses[0]; | |
+ r["end"] = "0x" + addresses[1]; | |
+ } | |
+ | |
+ r["permissions"] = fields[1]; | |
+ | |
+ try { | |
+ auto offset = std::stoll(fields[2], nullptr, 16); | |
+ r["offset"] = (offset != 0) ? BIGINT(offset) : r["start"]; | |
+ | |
+ } catch (const std::exception& e) { | |
+ // Value was out of range or could not be interpreted as a hex long long. | |
+ r["offset"] = "-1"; | |
+ } | |
+ r["device"] = fields[3]; | |
+ r["inode"] = fields[4]; | |
+ | |
+ // Path name must be trimmed. | |
+ if (fields.size() > 5) { | |
+ boost::trim(fields[5]); | |
+ r["path"] = fields[5]; | |
+ } | |
+ | |
+ // BSS with name in pathname. | |
+ r["pseudo"] = (fields[4] == "0" && !r["path"].empty()) ? "1" : "0"; | |
+ results.push_back(std::move(r)); | |
+ } | |
+ } else { | |
+ auto fields = osquery::split(line, ":"); | |
+ r[fields[0]] = fields[1]; | |
+ } | |
+ | |
+ results.push(r); | |
+ count++; | |
+ } | |
+} | |
+ | |
void genProcessMap(const std::string& pid, QueryData& results) { | |
auto map = getProcAttr("maps", pid); | |
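Review bot: The new genProcessSMap does not compile as written: the range-for at `for (auto& line : osquery::split(content, "\n") {` is missing its closing parenthesis, and `results.push(r);` at the bottom of the loop calls a member QueryData does not have; if that was meant to be `push_back`, it would also re-push the header row after it was already moved into results at the `results.push_back(std::move(r));` line, so every mapping would yield a moved-from (pid-only) duplicate. The header branch indexes `fields[1]` through `fields[4]` and the stat branch indexes `fields[1]` with no size check, so a short or empty line (a trailing newline likely produces one) indexes past the end. Keying on `count % SMAPS_FIELDS` also silently desynchronizes the whole parse if any mapping prints a different number of stat lines, which the comment above the constant concedes can happen across kernels. I would drop the counter and classify each line by shape instead — a header's first token is `start-end`, every stat line's first token ends in `:` — and bail on lines that are too short; the address/permissions/offset/device/inode/path parsing itself can stay as is. genProcessMap begins on the last line of this hunk and continues outside it.
```cpp
void genProcessSMap(const std::string& pid, QueryData& results) {
  auto map = getProcAttr("smaps", pid);

  std::string content;
  readFile(map, content);

  for (auto& line : osquery::split(content, "\n")) {
    auto fields = osquery::split(line, " ");
    if (fields.empty() || fields[0].empty()) {
      continue;
    }

    // A mapping header's first token is "start-end"; every per-mapping stat
    // line ("Size: 4 kB", "VmFlags: rd ex mr") has a first token ending in ':'.
    // Classifying by shape survives kernels that print a different set of
    // stat lines, which a fixed SMAPS_FIELDS count does not.
    if (fields[0].back() == ':') {
      auto kv = osquery::split(line, ":");
      if (kv.size() >= 2) {
        Row r;
        r["pid"] = pid;
        r[kv[0]] = kv[1];
        results.push_back(std::move(r));
      }
      continue;
    }

    if (fields.size() < 5) {
      // Truncated or unexpected header line; skip rather than index past the end.
      continue;
    }

    Row r;
    r["pid"] = pid;
    // … unchanged: start/end, permissions, offset, device, inode, path, pseudo …
    results.push_back(std::move(r));
  }
}
```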
@@ -381,6 +438,7 @@ QueryData genProcessMemoryMap(QueryContext& context) { | |
auto pidlist = getProcList(context); | |
for (const auto& pid : pidlist) { | |
genProcessMap(pid, results); | |
+ genProcessSMap(pid, results); | |
} | |
return results; |
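Review bot: Calling genProcessSMap immediately after genProcessMap in the same loop emits each mapping twice per pid — once from `maps` and once from the `smaps` header, which carries the same start/end/permissions/offset/device/inode/path — plus one extra row per smaps stat line whose only populated columns are `pid` and a column named after the stat. If this table's declared columns are fixed (the spec is not visible here), those stat rows will surface as mostly-empty rows rather than as the per-mapping data they describe; merging the smaps stats onto the row genProcessMap already produces, or giving smaps its own table, would avoid both problems. Reading `smaps` is also typically far more expensive than `maps` on the kernel side, so doing it unconditionally for every pid on every query of this table is worth gating behind a column constraint. The closing brace of genProcessMemoryMap lies outside this hunk.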