# TODO

From man proc(5):

```
/proc/[pid]/maps
A file containing the currently mapped memory regions and their access permissions. See mmap(2) for some further information about memory mappings.

Permission to access this file is governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see ptrace(2).

The format of the file is:

address perms offset dev inode pathname
00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/dbus-daemon
00651000-00652000 r--p 00051000 08:02 173521 /usr/bin/dbus-daemon
00652000-00655000 rw-p 00052000 08:02 173521 /usr/bin/dbus-daemon
00e03000-00e24000 rw-p 00000000 00:00 0 [heap]
00e24000-011f7000 rw-p 00000000 00:00 0 [heap]
...
35b1800000-35b1820000 r-xp 00000000 08:02 135522 /usr/lib64/ld-2.15.so
35b1a1f000-35b1a20000 r--p 0001f000 08:02 135522 /usr/lib64/ld-2.15.so
35b1a20000-35b1a21000 rw-p 00020000 08:02 135522 /usr/lib64/ld-2.15.so
35b1a21000-35b1a22000 rw-p 00000000 00:00 0
35b1c00000-35b1dac000 r-xp 00000000 08:02 135870 /usr/lib64/libc-2.15.so
35b1dac000-35b1fac000 ---p 001ac000 08:02 135870 /usr/lib64/libc-2.15.so
35b1fac000-35b1fb0000 r--p 001ac000 08:02 135870 /usr/lib64/libc-2.15.so
35b1fb0000-35b1fb2000 rw-p 001b0000 08:02 135870 /usr/lib64/libc-2.15.so
...
f2c6ff8c000-7f2c7078c000 rw-p 00000000 00:00 0 [stack:986]
...
7fffb2c0d000-7fffb2c2e000 rw-p 00000000 00:00 0 [stack]
7fffb2d48000-7fffb2d49000 r-xp 00000000 00:00 0 [vdso]
```

1. read file(s) as ELF
2. extract offset(s) of symbol(s)
3. find procs with mappings of those files
4. check if symbol-offset falls into any (address-range, offset) of such a mapping
5. if so, populate the eBPF map

Optional:
6. trigger, if file is read/mapped?
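
A sketch of steps 3 and 4, added here as an example and not code from this project: it parses `maps` text and translates a symbol's file offset into the virtual address(es) where it is mapped. The names `parse_maps`, `resolve` and `scan_procs` are hypothetical, and `file_off` is assumed to already be a file offset (an ELF `st_value` translated through its `PT_LOAD` segment as `st_value - p_vaddr + p_offset`).

```python
import os
from typing import NamedTuple

class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    offset: int
    pathname: str

def parse_maps(text):
    """Parse /proc/[pid]/maps text; lines that are not mappings are skipped."""
    out = []
    for line in text.splitlines():
        f = line.split(None, 5)  # pathname is optional and may contain spaces
        if len(f) < 5 or "-" not in f[0]:
            continue  # header, "..." or blank line
        start, end = (int(x, 16) for x in f[0].split("-"))
        out.append(Mapping(start, end, f[1], int(f[2], 16), f[5].strip() if len(f) > 5 else ""))
    return out

def resolve(maps, path, file_off, need="r"):
    """Step 4: (address, perms) of every mapping of path that covers file_off."""
    hits = []
    for m in maps:
        if m.pathname != path or any(p not in m.perms for p in need):
            continue
        if m.offset <= file_off < m.offset + (m.end - m.start):
            hits.append((m.start + file_off - m.offset, m.perms))
    return hits

def scan_procs(path, file_off, need="r"):
    """Steps 3-4 on a live Linux system, returning {pid: hits}."""
    found = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/maps") as fh:
                found[int(pid)] = resolve(parse_maps(fh.read()), path, file_off, need)
        except OSError:  # process exited, or the ptrace access check denied the read
            continue
    return {pid: hits for pid, hits in found.items() if hits}

# Constructed sample input: five lines taken from the proc(5) excerpt above.
SAMPLE = """\
00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/dbus-daemon
00651000-00652000 r--p 00051000 08:02 173521 /usr/bin/dbus-daemon
00e03000-00e24000 rw-p 00000000 00:00 0 [heap]
35b1dac000-35b1fac000 ---p 001ac000 08:02 135870 /usr/lib64/libc-2.15.so
35b1fac000-35b1fb0000 r--p 001ac000 08:02 135870 /usr/lib64/libc-2.15.so
"""
```

One file offset can be covered by several mappings of the same file (offset `0x51800` of `dbus-daemon` in the sample appears in both the `r-xp` and the `r--p` region), so the permission filter in `need` decides which address ends up in the eBPF map.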