Documentation ¶
Overview ¶
Package ps contains the process state snapshotter implementation.
Index ¶
- type PEB
- type Snapshotter
- type SnapshotterMock
- func (s *SnapshotterMock) Close() error
- func (s *SnapshotterMock) Find(pid uint32) *pstypes.PS
- func (s *SnapshotterMock) GetSnapshot() []*pstypes.PS
- func (s *SnapshotterMock) Remove(kevt *kevent.Kevent) error
- func (s *SnapshotterMock) Size() uint32
- func (s *SnapshotterMock) Write(kevt *kevent.Kevent) error
- func (s *SnapshotterMock) WriteFromKcap(kevt *kevent.Kevent) error
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type PEB ¶
type PEB struct {
// contains filtered or unexported fields
}
PEB contains various process metadata from the Process Environment Block (PEB). The PEB is an opaque data structure that holds information applying to the whole process, including the global context, startup parameters, data structures for the program image loader, the program image base address, and synchronization objects used to provide mutual exclusion for process-wide data structures. Although accessing this structure is discouraged because its layout is not stable, some process information, such as the command line or the environment strings, is only available through Process Environment Block fields.
func ReadPEB ¶
ReadPEB queries the process basic information class structures and copies the PEB into the current process's address space. It returns a reference to the PEB of the process being queried.
func (PEB) GetCommandLine ¶
GetCommandLine inspects the process command line arguments by reading the memory buffer in the PEB.
func (PEB) GetCurrentWorkingDirectory ¶
GetCurrentWorkingDirectory reads the current working directory from the PEB.
type Snapshotter ¶
type Snapshotter interface {
	// Write appends a new process state to the snapshotter. It takes as an input the inbound kernel event to fetch
	// the basic data, but also enriches the process state with extra metadata such as process environment variables,
	// PE metadata and so on.
	Write(kevt *kevent.Kevent) error
	// WriteFromKcap appends a new process state to the snapshotter from the captured kernel event.
	WriteFromKcap(kevt *kevent.Kevent) error
	// Remove deletes the process state from the snapshotter.
	Remove(kevt *kevent.Kevent) error
	// Find attempts to retrieve the process state for the specified process identifier.
	Find(pid uint32) *pstypes.PS
	// Size returns the total number of process state items.
	Size() uint32
	// Close closes the process snapshotter and disposes all allocated resources.
	Close() error
}
Snapshotter is the interface that exposes the set of methods all process snapshotters have to satisfy. It stores the state of all running processes in the system, including their threads, dynamically linked libraries, handles and other metadata.
func NewSnapshotter ¶
func NewSnapshotter(handleSnap handle.Snapshotter, config *config.Config) Snapshotter
NewSnapshotter returns a new instance of the process snapshotter.
func NewSnapshotterFromKcap ¶
func NewSnapshotterFromKcap(handleSnap handle.Snapshotter, config *config.Config) Snapshotter
NewSnapshotterFromKcap restores the snapshotter state from the kcap file.
type SnapshotterMock ¶
SnapshotterMock is the process snapshotter mock used in tests.
func (*SnapshotterMock) GetSnapshot ¶
func (s *SnapshotterMock) GetSnapshot() []*pstypes.PS
GetSnapshot returns the process states held by the mock.
func (*SnapshotterMock) Remove ¶
func (s *SnapshotterMock) Remove(kevt *kevent.Kevent) error
Remove implements Snapshotter.Remove for the mock.
func (*SnapshotterMock) Write ¶
func (s *SnapshotterMock) Write(kevt *kevent.Kevent) error
Write implements Snapshotter.Write for the mock.
func (*SnapshotterMock) WriteFromKcap ¶
func (s *SnapshotterMock) WriteFromKcap(kevt *kevent.Kevent) error
WriteFromKcap implements Snapshotter.WriteFromKcap for the mock.