Documentation
¶
Index ¶
- type Module
- type PS
- func (ps *PS) AddHandle(handle htypes.Handle)
- func (ps *PS) AddModule(mod Module)
- func (ps *PS) AddThread(thread Thread)
- func (ps *PS) FindModule(name string) *Module
- func (ps *PS) Marshal() []byte
- func (ps *PS) RLock()
- func (ps *PS) RUnlock()
- func (ps *PS) RemoveHandle(num hndl.Handle)
- func (ps *PS) RemoveModule(name string)
- func (ps *PS) RemoveThread(tid uint32)
- func (ps *PS) String() string
- func (ps *PS) Unmarshal(b []byte) error
- type Thread
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Module ¶
type Module struct {
// Size designates the size in bytes of the image file.
Size uint32
// Checksum is the checksum of the image file.
Checksum uint32
// Name represents the full path of this image.
Name string
// BaseAddress is the base address of process in which the image is loaded.
BaseAddress kparams.Hex
// DefaultBaseAddress is the default base address.
DefaultBaseAddress kparams.Hex
}
Module represents the data for all dynamic libraries/executables that reside in the process' address space.
func ImageFromKevent ¶
func ImageFromKevent(size, checksum uint32, name string, baseAddress, defaultBaseAddress kparams.Hex) Module
ImageFromKevent constructs a module info from the corresponding kernel event.
func (*Module) Marshal ¶
Marshal produces a module byte stream state suitable for writing to capture files.
type PS ¶
type PS struct {
// PID is the identifier of this process. This value is valid from the time a process is created until it is terminated.
PID uint32 `json:"pid"`
// Ppipd represents the parent of this process. Process identifier numbers are reused, so they only identify a process
// for the lifetime of that process. It is possible that the process identified by `Ppid` is terminated,
// so `Ppid` may not refer to a running process. It is also possible that `Ppid` incorrectly refers
// to a process that reuses a process identifier.
Ppid uint32 `json:"ppid"`
// Name is the process' image name including file extension (e.g. cmd.exe)
Name string `json:"name"`
// Comm is the full process' command line (e.g. C:\Windows\system32\cmd.exe /cdir /-C /W)
Comm string `json:"comm"`
// Exe is the full name of the process' executable (e.g. C:\Windows\system32\cmd.exe)
Exe string `json:"exe"`
// Cwd designates the current working directory of the process.
Cwd string `json:"cwd"`
// SID is the security identifier under which this process is run.
SID string `json:"sid"`
// Args contains process' command line arguments (e.g. /cdir, /-C, /W)
Args []string `json:"args"`
// SessionID is the unique identifier for the current session.
SessionID uint8 `json:"session"`
// Envs contains process' environment variables indexed by env variable name.
Envs map[string]string `json:"envs"`
// Threads contains all the threads running in the address space of this process.
Threads map[uint32]Thread `json:"-"`
// Modules contains all the modules loaded by the process.
Modules []Module `json:"modules"`
// Handles represents the collection of handles allocated by the process.
Handles htypes.Handles `json:"handles"`
// PE stores the PE (Portable Executable) metadata.
PE *pe.PE `json:"pe"`
// contains filtered or unexported fields
}
PS encapsulates process' state such as allocated resources and other metadata.
func FromKevent ¶
FromKevent produces a new process state from kernel event.
func NewFromKcap ¶
NewFromKcap reconstructs the state of the process from kcap file.
func (*PS) FindModule ¶
FindModule finds the module by name.
func (*PS) Marshal ¶
Marshal produces a byte stream of the process state for writing to the capture file.
func (*PS) RemoveHandle ¶
RemoveHandle removes a handle with specified identifier from the list of allocated handles.
func (*PS) RemoveModule ¶
RemoveModule removes a module with specified full-path from this process state.
func (*PS) RemoveThread ¶
RemoveThread eliminates a thread from the process's state.
type Thread ¶
type Thread struct {
// Tid is the unique identifier of thread inside the process.
Tid uint32
// Pid is the identifier of the process to which this thread pertains.
Pid uint32
// IOPrio represents an I/O priority hint for scheduling I/O operations generated by the thread.
IOPrio uint8
// BasePrio is the scheduler priority of the thread.
BasePrio uint8
// PagePrio is a memory page priority hint for memory pages accessed by the thread.
PagePrio uint8
// UstackBase is the base address of the thread's user space stack.
UstackBase kparams.Hex
// UstackLimit is the limit of the thread's user space stack.
UstackLimit kparams.Hex
// KStackBase is the base address of the thread's kernel space stack.
KstackBase kparams.Hex
// KstackLimit is the limit of the thread's kernel space stack.
KstackLimit kparams.Hex
// Entrypoint is the starting address of the function to be executed by the thread.
Entrypoint kparams.Hex
}
Thread stores several metadata about a thread that's executing in process's address space.
func ThreadFromKevent ¶
func ThreadFromKevent(pid, tid uint32, ustackBase, ustackLimit, kstackBase, kstackLimit kparams.Hex, ioPrio, basePrio, pagePrio uint8, entrypoint kparams.Hex) Thread
ThreadFromKevent builds a thread info from kernel event.
func (*Thread) Marshal ¶
Marshal transforms the thread state to byte stream for persisting to capture files.
Source Files