Documentation
Index
- type Module
- type PS
- func (ps *PS) AddHandle(handle htypes.Handle)
- func (ps *PS) AddModule(mod Module)
- func (ps *PS) AddThread(thread Thread)
- func (ps *PS) FindModule(name string) *Module
- func (ps *PS) Marshal() []byte
- func (ps *PS) RLock()
- func (ps *PS) RUnlock()
- func (ps *PS) RemoveHandle(num hndl.Handle)
- func (ps *PS) RemoveModule(name string)
- func (ps *PS) RemoveThread(tid uint32)
- func (ps *PS) String() string
- func (ps *PS) Unmarshal(b []byte) error
- type Thread
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Module
type Module struct {
	// Size designates the size in bytes of the image file.
	Size uint32
	// Checksum is the checksum of the image file.
	Checksum uint32
	// Name represents the full path of this image.
	Name string
	// BaseAddress is the address at which the image is loaded in the process' address space.
	BaseAddress kparams.Hex
	// DefaultBaseAddress is the preferred (default) base address of the image.
	DefaultBaseAddress kparams.Hex
}
Module represents the data for all dynamic libraries/executables that reside in the process' address space.
func ImageFromKevent
func ImageFromKevent(size, checksum uint32, name string, baseAddress, defaultBaseAddress kparams.Hex) Module
ImageFromKevent constructs module info from the corresponding kernel event.
func (*Module) Marshal
Marshal produces a byte stream of the module state suitable for writing to capture files.
type PS
type PS struct {
	// PID is the identifier of this process. This value is valid from the time a process is created until it is terminated.
	PID uint32 `json:"pid"`
	// Ppid is the identifier of the parent of this process. Process identifier numbers are reused, so they only identify a process
	// for the lifetime of that process. It is possible that the process identified by `Ppid` is terminated,
	// so `Ppid` may not refer to a running process. It is also possible that `Ppid` incorrectly refers
	// to a process that reuses a process identifier.
	Ppid uint32 `json:"ppid"`
	// Name is the process' image name including file extension (e.g. cmd.exe)
	Name string `json:"name"`
	// Comm is the full process' command line (e.g. C:\Windows\system32\cmd.exe /cdir /-C /W)
	Comm string `json:"comm"`
	// Exe is the full name of the process' executable (e.g. C:\Windows\system32\cmd.exe)
	Exe string `json:"exe"`
	// Cwd designates the current working directory of the process.
	Cwd string `json:"cwd"`
	// SID is the security identifier under which this process is run.
	SID string `json:"sid"`
	// Args contains the process' command line arguments (e.g. /cdir, /-C, /W)
	Args []string `json:"args"`
	// SessionID is the unique identifier for the current session.
	SessionID uint8 `json:"session"`
	// Envs contains the process' environment variables indexed by env variable name.
	Envs map[string]string `json:"envs"`
	// Threads contains all the threads running in the address space of this process.
	Threads map[uint32]Thread `json:"-"`
	// Modules contains all the modules loaded by the process.
	Modules []Module `json:"modules"`
	// Handles represents the collection of handles allocated by the process.
	Handles htypes.Handles `json:"handles"`
	// PE stores the PE (Portable Executable) metadata.
	PE *pe.PE `json:"pe"`
	// contains filtered or unexported fields
}
PS encapsulates the process' state, such as allocated resources and other metadata.
func FromKevent
FromKevent produces a new process state from a kernel event.
func NewFromKcap
NewFromKcap reconstructs the state of the process from a kcap (capture) file.
func (*PS) FindModule
FindModule finds the module by name (full path) and returns nil if the process has no such module loaded.
func (*PS) Marshal
Marshal produces a byte stream of the process state for writing to the capture file.
func (*PS) RemoveHandle
RemoveHandle removes the handle with the specified identifier from the list of allocated handles.
func (*PS) RemoveModule
RemoveModule removes the module with the specified full path from this process state.
func (*PS) RemoveThread
RemoveThread removes a thread from the process's state.
type Thread
type Thread struct {
	// Tid is the unique identifier of the thread inside the process.
	Tid uint32
	// Pid is the identifier of the process to which this thread pertains.
	Pid uint32
	// IOPrio represents an I/O priority hint for scheduling I/O operations generated by the thread.
	IOPrio uint8
	// BasePrio is the scheduler priority of the thread.
	BasePrio uint8
	// PagePrio is a memory page priority hint for memory pages accessed by the thread.
	PagePrio uint8
	// UstackBase is the base address of the thread's user space stack.
	UstackBase kparams.Hex
	// UstackLimit is the limit of the thread's user space stack.
	UstackLimit kparams.Hex
	// KstackBase is the base address of the thread's kernel space stack.
	KstackBase kparams.Hex
	// KstackLimit is the limit of the thread's kernel space stack.
	KstackLimit kparams.Hex
	// Entrypoint is the starting address of the function to be executed by the thread.
	Entrypoint kparams.Hex
}
Thread stores metadata about a thread executing in the process's address space.
func ThreadFromKevent
func ThreadFromKevent(pid, tid uint32, ustackBase, ustackLimit, kstackBase, kstackLimit kparams.Hex, ioPrio, basePrio, pagePrio uint8, entrypoint kparams.Hex) Thread
ThreadFromKevent builds thread info from a kernel event.
func (*Thread) Marshal
Marshal transforms the thread state into a byte stream for persisting to capture files.
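The page documents two things without showing code for either: the module bookkeeping on the process state (FindModule/RemoveModule) and the Marshal/Unmarshal round trip to capture files. The following is an added, self-contained Go example, not the package's own code, that models both on a reduced copy of the documented structs. Everything about the wire layout is an assumption made for illustration (a little-endian record of size, checksum, a length-prefixed name and the two addresses); the real capture format is not described on this page, and the `Hex` type stands in for `kparams.Hex`, whose definition is also not on the page. The point a defender cares about is in `UnmarshalModule`: a capture file is input, so every length read from it is checked against the bytes actually present before slicing, and a corrupt or truncated record yields an error instead of a panic. `RelocatedModules` shows the kind of per-image fact (load address differing from the preferred base) that the `BaseAddress`/`DefaultBaseAddress` pair makes available to detection logic.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hex stands in for the kparams.Hex address type named on the page
// (assumption: its definition is not shown, so a plain uint64 is used).
type Hex uint64

// Module mirrors the exported fields of the documented Module struct.
type Module struct {
	Size               uint32
	Checksum           uint32
	Name               string
	BaseAddress        Hex
	DefaultBaseAddress Hex
}

// ErrTruncated is returned when a record ends before its declared length.
var ErrTruncated = errors.New("module record truncated")

// Marshal encodes the module as a little-endian record:
//   size(4) checksum(4) nameLen(4) name(nameLen) base(8) defaultBase(8)
// This layout is an assumption for illustration, not the project's capture format.
func (m *Module) Marshal() []byte {
	buf := new(bytes.Buffer)
	binary.Write(buf, binary.LittleEndian, m.Size)
	binary.Write(buf, binary.LittleEndian, m.Checksum)
	binary.Write(buf, binary.LittleEndian, uint32(len(m.Name)))
	buf.WriteString(m.Name)
	binary.Write(buf, binary.LittleEndian, uint64(m.BaseAddress))
	binary.Write(buf, binary.LittleEndian, uint64(m.DefaultBaseAddress))
	return buf.Bytes()
}

// UnmarshalModule decodes one record. Every declared length is checked against
// the bytes actually present, so a corrupt or truncated capture file produces
// ErrTruncated instead of an out-of-range slice panic.
func UnmarshalModule(b []byte) (Module, error) {
	var m Module
	if len(b) < 12 {
		return m, ErrTruncated
	}
	m.Size = binary.LittleEndian.Uint32(b[0:4])
	m.Checksum = binary.LittleEndian.Uint32(b[4:8])
	nameLen := binary.LittleEndian.Uint32(b[8:12])
	rest := b[12:]
	// Compare in uint64 so a hostile nameLen near MaxUint32 cannot overflow the sum.
	if uint64(len(rest)) < uint64(nameLen)+16 {
		return m, ErrTruncated
	}
	m.Name = string(rest[:nameLen])
	rest = rest[nameLen:]
	m.BaseAddress = Hex(binary.LittleEndian.Uint64(rest[0:8]))
	m.DefaultBaseAddress = Hex(binary.LittleEndian.Uint64(rest[8:16]))
	return m, nil
}

// PS is a reduced model of the documented process state.
type PS struct {
	PID     uint32
	Ppid    uint32
	Name    string
	Modules []Module
}

// FindModule returns the module with the given full path, or nil when absent.
func (ps *PS) FindModule(name string) *Module {
	for i := range ps.Modules {
		if ps.Modules[i].Name == name {
			return &ps.Modules[i]
		}
	}
	return nil
}

// RemoveModule drops the module with the given full path, if present.
func (ps *PS) RemoveModule(name string) {
	for i := range ps.Modules {
		if ps.Modules[i].Name == name {
			ps.Modules = append(ps.Modules[:i], ps.Modules[i+1:]...)
			return
		}
	}
}

// RelocatedModules lists images whose load address differs from their preferred
// base, i.e. the loader had to relocate them. Relocation is normal when the
// preferred range is taken; it is simply the kind of per-module fact a rule can key on.
func (ps *PS) RelocatedModules() []string {
	var out []string
	for _, m := range ps.Modules {
		if m.BaseAddress != m.DefaultBaseAddress {
			out = append(out, m.Name)
		}
	}
	return out
}

func main() {
	// Constructed sample process with two loaded images (values are made up).
	ps := &PS{PID: 4120, Ppid: 812, Name: "cmd.exe", Modules: []Module{
		{Size: 0x2f000, Checksum: 0x3a1f0, Name: `C:\Windows\System32\cmd.exe`, BaseAddress: 0x7ff6c0a00000, DefaultBaseAddress: 0x7ff6c0a00000},
		{Size: 0x1f6000, Checksum: 0x1fd2c1, Name: `C:\Windows\System32\ntdll.dll`, BaseAddress: 0x7ffe12340000, DefaultBaseAddress: 0x7ffe12300000},
	}}
	for _, m := range ps.Modules {
		rec := m.Marshal()
		back, err := UnmarshalModule(rec)
		fmt.Printf("%s: %d bytes, round-trip ok=%v err=%v\n", m.Name, len(rec), back == m, err)
	}
	_, err := UnmarshalModule(ps.Modules[0].Marshal()[:20])
	fmt.Println("truncated record:", err)
	fmt.Println("relocated:", ps.RelocatedModules())
	ps.RemoveModule(`C:\Windows\System32\ntdll.dll`)
	fmt.Println("ntdll still present:", ps.FindModule(`C:\Windows\System32\ntdll.dll`) != nil)
}
```

The length check is deliberately done in 64-bit arithmetic: adding the fixed tail size to a 32-bit length read from the file in `int` would be fine on 64-bit Go, but the explicit widening keeps the check correct regardless of the platform's `int` width, which matters because a capture file can come from anywhere.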