hub / github.com/evilsocket/opensnitch / dumpFileImage

Method dumpFileImage

daemon/procmon/details.go:600–662  ·  view source on GitHub ↗

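dumpFileImage dumps the memory regions of a file mapped by this process. If filePath is empty, it defaults to the process's own image (p.Path). Candidate regions are picked by a substring match of filePath against each line of the process's maps file, so a line that merely contains that string (for example, a longer path sharing the same prefix) is also selected.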

(filePath string)


598// dumpFileImage will dump the memory region of a file mapped by this process.
599// By default it'll dump the current image of this process.
600func (p *Process) dumpFileImage(filePath string) ([]byte, error) {
601 var mappings []MemoryMapping
602
603 // read memory mappings
604 mapsFile, err := os.Open(p.pathMaps)
605 if err != nil {
606 return nil, err
607 }
608 defer mapsFile.Close()
609
610 if filePath == "" {
611 filePath = p.Path
612 }
613
614 size := 0
615 mapsScanner := bufio.NewScanner(mapsFile)
616 for mapsScanner.Scan() {
617 addrMap := mapsScanner.Text()
618 // filter by process path
619 // TODO: make it configurable
620 if !strings.Contains(addrMap, filePath) {
621 log.Debug("dumpFileImage() addr doesn't contain %s", filePath)
622 continue
623 }
624 fields := strings.Fields(addrMap)
625 if len(fields) < 6 {
626 log.Debug("dumpFileImage() line less than 6: %v", fields)
627 continue
628 }
629
630 // TODO: make it configurable
631 /*permissions := fields[1]
632 if !strings.Contains(permissions, "r-xp") {
633 continue
634 }
635 */
636
637 addrRange := strings.Split(fields[0], "-")
638 addrStart, err := strconv.ParseUint(addrRange[0], 16, 64)
639 if err != nil {
640 //log.Debug("dumpFileImage() invalid addrStart: %v", addrRange)
641 continue
642 }
643 addrEnd, err := strconv.ParseUint(addrRange[1], 16, 64)
644 if err != nil {
645 log.Debug("dumpFileImage() invalid addrEnd: %v", addrRange)
646 continue
647 }
648 size += int(addrEnd - addrStart)
649 mappings = append(mappings, MemoryMapping{StartAddr: addrStart, EndAddr: addrEnd})
650 }
651
652 // read process memory
653 elfCode, err := p.readMem(mappings)
654 mappings = nil
655 //fmt.Printf(">>> READ MEM, regions size: %d, elfCode: %d\n", size, len(elfCode))
656
657 if err != nil {

Callers 1

DumpImageMethod · 0.95

Calls 3

readMemMethod · 0.95
CloseMethod · 0.65
OpenMethod · 0.45

Tested by

no test coverage detected