Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add memparse sub-command #95

Merged
merged 4 commits into from
Aug 9, 2023
Merged

feat: add memparse sub-command #95

merged 4 commits into from
Aug 9, 2023

Conversation

behouba
Copy link
Collaborator

@behouba behouba commented Jul 29, 2023
edited
Loading

This PR introduces a new sub-command memparse , which allows analyzing processes memory pages.
This new feature was discussed here #69.

When used without any arguments, the command displays a table showing the memory sizes of processes. Here's an example:

$ checkpointctl memparse /path/to/checkpoints/jira.tar.gz 

Displaying processes memory sizes from /home/behouba/checkpoints/jira.tar.gz

+-----+--------------+-------------+
| PID | PROCESS NAME | MEMORY SIZE |
+-----+--------------+-------------+
|   1 | tini         | 100.0 KiB   |
+-----+--------------+-------------+
|   2 | java         | 553.5 MiB   |
+-----+--------------+-------------+

If a process ID (pid) is provided, the command prints the memory pages of that specific process in a hexdump-like format. For instance:

$ checkpointctl memparse /path/to/checkpoints/jira.tar.gz  --pid=1 | less

Displaying memory pages content for Process ID 1 from checkpoint: /home/behouba/checkpoints/jira.tar.gz

Address           Hexadecimal                                       ASCII            
-------------------------------------------------------------------------------------
00005633bb080000  f3 0f 1e fa 48 83 ec 08 48 8b 05 d1 4f 00 00 48  |....H...H...O..H|
00005633bb080010  85 c0 74 02 ff d0 48 83 c4 08 c3 00 00 00 00 00  |..t...H.........|
00005633bb080020  ff 35 b2 4e 00 00 f2 ff 25 b3 4e 00 00 0f 1f 00  |.5.N....%.N.....|
00005633bb080030  f3 0f 1e fa 68 00 00 00 00 f2 e9 e1 ff ff ff 90  |....h...........|
*
00005633bb0800a0  f3 0f 1e fa 68 07 00 00 00 f2 e9 71 ff ff ff 90  |....h......q....|
00005633bb0800b0  f3 0f 1e fa 68 08 00 00 00 f2 e9 61 ff ff ff 90  |....h......a....|
00005633bb0800c0  f3 0f 1e fa 68 09 00 00 00 f2 e9 51 ff ff ff 90  |....h......Q....|
00005633bb0800d0  f3 0f 1e fa 68 0a 00 00 00 f2 e9 41 ff ff ff 90  |....h......A....|
00005633bb0800e0  f3 0f 1e fa 68 0b 00 00 00 f2 e9 31 ff ff ff 90  |....h......1....|

This output can be written to a file instead of stdout using the --output flag.

@rst0git, @adrianreber, could you please take a look?

@codecov-commenter
Copy link

codecov-commenter commented Jul 29, 2023
edited
Loading

Codecov Report

Patch coverage: 85.38% and project coverage change: +0.55% 🎉

Comparison is base (8e4f577) 82.78% compared to head (7e107e2) 83.33%.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main      #95      +/-   ##
==========================================
+ Coverage   82.78%   83.33%   +0.55%     
==========================================
  Files           4        5       +1     
  Lines         633      804     +171     
==========================================
+ Hits          524      670     +146     
- Misses         80       99      +19     
- Partials       29       35       +6
Files Changed Coverage Δ
memparse.go 81.96% <81.96%> (ø)
checkpointctl.go 93.22% <93.87%> (+0.15%) ⬆️

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@github-actions
Copy link

github-actions bot commented Jul 29, 2023
edited
Loading

Test Results

46 tests  +4   46 ✔️ +4   1s ⏱️ ±0s
  1 suites ±0     0 💤 ±0 
  1 files   ±0     0 ±0 

Results for commit d9e5742. ± Comparison against base commit 23dc8ac.

♻️ This comment has been updated with latest results.

snprajwal
snprajwal reviewed Jul 31, 2023
View reviewed changes
checkpointctl.go Outdated Show resolved Hide resolved
checkpointctl.go Outdated Show resolved Hide resolved
memparse.go Outdated Show resolved Hide resolved
memparse.go Outdated Show resolved Hide resolved
memparse.go Outdated Show resolved Hide resolved
memparse.go Outdated Show resolved Hide resolved
memparse.go Show resolved Hide resolved
@behouba behouba force-pushed the memparse branch 3 times, most recently from 7fe3a5b to 58821e1 Compare July 31, 2023 23:06
@rst0git
Copy link
Member

rst0git commented Aug 1, 2023
edited
Loading

Great work @behouba!
It might be useful to extend memparse with support for shared memory in a subsequent pull request. For example, it could be an additional column in the table generated with checkpointctl memparse <checkpoint>.tar and perhaps a new option that shows only the content of pagemap-shmem-{}.img when --pid is used.

@behouba behouba force-pushed the memparse branch 7 times, most recently from 7e107e2 to 4f69b2a Compare August 2, 2023 17:39
@behouba behouba marked this pull request as ready for review August 2, 2023 17:44
snprajwal
snprajwal reviewed Aug 2, 2023
View reviewed changes
test/checkpointctl.bats Outdated Show resolved Hide resolved
memparse.go Outdated Show resolved Hide resolved
container.go Outdated Show resolved Hide resolved
container.go Outdated Show resolved Hide resolved
@behouba behouba force-pushed the memparse branch 2 times, most recently from 73464e8 to 58b52c1 Compare August 3, 2023 22:36
rst0git
rst0git reviewed Aug 4, 2023
View reviewed changes
tree.go Show resolved Hide resolved
snprajwal
snprajwal approved these changes Aug 4, 2023
View reviewed changes
Copy link
Member

@snprajwal snprajwal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rst0git
Copy link
Member

rst0git commented Aug 7, 2023

@behouba Would it be possible to update go-criu in a separate pull request?

@behouba behouba mentioned this pull request Aug 7, 2023
Merged
@behouba
feat: add memparse sub-command
d034741 
This commit introduces a new sub-command `memparse` for analyzing
memory pages of processes. Using `memparse` without parameters will
display an overview of memory size of each process inside a container
checkpoint.

Signed-off-by: Kouame Behouba Manasse <behouba@gmail.com>
@behouba
feat: display content of process memory pages
632acf2 
This commit extends `memparse` sub-command with the ability to display
the content of process memory pages content in a hexdump-like format when
the `--pid` flag is provided. Additionally, the output can be written to a
file using the `--output` flag.

Signed-off-by: Kouame Behouba Manasse <behouba@gmail.com>
@behouba
test: add tests for memparse sub-command
770e424 
Signed-off-by: Kouame Behouba Manasse <behouba@gmail.com>
@rst0git
Copy link
Member

rst0git commented Aug 8, 2023
edited
Loading

@behouba Could you add a section about memory analysis to the README file?
It might be good to describe how users can use checkpointctl memparse with an example:

$ sudo podman run --name postgres -e POSTGRES_PASSWORD=mysecret -d postgres
$ sudo podman container checkpoint -l --export=/tmp/postgres.tar.gz
$ sudo checkpointctl memparse --pid 1 /tmp/postgres.tar.gz | grep mysecret
000055f9deed8e70  44 3d 6d 79 73 65 63 72 65 74 00 00 00 00 00 00  |D=mysecret......|
# Start vulnerable web application
$ sudo podman run --name dsvw -p 1234:8000 -d quay.io/rst0git/dsvw

# Perform arbitrary code execution attack: $(echo secret)
$ curl "http://localhost:1234/?domain=www.google.com%3B%20echo%20secret"
nslookup: can't resolve '(null)': Name does not resolve

Name:      www.google.com
Address 1: 142.250.187.228 lhr25s34-in-f4.1e100.net
Address 2: 2a00:1450:4009:820::2004 lhr25s34-in-x04.1e100.net
secret
(reverse-i-search)`': ^C

# Create a checkpoint for forensic analysis and leave the container running
$ sudo podman container checkpoint --leave-running -l -e /tmp/dsvw.tar

# Analyse checkpoint memory to identify the attacker's injected code
$ sudo checkpointctl memparse --pid 1 /tmp/dsvw.tar | grep 'echo secret'
00007faac5711f60  6f 6d 3b 20 65 63 68 6f 20 73 65 63 72 65 74 00  |om; echo secret.|

@behouba
Copy link
Collaborator Author

behouba commented Aug 8, 2023

@behouba Could you add a section about memory analysis to the README file?

@rst0git PTAL, and thank you for providing such good examples.

rst0git
rst0git reviewed Aug 9, 2023
View reviewed changes
README.md Outdated Show resolved Hide resolved
rst0git
rst0git reviewed Aug 9, 2023
View reviewed changes
README.md Outdated Show resolved Hide resolved
@behouba behouba force-pushed the memparse branch 3 times, most recently from 8621936 to 1f58a50 Compare August 9, 2023 12:48
@behouba
readme: add examples for memparse usage
d9e5742 
This commit adds a new section to the README.md file that provides
an example of how to use the memparse sub-command.

Signed-off-by: Kouame Behouba Manasse <behouba@gmail.com>
rst0git
rst0git approved these changes Aug 9, 2023
View reviewed changes
Copy link
Member

@rst0git rst0git left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rst0git rst0git merged commit bd9d1a9 into checkpoint-restore:main Aug 9, 2023
10 checks passed
@rst0git rst0git mentioned this pull request Aug 9, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rst0git rst0git rst0git approved these changes

@snprajwal snprajwal snprajwal approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@behouba @codecov-commenter @rst0git @snprajwal