feat: add memparse sub-command #95
Conversation
Codecov Report
Patch coverage:
Additional details and impacted files
@@ Coverage Diff @@
## main #95 +/- ##
==========================================
+ Coverage 82.78% 83.33% +0.55%
==========================================
Files 4 5 +1
Lines 633 804 +171
==========================================
+ Hits 524 670 +146
- Misses 80 99 +19
- Partials 29 35 +6
☔ View full report in Codecov by Sentry.
7fe3a5b to 58821e1
Great work @behouba!
7e107e2 to 4f69b2a
73464e8 to 58b52c1
LGTM
@behouba Would it be possible to update go-criu in a separate pull request?
This commit introduces a new sub-command `memparse` for analyzing memory pages of processes. Using `memparse` without parameters will display an overview of the memory size of each process inside a container checkpoint.
Signed-off-by: Kouame Behouba Manasse <behouba@gmail.com>
This commit extends the `memparse` sub-command with the ability to display the content of process memory pages in a hexdump-like format when the `--pid` flag is provided. Additionally, the output can be written to a file using the `--output` flag.
Signed-off-by: Kouame Behouba Manasse <behouba@gmail.com>
Signed-off-by: Kouame Behouba Manasse <behouba@gmail.com>
@behouba Could you add a section about memory analysis to the README file?

$ sudo podman run --name postgres -e POSTGRES_PASSWORD=mysecret -d postgres
$ sudo podman container checkpoint -l --export=/tmp/postgres.tar.gz
$ sudo checkpointctl memparse --pid 1 /tmp/postgres.tar.gz | grep mysecret
000055f9deed8e70 44 3d 6d 79 73 65 63 72 65 74 00 00 00 00 00 00 |D=mysecret......|

# Start vulnerable web application
$ sudo podman run --name dsvw -p 1234:8000 -d quay.io/rst0git/dsvw
# Perform arbitrary code execution attack: $(echo secret)
$ curl "http://localhost:1234/?domain=www.google.com%3B%20echo%20secret"
nslookup: can't resolve '(null)': Name does not resolve
Name: www.google.com
Address 1: 142.250.187.228 lhr25s34-in-f4.1e100.net
Address 2: 2a00:1450:4009:820::2004 lhr25s34-in-x04.1e100.net
secret
(reverse-i-search)`': ^C
# Create a checkpoint for forensic analysis and leave the container running
$ sudo podman container checkpoint --leave-running -l -e /tmp/dsvw.tar
# Analyse checkpoint memory to identify the attacker's injected code
$ sudo checkpointctl memparse --pid 1 /tmp/dsvw.tar | grep 'echo secret'
00007faac5711f60 6f 6d 3b 20 65 63 68 6f 20 73 65 63 72 65 74 00 |om; echo secret.|
8621936 to 1f58a50
This commit adds a new section to the README.md file that provides an example of how to use the memparse sub-command.
Signed-off-by: Kouame Behouba Manasse <behouba@gmail.com>
LGTM
This PR introduces a new sub-command `memparse`, which allows analyzing process memory pages. This new feature was discussed in #69.
When used without any arguments, the command displays a table showing the memory sizes of processes. Here's an example:
If a process ID (pid) is provided, the command prints the memory pages of that specific process in a hexdump-like format. For instance:
This output can be written to a file instead of stdout using the `--output` flag.
@rst0git, @adrianreber, could you please take a look?
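As an added example, not code from checkpointctl or from the PR author, the following Go program reproduces the two steps this thread relies on: the hexdump-like row layout described in the PR and the `memparse --pid 1 ... | grep` search for a string in the dumped pages shown in the README discussion. The `Page` type, `HexdumpLines`, `FindString` and `SamplePage` are names introduced here, and the 4 KiB page content is constructed so that the `D=mysecret` row lands at the address quoted in the thread; it is not taken from a real checkpoint.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// Page is one dumped memory page: the virtual address it occupied in the
// checkpointed process and its raw bytes. (Hypothetical type for this
// example; not checkpointctl's own representation.)
type Page struct {
	Addr uint64
	Data []byte
}

// HexdumpLines renders a page in the layout seen in this thread: a 16-digit
// hex address, 16 bytes as two-digit hex, and an ASCII gutter in which bytes
// outside 0x20..0x7e print as '.'. A short final row is padded so the gutter
// stays aligned.
func HexdumpLines(p Page) []string {
	lines := make([]string, 0, (len(p.Data)+15)/16)
	for off := 0; off < len(p.Data); off += 16 {
		end := off + 16
		if end > len(p.Data) {
			end = len(p.Data)
		}
		row := p.Data[off:end]
		var hexPart, asciiPart strings.Builder
		for i := 0; i < 16; i++ {
			if i >= len(row) {
				hexPart.WriteString("   ") // pad missing bytes in a short row
				continue
			}
			fmt.Fprintf(&hexPart, "%02x ", row[i])
			if row[i] >= 0x20 && row[i] <= 0x7e {
				asciiPart.WriteByte(row[i])
			} else {
				asciiPart.WriteByte('.')
			}
		}
		lines = append(lines, fmt.Sprintf("%016x %s|%s|",
			p.Addr+uint64(off), hexPart.String(), asciiPart.String()))
	}
	return lines
}

// FindString scans each page for needle and returns the virtual address of
// every match. Like piping a dump through grep, this is a per-page scan: a
// string that straddles two pages is missed, so a negative result is not
// proof that the string is absent from the process image.
func FindString(pages []Page, needle string) []uint64 {
	var hits []uint64
	n := []byte(needle)
	if len(n) == 0 {
		return hits
	}
	for _, p := range pages {
		for start := 0; start <= len(p.Data)-len(n); {
			i := bytes.Index(p.Data[start:], n)
			if i < 0 {
				break
			}
			hits = append(hits, p.Addr+uint64(start+i))
			start += i + 1
		}
	}
	return hits
}

// SamplePage builds a constructed 4 KiB page that places the string from the
// postgres example ("D=mysecret") at offset 0xe70 of a page mapped at
// 0x55f9deed8000, so the dump reproduces the address shown in the thread.
// The content is constructed for this example, not read from a checkpoint.
func SamplePage() Page {
	data := make([]byte, 4096)
	copy(data[0xe70:], "D=mysecret")
	return Page{Addr: 0x55f9deed8000, Data: data}
}

func main() {
	p := SamplePage()
	lines := HexdumpLines(p)
	for _, addr := range FindString([]Page{p}, "mysecret") {
		// Print only the row containing the hit, as `memparse ... | grep` would.
		fmt.Println(lines[int(addr-p.Addr)/16])
	}
}
```

Running it prints the single row `000055f9deed8e70 44 3d 6d 79 73 65 63 72 65 74 00 00 00 00 00 00 |D=mysecret......|`. The per-page scan is deliberate: the dump is organised by page, so anything that crosses a page boundary has to be searched for with a buffer that spans adjacent pages, which is the main caveat when relying on grep over this kind of output.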