mirrors/opensnitch
1
0
Fork 0
mirror of https://github.com/evilsocket/opensnitch.git synced 2025-03-04 16:44:46 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
opensnitch/daemon/procmon/details.go

577 lines
15 KiB
Go
Raw Normal View History

added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
package procmon
import (
"bufio"
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
"bytes"
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
"crypto/md5"
"crypto/sha1"
"encoding/hex"
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
"fmt"
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
"hash"
"io"
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
"io/ioutil"
"os"
netlink: de/serialize ipv6, dump socket list - De/Serialize IPv6 connections. - Added SocketsDump() to list all sockets currently in the kernel. - [proc details] Resolve all the sockets an application has opened and translate them to network data, e.g: ``` ls -l /proc/1234/fd/ 0 ... 25 -> socket[12345678] ``` to ``` 0 .... 25 -> socket[12345678] - 54321:10.0.2.2 -> github.com:443, state: established ```
2020-11-20 00:53:29 +01:00
"regexp"
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
"strconv"
"strings"
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
"time"
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
updated import paths
2020-12-09 18:18:42 +01:00
"github.com/evilsocket/opensnitch/daemon/core"
"github.com/evilsocket/opensnitch/daemon/dns"
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
"github.com/evilsocket/opensnitch/daemon/log"
updated import paths
2020-12-09 18:18:42 +01:00
"github.com/evilsocket/opensnitch/daemon/netlink"
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
"github.com/evilsocket/opensnitch/daemon/ui/protocol"
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
)
netlink: de/serialize ipv6, dump socket list - De/Serialize IPv6 connections. - Added SocketsDump() to list all sockets currently in the kernel. - [proc details] Resolve all the sockets an application has opened and translate them to network data, e.g: ``` ls -l /proc/1234/fd/ 0 ... 25 -> socket[12345678] ``` to ``` 0 .... 25 -> socket[12345678] - 54321:10.0.2.2 -> github.com:443, state: established ```
2020-11-20 00:53:29 +01:00
var socketsRegex, _ = regexp.Compile(`socket:\[([0-9]+)\]`)
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
// GetParent obtains the information of this process' parent.
func (p *Process) GetParent() {
if p.Parent != nil {
log.Debug("%d already with parent: %v", p.ID, p.Parent)
return
}
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
// ReadFile + parse = ~40us
data, err := ioutil.ReadFile(p.pathStat)
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
if err != nil {
return
}
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
var ppid int
var state string
// https://lore.kernel.org/lkml/tog7cb$105a$1@ciao.gmane.io/T/
parts := bytes.Split(data, []byte(")"))
data = parts[len(parts)-1]
_, err = fmt.Sscanf(string(data), "%s %d", &state, &ppid)
if err != nil || ppid == 0 {
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
return
}
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
if item, found := EventsCache.IsInStoreByPID(ppid); found {
p.mu.Lock()
p.Parent = item.Proc
p.mu.Unlock()
EventsCache.UpdateItem(p)
} else {
p.Parent = NewProcessEmpty(ppid, "")
p.Parent.ReadPath()
EventsCache.Add(p.Parent)
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
}
// get process tree
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
p.Parent.GetParent()
}
// GetTree returns all the parents of this process.
func (p *Process) GetTree() {
if len(p.Tree) > 0 {
fmt.Println("GetTree not empty:", p.Tree)
}
p.mu.Lock()
p.Tree = make([]*protocol.StringInt, 0)
for pp := p.Parent; pp != nil; pp = pp.Parent {
// add the parents in reverse order, so when we iterate over them with the rules
// the first item is the most direct parent of the process.
p.Tree = append(p.Tree,
&protocol.StringInt{
Key: pp.Path, Value: uint32(pp.ID),
},
)
}
p.mu.Unlock()
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
}
netlink: de/serialize ipv6, dump socket list - De/Serialize IPv6 connections. - Added SocketsDump() to list all sockets currently in the kernel. - [proc details] Resolve all the sockets an application has opened and translate them to network data, e.g: ``` ls -l /proc/1234/fd/ 0 ... 25 -> socket[12345678] ``` to ``` 0 .... 25 -> socket[12345678] - 54321:10.0.2.2 -> github.com:443, state: established ```
2020-11-20 00:53:29 +01:00
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
// GetInfo collects information of a process.
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
func (p *Process) GetDetails() error {
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
if os.Getpid() == p.ID {
return nil
}
// if the PID dir doesn't exist, the process may have exited or be a kernel connection
// XXX: can a kernel connection exist without an entry in ProcFS?
ebpf: increased ring buffer size, hook execveat Increased perf map buffer size to avoid lose events under heavy loads. Hook execveat to intercept executions from memory.
2022-10-13 01:44:23 +02:00
if p.Path == "" && p.IsAlive() == false {
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
log.Debug("PID can't be read /proc/ %d %s", p.ID, p.Comm)
// The Comm field shouldn't be empty if the proc monitor method is ebpf or audit.
// If it's proc and the corresponding entry doesn't exist, there's nothing we can
// do to inform the user about this process.
if p.Comm == "" {
return fmt.Errorf("Unable to get process information")
}
}
if err := p.ReadPath(); err != nil {
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
log.Debug("GetInfo() path can't be read: %s", p.Path)
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
return err
}
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
p.ReadCmdline()
p.ReadComm()
p.ReadCwd()
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
// we need to load the env variables now, in order to be used with the rules.
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
p.ReadEnv()
return nil
}
// GetExtraInfo collects information of a process.
func (p *Process) GetExtraInfo() error {
p.ReadEnv()
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
p.readDescriptors()
p.readIOStats()
p.readStatus()
return nil
}
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
// ReadComm reads the comm name from ProcFS /proc/<pid>/comm
func (p *Process) ReadComm() error {
if p.Comm != "" {
return nil
}
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
data, err := ioutil.ReadFile(p.pathComm)
Allow to intercept more kernel connections (#513) * Allow to intercept some kernel connections Some connections are initiated from kernel space, like WireGuard VPNs (#454), NFS or SMB connections (#502) and ip tunnels (#500). Note: This feature is complete for x86_64, WIP for aarch64, and not supported for armhf and i386 https://github.com/evilsocket/opensnitch/pull/513#issuecomment-924400824 More information regarding this change: #493
2021-09-23 01:44:12 +02:00
if err != nil {
return err
}
p.Comm = core.Trim(string(data))
return nil
}
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
// ReadCwd reads the current working directory name from ProcFS /proc/<pid>/cwd
func (p *Process) ReadCwd() error {
if p.CWD != "" {
return nil
}
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
link, err := os.Readlink(p.pathCwd)
added unit tests for process parsing and rules
2020-12-19 19:31:09 +01:00
if err != nil {
return err
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
}
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
p.mu.Lock()
added unit tests for process parsing and rules
2020-12-19 19:31:09 +01:00
p.CWD = link
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
p.mu.Unlock()
added unit tests for process parsing and rules
2020-12-19 19:31:09 +01:00
return nil
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
}
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
// ReadEnv reads and parses the environment variables of a process.
func (p *Process) ReadEnv() {
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
data, err := ioutil.ReadFile(p.pathEnviron)
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
if err != nil {
return
}
for _, s := range strings.Split(string(data), "\x00") {
parts := strings.SplitN(core.Trim(s), "=", 2)
if parts != nil && len(parts) == 2 {
key := core.Trim(parts[0])
val := core.Trim(parts[1])
p.Env[key] = val
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
}
}
}
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
// ReadPath reads the symbolic link that /proc/<pid>/exe points to.
// Note 1: this link might not exist on the root filesystem, it might
// have been executed from a container, so the real path would be:
// /proc/<pid>/root/<path that 'exe' points to>
//
// Note 2:
// There're at least 3 things that a (regular) kernel connection meets
// from userspace POV:
// - /proc/<pid>/cmdline and /proc/<pid>/maps empty
// - /proc/<pid>/exe can't be read
func (p *Process) ReadPath() error {
// avoid rereading the path
resolve absolute path of a process if it's relative We may receive relative paths from kernel (eBPF), so we need to resolve the absolute path of the process in order to create valid rules.
2022-10-01 22:27:07 +02:00
if p.Path != "" && core.IsAbsPath(p.Path) {
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
return nil
}
defer func() {
if p.Path == "" {
// determine if this process might be of a kernel task.
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
if data, err := ioutil.ReadFile(p.pathMaps); err == nil && len(data) == 0 {
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
p.Path = KernelConnection
improved process detection latest changes to detect short-lived processes caused undesired behaviour (#694) Closes #685
2022-07-08 17:15:57 +02:00
p.Args = append(p.Args, p.Comm)
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
return
}
p.Path = p.Comm
}
}()
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
if _, err := os.Lstat(p.pathExe); err != nil {
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
return err
}
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
// FIXME: this reading can give error: file name too long
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
link, err := os.Readlink(p.pathExe)
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
if err != nil {
return err
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
}
clean path of a process if it's needed Sometimes the path of a path has " (deleted)" added or the path is reported as "/proc/self/exe" which is a link and needs to be resolved. -> #694
2022-07-08 21:59:11 +02:00
p.SetPath(link)
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
return nil
}
clean path of a process if it's needed Sometimes the path of a path has " (deleted)" added or the path is reported as "/proc/self/exe" which is a link and needs to be resolved. -> #694
2022-07-08 21:59:11 +02:00
// SetPath sets the path of the process, and fixes it if it's needed.
func (p *Process) SetPath(path string) {
p.Path = path
p.CleanPath()
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
p.RealPath = fmt.Sprint(p.pathRoot, "/", p.Path)
if core.Exists(p.RealPath) == false {
p.RealPath = p.Path
// p.CleanPath() ?
}
clean path of a process if it's needed Sometimes the path of a path has " (deleted)" added or the path is reported as "/proc/self/exe" which is a link and needs to be resolved. -> #694
2022-07-08 21:59:11 +02:00
}
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
// ReadCmdline reads the cmdline of the process from ProcFS /proc/<pid>/cmdline
// This file may be empty if the process is of a kernel task.
// It can also be empty for short-lived processes.
func (p *Process) ReadCmdline() {
if len(p.Args) > 0 {
return
}
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
data, err := ioutil.ReadFile(p.pathCmdline)
if err != nil || len(data) == 0 {
return
}
// XXX: remove this loop, and split by "\x00"
for i, b := range data {
if b == 0x00 {
data[i] = byte(' ')
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
}
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
}
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
args := strings.Split(string(data), " ")
for _, arg := range args {
arg = core.Trim(arg)
if arg != "" {
p.Args = append(p.Args, arg)
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
}
ebpf: get cmdline arguments from kernel - Get cmdline arguments from kernel along with the absolute path to the binary. If the cmdline has more than 20 arguments, or one of the arguments is longer than 256 bytes, get it from ProcFS. - Improved stopping ebpf monitor method.
2022-07-12 15:40:01 +02:00
}
p.CleanArgs()
}
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
ebpf: get cmdline arguments from kernel - Get cmdline arguments from kernel along with the absolute path to the binary. If the cmdline has more than 20 arguments, or one of the arguments is longer than 256 bytes, get it from ProcFS. - Improved stopping ebpf monitor method.
2022-07-12 15:40:01 +02:00
// CleanArgs applies fixes on the cmdline arguments.
// - AppImages cmdline reports the execuable launched as /proc/self/exe,
// instead of the actual path to the binary.
func (p *Process) CleanArgs() {
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
if len(p.Args) > 0 && p.Args[0] == ProcSelfExe {
ebpf: get cmdline arguments from kernel - Get cmdline arguments from kernel along with the absolute path to the binary. If the cmdline has more than 20 arguments, or one of the arguments is longer than 256 bytes, get it from ProcFS. - Improved stopping ebpf monitor method.
2022-07-12 15:40:01 +02:00
p.Args[0] = p.Path
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
}
}
func (p *Process) readDescriptors() {
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
f, err := os.Open(p.pathFd)
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
if err != nil {
return
}
fDesc, err := f.Readdir(-1)
f.Close()
p.Descriptors = nil
for _, fd := range fDesc {
tempFd := &procDescriptors{
Name: fd.Name(),
}
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
link, err := os.Readlink(fmt.Sprint(p.pathFd, fd.Name()))
if err != nil {
continue
}
tempFd.SymLink = link
socket := socketsRegex.FindStringSubmatch(link)
if len(socket) > 0 {
socketInfo, err := netlink.GetSocketInfoByInode(socket[1])
if err == nil {
tempFd.SymLink = fmt.Sprintf("socket:[%s] - %d:%s -> %s:%d, state: %s", fd.Name(),
socketInfo.ID.SourcePort,
socketInfo.ID.Source.String(),
dns.HostOr(socketInfo.ID.Destination, socketInfo.ID.Destination.String()),
socketInfo.ID.DestinationPort,
netlink.TCPStatesMap[socketInfo.State])
netlink: de/serialize ipv6, dump socket list - De/Serialize IPv6 connections. - Added SocketsDump() to list all sockets currently in the kernel. - [proc details] Resolve all the sockets an application has opened and translate them to network data, e.g: ``` ls -l /proc/1234/fd/ 0 ... 25 -> socket[12345678] ``` to ``` 0 .... 25 -> socket[12345678] - 54321:10.0.2.2 -> github.com:443, state: established ```
2020-11-20 00:53:29 +01:00
}
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
}
netlink: de/serialize ipv6, dump socket list - De/Serialize IPv6 connections. - Added SocketsDump() to list all sockets currently in the kernel. - [proc details] Resolve all the sockets an application has opened and translate them to network data, e.g: ``` ls -l /proc/1234/fd/ 0 ... 25 -> socket[12345678] ``` to ``` 0 .... 25 -> socket[12345678] - 54321:10.0.2.2 -> github.com:443, state: established ```
2020-11-20 00:53:29 +01:00
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
if linkInfo, err := os.Lstat(link); err == nil {
tempFd.Size = linkInfo.Size()
tempFd.ModTime = linkInfo.ModTime()
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
}
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
p.Descriptors = append(p.Descriptors, tempFd)
}
}
func (p *Process) readIOStats() {
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
f, err := os.Open(p.pathIO)
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
if err != nil {
return
}
defer f.Close()
p.IOStats = &procIOstats{}
scanner := bufio.NewScanner(f)
for scanner.Scan() {
s := strings.Split(scanner.Text(), " ")
switch s[0] {
case "rchar:":
p.IOStats.RChar, _ = strconv.ParseInt(s[1], 10, 64)
case "wchar:":
p.IOStats.WChar, _ = strconv.ParseInt(s[1], 10, 64)
case "syscr:":
p.IOStats.SyscallRead, _ = strconv.ParseInt(s[1], 10, 64)
case "syscw:":
p.IOStats.SyscallWrite, _ = strconv.ParseInt(s[1], 10, 64)
case "read_bytes:":
p.IOStats.ReadBytes, _ = strconv.ParseInt(s[1], 10, 64)
case "write_bytes:":
p.IOStats.WriteBytes, _ = strconv.ParseInt(s[1], 10, 64)
}
}
}
func (p *Process) readStatus() {
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
if data, err := ioutil.ReadFile(p.pathStatus); err == nil {
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
p.Status = string(data)
}
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
if data, err := ioutil.ReadFile(p.pathStat); err == nil {
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
p.Stat = string(data)
}
if data, err := ioutil.ReadFile(fmt.Sprint("/proc/", p.ID, "/stack")); err == nil {
p.Stack = string(data)
}
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
if data, err := ioutil.ReadFile(p.pathMaps); err == nil {
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
p.Maps = string(data)
}
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
if data, err := ioutil.ReadFile(p.pathStatm); err == nil {
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
p.Statm = &procStatm{}
fmt.Sscanf(string(data), "%d %d %d %d %d %d %d", &p.Statm.Size, &p.Statm.Resident, &p.Statm.Shared, &p.Statm.Text, &p.Statm.Lib, &p.Statm.Data, &p.Statm.Dt)
}
}
ebpf: get cmdline arguments from kernel - Get cmdline arguments from kernel along with the absolute path to the binary. If the cmdline has more than 20 arguments, or one of the arguments is longer than 256 bytes, get it from ProcFS. - Improved stopping ebpf monitor method.
2022-07-12 15:40:01 +02:00
// CleanPath applies fixes on the path to the binary:
// - Remove extra characters from the link that it points to.
// When a running process is deleted, the symlink has the bytes " (deleted")
// appended to the link.
// - If the path is /proc/self/exe, resolve the symlink that it points to.
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
func (p *Process) CleanPath() {
// Sometimes the path to the binary reported is the symbolic link of the process itself.
// This is not useful to the user, and besides it's a generic path that can represent
// to any process.
// Therefore we cannot use /proc/self/exe directly, because it resolves to our own process.
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
if p.Path == ProcSelfExe {
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
if link, err := os.Readlink(p.pathExe); err == nil {
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
p.Path = link
return
}
prevent crash resolving /proc/self/exe
2022-07-09 22:17:17 +02:00
if len(p.Args) > 0 && p.Args[0] != "" {
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
p.Path = p.Args[0]
return
}
p.Path = p.Comm
}
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
pathLen := len(p.Path)
if pathLen >= 10 && p.Path[pathLen-10:] == " (deleted)" {
p.Path = p.Path[:len(p.Path)-10]
}
resolve absolute path of a process if it's relative We may receive relative paths from kernel (eBPF), so we need to resolve the absolute path of the process in order to create valid rules.
2022-10-01 22:27:07 +02:00
// We may receive relative paths from kernel, but the path of a process must be absolute
if core.IsAbsPath(p.Path) == false {
if err := p.ReadPath(); err != nil {
log.Debug("ClenPath() error reading process path%s", err)
return
}
}
added dialog to inspect details of a process in realtime (procfs) New dialog added to display details of a process in realtime, gathered from ProcFS. Process tab -> double click on an app -> click on the button with the search icon. We have also improved the discovery of apps icons and names. It should work better on systems where the DE is not properly configured. Tested, but not bulletproof, still in beta.
2020-11-16 17:09:52 +01:00
}
ebpf: increased ring buffer size, hook execveat Increased perf map buffer size to avoid lose events under heavy loads. Hook execveat to intercept executions from memory.
2022-10-13 01:44:23 +02:00
// IsAlive checks if the process is still running
func (p *Process) IsAlive() bool {
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
return core.Exists(p.pathProc)
}
// IsChild determines if this process is child of its parent
func (p *Process) IsChild() bool {
return p.Parent != nil && p.Parent.Path == p.Path && p.Parent.IsAlive() //&& proc.Starttime != proc.Parent.Starttime
}
// ComputeChecksums calculates the checksums of a the process path to the binary.
// Users may want to use different hashing alogrithms.
func (p *Process) ComputeChecksums(hashes map[string]uint) {
for hash := range hashes {
p.ComputeChecksum(hash)
}
}
// ComputeChecksum calculates the checksum of a the process path to the binary
func (p *Process) ComputeChecksum(algo string) {
if p.Path == "" || p.Path == KernelConnection {
return
}
if p.Checksums[algo] != "" {
log.Debug("[hashing] %d already hasshed [%s]: %s\n", p.ID, algo, p.Checksums[algo])
return
}
// - hash first the exe link. That's the process that is currently running.
// If the binary has been updated while it's running, the checksum on disk
// will change and it won't match the one defined in the rules.
// However the exe link will match the one defined in the rules.
// So keep it valid until the user restarts the process.
//
// - If it can't be read, hash the RealPath, because containerized binaries'
// path usually won't exist on the host.
// Path cannot be trusted, because multiple processes with the same path
// can coexist in different namespaces.
// The real path is /proc/<pid>/root/<path-to-the-binary>
paths := []string{p.pathExe, p.RealPath, p.Path}
var h hash.Hash
if algo == HashMD5 {
h = md5.New()
} else if algo == HashSHA1 {
h = sha1.New()
} else {
log.Debug("Unknown hashing algorithm: %s", algo)
return
}
i := uint8(0)
for i = 0; i < 2; i++ {
log.Debug("[hashing %s], path %d: %s", algo, i, paths[i])
start := time.Now()
h.Reset()
// can this be instantiate outside of the loop?
f, err := os.Open(paths[i])
if err != nil {
log.Debug("[hashing %s] Unable to open path: %s", algo, paths[i])
// one of the reasons to end here is when hashing AppImages
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
code, err := p.DumpImage()
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
if err != nil {
log.Debug("[hashing] Unable to dump process memory: %s", err)
continue
}
p.Checksums[algo] = hex.EncodeToString(h.Sum(code))
log.Debug("[hashing] memory region hashed, elapsed: %v ,Hash: %s, %s\n", time.Since(start), p.Checksums[algo], paths[i])
code = nil
break
}
defer f.Close()
if _, err = io.Copy(h, f); err != nil {
log.Debug("[hashing %s] Error copying data: %s", algo, err)
continue
}
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
p.mu.Lock()
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
p.Checksums[algo] = hex.EncodeToString(h.Sum(nil))
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
p.mu.Unlock()
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
log.Debug("[hashing] elapsed: %v ,Hash: %s, %s\n", time.Since(start), p.Checksums[algo], paths[i])
break
}
return
}
// MemoryMapping represents a memory mapping region
type MemoryMapping struct {
StartAddr uint64
EndAddr uint64
}
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
// DumpImage reads the memory of the current process, and returns it
// as byte array.
func (p *Process) DumpImage() ([]byte, error) {
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
return p.dumpFileImage(p.Path)
}
// dumpFileImage will dump the memory region of a file mapped by this process.
// By default it'll dump the current image of this process.
func (p *Process) dumpFileImage(filePath string) ([]byte, error) {
var mappings []MemoryMapping
// read memory mappings
mapsFile, err := os.Open(p.pathMaps)
if err != nil {
return nil, err
}
defer mapsFile.Close()
if filePath == "" {
filePath = p.Path
}
size := 0
mapsScanner := bufio.NewScanner(mapsFile)
for mapsScanner.Scan() {
addrMap := mapsScanner.Text()
// filter by process path
// TODO: make it configurable
if !strings.Contains(addrMap, filePath) {
log.Debug("dumpFileImage() addr doesn't contain %s", filePath)
continue
}
fields := strings.Fields(addrMap)
if len(fields) < 6 {
log.Debug("dumpFileImage() line less than 6: %v", fields)
continue
}
// TODO: make it configurable
/*permissions := fields[1]
if !strings.Contains(permissions, "r-xp") {
continue
}
*/
addrRange := strings.Split(fields[0], "-")
addrStart, err := strconv.ParseUint(addrRange[0], 16, 64)
if err != nil {
//log.Debug("dumpFileImage() invalid addrStart: %v", addrRange)
continue
}
addrEnd, err := strconv.ParseUint(addrRange[1], 16, 64)
if err != nil {
log.Debug("dumpFileImage() invalid addrEnd: %v", addrRange)
continue
}
size += int(addrEnd - addrStart)
mappings = append(mappings, MemoryMapping{StartAddr: addrStart, EndAddr: addrEnd})
}
// read process memory
elfCode, err := p.readMem(mappings)
mappings = nil
//fmt.Printf(">>> READ MEM, regions size: %d, elfCode: %d\n", size, len(elfCode))
//if fInfo, err := os.Stat(filePath); err == nil {
// fmt.Printf("\t>>> on disk: %d\n", fInfo.Size())
//}
if err != nil {
return nil, err
}
return elfCode, nil
}
// given a range of addrs, read it from mem and return the content
func (p *Process) readMem(mappings []MemoryMapping) ([]byte, error) {
var elfCode []byte
memFile, err := os.Open(p.pathMem)
if err != nil {
return nil, err
}
defer memFile.Close()
for _, mapping := range mappings {
memFile.Seek(int64(mapping.StartAddr), io.SeekStart)
code := make([]byte, mapping.EndAddr-mapping.StartAddr)
_, err = memFile.Read(code)
if err != nil {
return nil, err
}
}
return elfCode, nil
ebpf: increased ring buffer size, hook execveat Increased perf map buffer size to avoid lose events under heavy loads. Hook execveat to intercept executions from memory.
2022-10-13 01:44:23 +02:00
}
Reference in a new issue Copy permalink