memf-linux 0.2.1

Linux kernel memory forensic walkers (processes, connections, modules)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351

//! Linux hidden process detection via cross-view analysis.
//!
//! Compares process visibility across multiple kernel data structures:
//! the `task_struct` linked list and the PID hash table (`pid_hash` or
//! `pidhash`). Processes missing from one view but present in another
//! may have been hidden via Direct Kernel Object Manipulation (DKOM).

use memf_core::object_reader::ObjectReader;
use memf_format::PhysicalMemoryProvider;

use crate::{Error, PsxViewInfo, Result};

/// Cross-reference process visibility across kernel data structures.
pub fn walk_psxview<P: PhysicalMemoryProvider>(
    reader: &ObjectReader<P>,
) -> Result<Vec<PsxViewInfo>> {
    let init_task_addr = reader
        .symbols()
        .symbol_address("init_task")
        .ok_or_else(|| Error::MissingKernelSymbol {
            name: "init_task".into(),
        })?;

    let tasks_offset = reader
        .symbols()
        .field_offset("task_struct", "tasks")
        .ok_or_else(|| Error::MissingField {
            struct_name: "task_struct".into(),
            field_name: "tasks".into(),
        })?;

    let head_vaddr = init_task_addr + tasks_offset;
    let task_addrs = reader.walk_list(head_vaddr, "task_struct", "tasks")?;

    // Build set of PIDs found in the PID hash table.
    // If the hash table is unavailable (no symbol, unreadable memory, missing ISF
    // fields, or completely empty — which is impossible on a live system), we fall
    // back to assuming all PIDs are present (in_pid_hash = true).
    let pid_hash_pids = collect_pid_hash_pids(reader).filter(|s| !s.is_empty());

    let mut results = Vec::new();

    if let Ok(info) = read_task_info(reader, init_task_addr) {
        let in_pid_hash = pid_hash_pids
            .as_ref()
            .map_or(true, |set| set.contains(&info.0));
        results.push(PsxViewInfo {
            pid: info.0,
            comm: info.1,
            in_task_list: true,
            in_pid_hash,
        });
    }

    for &task_addr in &task_addrs {
        if let Ok(info) = read_task_info(reader, task_addr) {
            let in_pid_hash = pid_hash_pids
                .as_ref()
                .map_or(true, |set| set.contains(&info.0));
            results.push(PsxViewInfo {
                pid: info.0,
                comm: info.1,
                in_task_list: true,
                in_pid_hash,
            });
        }
    }

    Ok(results)
}

/// Walk the PID hash table and collect every PID found there.
///
/// Linux maintains a hash table (`pid_hash`) indexed by PID value. Each bucket
/// is an `hlist_head` — a pointer to the first `hlist_node`. Each `task_struct`
/// embeds an `hlist_node` in its `pid_links` field. By walking every non-empty
/// bucket and following `hlist_node.next` chains we get the set of PIDs visible
/// in the hash. A process absent from this set but present in the task list has
/// been hidden via DKOM (Direct Kernel Object Manipulation).
///
/// Returns `None` when the symbol or required ISF fields are unavailable (the
/// caller should fall back to `in_pid_hash = true`).
fn collect_pid_hash_pids<P: PhysicalMemoryProvider>(
    reader: &ObjectReader<P>,
) -> Option<std::collections::HashSet<u64>> {
    // Require the pid_hash symbol and hlist_node/pid_links field offsets.
    let pid_hash_addr = reader.symbols().symbol_address("pid_hash")?;
    let pid_links_offset = reader.symbols().field_offset("task_struct", "pid_links")?;
    let hlist_next_offset = reader.symbols().field_offset("hlist_node", "next")?;

    let mut found_pids = std::collections::HashSet::new();

    // pid_hash is an array of hlist_head structs (each is a single pointer).
    // We scan until we hit an unreadable address; bucket count is not in ISF
    // so we probe until the first read failure.
    let mut bucket_offset: u64 = 0;
    loop {
        let bucket_head_addr = pid_hash_addr.wrapping_add(bucket_offset);
        // Each hlist_head is a single pointer to the first hlist_node (or NULL).
        let first_node_ptr: u64 = match reader
            .read_bytes(bucket_head_addr, 8)
            .ok()
            .and_then(|b| b.try_into().ok())
            .map(u64::from_le_bytes)
        {
            Some(v) => v,
            None => break,
        };

        // Walk the hlist_node chain for this bucket.
        let mut node_ptr = first_node_ptr;
        let mut depth = 0usize;
        while node_ptr != 0 && depth < 10_000 {
            // task_struct base = hlist_node address − pid_links_offset
            let task_addr = node_ptr.wrapping_sub(pid_links_offset);
            if let Ok(pid) = reader.read_field::<u32>(task_addr, "task_struct", "pid") {
                found_pids.insert(u64::from(pid));
            }
            // Advance to hlist_node.next
            let next_ptr: u64 = match reader
                .read_bytes(node_ptr.wrapping_add(hlist_next_offset), 8)
                .ok()
                .and_then(|b| b.try_into().ok())
                .map(u64::from_le_bytes)
            {
                Some(v) => v,
                None => break,
            };
            node_ptr = next_ptr;
            depth += 1;
        }

        bucket_offset = bucket_offset.wrapping_add(8);
        // Stop after scanning a reasonable upper bound of buckets (typically
        // pid_hash has 4096 buckets on a 64-bit system). We stop early on
        // read failure so this cap just prevents runaway on synthetic memory.
        if bucket_offset >= 8 * 4096 {
            break;
        }
    }

    Some(found_pids)
}

fn read_task_info<P: PhysicalMemoryProvider>(
    reader: &ObjectReader<P>,
    task_addr: u64,
) -> Result<(u64, String)> {
    let pid: u32 = reader.read_field(task_addr, "task_struct", "pid")?;
    let comm = reader.read_field_string(task_addr, "task_struct", "comm", 16)?;
    Ok((u64::from(pid), comm))
}

#[cfg(test)]
mod tests {
    use super::*;
    use memf_core::test_builders::{flags as ptflags, PageTableBuilder, SyntheticPhysMem};
    use memf_core::vas::{TranslationMode, VirtualAddressSpace};
    use memf_symbols::isf::IsfResolver;
    use memf_symbols::test_builders::IsfBuilder;

    fn make_test_reader(
        data: &[u8],
        vaddr: u64,
        paddr: u64,
        extra_mappings: &[(u64, u64, &[u8])],
    ) -> ObjectReader<SyntheticPhysMem> {
        let isf = IsfBuilder::new()
            .add_struct("task_struct", 128)
            .add_field("task_struct", "pid", 0, "int")
            .add_field("task_struct", "state", 4, "long")
            .add_field("task_struct", "tasks", 16, "list_head")
            .add_field("task_struct", "comm", 32, "char")
            .add_field("task_struct", "mm", 48, "pointer")
            .add_field("task_struct", "pid_links", 56, "hlist_node")
            .add_struct("list_head", 16)
            .add_field("list_head", "next", 0, "pointer")
            .add_field("list_head", "prev", 8, "pointer")
            .add_struct("hlist_node", 16)
            .add_field("hlist_node", "next", 0, "pointer")
            .add_field("hlist_node", "pprev", 8, "pointer")
            .add_struct("pid", 32)
            .add_field("pid", "nr", 0, "unsigned int")
            .add_symbol("init_task", vaddr)
            .add_symbol("pid_hash", vaddr + 0x800)
            .build_json();

        let resolver = IsfResolver::from_value(&isf).unwrap();
        let mut builder = PageTableBuilder::new()
            .map_4k(vaddr, paddr, ptflags::WRITABLE)
            .write_phys(paddr, data);

        for &(ev, ep, edata) in extra_mappings {
            builder = builder
                .map_4k(ev, ep, ptflags::WRITABLE)
                .write_phys(ep, edata);
        }

        let (cr3, mem) = builder.build();
        let vas = VirtualAddressSpace::new(mem, cr3, TranslationMode::X86_64FourLevel);
        ObjectReader::new(vas, Box::new(resolver))
    }

    #[test]
    fn all_processes_visible_in_both_views() {
        let vaddr: u64 = 0xFFFF_8000_0010_0000;
        let paddr: u64 = 0x0080_0000;
        let mut data = vec![0u8; 4096];

        data[0..4].copy_from_slice(&1u32.to_le_bytes());
        let tasks_addr = vaddr + 16;
        data[16..24].copy_from_slice(&tasks_addr.to_le_bytes());
        data[24..32].copy_from_slice(&tasks_addr.to_le_bytes());
        data[32..36].copy_from_slice(b"init");

        let reader = make_test_reader(&data, vaddr, paddr, &[]);
        let results = walk_psxview(&reader).unwrap();

        assert!(!results.is_empty());
        assert!(results[0].in_task_list);
    }

    #[test]
    fn missing_init_task_symbol() {
        let isf = IsfBuilder::new()
            .add_struct("task_struct", 64)
            .add_field("task_struct", "pid", 0, "int")
            .add_field("task_struct", "tasks", 8, "list_head")
            .add_struct("list_head", 16)
            .add_field("list_head", "next", 0, "pointer")
            .add_field("list_head", "prev", 8, "pointer")
            .build_json();

        let resolver = IsfResolver::from_value(&isf).unwrap();
        let (cr3, mem) = PageTableBuilder::new().build();
        let vas = VirtualAddressSpace::new(mem, cr3, TranslationMode::X86_64FourLevel);
        let reader = ObjectReader::new(vas, Box::new(resolver));

        let result = walk_psxview(&reader);
        assert!(
            matches!(result, Err(crate::Error::MissingKernelSymbol { ref name }) if name == "init_task"),
            "expected MissingKernelSymbol {{name: \"init_task\"}}, got {result:?}"
        );
    }

    #[test]
    fn missing_tasks_field_returns_missing_field() {
        let isf = IsfBuilder::new()
            .add_struct("task_struct", 128)
            .add_field("task_struct", "pid", 0, "int")
            .add_field("task_struct", "comm", 32, "char")
            .add_struct("list_head", 16)
            .add_field("list_head", "next", 0, "pointer")
            .add_field("list_head", "prev", 8, "pointer")
            .add_symbol("init_task", 0xFFFF_8000_0010_0000)
            .build_json();

        let resolver = IsfResolver::from_value(&isf).unwrap();
        let (cr3, mem) = PageTableBuilder::new().build();
        let vas = VirtualAddressSpace::new(mem, cr3, TranslationMode::X86_64FourLevel);
        let reader = ObjectReader::new(vas, Box::new(resolver));

        let result = walk_psxview(&reader);
        assert!(
            matches!(result, Err(crate::Error::MissingField { ref struct_name, ref field_name }) if struct_name == "task_struct" && field_name == "tasks"),
            "expected MissingField task_struct.tasks, got {result:?}"
        );
    }

    #[test]
    fn walk_psxview_multiple_tasks_in_list() {
        let init_vaddr: u64 = 0xFFFF_8000_0020_0000;
        let init_paddr: u64 = 0x0090_0000;
        let task2_vaddr: u64 = 0xFFFF_8000_0021_0000;
        let task2_paddr: u64 = 0x0091_0000;

        let mut init_data = vec![0u8; 4096];
        init_data[0..4].copy_from_slice(&1u32.to_le_bytes());
        let task2_tasks = task2_vaddr + 16;
        init_data[16..24].copy_from_slice(&task2_tasks.to_le_bytes());
        init_data[24..32].copy_from_slice(&task2_tasks.to_le_bytes());
        init_data[32..38].copy_from_slice(b"init\0\0");

        let mut task2_data = vec![0u8; 4096];
        task2_data[0..4].copy_from_slice(&2u32.to_le_bytes());
        let init_tasks = init_vaddr + 16;
        task2_data[16..24].copy_from_slice(&init_tasks.to_le_bytes());
        task2_data[24..32].copy_from_slice(&init_tasks.to_le_bytes());
        task2_data[32..36].copy_from_slice(b"sh\0\0");

        let isf = IsfBuilder::new()
            .add_struct("task_struct", 128)
            .add_field("task_struct", "pid", 0, "int")
            .add_field("task_struct", "state", 4, "long")
            .add_field("task_struct", "tasks", 16, "list_head")
            .add_field("task_struct", "comm", 32, "char")
            .add_struct("list_head", 16)
            .add_field("list_head", "next", 0, "pointer")
            .add_field("list_head", "prev", 8, "pointer")
            .add_symbol("init_task", init_vaddr)
            .build_json();

        let resolver = IsfResolver::from_value(&isf).unwrap();
        let (cr3, mem) = PageTableBuilder::new()
            .map_4k(init_vaddr, init_paddr, ptflags::WRITABLE)
            .write_phys(init_paddr, &init_data)
            .map_4k(task2_vaddr, task2_paddr, ptflags::WRITABLE)
            .write_phys(task2_paddr, &task2_data)
            .build();
        let vas = VirtualAddressSpace::new(mem, cr3, TranslationMode::X86_64FourLevel);
        let reader = ObjectReader::new(vas, Box::new(resolver));

        let results = walk_psxview(&reader).unwrap();

        assert_eq!(results.len(), 2, "expected two tasks: init + task2");

        let init_entry = results
            .iter()
            .find(|r| r.pid == 1)
            .expect("init_task missing");
        assert!(init_entry.in_task_list);
        assert!(init_entry.in_pid_hash);

        let task2_entry = results.iter().find(|r| r.pid == 2).expect("task2 missing");
        assert!(task2_entry.in_task_list);
        assert!(task2_entry.in_pid_hash);
        assert_eq!(task2_entry.comm, "sh");
    }

    #[test]
    fn psxview_entries_have_correct_visibility_flags() {
        let vaddr: u64 = 0xFFFF_8000_0010_0000;
        let paddr: u64 = 0x0080_0000;
        let mut data = vec![0u8; 4096];

        data[0..4].copy_from_slice(&1u32.to_le_bytes());
        let tasks_addr = vaddr + 16;
        data[16..24].copy_from_slice(&tasks_addr.to_le_bytes());
        data[24..32].copy_from_slice(&tasks_addr.to_le_bytes());
        data[32..39].copy_from_slice(b"swapper");

        let reader = make_test_reader(&data, vaddr, paddr, &[]);
        let results = walk_psxview(&reader).unwrap();

        assert!(!results.is_empty(), "should find at least init_task");
        let init = &results[0];
        assert!(init.in_task_list, "init_task must be in_task_list");
        assert!(init.in_pid_hash, "init_task must be in_pid_hash");
        assert_eq!(init.pid, 1);
    }
}