memflow-kcore 0.2.0

coredump (/proc/kcore focused) connector for memflow physical memory introspection framework
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

use goblin::Object;
use memflow::connector::fileio::{CloneFile, FileIoMemory};
use memflow::mem::MemoryMap;
use memflow::prelude::v1::*;
use std::fs::File;
use std::io::Read;

#[cfg_attr(feature = "plugins", connector(name = "kcore"))]
pub fn create_connector(args: &ConnectorArgs) -> Result<FileIoMemory<CloneFile>> {
    let mut mem = File::open(
        args.target
            .as_ref()
            .map(|v| v.as_ref())
            .unwrap_or("/proc/kcore"),
    )
    .map_err(|_| Error(ErrorOrigin::Connector, ErrorKind::UnableToReadFile))?;

    let mut head = vec![0; size::mb(2)];
    mem.read(&mut head).ok();

    let mut map = MemoryMap::new();

    if let Ok(Object::Elf(elf)) = Object::parse(&head) {
        for (b, s, r) in elf
            .program_headers
            .iter()
            .filter(|h| h.p_paddr != u64::MAX)
            .filter(|h| h.p_vaddr != 0)
            .map(|h| {
                (
                    Address::from(h.p_paddr),
                    h.p_filesz as umem,
                    Address::from(h.p_offset),
                )
            })
        {
            map.push_remap(b, s, r);
        }

        FileIoMemory::with_mem_map(mem.into(), map)
    } else {
        Err(Error(ErrorOrigin::Connector, ErrorKind::InvalidExeFile))
    }
}