
Tracing memory address for an image loaded into memory on Linux

I am trying to trace information every time an image on Linux is loaded into memory. Ideally, I would need

  • the pid of the process,
  • the timestamp of the event,
  • path from where the image is being loaded,
  • and also the location in memory where the image gets loaded.

I have managed to get the pid, timestamp and path using the open_exec tracepoint available on Linux, but I'm having problems tracing the memory location where the image is loaded. Any suggestions (tracepoints, markers, syscalls, etc.) on how I could trace this?

One idea could be to trace all mmap(2) calls, in a manner similar to how strace(1) traces calls (strace uses the ptrace(2) APIs). You can try it yourself by checking out what strace sees, by running strace (some command) 2> FOO and then grep mmap FOO :

mmap2(NULL, 40654, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb80e5000
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb80e4000
mmap2(0x724000, 37456, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x724000
mmap2(0x72c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7) = 0x72c000
mmap2(0x27e000, 117704, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x27e000
mmap2(0x299000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1a) = 0x299000
mmap2(0x697000, 17008, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x697000
mmap2(0x69b000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3) = 0x69b000

You have the corresponding file name of each descriptor (from open(2)), and the return value of mmap(2) will be the address where the image is mapped in memory.

Depending on how you can intercept the process, you can also inject a hook on dlopen, though the above should be enough.
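The correlation the answer describes (file name from the open call, load address from the mmap return value) can be automated over a saved trace. The following is an added example, not code from the answer above: it parses strace output collected with something like `strace -f -tt -e trace=open,openat,close,mmap,mmap2 -o trace.log ./prog`, keeps a per-pid table of descriptor-to-path mappings, and emits one record per file-backed mapping with the pid, timestamp, path and address the question asks for. The sample trace embedded in it is constructed for the example (paths, pid and addresses are invented), and the `[pid N]` / timestamp prefixes it accepts are what strace prints with `-f` and `-tt`.

```python
import re
from collections import defaultdict

# One strace line: optional "[pid N] " prefix (-f), optional timestamp (-tt),
# then syscall(args) = result.  Only the numeric/hex return value is captured;
# an errno suffix such as "ENOENT (No such file or directory)" is ignored.
LINE_RE = re.compile(
    r"^(?:\[pid\s+(?P<pid>\d+)\]\s+)?"
    r"(?:(?P<ts>\d{1,2}:\d{2}:\d{2}(?:\.\d+)?)\s+)?"
    r"(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?0x[0-9a-fA-F]+|-?\d+)"
)
PATH_RE = re.compile(r'"([^"]*)"')  # first quoted argument of open/openat

# Constructed sample trace (not real output): fd 3 is reused after close(),
# one mapping is anonymous, and one open fails, to exercise the bookkeeping.
SAMPLE_TRACE = """\
[pid  4242] 10:15:01.100000 openat(AT_FDCWD, "/lib/ld-linux.so.2", O_RDONLY|O_CLOEXEC) = 3
[pid  4242] 10:15:01.100100 mmap2(NULL, 40654, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb80e5000
[pid  4242] 10:15:01.100200 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb80e4000
[pid  4242] 10:15:01.100300 mmap2(0x724000, 37456, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x724000
[pid  4242] 10:15:01.100400 close(3) = 0
[pid  4242] 10:15:01.100500 openat(AT_FDCWD, "/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
[pid  4242] 10:15:01.100600 mmap2(0x27e000, 117704, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x27e000
[pid  4242] 10:15:01.100700 close(3) = 0
[pid  4242] 10:15:01.100800 openat(AT_FDCWD, "/nonexistent.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
"""


def image_loads(trace_text):
    """Return one dict per file-backed mmap/mmap2 call, in trace order."""
    fd_tables = defaultdict(dict)  # pid -> {fd: path}; fds are per process
    loads = []
    for line in trace_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "+++ exited", "--- SIGCHLD", unfinished/resumed lines
        pid = int(m["pid"]) if m["pid"] else 0  # 0 = unprefixed single-process trace
        call, args, ret = m["call"], m["args"], m["ret"]
        fds = fd_tables[pid]
        if call in ("open", "openat"):
            fd = int(ret)
            if fd >= 0:  # a failed open (-1 ENOENT) must not poison the table
                fds[fd] = PATH_RE.search(args).group(1)
        elif call == "close":
            fds.pop(int(args), None)  # the number may be reused by the next open
        elif call in ("mmap", "mmap2"):
            fields = [f.strip() for f in args.split(",")]
            if len(fields) != 6 or ret.startswith("-"):
                continue  # malformed line or failed mapping
            prot, flags, fd = fields[2], fields[3], int(fields[4])
            if fd < 0 or "MAP_ANONYMOUS" in flags:
                continue  # anonymous memory, not an image
            loads.append({
                "pid": pid,
                "ts": m["ts"],
                "path": fds.get(fd, "<fd %d opened before trace started>" % fd),
                "addr": int(ret, 16),  # mmap's return value is the load address
                "prot": prot,
            })
    return loads


if __name__ == "__main__":
    for rec in image_loads(SAMPLE_TRACE):
        print("%d %s %-24s 0x%08x %s" % (rec["pid"], rec["ts"], rec["path"], rec["addr"], rec["prot"]))
```

Each image typically produces several records (a read-only header mapping, then the PROT_EXEC and writable segments), so the first record per path is the one to take as the load address; tracking close() matters because the kernel hands out the lowest free descriptor and the same number is reused for the next library. strace's -y option prints the path next to each descriptor, which makes this manual correlation unnecessary on traces collected with it.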
