I am trying to trace information every time an image on Linux is loaded into memory. Ideally, I would need
I have managed to get the pid, timestamp and path using the open_exec tracepoint available on Linux, but I'm having problems tracing the memory location where the image is loaded. Any suggestions (tracepoints, markers, syscalls, etc.) on how I could trace this?
One idea could be to trace all mmap(2) calls, in a manner similar to how strace(1) traces calls (strace uses the ptrace(2) APIs). You can try it yourself by checking what strace sees, using strace (some command) 2> FOO and then grep mmap FOO:
mmap2(NULL, 40654, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb80e5000
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb80e4000
mmap2(0x724000, 37456, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x724000
mmap2(0x72c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7) = 0x72c000
mmap2(0x27e000, 117704, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x27e000
mmap2(0x299000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1a) = 0x299000
mmap2(0x697000, 17008, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x697000
mmap2(0x69b000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3) = 0x69b000
You have the corresponding file name of each descriptor (from open(2)), and the return value of mmap(2) will be the address where the image is mapped in memory.
Depending on how you can intercept the process, you can also inject a hook on dlopen, though the above should be enough.
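As an added illustration (not part of the answer above): a small Python parser for strace output that does the fd-to-path join the answer describes, taking the return value of each file-backed mmap as the load address and forgetting an fd on close() so a reused number is not attributed to the wrong file. The log in SAMPLE is constructed, not a real capture, and the regexes assume strace was run without -f (no PID column), e.g. strace -e trace=openat,open,mmap,mmap2,close.

```python
import re

# Line shapes we care about, as strace(1) prints them without -f (no PID column).
OPEN_RE = re.compile(r'^(?:open|openat)\((?:AT_FDCWD, )?"([^"]+)".*\) = (-?\d+)')
MMAP_RE = re.compile(r'^mmap2?\((\w+), (\d+), ([A-Z_|]+), ([A-Z_|]+), (-?\d+), '
                     r'(0x[0-9a-f]+|\d+)\) = (0x[0-9a-f]+|-\d+)')
CLOSE_RE = re.compile(r'^close\((\d+)\)')

def image_mappings(lines):
    """File-backed mappings as (path, base, size, prot) tuples, in call order."""
    fd_table = {}          # live fd -> path, filled from open/openat lines
    mappings = []
    for line in lines:
        line = line.strip()
        m = OPEN_RE.match(line)
        if m:
            fd = int(m.group(2))
            if fd >= 0:    # a failed open returns -1 and creates no fd
                fd_table[fd] = m.group(1)
            continue
        m = CLOSE_RE.match(line)
        if m:
            fd_table.pop(int(m.group(1)), None)  # fds are reused after close(); drop stale path
            continue
        m = MMAP_RE.match(line)
        if m:
            fd, base = int(m.group(5)), m.group(7)
            if fd < 0 or base.startswith('-'):
                continue   # MAP_ANONYMOUS (fd -1) or a failed mmap: no image behind it
            path = fd_table.get(fd, '<unknown fd %d>' % fd)
            mappings.append((path, int(base, 16), int(m.group(2)), m.group(3)))
    return mappings

def executable_images(lines):
    """Only the PROT_EXEC mappings: the text segment of each loaded image."""
    return [(path, base) for path, base, _size, prot in image_mappings(lines)
            if 'PROT_EXEC' in prot.split('|')]

# Constructed strace output (not a real capture); includes a failed open and an fd reuse.
SAMPLE = """
openat(AT_FDCWD, "/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
mmap2(NULL, 40654, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb80e5000
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb80e4000
mmap2(0x724000, 37456, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x724000
close(3) = 0
openat(AT_FDCWD, "/nonexistent/libfoo.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
mmap2(0x27e000, 117704, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x27e000
"""
```

Feed it real output with image_mappings(open('FOO').readlines()); the first tuple of each path is usually the ELF header read-only mapping and the PROT_EXEC one is where the code actually lands.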