STRLCPY/dismember

Add a process tree view
Liam Galvin committed 2 years ago

eb27ccc5

1 parent e25c39aa

Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)

■ ■ ■ ■ ■ ■

README.md

		skipped 5 lines
6	6
7	7		Dismember can be used to search memory of all processes it has access to, so running it as root is the most effective method.
8	8
	9	+	Commands are also included to list processes, explore process status and related information, draw process trees, and more...
	10	+
9	11		## Installation
10	12
11	13		Grab a binary from the [latest release](https://github.com/liamg/dismember/releases/latest) and add it to your path.
		skipped 2 lines
14	16
15	17		### Search for a pattern in a process by PID
16	18		```bash
	19	+	# search memory owned by process 1234
17	20		dismember grep -p 1234 'the password is .*'
18	21		```
19	22
20	23		### Search for a pattern in a process by name
21	24		```bash
22		-	dismember grep -n apache 'username=liamg&password=.*'
	25	+	# search memory owned by processes named "nginx" for a login form submission
	26	+	dismember grep -n nginx 'username=liamg&password=.*'
23	27		```
24	28
25	29		### Search for a pattern across all processes
26	30		```bash
27		-	# find a github api token
	31	+	# find a github api token across all processes
28	32		dismember grep 'gh[pousr]_[0-9a-zA-Z]{36}'
29	33		```
30	34
	35	+	### Render a complete process tree
	36	+	```bash
	37	+	# defaults to pid=1 to show all (accessible) processes
	38	+	dismember tree
	39	+	```
	40	+

■ ■ ■ ■ ■ ■

internal/cmd/grep.go

		skipped 13 lines
14	14		var flagProcessName string
15	15		var flagIncludeSelf bool
16	16		var flagDumpRadius int
	17	+	var flagFast bool
17	18
18	19		func init() {
19	20
		skipped 9 lines
29	30		grepCmd.Flags().StringVarP(&flagProcessName, "pname", "n", "", "Grep memory of all processes whose name contains this string.")
30	31		grepCmd.Flags().IntVarP(&flagDumpRadius, "dump-radius", "r", 2, "The number of lines of memory to dump both above and below each match.")
31	32		grepCmd.Flags().BoolVarP(&flagIncludeSelf, "self", "s", false, "Include results that are matched against the current process, or an ancestor of that process.")
	33	+	grepCmd.Flags().BoolVarP(&flagFast, "fast", "f", false, "Skip mapped files in order to run faster.")
32	34		rootCmd.AddCommand(grepCmd)
33	35		}
34	36
		skipped 66 lines
101	103		ansiReset = "\x1b[0m"
102	104		ansiBold = "\x1b[1m"
103	105		ansiDim = "\x1b[2m"
104		-	ansiUnderline = "\x1b[4m"
105	106		ansiItalic = "\x1b[3m"
	107	+	ansiUnderline = "\x1b[4m"
106	108		ansiRed = "\x1b[31m"
107	109		ansiGreen = "\x1b[32m"
108	110		)
		skipped 28 lines
137	139
138	140		data, err := g.Process.ReadMemory(g.Map, start, size)
139	141		if err != nil {
140		-	return fmt.Sprintf("dump not available: %s", err)
	142	+	return fmt.Sprintf(" dump not available: %s", err)
141	143		}
142	144
143	145		literalStartAddr := g.Map.Address + start
		skipped 75 lines

■ ■ ■ ■ ■ ■

internal/cmd/list.go

		skipped 12 lines
13	13		Short: "List all processes currently available on the system",
14	14		Long: ``,
15	15		RunE: listHandler,
	16	+	Args: cobra.ExactArgs(0),
16	17		})
17	18		}
18	19
19		-	func listHandler(cmd *cobra.Command, args []string) error {
	20	+	func listHandler(cmd *cobra.Command, _ []string) error {
20	21
21	22		processes, err := proc.List(true)
22	23		if err != nil {
		skipped 18 lines

■ ■ ■ ■ ■ ■

internal/cmd/tree.go

1	+	package cmd
2	+
3	+	import (
4	+	"fmt"
5	+	"github.com/liamg/dismember/pkg/proc"
6	+	"github.com/spf13/cobra"
7	+	"io"
8	+	)
9	+
10	+	func init() {
11	+	treeCmd := &cobra.Command{
12	+	Use: "tree",
13	+	Short: "Show a tree diagram of a process and all children (defaults to PID 1).",
14	+	Long: ``,
15	+	RunE: treeHandler,
16	+	Args: cobra.ExactArgs(0),
17	+	}
18	+	treeCmd.Flags().IntVarP(&flagPID, "pid", "p", 1, "PID of the process to analyse")
19	+	rootCmd.AddCommand(treeCmd)
20	+
21	+	}
22	+
23	+	type procWithStatus struct {
24	+	process proc.Process
25	+	status proc.Status
26	+	}
27	+
28	+	func treeHandler(cmd *cobra.Command, _ []string) error {
29	+
30	+	processes, err := proc.List(true)
31	+	if err != nil {
32	+	return err
33	+	}
34	+
35	+	root := proc.Process(flagPID)
36	+	status, err := root.Status()
37	+	if err != nil {
38	+	return err
39	+	}
40	+	rootWithStatus := procWithStatus{
41	+	process: root,
42	+	status: *status,
43	+	}
44	+
45	+	var all []procWithStatus
46	+	for _, process := range processes {
47	+	status, err := process.Status()
48	+	if err != nil {
49	+	continue
50	+	}
51	+	all = append(all, procWithStatus{
52	+	process: process,
53	+	status: *status,
54	+	})
55	+	}
56	+
57	+	drawBranch(cmd.OutOrStdout(), rootWithStatus, nil, all)
58	+	return nil
59	+	}
60	+
61	+	func drawBranch(w io.Writer, parent procWithStatus, lasts []bool, all []procWithStatus) {
62	+
63	+	var children []procWithStatus
64	+	for _, process := range all {
65	+	if process.status.Parent != parent.process {
66	+	continue
67	+	}
68	+	children = append(children, process)
69	+	}
70	+
71	+	var done bool
72	+	_, _ = fmt.Fprint(w, ansiDim)
73	+	if len(lasts) > 1 {
74	+	for _, last := range lasts[1:] {
75	+	if !last {
76	+	_, _ = fmt.Fprint(w, " │ ")
77	+	} else if !done {
78	+	done = true
79	+	_, _ = fmt.Fprint(w, " │ ")
80	+	} else {
81	+	_, _ = fmt.Fprint(w, " ")
82	+	}
83	+	}
84	+	}
85	+
86	+	if len(lasts) > 0 {
87	+	symbol := '├'
88	+	if lasts[len(lasts)-1] {
89	+	symbol = '└'
90	+	}
91	+	_, _ = fmt.Fprintf(w, " %c─ ", symbol)
92	+	}
93	+
94	+	_, _ = fmt.Fprint(w, ansiReset)
95	+	_, _ = fmt.Fprintf(w, "%s %s(%s%d%s)%s\n", parent.status.Name, ansiDim, ansiReset, parent.process, ansiDim, ansiReset)
96	+
97	+	for i, child := range children {
98	+	drawBranch(w, child, append(lasts, i == len(children)-1), all)
99	+	}
100	+	}
101	+

Add a process tree view