Closed. behouba closed this pull request 10 months ago.
Codecov report: patch coverage 85.38% and project coverage change +0.55%. Comparison is base (8e4f577) 82.78% compared to head (7e107e2) 83.33%.
Test results: 46 tests (+4), 46 passed (+4), 0 skipped (±0), 0 failed (±0), 1 suite (±0), 1 file (±0), 1s (±0s).
Results for commit d9e57423. Comparison against base commit 23dc8ace.
This comment has been updated with latest results.
Great work @behouba!
It might be useful to extend memparse with support for shared memory in a subsequent pull request. For example, it could be an additional column in the table generated with checkpointctl memparse <checkpoint>.tar and perhaps a new option that shows only the content of pagemap-shmem-{}.img when --pid is used.
@behouba Would it be possible to update go-criu in a separate pull request?
@behouba Could you add a section about memory analysis to the README file?
It might be good to describe how users can use checkpointctl memparse with an example:
$ sudo podman run --name postgres -e POSTGRES_PASSWORD=mysecret -d postgres
$ sudo podman container checkpoint -l --export=/tmp/postgres.tar.gz
$ sudo checkpointctl memparse --pid 1 /tmp/postgres.tar.gz | grep mysecret
000055f9deed8e70 44 3d 6d 79 73 65 63 72 65 74 00 00 00 00 00 00 |D=mysecret......|
# Start vulnerable web application
$ sudo podman run --name dsvw -p 1234:8000 -d quay.io/rst0git/dsvw
# Perform arbitrary code execution attack: $(echo secret)
$ curl "http://localhost:1234/?domain=www.google.com%3B%20echo%20secret"
nslookup: can't resolve '(null)': Name does not resolve
Name: www.google.com
Address 1: 142.250.187.228 lhr25s34-in-f4.1e100.net
Address 2: 2a00:1450:4009:820::2004 lhr25s34-in-x04.1e100.net
secret
(reverse-i-search)`': ^C
# Create a checkpoint for forensic analysis and leave the container running
$ sudo podman container checkpoint --leave-running -l -e /tmp/dsvw.tar
# Analyse checkpoint memory to identify the attacker's injected code
$ sudo checkpointctl memparse --pid 1 /tmp/dsvw.tar | grep 'echo secret'
00007faac5711f60 6f 6d 3b 20 65 63 68 6f 20 73 65 63 72 65 74 00 |om; echo secret.|
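One caveat a practitioner will want when grepping memparse output, shown as an added example that is not part of this pull request or of checkpointctl's own code: each hexdump row holds 16 bytes, so a string that straddles a row boundary is missed by a plain grep, and the ASCII column shows non-printable bytes as '.'. The Go snippet below assumes the row format shown above (address, 16 hex bytes, ASCII column), uses constructed sample rows, reassembles contiguous rows into byte runs and searches the raw bytes instead of the text.

```go
package main
import (
	"bytes"
	"encoding/hex"
	"strconv"
	"strings"
)
// Constructed rows in the format `checkpointctl memparse --pid <pid>` prints (address, 16 hex
// bytes, ASCII column). The second "echo secret" straddles two rows: grep sees only the first.
const sampleDump = `00007faac5711f50 61 69 6e 3d 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 |ain=www.google.c|
00007faac5711f60 6f 6d 3b 20 65 63 68 6f 20 73 65 63 72 65 74 00 |om; echo secret.|
00007faac5720000 47 45 54 20 2f 3f 78 3d 61 3b 20 65 63 68 6f 20 |GET /?x=a; echo |
00007faac5720010 73 65 63 72 65 74 20 48 54 54 50 2f 31 2e 31 0d |secret HTTP/1.1.|`
// region is a run of bytes reassembled from rows whose addresses are contiguous.
type region struct{ start uint64; data []byte }
// parseDump decodes the hex column of each row (the ASCII column is lossy: non-printable
// bytes show as '.') and merges rows with contiguous addresses into regions.
func parseDump(dump string) []region {
	var regions []region
	for _, line := range strings.Split(dump, "\n") {
		pipe := strings.IndexByte(line, '|') // start of the ASCII column
		if pipe < 17 {
			continue // blank line, table header or other non-row text
		}
		addr, err := strconv.ParseUint(line[:16], 16, 64)
		row, err2 := hex.DecodeString(strings.ReplaceAll(line[16:pipe], " ", ""))
		if err != nil || err2 != nil {
			continue
		}
		if n := len(regions); n > 0 && regions[n-1].start+uint64(len(regions[n-1].data)) == addr {
			regions[n-1].data = append(regions[n-1].data, row...) // contiguous: extend the run
		} else {
			regions = append(regions, region{start: addr, data: row})
		}
	}
	return regions
}
// findPattern returns the address of every occurrence of pattern, including those split across rows.
func findPattern(regions []region, pattern []byte) (hits []uint64) {
	for _, r := range regions {
		for off := 0; len(pattern) > 0; off++ {
			i := bytes.Index(r.data[off:], pattern)
			if i < 0 {
				break
			}
			off += i
			hits = append(hits, r.start+uint64(off))
		}
	}
	return hits
}
```

On the sample rows findPattern reports both occurrences (0x7faac5711f64 and 0x7faac572000b), whereas grep on the dump text only matches the row at 0x7faac5711f60.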
@rst0git PTAL, and thank you for providing such good examples.
This PR introduces a new sub-command, memparse, which allows analyzing the memory pages of processes. This new feature was discussed here: #69. When used without any arguments, the command displays a table showing the memory sizes of processes. Here's an example:
If a process ID (pid) is provided, the command prints the memory pages of that specific process in a hexdump-like format. For instance:
This output can be written to a file instead of stdout using the --output flag.
@rst0git, @adrianreber, could you please take a look?