mozilla / mig

Distributed & real time digital forensics at the speed of the cloud
http://mig.mozilla.org/
Mozilla Public License 2.0

[mig modules] Detect processes that use deleted libraries (Bugzilla #1167354) #125

Open jvehent opened 9 years ago

jvehent commented 9 years ago

Migrated from https://bugzilla.mozilla.org/show_bug.cgi?id=1167354 Assigned to: Julien Vehent [:ulfr]

On 2015-05-21 13:06:41 -0700, Julien Vehent [:ulfr] wrote:

It often happens during vulnerability patching that libraries are upgraded but processes are not restarted. When that happens, the process is marked as linked to a deleted library. MIG should have a facility to detect this, probably in the memory module. -deleted could be a boolean added to the -lib parameter to return processes that link to a given library that has been deleted on disk.

jvehent commented 9 years ago

Probably an improvement to the memory or file modules.

mvanotti commented 9 years ago

Do you have an easy way to "reproduce" this case so I can see how the Memory module can understand this?

jhmartin commented 8 years ago

Run perl -e "sleep(900);" &, identify the pid of the process, then lsof PERLPID. You'll see something like:

perl     96 root  cwd    DIR  253,1     4096 131073 /
perl     96 root  rtd    DIR  253,1     4096 131073 /
perl     96 root  txt    REG  253,1    11400 138558 /usr/bin/perl
perl     96 root  mem    REG  253,1    11376 132717 /usr/lib64/libfreebl3.so
perl     96 root  mem    REG  253,1  2107760 132678 /usr/lib64/libc-2.17.so
perl     96 root  mem    REG  253,1   141616 132874 /usr/lib64/libpthread-2.17.so
perl     96 root  mem    REG  253,1    14608 132946 /usr/lib64/libutil-2.17.so
perl     96 root  mem    REG  253,1    40816 132692 /usr/lib64/libcrypt-2.17.so
perl     96 root  mem    REG  253,1  1141552 132793 /usr/lib64/libm-2.17.so
perl     96 root  mem    REG  253,1    19512 132702 /usr/lib64/libdl-2.17.so
perl     96 root  mem    REG  253,1   113320 132818 /usr/lib64/libnsl-2.17.so
perl     96 root  mem    REG  253,1   110808 132881 /usr/lib64/libresolv-2.17.so
perl     96 root  mem    REG  253,1  1643224 262880 /usr/lib64/perl5/CORE/libperl.so
perl     96 root  mem    REG  253,1   164336 132654 /usr/lib64/ld-2.17.so
perl     96 root    0u   CHR  136,1      0t0      4 /1
perl     96 root    1u   CHR  136,1      0t0      4 /1
perl     96 root    2u   CHR  136,1      0t0      4 /1

Copy /usr/lib64/perl5/CORE/libperl.so to a temporary location, rm it, then copy it back. lsof will show:

perl     96 root  DEL    REG  253,1          262880 /usr/lib64/perl5/CORE/libperl.so

Notice the DEL.

mvanotti commented 8 years ago

If you move the file, it will appear in both lsof and masche with the new path. If you delete the file it will appear in masche with (deleted) after its name, for example:

00400000-005a5000 r-xp 00000000 08:12 3019538 /tmp/perl2 (deleted)

So you can run for example:

listlibs -r="^.* (deleted)$" to see all the processes that have a deleted file mapped to memory, or -r="^.*.so (deleted)$" to limit it to .so files.
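The check that jhmartin reproduces with lsof (the DEL entry) and that mvanotti describes via the "(deleted)" suffix in /proc/<pid>/maps can be done directly by parsing the maps file. The following Go program is an added example, not code from MIG or masche: it parses maps lines, keeps the ones the kernel has tagged "(deleted)", and optionally filters them with a regex applied to the stripped path, so `\.so$` here is the equivalent of the listlibs `^.*.so (deleted)$` pattern above. The `SampleMaps` input is constructed (its first line is the one quoted in this thread, the rest are made up in the same layout), and `DeletedMappingsForPID` only works on a live Linux host.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Mapping is one parsed line of /proc/<pid>/maps. Only the fields this
// check needs are kept.
type Mapping struct {
	Range   string // "start-end" in hex
	Perms   string // e.g. "r-xp"
	Inode   string
	Path    string // pathname with any " (deleted)" suffix removed
	Deleted bool   // the kernel appended " (deleted)" to the pathname
}

// A maps line is: address perms offset dev inode [pathname]. The pathname
// is optional and may itself contain spaces, so capture the first five
// whitespace-separated fields and treat the remainder as the path.
var mapsLine = regexp.MustCompile(`^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$`)

const deletedSuffix = " (deleted)"

// ParseMaps parses the full text of a maps file; lines that do not match
// the expected layout are skipped.
func ParseMaps(text string) []Mapping {
	var out []Mapping
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		m := mapsLine.FindStringSubmatch(strings.TrimSpace(sc.Text()))
		if m == nil {
			continue
		}
		path := m[6]
		out = append(out, Mapping{
			Range:   m[1],
			Perms:   m[2],
			Inode:   m[5],
			Path:    strings.TrimSuffix(path, deletedSuffix),
			Deleted: strings.HasSuffix(path, deletedSuffix),
		})
	}
	return out
}

// DeletedMappings returns the distinct file paths, in first-seen order,
// that are still mapped but have been unlinked on disk. If re is non-nil,
// only paths matching it are returned (e.g. `\.so$` to restrict the result
// to shared libraries).
func DeletedMappings(maps []Mapping, re *regexp.Regexp) []string {
	seen := map[string]bool{}
	var out []string
	for _, m := range maps {
		if !m.Deleted || m.Path == "" || seen[m.Path] {
			continue
		}
		if re != nil && !re.MatchString(m.Path) {
			continue
		}
		seen[m.Path] = true
		out = append(out, m.Path)
	}
	return out
}

// DeletedMappingsForPID reads a live process's maps file (Linux only).
func DeletedMappingsForPID(pid int, re *regexp.Regexp) ([]string, error) {
	data, err := os.ReadFile(fmt.Sprintf("/proc/%d/maps", pid))
	if err != nil {
		return nil, err
	}
	return DeletedMappings(ParseMaps(string(data)), re), nil
}

// SampleMaps is constructed input for offline use: the first line is the
// one quoted in the thread; the others are made-up mappings in the same
// layout (an intact libc, a libperl.so that was replaced on disk, and two
// anonymous mappings).
const SampleMaps = `00400000-005a5000 r-xp 00000000 08:12 3019538                            /tmp/perl2 (deleted)
005a5000-005a6000 r--p 001a4000 08:12 3019538                            /tmp/perl2 (deleted)
7f3a1c000000-7f3a1c1ae000 r-xp 00000000 fd:01 132678                     /usr/lib64/libc-2.17.so
7f3a1c5e0000-7f3a1c770000 r-xp 00000000 fd:01 262880                     /usr/lib64/perl5/CORE/libperl.so (deleted)
7f3a1c9a0000-7f3a1c9a3000 rw-p 00000000 00:00 0
7ffd2b000000-7ffd2b021000 rw-p 00000000 00:00 0                          [stack]
`

func main() {
	maps := ParseMaps(SampleMaps)
	fmt.Println("any deleted file:", DeletedMappings(maps, nil))
	fmt.Println("deleted .so only:", DeletedMappings(maps, regexp.MustCompile(`\.so$`)))
}
```

Running it against the sample reports /tmp/perl2 and libperl.so as deleted-but-mapped, and only libperl.so once the `\.so$` filter is applied. A process with a non-empty result is one that a library upgrade did not reach and that still needs a restart; iterating `DeletedMappingsForPID` over every entry in /proc gives the host-wide view the issue asks for.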

jvehent commented 8 years ago

@mvanotti: Would you mind adding a section on how to search for deleted libraries to the cheatsheet and the memory module doc?