Hi folks,
This plugin is a proof of concept. It should be a new way to discover processes
in Linux memory dumps. This is possible by leveraging the thread_info data
structure on the kernel stack.
As you can read from the source code:
kstack walks the kernel pages to discover task_struct data structures. We are interested in kernel stack pages and we leverage the thread_info data structure, whose first field is a pointer to the task_struct owning the current kernel stack (see the references).
At the moment it supports only x86-32 systems. If the community is interested in this plugin I may add the x86-64 and Android support.
Any feedback is really appreciated.
Mariano
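The scanning idea described in the post, written up as an added example (this is not the kstack plugin's own code and not Volatility code). It builds a small constructed x86-32 "memory dump" in which thread_info sits at the THREAD_SIZE-aligned base of each kernel stack and its first field points at the owning task_struct, then walks the dump at stack-size granularity and validates every candidate by checking that the task_struct's stack pointer points back at the thread_info. The task_struct field offsets (TASK_STACK_OFF, TASK_COMM_OFF, TASK_SIZE) are hypothetical values chosen for this example; real offsets come from the kernel profile. The physical-to-virtual mapping assumes the lowmem direct map (virtual = physical + PAGE_OFFSET), which is a simplification of a real address space.

```python
import struct

PAGE_OFFSET = 0xC0000000   # x86-32 default kernel direct-map base
THREAD_SIZE = 8192         # x86-32 kernel stack size; thread_info lives at the aligned stack base

# Constructed task_struct layout used only by this example (real offsets come from the profile)
TASK_STACK_OFF = 4         # hypothetical offset of task_struct.stack (back-pointer to thread_info)
TASK_COMM_OFF = 0x20       # hypothetical offset of task_struct.comm (16-byte process name)
TASK_SIZE = 0x40           # hypothetical size of the constructed task_struct


def v2p(vaddr):
    """Kernel lowmem virtual address -> physical offset in the dump (simplified direct map)."""
    return vaddr - PAGE_OFFSET


def p2v(paddr):
    """Physical offset in the dump -> kernel lowmem virtual address."""
    return paddr + PAGE_OFFSET


def build_task(stack_vaddr, comm):
    """Construct one fake task_struct whose .stack field points at stack_vaddr."""
    buf = bytearray(TASK_SIZE)
    struct.pack_into("<I", buf, TASK_STACK_OFF, stack_vaddr)
    buf[TASK_COMM_OFF:TASK_COMM_OFF + 16] = comm.encode().ljust(16, b"\0")
    return bytes(buf)


def build_dump():
    """Constructed 64 KiB physical memory image with two real task/stack pairs and two decoys."""
    dump = bytearray(64 * 1024)
    # genuine pairs: task_struct in a slab-like page, kernel stack at a THREAD_SIZE-aligned base
    tasks = [(0x1000, 0x4000, "swapper"), (0x1100, 0x6000, "sshd")]
    for task_p, stack_p, comm in tasks:
        dump[task_p:task_p + TASK_SIZE] = build_task(p2v(stack_p), comm)
        struct.pack_into("<I", dump, stack_p, p2v(task_p))   # thread_info.task (first field)
    # decoy 1: stack-aligned word that points into kernel space, but the target has no back-pointer
    struct.pack_into("<I", dump, 0x8000, p2v(0x2000))
    # decoy 2: a user-space-looking pointer at a stack-aligned offset
    struct.pack_into("<I", dump, 0xA000, 0x08048000)
    return bytes(dump)


def scan_kstacks(dump):
    """Walk the dump at THREAD_SIZE granularity and return validated (stack, task, comm) hits."""
    hits = []
    for stack_p in range(0, len(dump), THREAD_SIZE):
        task_v = struct.unpack_from("<I", dump, stack_p)[0]   # candidate thread_info.task
        if task_v < PAGE_OFFSET:                               # not a kernel pointer
            continue
        task_p = v2p(task_v)
        if task_p + TASK_SIZE > len(dump):                     # pointer outside the image
            continue
        back = struct.unpack_from("<I", dump, task_p + TASK_STACK_OFF)[0]
        if back != p2v(stack_p):                               # task_struct.stack must point back here
            continue
        raw = dump[task_p + TASK_COMM_OFF:task_p + TASK_COMM_OFF + 16]
        comm = raw.split(b"\0", 1)[0].decode(errors="replace")
        hits.append((hex(p2v(stack_p)), hex(task_v), comm))
    return hits


if __name__ == "__main__":
    for stack, task, comm in scan_kstacks(build_dump()):
        print(f"thread_info {stack} -> task_struct {task} comm={comm}")
```

The back-pointer check is what makes the walk robust against stray kernel-looking pointers at stack-aligned offsets (decoy 1 above is rejected for exactly that reason), and it costs only one extra read per candidate. One caveat for anyone trying this on newer images: with CONFIG_THREAD_INFO_IN_TASK (x86 from kernel 4.9) thread_info is embedded in task_struct rather than placed at the stack base, so the first-word-of-stack heuristic applies to the older layouts the post targets.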