Envars listing addition + Macos process filtering enhanced.#7
Envars listing addition + Macos process filtering enhanced.#7forensicxlab wants to merge 4 commits intomemflow:mainfrom
Conversation
forensicxlab
changed the title
ko1N
left a comment
ko1N
left a comment
There was a problem hiding this comment.
Thanks for the PR! I'm not too sure about the newly introduced dependency. I think using raw OS apis gives us more control over how we handle things.
| }) | ||
| } | ||
|
|
||
| fn process_exists(&self) -> bool { |
There was a problem hiding this comment.
I don't think we should introduce a new crate here. using NtQueryInformationProcess is totally fine and does not require a new dependency.
|
|
||
| fn collect_envars(&self) -> Result<Vec<EnvVarInfo>> { | ||
| let pid = Pid::from_u32(self.info.pid); | ||
| let mut system = System::new_with_specifics( |
There was a problem hiding this comment.
I think we should be able to do this with plain windows apis as well? This would give us much more control here.
| memflow::os::util::module_section_list_callback(&mut self.virt_mem, info, callback) | ||
| } | ||
|
|
||
| fn envar_list_callback( |
There was a problem hiding this comment.
I think it should be possible that we emit a feature flag based on the memflow plugin abi version. This we could check at compile time via #cfg[...] and allow the plugin to work (without this feature) with the current stable plugin abi version.
|
I added 8b2a617 to main. With this change you should be able to use cfg attrs to gate the new functions behind specific features, so we can build the plugin for multiple memflow versions. You should be able to use it like so: |
2 participants
This PR implements the process environment APIs (
envar_list_callback,environment_block_address,envar_list_from_address) across all native backends and aligns behavior between platforms.Windows: Envars are collected via
sysinfo(Process::environ()) and parsed.Linux: Envars are collected from
/proc/<pid>/environand parsed.MacOs: Envars are collected by calling
sysctl(KERN_PROCARGS2)and parsed.It is linked to memflow PR and memflow-rawmem PR and memflow-win32
To build this PR for testing (Linux/MacOs/Windows)
Uncomment the following lines in
Cargo.tomlTesting on MacOs/Linux
Module listing (Now working on latest MacOS)
cd /TEST/PATH/memflow MEMFLOW_PLUGIN_PATH=/TEST/PATH/memflow-native/target/debug \ cargo run --example module_list -- --os native --process module_listEnvars
cd /TEST/PATH/memflow MEMFLOW_PLUGIN_PATH=FULL/PATH/TO/memflow-native/target/debug \ cargo run --example envars_list -- --os native --process envars_list --envar PATHTesting on windows 11 latest (PowerShell)
Envars
Fixes / enhancements
pidinfocall to use the target PID correctly (pidinfo(pid, 0)), instead of mixing caller/target args.read_procargs2/parse_procargs2) and used that for consistentpath/command_lineextraction.MacOs; buffer size now followsKERN_ARGMAX.MacProcess::try_newno longer hard-fails iftask_for_pidis denied; it creates a process with deferred port acquisition.For module enumeration I added a small improvement to get more results: kept dyld-based module enumeration as primary path which is working well. But we can also perform a fallback to region-based enumeration (
PROC_PIDREGIONPATHINFO) when dyld/task-port path fails. This worked well for process protected like GUI processes (Finder, Dock, loginwindow), where dyld/task-port path is unavailable.First contribution to this project, happy to follow your guidance on the implementation / things to correct.