Documentation ¶
Index ¶
- Constants
- type CoredumpFile
- type CoredumpMapping
- type CoredumpProcess
- func (cd *CoredumpProcess) CalculateMappingFileID(m *Mapping) (libpf.FileID, error)
- func (cd *CoredumpProcess) GetMachineData() MachineData
- func (cd *CoredumpProcess) GetMappingFile(_ *Mapping) string
- func (cd *CoredumpProcess) GetMappings() ([]Mapping, error)
- func (cd *CoredumpProcess) GetThreads() ([]ThreadInfo, error)
- func (cd *CoredumpProcess) MainExecutable() string
- func (cd *CoredumpProcess) OpenELF(path string) (*pfelf.File, error)
- func (cd *CoredumpProcess) OpenMappingFile(_ *Mapping) (ReadAtCloser, error)
- func (cd *CoredumpProcess) PID() libpf.PID
- type FileMappingEntry64
- type FileMappingHeader64
- type MachineData
- type Mapping
- type Note64
- type Process
- type PrpsInfo64
- type ReadAtCloser
- type ThreadInfo
Constants ¶
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CoredumpFile ¶
type CoredumpFile struct { // Name is the mapped file's name Name string // Mappings contains mappings regarding this file Mappings []CoredumpMapping // Base is the virtual address where this file is loaded Base uint64 // contains filtered or unexported fields }
CoredumpFile contains information about a file mapped into a coredump
type CoredumpMapping ¶
type CoredumpMapping struct { // Corresponding PT_LOAD segment Prog *pfelf.Prog // File is the backing file for this mapping File *CoredumpFile // FileOffset is the offset in the original backing file FileOffset uint64 }
CoredumpMapping describes a file backed mapping in a coredump
type CoredumpProcess ¶
CoredumpProcess implements Process interface to ELF coredumps
func OpenCoredump ¶
func OpenCoredump(name string) (*CoredumpProcess, error)
OpenCoredump opens the named file as a coredump.
func OpenCoredumpFile ¶
func OpenCoredumpFile(f *pfelf.File) (*CoredumpProcess, error)
OpenCoredumpFile opens the given `pfelf.File` as a coredump.
Ownership of the file is transferred. Closing the coredump closes the underlying file as well.
func (*CoredumpProcess) CalculateMappingFileID ¶
func (cd *CoredumpProcess) CalculateMappingFileID(m *Mapping) (libpf.FileID, error)
CalculateMappingFileID implements the Process interface
func (*CoredumpProcess) GetMachineData ¶
func (cd *CoredumpProcess) GetMachineData() MachineData
GetMachineData implements the Process interface
func (*CoredumpProcess) GetMappingFile ¶
func (cd *CoredumpProcess) GetMappingFile(_ *Mapping) string
GetMappingFile implements the Process interface
func (*CoredumpProcess) GetMappings ¶
func (cd *CoredumpProcess) GetMappings() ([]Mapping, error)
GetMappings implements the Process interface
func (*CoredumpProcess) GetThreads ¶
func (cd *CoredumpProcess) GetThreads() ([]ThreadInfo, error)
GetThreadInfo implements the Process interface
func (*CoredumpProcess) MainExecutable ¶
func (cd *CoredumpProcess) MainExecutable() string
MainExecutable gets the file path from the mappings of the main executable.
func (*CoredumpProcess) OpenELF ¶
func (cd *CoredumpProcess) OpenELF(path string) (*pfelf.File, error)
OpenELF implements the ELFOpener and Process interfaces
func (*CoredumpProcess) OpenMappingFile ¶
func (cd *CoredumpProcess) OpenMappingFile(_ *Mapping) (ReadAtCloser, error)
OpenMappingFile implements the Process interface
func (*CoredumpProcess) PID ¶
func (cd *CoredumpProcess) PID() libpf.PID
PID implements the Process interface
type FileMappingEntry64 ¶
type FileMappingEntry64 struct {
Start, End, FileOffset uint64
}
FileMappingEntry64 is the per-mapping data header in CORE/NT_FILE note
type FileMappingHeader64 ¶
FileMappingHeader64 is the header for CORE/NT_FILE note
type MachineData ¶
type MachineData struct { // Machine is the Process Machine type Machine elf.Machine // CodePACMask contains the PAC mask for code pointers. ARM64 specific, otherwise 0. CodePACMask uint64 // DataPACMask contains the PAC mask for data pointers. ARM64 specific, otherwise 0. DataPACMask uint64 }
MachineData contains machine specific information about the process
type Mapping ¶
type Mapping struct { // Vaddr is the virtual memory start for this mapping Vaddr uint64 // Length is the length of the mapping Length uint64 // Flags contains the mapping flags and permissions Flags elf.ProgFlag // FileOffset contains for file backed mappings the offset from the file start FileOffset uint64 // Device holds the device ID where the file is located Device uint64 // Inode holds the mapped file's inode number Inode uint64 // Path contains the file name for file backed mappings Path string }
Mapping contains information about a memory mapping
func (*Mapping) GetOnDiskFileIdentifier ¶
func (m *Mapping) GetOnDiskFileIdentifier() libpf.OnDiskFileIdentifier
func (*Mapping) IsAnonymous ¶
func (*Mapping) IsExecutable ¶
type Process ¶
type Process interface { // PID returns the process identifier PID() libpf.PID // GetMachineData reads machine specific data from the target process GetMachineData() MachineData // GetMapping reads and parses process memory mappings GetMappings() ([]Mapping, error) // GetThread reads the process thread states GetThreads() ([]ThreadInfo, error) // GetRemoteMemory returns a remote memory reader accessing the target process GetRemoteMemory() remotememory.RemoteMemory // OpenMappingFile returns ReadAtCloser accessing the backing file of the mapping OpenMappingFile(*Mapping) (ReadAtCloser, error) // GetMappingFile returns the openable file name for the mapping if available. // Empty string is returned if the mapping file is not accessible via filesystem. GetMappingFile(*Mapping) string // CalculateMappingFileID calculates FileID of the backing file CalculateMappingFileID(*Mapping) (libpf.FileID, error) io.Closer pfelf.ELFOpener }
Process is the interface to inspect ELF coredump/process. The current implementations do not allow concurrent access to this interface from different goroutines. As an exception the ELFOpener and the returned GetRemoteMemory object are safe for concurrent use.
func NewPtrace ¶
NewPtrace attaches the calling goroutine to the target PID using unix PTrace API. The goroutine is locked to a system thread due to the PTrace API requirements. WARNING: All usage of Process interface to this implementation should be from one goroutine. If this is not sufficient in future, the implementation should be refactored to pass all requests via a proxy goroutine through channels so that the kernel requirements are fulfilled.
type PrpsInfo64 ¶
type PrpsInfo64 struct { State uint8 Sname uint8 Zombie uint8 Nice uint8 Gap uint32 Flags uint64 UID uint32 GID uint32 PID uint32 PPID uint32 PGRP uint32 SID uint32 FName [16]byte Args [80]byte }
PrpsInfo64 is the 64-bit NT_PRPSINFO note header
type ReadAtCloser ¶
ReadAtCloser interfaces implements io.ReaderAt and io.Closer
type ThreadInfo ¶
type ThreadInfo struct { // TPBase contains the Thread Pointer Base value TPBase uint64 // GPRegs contains the CPU state (registers) for the thread GPRegs []byte // LWP is the Light Weight Process ID (thread ID) LWP uint32 }
ThreadInfo contains the information about a thread CPU state needed for unwinding