mig/doc/module_memory.html

<!DOCTYPE html><html><head><meta charset="utf-8"><title></title><style type="text/css">body {
width: 95%;
max-width: 70%;
margin: 20px;
padding: 0;
background: #151515 url("../images/bkg.png") 0 0;
color: #eaeaea;
font: 16px;
line-height: 1.5em;
font-family: Monaco, "Bitstream Vera Sans Mono", "Lucida Console", Terminal, monospace;
}
#table-of-contents ul {
line-height: 1;
}
/* General & 'Reset' Stuff */
.container {
width: 95%;
max-width: 1000px;
margin: 0 auto;
}
section {
display: block;
margin: 0 0 20px 0;
}
h1, h2, h3, h4, h5, h6 {
/*margin: 0 0 20px;*/
/*margin: 0;*/
}
/* Header, <header>
* header - container
* h1 - project name
* h2 - project description
* */
header {
background: rgba(0, 0, 0, 0.1);
width: 100%;
/*border-bottom: 1px dashed #b5e853;*/
/*padding: 20px 0;
* margin: 0 0 40px 0;*/
padding: 5px 0;
margin: 0 0 10px 0;
}
header h1 {
font-size: 30px;
line-height: 1.5;
margin: 0 0 0 -40px;
font-weight: bold;
font-family: Monaco, "Bitstream Vera Sans Mono", "Lucida Console", Terminal, monospace;
/*color: #b5e853;*/
color: #089d00;
text-shadow: 0 1px 1px rgba(0, 0, 0, 0.1),
0 0 5px rgba(181, 232, 83, 0.1),
0 0 10px rgba(181, 232, 83, 0.1);
letter-spacing: -1px;
-webkit-font-smoothing: antialiased;
}
header h1:before {
content: "./ ";
font-size: 24px;
}
header h2 {
font-size: 18px;
font-weight: 300;
}
/* Main Content
* */
body {
width: 100%;
margin-left: auto;
margin-right: auto;
-webkit-font-smoothing: antialiased;
}
section img {
max-width: 100%
}
h2 a {
font-weight: bold;
color: #8AB638;
line-height: 1.4em;
font-size: 1.4em;
}
h3 a, h4 a, h5 a, h6 a {
font-weight: bold;
color: #934500;
line-height: 1.4em;
}
h1 {
font-size: 30px;
}
h2 {
font-size: 28px;
border-bottom: 1px dashed #b5e853;
}
h3 {
font-size: 18px;
}
h4 {
font-size: 14px;
}
h5 {
font-size: 12px;
text-transform: uppercase;
margin: 0 0 5px 0;
}
h6 {
font-size: 12px;
text-transform: uppercase;
color: #999;
margin: 0 0 5px 0;
}
dt {
font-style: italic;
font-weight: bold;
}
/*
ul li {
list-style: none;
}
*/
/*
ul li:before {
content: ">>";
font-family: Monaco, "Bitstream Vera Sans Mono", "Lucida Console", Terminal, monospace;
font-size: 13px;
color: #b5e853;
margin-left: -37px;
margin-right: 21px;
line-height: 16px;
}
*/
blockquote {
color: #aaa;
padding-left: 10px;
border-left: 1px dotted #666;
}
pre {
background: rgba(0, 0, 0, 0.9);
border: 1px solid rgba(255, 255, 255, 0.15);
padding: 10px;
font-size: 14px;
/*color: #b5e853;*/
border-radius: 2px;
-moz-border-radius: 2px;
-webkit-border-radius: 2px;
text-wrap: normal;
overflow: auto;
overflow-y: hidden;
}
pre.address {
margin-bottom: 0 ;
margin-top: 0 ;
font: inherit }
pre.literal-block, pre.doctest-block, pre.math, pre.code {
margin-left: 2em ;
margin-right: 2em }
code .ln { color: grey; } /* line numbers */
/*code, code { background-color: #eeeeee }*/
code .comment, code .comment, code .c1 { color: #999; }
code .keyword, code .keyword, code .kd, code .kn, code .k, code .o { color: #FC8F3F; font-weight: bold;}
code .nb { color: #c45918;}
code .s {color: #0a77c4;}
code .punctuation, code .p { color: white;}
code .literal.string, code .literal.string { color: #40BF32; }
code .name, code .name.builtin, code .nx { color: white; }
code .deleted, code .deleted { background-color: #DEB0A1}
code .inserted, code .inserted { background-color: #A3D289}
table {
width: 100%;
margin: 0 0 20px 0;
}
th {
text-align: left;
border-bottom: 1px dashed #b5e853;
padding: 5px 10px;
}
td {
padding: 5px 10px;
}
hr {
height: 0;
border: 0;
border-bottom: 1px dashed #b5e853;
color: #b5e853;
}
/* Links
* a, a:hover, a:visited
* */
a {
color: #63c0f5;
/*text-shadow: 0 0 5px rgba(104, 182, 255, 0.5);*/
text-decoration: none;
}
cite {
color: #00FF4A;
}
strong {
color: #C64216;
}
</style></head><body><h1>Mozilla InvestiGator: Memory module</h1><table><tr><td class="field-label">Author</td><td>Julien Vehent &lt;<a class="reference external" href="mailto:jvehent@mozilla.com">jvehent@mozilla.com</a>&gt;</td></tr></table><div class="contents" id="table-of-contents"><h2>Table of Contents</h2><ul class="auto-toc"><li><p><a class="reference internal" href="#usage" id="id1">1   Usage</a></p><ul class="auto-toc"><li><p><a class="reference internal" href="#filters" id="id2">1.1   Filters</a></p></li><li><p><a class="reference internal" href="#options" id="id3">1.2   Options</a></p></li></ul></li><li><p><a class="reference internal" href="#memory-scanning-algorithm" id="id4">2   Memory scanning algorithm</a></p></li></ul></div><p>The memory module (MM) allows an investigator to inspect the memory content of
running processes without impacting the stability of the system. MM is built on
the <a class="reference external" href="https://github.com/mozilla/masche">Masche</a> cross-platform
memory scanning library.</p><section id="usage"><header><h2><a href="#id1">1   Usage</a></h2></header><p>MM runs searches, each identified by a search label. A search can carry a
number of search parameters and options, defined below. There is no maximum
number of searches that a single invocation of MM can perform: the module
optimizes searches so that the memory of each process is scanned only once, and
runs every applicable check on each buffer it reads.</p><p>MM can filter processes on their name or on their linked libraries. The standard
way to use the module is to set the <cite>MatchAll</cite> option to <cite>true</cite> and specify
both a name and a content or byte string to search for. MM first filters the
processes on the name, which is a cheap check, and because <cite>MatchAll</cite> is true,
only reads the memory of the processes that passed that filter.</p><p>Without <cite>MatchAll</cite>, every check is run on every process, which can be very
costly on a system with large memory usage, since every readable region of every
process is walked.</p><p>In JSON format, searches are defined as a JSON object where each search has a
label (key) and search parameters (value).</p><p>A search label is a string between 1 and 64 characters, composed of letters
[a-zA-Z], digits [0-9], underscores [_] or dashes [-].</p><pre><code class="code json"> <span class="punctuation">{</span>
<span class="name tag">"searches"</span><span class="punctuation">:</span> <span class="punctuation">{</span>
<span class="name tag">"somesearchlabel"</span><span class="punctuation">:</span> <span class="punctuation">{</span>
<span class="name tag">"names"</span><span class="punctuation">:</span> <span class="punctuation">[</span>
<span class="literal string double">"firefox"</span>
<span class="punctuation">],</span>
<span class="name tag">"contents"</span><span class="punctuation">:</span> <span class="punctuation">[</span>
<span class="literal string double">"some bogus content"</span>
<span class="punctuation">]</span>
<span class="punctuation">},</span>
<span class="name tag">"another_search"</span><span class="punctuation">:</span> <span class="punctuation">{</span>
<span class="name tag">"libraries"</span><span class="punctuation">:</span> <span class="punctuation">[</span>
<span class="literal string double">"libssl"</span>
<span class="punctuation">],</span>
<span class="name tag">"bytes"</span><span class="punctuation">:</span> <span class="punctuation">[</span>
<span class="literal string double">"afd37df8b18462"</span>
<span class="punctuation">],</span>
<span class="name tag">"options"</span><span class="punctuation">:</span> <span class="punctuation">{</span>
<span class="name tag">"matchall"</span><span class="punctuation">:</span> <span class="keyword constant">true</span><span class="punctuation">,</span>
<span class="name tag">"maxlength"</span><span class="punctuation">:</span> <span class="literal number integer">50000</span>
<span class="punctuation">}</span>
<span class="punctuation">}</span>
<span class="punctuation">}</span>
<span class="punctuation">}</span></code></pre><section id="filters"><header><h3><a href="#id2">1.1   Filters</a></h3></header><p>Search filters locate a process by its name, its libraries or its memory
content. Filters are applied in one of two ways: either <cite>matchall</cite> is set and all
filters must match on a given process for it to be included in the results, or
<cite>matchall</cite> is not set and each filter is evaluated on its own, so that any one
matching filter is enough to include the process.</p><p>Note: all regular expressions used in search filters use the regexp syntax of
the Go language, which is similar to POSIX extended syntax (RE2 rules apply:
backreferences are not supported). A full description of the syntax is available
at <a class="reference external" href="http://golang.org/pkg/regexp/syntax/">http://golang.org/pkg/regexp/syntax/</a>.</p><ul><li><p><strong>names</strong>: an array of regular expressions that are applied to the full
executable path of a process</p></li><li><p><strong>libraries</strong>: an array of regular expressions that are applied to the linked
libraries of a process. This filter does not match on statically linked binaries,
which have no linked libraries to inspect.</p></li><li><p><strong>contents</strong>: an array of regular expressions that are applied to the memory
content of a process. Beware that the regexes are UTF-8, and some processes use
a non-UTF-8 encoding internally (Java, for instance, does not store strings as
UTF-8). Use a byte string to match such encodings.</p></li><li><p><strong>bytes</strong>: an array of hexadecimal byte strings that are searched for in the
memory content of a process.</p></li></ul></section><section id="options"><header><h3><a href="#id3">1.2   Options</a></h3></header><p>Several options can be applied to a search:</p><ul><li><p><strong>matchall</strong> indicates that within a given search, all search filters must
match on one process for it to be included in the results. Being a boolean,
<cite>matchall</cite> is unset (false) by default. The MIG command line sets it
automatically; the console does not.</p></li><li><p><strong>offset</strong> sets a non-zero start address, so that the memory below it is
skipped when scanning a process. This is useful when scanning very large
processes.</p></li><li><p><strong>maxlength</strong> stops the scan of a process once that many bytes have been
read. This is useful when scanning very large processes.</p></li><li><p><strong>logfailures</strong> indicates whether MM should return detailed logs of memory
walking failures. Failures are routine, because processes have regions that are
locked or otherwise unreadable. The underlying Masche library does not attempt
to force its way through unreadable memory regions by default; it skips and logs
them instead, so a pattern that only lives in such a region is never found.</p></li></ul></section></section><section id="memory-scanning-algorithm"><header><h2><a href="#id4">2   Memory scanning algorithm</a></h2></header><p>The memory of a process is read from <cite>offset</cite> until <cite>maxlength</cite> by chunks of 4kB
by default. If one of the searches includes a byte string longer than 4kB, the
buffer is enlarged to twice the size of the longest byte string to accommodate
it.</p><p>Memory is read sequentially, and the buffer is moved forward by half of its size
at each iteration, so that every region of the process memory appears in two
consecutive buffers. A pattern cut by one buffer boundary is therefore seen whole
in the next buffer, as long as it is no longer than half the buffer (which the
sizing rule above guarantees for byte strings):</p><pre>v-offset                                          v-maxlength
|----------process-memory------------------------------------------------|
[--- buffer i=1 ---]
          [--- buffer i=2 ---]
                    [--- buffer i=3 ---]
                              [--- buffer i=4 ---]STOP</pre><p>All currently active searches are run on a copy of each buffer. Reading is not
repeated per search: a given buffer is read from the process once, however many
searches are being performed.</p><p>Walking the memory stops either when all the memory has been read, when
<cite>maxlength</cite> is reached, or as soon as all search filters have matched once.</p></section></body></html>
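The search semantics of section 1 (the cheap name filter runs first, matchall decides whether memory is walked at all, and without matchall any single matching filter selects the process) together with the walk of section 2 (a 4kB buffer, or twice the longest byte string, advanced by half a buffer, stopping at maxlength or once every filter has matched), as an added example in Go, the language whose regexp syntax the filters use. This is code written for this page, not MM's or Masche's own: process memory is a constructed byte slice rather than a live process, the Search type is an assumed Go shape of the JSON above, and the libraries filter is left out (it would be evaluated like names, against the library list instead of the path).

```go
package main

import (
	"bytes"
	"encoding/hex"
	"regexp"
)

// Search mirrors one labelled entry of the "searches" JSON object above
// (an assumed Go shape for this example, not MM's own type).
type Search struct {
	Names     []string // regexes on the executable path
	Contents  []string // regexes on memory content (UTF-8)
	Bytes     []string // hex byte strings searched in memory
	MatchAll  bool
	Offset    int
	MaxLength int // 0 reads to the end of memory
}

// memFilter is one contents regex or byte string and whether it matched yet.
type memFilter struct {
	match func([]byte) bool
	hit   bool
}

const defaultChunk = 4096 // 4kB default buffer

// bufferSize grows the buffer to twice the longest byte string if one exceeds 4kB.
func bufferSize(longestByteString int) int {
	if longestByteString > defaultChunk {
		return 2 * longestByteString
	}
	return defaultChunk
}

// RunSearch applies one search to a process given as its executable path and a
// snapshot of its memory (constructed input here; MM reads it through Masche).
// It returns whether the process is selected and how many buffers were read.
func RunSearch(s Search, path string, mem []byte) (selected bool, buffers int, err error) {
	var filters []*memFilter
	longest := 0
	for _, c := range s.Contents {
		re, err := regexp.Compile(c) // Go regexp, applied to UTF-8 bytes
		if err != nil {
			return false, 0, err
		}
		filters = append(filters, &memFilter{match: re.Match})
	}
	for _, h := range s.Bytes {
		b, err := hex.DecodeString(h)
		if err != nil {
			return false, 0, err
		}
		if len(b) > longest {
			longest = len(b)
		}
		filters = append(filters, &memFilter{match: func(buf []byte) bool { return bytes.Contains(buf, b) }})
	}

	used, hits := 0, 0 // filters specified / filters that matched at least once
	if len(s.Names) > 0 {
		used++
		for _, n := range s.Names {
			if regexp.MustCompile(n).MatchString(path) { // a bad name regex panics in this example
				hits++
				break
			}
		}
	}
	if s.MatchAll && hits < used {
		return false, 0, nil // cheap filter failed: memory is never walked
	}

	chunk := bufferSize(longest)
	end := len(mem)
	if s.MaxLength > 0 && s.Offset+s.MaxLength < end {
		end = s.Offset + s.MaxLength
	}
	// Advance by half a buffer so every region lands in two consecutive
	// buffers and a pattern cut by one boundary is seen whole by the next.
	for start := s.Offset; start < end && len(filters) > 0; start += chunk / 2 {
		stop := start + chunk
		if stop > end {
			stop = end
		}
		buf := append([]byte(nil), mem[start:stop]...) // every filter runs on a copy
		buffers++
		allHit := true
		for _, f := range filters {
			f.hit = f.hit || f.match(buf)
			allHit = allHit && f.hit
		}
		if allHit || stop == end {
			break // every filter matched once, or maxlength / end of memory reached
		}
	}
	for _, f := range filters {
		used++
		if f.hit {
			hits++
		}
	}
	if s.MatchAll {
		return hits == used, buffers, nil
	}
	return hits > 0, buffers, nil
}
```

With matchall set and a name that does not match, RunSearch returns before touching memory, which is the cheap-filter behaviour the Usage section relies on; without matchall the same search still walks the memory of every process, which is why the page warns about the cost. The buffer count it returns makes the half-buffer stepping visible: a byte string placed across the first 4kB boundary is missed by the first buffer and found by the second.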