3 # Signature-du-Terroir module to handle /proc/<pid>
7 Start a command that will stall on reading STDIN, eg, grep, cat, dd, perl, python, ruby, bash.
8 Or enter the PID of an existing, running, task.
10 Use /proc/<pid>/{exe, maps} to collect information, eg, all loaded libraries, the file paths,
11 inode numbers, and mem addresses. Then use dbugfs to read out the inode numbers. The results can be
12 hashed with sha512sum (recommended) or returned raw.
15 reset() : Empty cache, next call to get_info() will run the command
16 get_info(command) : Run command and read all info, if command differs from current_command
17 get_info(PID) : Read all info from running process PID, if command differs from current pid
20 current_command : Command (path) for which the current values are relevant
21 address_list : The start, end, and offset addresses for each file (path) loaded (/proc/<pid>/maps). Ie, each address_list[path] is a list of address lists.
22 map_list : Information for /proc/<pid>/maps - [path]={'permissions', 'device', 'inode'}
23 path_list : All files (paths) loaded for the current command (/proc/<pid>/maps).
24 mapsfile : The first file path in /proc/<pid>/maps, ie, the file with the command
25 file_system : Device, /dev/..., on which mapsfile is stored
26 exe : The path to which /proc/<pid>/exe links
28 Methods returning contents of /proc/<pid>/maps as text tables
29 paths (command, key_list) : A table of all paths with one or more of ['permissions', 'device', 'inode'] (inode is default)
31 The following methods return the SHA512 hash. They use the prefix to start the hash
32 Files are read using the inode numbers with debugfs (sudo only)
33 inodeSHA (command, file, prefix): The file contents based on the inode number in /proc/<pid>/maps, if 'file' is '', the mapsfile is used.
34 mapsSHA (command, prefix) : All files in /proc/<pid>/maps, based on inode number
36 For debugging purposes:
37 fileSHA (command, prefix) : Simple file read from disk using mapsfile
38 exeSHA (command, prefix) : File read using the exe link
40 The following methods return the WHOLE, binary file content
41 Files are read using the inode numbers with debugfs (sudo only)
42 inode (command, file): The file based on the inode number in /proc/<pid>/maps
43 maps (command) : All files in /proc/<pid>/maps, based on inode number
45 For debugging purposes:
46 file (command) : Simple file read from disk using mapsfile
47 exe (command) : File read using the exe link
50 > python3 proc_PID.py [path1 ....]
51 Will run for each path:
65 # Basic support routines
66 def create_process (command
):
67 devnull
= open('/dev/null', 'w');
68 return subprocess
.Popen(command
.split(), stdin
= subprocess
.PIPE
, stdout
= devnull
, stderr
= subprocess
.PIPE
, shell
=False, universal_newlines
=False);
70 def kill_process (process
):
71 process
.stdin
.close();
72 errormess
= process
.stderr
.read();
73 if len(errormess
) > 0: print(str(errormess
), file=sys
.stderr
);
84 # Determine the file system on which a file is stored (using df)
85 def get_filesystem(path
):
86 command
= 'df -h '+path
+' |tail -1';
87 process
= subprocess
.Popen(command
, stdin
= None, stdout
= subprocess
.PIPE
, stderr
= sys
.stderr
, shell
=True, universal_newlines
=True);
88 df_output
= process
.stdout
.read();
89 return df_output
.split()[0];
91 def get_debugfs_command ():
92 return "/sbin/debugfs -f - "+file_system
+" -R ";
101 global current_command
;
108 current_command
= '';
110 # Start command and read info from /proc/<pid>/
111 # Do nothing if the command is identical to previous one
112 def getinfo (command
): # -> pid
119 global current_command
;
121 if command
== current_command
:
125 current_command
= command
;
127 # Do not create a process if it already exists
128 kill_process
= False;
129 if isinstance(command
, int):
131 elif re
.search(r
'[^0-9]', command
) == None:
134 process
= create_process(command
);
136 # Wait a quarter of a second to allow the loading of the command to finish
139 dir = '/proc/'+str(pid
);
140 exe
= os
.readlink(dir+'/exe');
142 # Get all mapped memory and files
143 with
open(dir+'/maps', 'r') as file:
145 record_list
= l
.split();
146 if len(record_list
) == 6 and int(record_list
[4]) > 0:
147 (addresses
, permissions
, offset
, device
, inode
, path
) = record_list
;
148 if path
not in path_list
:
149 path_list
.append(path
);
150 map_list
[path
] = {'permissions':permissions
, 'device':device
, 'inode':inode
};
151 address_list
[path
] = [];
152 (address1
, address2
) = addresses
.split('-');
153 address_list
[path
].append({'start':address1
, 'end':address2
, 'offset':offset
});
154 if kill_process
: kill_process(process
);
155 mapsfile
= path_list
[0];
156 file_system
= get_filesystem(mapsfile
);
159 # Print out running proc stats
160 def paths (command
, key_list
= 'inode'): # 'key'/['key1', 'key2', ...] -> text-table
164 if isinstance(key_list
, str):
165 key_list
= [key_list
];
166 # Construct a line for each path,
168 for path
in path_list
:
171 line
+= '\t'+map_list
[path
][key
];
173 result_table
+= line
;
176 # Methods that return the raw file contents (could be LARGE)
180 with
open(mapsfile
, 'rb') as file:
182 if type(l
).__name
__ == 'str':
183 l
= bytes(l
, encoding
='utf8');
190 with
open(exe
, 'rb') as file:
192 if type(l
).__name
__ == 'str':
193 l
= bytes(l
, encoding
='utf8');
195 kill_process(process
);
198 def inode (command
, path
):
201 # Get file contents on inode number
203 inode
= map_list
[path
]['inode'];
204 cat
= "'cat <"+str(inode
)+">'";
205 debugfs
= subprocess
.Popen(get_debugfs_command()+cat
, stdin
= None, stdout
= subprocess
.PIPE
, stderr
= sys
.stderr
, shell
=True, universal_newlines
=False);
206 # read out the file contents
207 for l
in debugfs
.stdout
:
208 if type(l
).__name
__ == 'str':
209 l
= bytes(l
, encoding
='utf8');
217 # Get file contents on inode number
219 for file in path_list
:
220 inode
= map_list
[file]['inode'];
221 cat
= "'cat <"+str(inode
)+">'";
222 debugfs
= subprocess
.Popen(get_debugfs_command()+cat
, stdin
= None, stdout
= subprocess
.PIPE
, stderr
= sys
.stderr
, shell
=True, universal_newlines
=False);
223 # read out the file contents
224 for l
in debugfs
.stdout
:
225 if type(l
).__name
__ == 'str':
226 l
= bytes(l
, encoding
='utf8');
231 # Methods that return the SHA512sum
232 def fileSHA (command
, prefix
=b
''):
234 filehash
= hashlib
.sha512(prefix
);
235 with
open(mapsfile
, 'rb') as file:
237 if type(l
).__name
__ == 'str':
238 l
= bytes(l
, encoding
='utf8');
240 return str(filehash
.hexdigest());
242 def exeSHA (command
, prefix
=b
''):
244 exehash
= hashlib
.sha512(prefix
);
245 with
open(exe
, 'rb') as file:
247 if type(l
).__name
__ == 'str':
248 l
= bytes(l
, encoding
='utf8');
250 return str(exehash
.hexdigest());
252 def inodeSHA (command
, path
='', prefix
=b
''):
254 if len(path
) == 0: path
= mapsfile
;
256 # Get file contents on inode number
257 mapshash
= hashlib
.sha512(prefix
);
258 inode
= map_list
[path
]['inode'];
259 cat
= "'cat <"+str(inode
)+">'";
260 debugfs
= subprocess
.Popen(get_debugfs_command()+cat
, stdin
= None, stdout
= subprocess
.PIPE
, stderr
= sys
.stderr
, shell
=True, universal_newlines
=False);
261 # read out the file contents
262 for l
in debugfs
.stdout
:
263 if type(l
).__name
__ == 'str':
264 l
= bytes(l
, encoding
='utf8');
267 return str(mapshash
.hexdigest());
269 def mapsSHA (command
, prefix
=b
''):
272 # Get file contents on inode number
273 mapshash
= hashlib
.sha512(prefix
);
274 for path
in path_list
:
275 inode
= map_list
[path
]['inode'];
276 cat
= "'cat <"+str(inode
)+">'";
277 debugfs
= subprocess
.Popen(get_debugfs_command()+cat
, stdin
= None, stdout
= subprocess
.PIPE
, stderr
= sys
.stderr
, shell
=True, universal_newlines
=False);
278 # read out the file contents
279 for l
in debugfs
.stdout
:
280 if type(l
).__name
__ == 'str':
281 l
= bytes(l
, encoding
='utf8');
284 return str(mapshash
.hexdigest());
286 if __name__
== "__main__":
287 if len(sys
.argv
) == 1:
290 for command
in sys
.argv
[1:]:
291 result
= fileSHA(command
);
292 print(mapsfile
+(len("/proc/<pid>/inode") - len(mapsfile
))*' ', result
);
293 result
= exeSHA(command
);
294 print("/proc/<pid>/exe"+(len("/proc/<pid>/inode") - len("/proc/<pid>/exe"))*' ', result
);
296 result
= inodeSHA(command
);
297 print("/proc/<pid>/inode"+(len(mapsfile
) - len("/proc/<pid>/inode"))*' ', result
);
298 result
= mapsSHA(command
);
299 print("/proc/<pid>/maps"+(len("/proc/<pid>/inode") - len("/proc/<pid>/all"))*' ', result
);
302 result
= paths(command
);