What does a process look like?
One important file on any Linux system is /proc/$pid/maps. This file shows the entire address space of a running process, and it is something that I often parse in order to determine the location of certain files or memory mappings within a process.
On Linux kernels that carry the Grsecurity patches, there is a kernel option called GRKERNSEC_PROC_MEMMAP that, if enabled, zeroes out the address values in /proc/$pid/maps so that you cannot see the address space layout. This makes parsing a process from the outside more difficult, and you must rely on other techniques, such as parsing the ELF headers and working from there.
Note
In the next chapter, we will be discussing the ECFS (short for Extended Core File Snapshot) format, which is a new ELF file format that expands on regular core files and contains an abundance of forensics-relevant data.
Here's an example of the process memory layout of the hello_world program:
$ cat /proc/`pidof hello_world`/maps...
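A small parser for the maps format shown above, as an added example that is not part of the original text or the book's own tooling: it turns each line into a record, locates the mapping that contains a given address, finds the load address of the executable's text segment, and flags the case where every range reads 0-0 (the GRKERNSEC_PROC_MEMMAP behaviour described earlier) so that a forensics script can fall back to ELF-header parsing instead of trusting the addresses. The sample maps text, the /home/user paths and the libc path are constructed for the example, not captured from a real hello_world process.

```python
import re
from collections import namedtuple

# One /proc/$pid/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$")
Mapping = namedtuple("Mapping", "start end perms offset dev inode path")

def parse_maps(text):
    """Parse maps-file text into Mapping records (addresses as ints)."""
    maps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError("unexpected maps line: %r" % line)
        start, end, perms, off, dev, inode, path = m.groups()
        maps.append(Mapping(int(start, 16), int(end, 16), perms,
                            int(off, 16), dev, int(inode), path.strip()))
    return maps

def maps_are_zeroed(maps):
    """True when every range is 0-0, i.e. addresses were hidden (grsecurity case)."""
    return bool(maps) and all(m.start == 0 and m.end == 0 for m in maps)

def mapping_for(maps, addr):
    """Return the mapping containing addr, or None."""
    for m in maps:
        if m.start <= addr < m.end:
            return m
    return None

def text_base(maps, name):
    """Load address of the executable segment of the file whose path ends in name."""
    for m in maps:
        if m.path.endswith(name) and "x" in m.perms:
            return m.start
    return None

# Constructed sample input, not captured from a real hello_world process.
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1312829    /home/user/hello_world
00600000-00601000 r--p 00000000 08:01 1312829    /home/user/hello_world
00601000-00602000 rw-p 00001000 08:01 1312829    /home/user/hello_world
7f3d2a1b0000-7f3d2a3a2000 r-xp 00000000 08:01 395621     /lib/x86_64-linux-gnu/libc.so.6
7ffe5c8d0000-7ffe5c8f1000 rw-p 00000000 00:00 0          [stack]
"""
```

On a live system, replace SAMPLE_MAPS with the contents of /proc/<pid>/maps and check maps_are_zeroed() before using any address the file reports.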