Add Linux memory map table

2024-11-07 18:08:53 +00:00 · 2015-02-09 00:47:40 -07:00 · 2015-02-09 00:47:40 -07:00 · edc93fb81b
commit edc93fb81b
parent 653b3a19e5
3 changed files with 71 additions and 0 deletions
--- a/osquery/tables/CMakeLists.txt
+++ b/osquery/tables/CMakeLists.txt
@ -64,6 +64,7 @@ else()
    system/linux/kernel_info.cpp
    system/linux/kernel_integrity.cpp
    system/linux/kernel_modules.cpp
+    system/linux/memory_map.cpp
    system/linux/mounts.cpp
    system/linux/pci_devices.cpp
    system/linux/processes.cpp
--- a/osquery/tables/specs/linux/memory_map.table
+++ b/osquery/tables/specs/linux/memory_map.table
@ -0,0 +1,9 @@
+table_name("memory_map")
+description("OS memory region map.")
+schema([
+    Column("region", INTEGER, "Region index"),
+    Column("type", TEXT, "Textual description"),
+    Column("start", TEXT, "Start address of memory region"),
+    Column("end", TEXT, "End address of memory region"),
+])
+implementation("memory_map@genMemoryMap")
--- a/osquery/tables/system/linux/memory_map.cpp
+++ b/osquery/tables/system/linux/memory_map.cpp
@ -0,0 +1,61 @@
+/*
+ *  Copyright (c) 2014, Facebook, Inc.
+ *  All rights reserved.
+ *
+ *  This source code is licensed under the BSD-style license found in the
+ *  LICENSE file in the root directory of this source tree. An additional grant
+ *  of patent rights can be found in the PATENTS file in the same directory.
+ *
+ */
+
+#include <boost/algorithm/string.hpp>
+
+#include <osquery/core.h>
+#include <osquery/filesystem.h>
+#include <osquery/logger.h>
+#include <osquery/tables.h>
+
+namespace fs = boost::filesystem;
+
+namespace osquery {
+namespace tables {
+
+const std::string kMemoryMapLocation = "/sys/firmware/memmap";
+
+QueryData genMemoryMap(QueryContext& context) {
+  QueryData results;
+
+  // Linux memory map is exposed in /sys.
+  std::vector<std::string> regions;
+  auto status = listDirectoriesInDirectory(kMemoryMapLocation, regions);
+  if (!status.ok()) {
+    return {};
+  }
+
+  for (const auto& index : regions) {
+    fs::path index_path(index);
+    Row r;
+    r["region"] = index_path.filename().string();
+
+    // The type is a textual description
+    std::string content;
+    readFile(index_path / "type", content);
+    boost::trim(content);
+    r["type"] = content;
+
+    // Keep these in 0xFFFF (hex) form.
+    readFile(index_path / "start", content);
+    boost::trim(content);
+    r["start"] = content;
+
+    readFile(index_path / "end", content);
+    boost::trim(content);
+    r["end"] = content;
+
+    results.push_back(r);
+  }
+
+  return results;
+}
+}
+}