
Enumerate KVM virtual machine process PID #108

Open
JIUYUE521 opened this issue Dec 30, 2023 · 5 comments

Comments

@JIUYUE521

Hi, may I ask when it will be possible to add Linux enumeration of KVM virtual machine processes, PIDs, and threads?
Looking forward to your addition of new function features and calling columns!

@h33p
Member

h33p commented Dec 30, 2023

I don't think I fully understand what you mean.

If you have multiple KVM VMs running, you can submit a pid as argument to the connector, like so:

-c kvm:1337 -o win32

Or is there something else you wanted to ask?

@JIUYUE521
Author

What I mean is to enumerate the number of threads in processes with the same name and traverse to the process PID that you need.

@JIUYUE521
Author

Take process PID parameters without thread count:

```cpp
void Memory::open_proc(const char* name)
{
    if (!conn)
    {
        ConnectorInventory *inv = inventory_scan();
        conn = inventory_create_connector(inv, "qemu_procfs", "");
        inventory_free(inv);
    }

    if (conn)
    {
        if (!kernel)
        {
            kernel = kernel_build(conn);
        }

        if (kernel)
        {
            Kernel *tmp_ker = kernel_clone(kernel);
            proc.hProcess = kernel_into_process(tmp_ker, name);
        }

        if (proc.hProcess)
        {
            Win32ModuleInfo *module = process_module_info(proc.hProcess, name);

            if (module)
            {
                OsProcessModuleInfoObj *obj = module_info_trait(module);
                proc.baseaddr = os_process_module_base(obj);
                os_process_module_free(obj);
                mem = process_virt_mem(proc.hProcess);
                status = process_status::FOUND_READY;
            }
            else
            {
                status = process_status::FOUND_NO_ACCESS;
                close_proc();
            }
        }
        else
        {
            status = process_status::NOT_FOUND;
        }
    }
    else
    {
        printf("Can't create connector\n");
        exit(0);
    }
}
```

@h33p
Member

h33p commented Jan 5, 2024

First point: please file general issues in https://github.com/memflow/memflow. I am transferring this issue there.

@h33p h33p transferred this issue from memflow/memflow-kvm Jan 5, 2024
@h33p
Member

h33p commented Jan 5, 2024

Now, as for your question, you can do the following:

```cpp
int i = 0;

os.process_info_list_callback([&i, filter](ProcessInfo info) {

    if (!strstr(info.name, filter)) {
        return true;
    }

    char sys_arch[11];
    char proc_arch[11];

    fmt_arch(sys_arch, sizeof(sys_arch), info.sys_arch);
    fmt_arch(proc_arch, sizeof(proc_arch), info.proc_arch);

    printf("%-4d | %-8d | %-10s | %-10s | %s\n", i++, info.pid, sys_arch, proc_arch, info.name);

    return true;
});
```

This will print processes that contain filter inside their name. Inside the lambda, you may also choose to take the ProcessInfo object and push it on a std::vector. The point is, this lambda lets you iterate through the processes.

This will give you all processes with the same name.

This will not give you all threads of 1 process.

Thread != process

If you want threads, you'll have to do something different.
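The collect-into-a-vector variant described in the comment above, as an added example that is not part of this issue or of memflow's own code. It compiles and runs without memflow: `ProcessInfo` and `Os::process_info_list_callback` are assumed stand-ins with the same shape as the names used in the comment, backed by a constructed process table instead of a real VM, and the "return false to stop the walk" convention is assumed. The point it shows is the one the comment makes: a name filter can match several PIDs, so the caller has to choose which one it wants, and nothing in `ProcessInfo` says anything about threads.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <functional>
#include <vector>

// Assumed stand-in for memflow's ProcessInfo: only the fields used here.
struct ProcessInfo {
    uint32_t pid;
    const char* name;
};

// Assumed stand-in for the memflow Os object: a constructed process table
// plus a callback-driven enumerator in the style of process_info_list_callback.
struct Os {
    std::vector<ProcessInfo> table;

    // Invokes cb for each process in order; a callback returning false stops
    // the walk (assumed convention, matching the "return true" in the comment).
    void process_info_list_callback(const std::function<bool(ProcessInfo)>& cb) const {
        for (const ProcessInfo& p : table) {
            if (!cb(p)) break;
        }
    }
};

// Collect every PID whose name contains filter: the strstr test from the
// comment, but pushing matches on a std::vector instead of printing them.
std::vector<uint32_t> pids_matching(const Os& os, const char* filter) {
    std::vector<uint32_t> pids;
    os.process_info_list_callback([&pids, filter](ProcessInfo info) {
        if (std::strstr(info.name, filter)) {
            pids.push_back(info.pid);
        }
        return true; // keep walking: we want every process with this name
    });
    return pids;
}

// Return the first PID with an exact name match, or 0 if there is none.
// Returning false from the lambda stops the enumeration early.
uint32_t first_pid_named(const Os& os, const char* name) {
    uint32_t found = 0;
    os.process_info_list_callback([&found, name](ProcessInfo info) {
        if (std::strcmp(info.name, name) == 0) {
            found = info.pid;
            return false;
        }
        return true;
    });
    return found;
}

// Constructed sample table: three processes share the name "svchost.exe".
Os sample_os() {
    Os os;
    os.table = {
        {4, "System"},
        {1337, "svchost.exe"},
        {1400, "svchost.exe"},
        {2048, "notepad.exe"},
        {2100, "svchost.exe"},
    };
    return os;
}

int main() {
    Os os = sample_os();
    for (uint32_t pid : pids_matching(os, "svchost")) {
        std::printf("svchost candidate pid: %u\n", pid);
    }
    std::printf("first notepad.exe pid: %u\n", first_pid_named(os, "notepad.exe"));
    return 0;
}
```

With the constructed table, `pids_matching(os, "svchost")` returns the three PIDs 1337, 1400 and 2100, which is exactly the ambiguity the thread is about: a process name alone does not identify one process, and the selection has to be made by PID (for example `-c kvm:1337` for the connector, or an explicit pick from the vector here). Thread enumeration is a separate operation and is not shown because the comment states the process list does not provide it.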
