

218 bytes removed, 15:07, 29 August 2012
no edit summary
The process dumper (let's call it the dumper from here on) performs the following steps during the checkpoint stage:
# A '''$pid''' of a process group leader is obtained from the command line.
# Using this '''$pid''', the dumper walks through '''/proc/$pid/task/$tid/children''' and gathers child '''$pids''' recursively. At the end we have a process tree.
# Then we take every '''$pid''' from the process tree, seize each of them with the ptrace ''PTRACE_SEIZE'' call (which puts the tasks into a seized state, where they do not know that they are actually stopped and that someone is doing nasty things to them :), and perform the following steps on each '''$pid'''.
#* Collect VMA areas by parsing '''/proc/$pid/maps'''.
#* Collect the file descriptor numbers the task holds via '''/proc/$pid/fd'''.
#* Core parameters of the task (such as registers and friends) are dumped via the ptrace interface and by parsing the '''/proc/$pid/stat''' entry.
#* The dumper injects parasite code into the task via the ptrace interface. This allows us to dump the task's pages right from within the task's address space.
#** The injection procedure is done in two steps: at first we inject only a few bytes for an <code>mmap</code> syscall at the CS:IP the task had at the moment of seizing. ptrace then lets us run the injected syscall, and with it we allocate enough memory for the parasite code chunk we need for dumping.
#** After that the parasite code is copied into that place inside the dumpee's address space, and the former CS:IP, which was modified during the parasite bootstrap procedure, gets restored.
#* After everything is dumped with the parasite code (such as memory pages, which can be written out only from inside the dumpee's address space), we use the ptrace facility again and cure the dumpee by dropping all our parasite code and restoring the original code.
# The procedure continues for every '''$pid'''.
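To make the collection steps above concrete, here is an added example in Python (not CRIU's own code): it gathers a process tree the way the dumper walks '''/proc/$pid/task/$tid/children''', and parses '''/proc/$pid/maps''' so the executable VMAs (where the seized task's CS:IP must sit before the mmap stub is placed) can be told apart from the rest. The maps text and the child-pid table are constructed sample data, and the <code>children_of</code> callback is an assumption standing in for reading the real /proc file.

```python
import re
from dataclasses import dataclass

# One /proc/$pid/maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+[0-9a-f]+\s+"
                     r"[0-9a-f]+:[0-9a-f]+\s+\d+\s*(.*)$")

@dataclass(frozen=True)
class Vma:
    start: int
    end: int
    perms: str
    path: str

    def executable(self) -> bool:
        return "x" in self.perms

def parse_maps(text: str) -> list:
    """Turn the text of /proc/$pid/maps into Vma records; junk lines raise."""
    vmas = []
    for line in filter(str.strip, text.splitlines()):
        m = MAPS_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        vmas.append(Vma(int(m[1], 16), int(m[2], 16), m[3], m[4].strip()))
    return vmas

def vma_at(vmas: list, addr: int):
    """VMA containing addr, or None. The dumper wants the seized task's
    CS:IP to sit in an executable VMA before it places the mmap stub."""
    return next((v for v in vmas if v.start <= addr < v.end), None)

def collect_tree(root: int, children_of) -> list:
    """Gather $pids recursively, the way the dumper walks
    /proc/$pid/task/$tid/children. children_of(pid) -> list of child pids
    (on Linux, the ints in that file); injected here so the sample runs."""
    tree = [root]
    for child in children_of(root):
        tree.extend(collect_tree(child, children_of))
    return tree

# Constructed sample data, not captured from a real process.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/app
00651000-00652000 rw-p 00051000 08:01 1234 /usr/bin/app
7f0f00000000-7f0f00021000 rw-p 00000000 00:00 0
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_CHILDREN = {100: [101, 102], 101: [103], 102: [], 103: []}  # 100 -> 101,102; 101 -> 103
```

On a real Linux host, <code>children_of</code> would read and split <code>/proc/$pid/task/$pid/children</code> and <code>parse_maps</code> would be fed the contents of <code>/proc/$pid/maps</code>.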