kovdan01/proc-integrity

Intercept process creation

Opened this issue · 2 comments

Currently the module runs on a timer and saves digests for process virtual memory areas when it discovers the monitored process for the first time. The process might already have changed before this moment and we will not be able to detect this change.

UPD: process creation is now intercepted when _do_fork returns. The problem is that initially a process has the same mm_struct as its parent, but it quickly changes (if the executables of the processes are not the same, obviously). Currently msleep(10) is used to wait for it:

It is necessary to find a correct way to wait for this.

Possible solution: find the name of the executable corresponding to the process and compare it with the parent's one. If the executable names are identical, there is no need to wait; if not, we just need to find a way to wait until mm_struct is changed for the first time and assume that it will not change later.

UPD: a significantly more correct way to intercept process creation is using kprobe for finalize_exec instead of kretprobe for _do_fork. But experiments have shown that despite the fact that newly created process's VMAs are different from the parent's ones, some other VMAs might be created just after finalize_exec. Using kprobe with do_mmap, vm_mmap or do_shmat does not intercept the creation of these VMAs, so a further investigation is needed.
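As an added userspace illustration (not code from the proc-integrity module) of the investigation described above: parse /proc/&lt;pid&gt;/maps snapshots, digest only the executable VMA layout, and diff two snapshots to see which executable mappings appear after exec. The maps lines are constructed samples, not real captures, and `exec_vmas`, `layout_digest` and `vma_diff` are names chosen here.

```python
import hashlib
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \d+\s*(.*)$")

def parse_maps(text):
    """Parse /proc/<pid>/maps text into (start, end, perms, path) tuples."""
    vmas = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            vmas.append((int(m.group(1), 16), int(m.group(2), 16),
                         m.group(3), m.group(4)))
    return vmas

def exec_vmas(vmas):
    """Only executable mappings are relevant to a code-integrity digest."""
    return {v for v in vmas if "x" in v[2]}

def layout_digest(vmas):
    """SHA-256 over the sorted executable VMA layout (range, perms, file)."""
    h = hashlib.sha256()
    for start, end, perms, path in sorted(exec_vmas(vmas)):
        h.update(f"{start:x}-{end:x} {perms} {path}\n".encode())
    return h.hexdigest()

def vma_diff(before, after):
    """Return (added, removed) executable VMAs between two snapshots."""
    b, a = exec_vmas(before), exec_vmas(after)
    return sorted(a - b), sorted(b - a)

# Constructed /proc/<pid>/maps snapshots (not real captures): the parent,
# the child right after exec, and the same child once the dynamic loader
# has mapped a shared library (the "VMAs created after finalize_exec" case).
PARENT = """\
55d0c0000000-55d0c0001000 r-xp 00000000 fd:01 1234 /usr/bin/parent
7f3a00000000-7f3a00100000 r-xp 00000000 fd:01 5678 /usr/lib/libc.so.6
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]
"""
CHILD_AT_EXEC = """\
5603a0000000-5603a0002000 r-xp 00000000 fd:01 4321 /usr/bin/child
7ffc00000000-7ffc00021000 rw-p 00000000 00:00 0 [stack]
"""
CHILD_LATER = CHILD_AT_EXEC + \
    "7f1b00000000-7f1b00100000 r-xp 00000000 fd:01 5678 /usr/lib/libc.so.6\n"
```

Taking the digest at exec and again a little later and comparing them shows whether the layout has settled; a digest recorded while `vma_diff` still reports additions would miss the library mappings.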