How to find path of an executable in a kernel module
Dear All,
How to find the path of a running process in HDD?
e.g. a process named myproc is currently running. On the hard disk its
executable is stored in /home/myproc.
I want to write a module. In that particular module, I want to print
the path of this current process (/home/proc).
I am trying to use current->proc_dentry->d_name.name,
and I am getting a segfault ... I am trying many other things as well but
have not been able to solve the problem. Can anyone please guide me
through?
I shall be thankful.
Regards,
Ashish
Re: How to find path of an executable in a kernel module
Ashish Kumar <ashish.sachan@gmail.com> writes:
> Dear All,
>
> How to find the path of a running process in HDD ?
Which path? A file can have zero, one, or many different names.
Furthermore, a process need not be associated with a file at all.
--
Måns Rullgård
mans@mansr.com
Re: How to find path of an executable in a kernel module
On Dec 7, 1:13 am, Måns Rullgård <m...@mansr.com> wrote:
> Which path? A file can have zero, one, or many different names.
> Furthermore, a process need not be associated with a file at all.
I know it's possible to get the original path by which the file was
opened when the executable began its life. However, the file that that
*now* points to, if any, may not have any relationship to the file
that was opened when the executable began its life.
From user-space, for example, try 'stat /proc/self/exe'. For a kernel-
space example, look at proc_exe_link in fs/proc/task_mmu.c directory.
The basic idea is you grab the task's mm context and look for an
executable that's mmapped into the mm context as an executable. When/
if you find one, you can look at its f_path field.
DS
Re: How to find path of an executable in a kernel module
On Dec 7, 5:53 pm, David Schwartz <dav...@webmaster.com> wrote:
> On Dec 7, 1:13 am, Måns Rullgård <m...@mansr.com> wrote:
>
> > Which path? A file can have zero, one, or many different names.
> > Furthermore, a process need not be associated with a file at all.
>
> I know it's possible to get the original path by which the file was
> opened when the executable began its life. However, the file that that
> *now* points to, if any, may not have any relationship to the file
> that was opened when the executable began its life.
>
> From user-space, for example, try 'stat /proc/self/exe'. For a kernel-
> space example, look at proc_exe_link in fs/proc/task_mmu.c directory.
>
> The basic idea is you grab the task's mm context and look for an
> executable that's mmapped into the mm context as an executable. When/
> if you find one, you can look at its f_path field.
>
> DS
Thanks David for the pointer. Yes, exactly that 'original path' we need
to find in some kernel space ....
I will try it and shall get back to you ...
Probably using some of the fops functions in VFS we can get that ...
Thanks
Re: How to find path of an executable in a kernel module
On Dec 7, 2:13 pm, Måns Rullgård <m...@mansr.com> wrote:
> Ashish Kumar <ashish.sac...@gmail.com> writes:
> > Dear All,
>
> > How to find the path of a running process in HDD ?
>
> Which path? A file can have zero, one, or many different names.
> Furthermore, a process need not be associated with a file at all.
>
> --
> Måns Rullgård
> m...@mansr.com
But initially, in user space, a process is started by running some
executable.
Say I made an exe named a.out in /home/Ashish ...
Now I give ./a.out ....
Now this a.out process is running ...
So now I have to write some kernel module which captures the pathname
of this executable a.out from where the process a.out was started ....
Hmm, I guess I am able to express the problem to some extent at least :(
Re: How to find path of an executable in a kernel module
On Fri, 7 Dec 2007 22:08:42 -0800 (PST) Ashish Kumar <ashish.sachan@gmail.com> wrote:
| On Dec 7, 2:13 pm, Måns Rullgård <m...@mansr.com> wrote:
|> Ashish Kumar <ashish.sac...@gmail.com> writes:
|> > Dear All,
|>
|> > How to find the path of a running process in HDD ?
|>
|> Which path? A file can have zero, one, or many different names.
|> Furthermore, a process need not be associated with a file at all.
|>
|> --
|> Måns Rullgård
|> m...@mansr.com
|
| But initially for a user space a process started by running some
| executable.
| say i made an exe named a.out in /home/Ashish ...
| now i give ./a.out ....
| Now this a.out process is running ...
| So now i have to write some kernel module which captures the pathname
| of this executable a.out from where the process a.out was started ....
| Hmm i guess i m able to express the problem to some extent atleast :(
What if a.out, and the directory it was in, have been unlinked while the
process is still running? Even if you think you would never do this, you
really need to handle it, anyway, for a complete and correct program.
Otherwise you are potentially creating a DoS exploit.
Do you want the path that was running when the process was created by fork()
or do you want the new path established by any subsequent execve() calls?
I have noted that "lsof" can report the path of an executable that has been
deleted (and its current directory as well):
foo 23747 phil cwd DIR 3,4 48 5022501 /home/phil/dummy (deleted)
foo 23747 phil txt REG 3,4 44072 5022502 /home/phil/dummy/foo (deleted)
So that info is clearly stored somewhere even within the reach of a user
space program like lsof. Maybe see where lsof is getting it and do the
same for your code.
--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2007-12-09-1027@ipal.net |
|------------------------------------/-------------------------------------|
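The user-space check that the `stat /proc/self/exe` hint and the lsof output above point at, written out as an added example that is not code from any post in this thread. It compares the inode the process actually has mapped with whatever the reported name refers to now, so an unlinked or swapped binary is detected instead of trusted by name; `exe_path_state` and the `exe_state` values are names chosen here for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum exe_state { EXE_ERROR = -1, EXE_SAME, EXE_UNLINKED, EXE_PATH_CHANGED };

/* Classify the executable of `pid`; `path` receives the name the kernel reports. */
enum exe_state exe_path_state(pid_t pid, char *path, size_t len)
{
    static const char suffix[] = " (deleted)";
    char link[64];
    struct stat mapped, named;
    ssize_t n;

    snprintf(link, sizeof(link), "/proc/%ld/exe", (long)pid);
    n = readlink(link, path, len - 1);
    if (n < 0 || (size_t)n >= len - 1)
        return EXE_ERROR;           /* kernel thread, gone, no access, or truncated */
    path[n] = '\0';

    /* stat() follows the magic link to the inode that is actually mapped. */
    if (stat(link, &mapped) != 0)
        return EXE_ERROR;
    if (mapped.st_nlink == 0) {     /* unlinked but still running (lsof's "(deleted)") */
        size_t sl = sizeof(suffix) - 1;
        if ((size_t)n > sl && strcmp(path + n - sl, suffix) == 0)
            path[n - sl] = '\0';    /* strip the kernel's marker, keep the old name */
        return EXE_UNLINKED;
    }
    /* The name may now refer to a different file, or to nothing at all. */
    if (stat(path, &named) != 0 ||
        named.st_dev != mapped.st_dev || named.st_ino != mapped.st_ino)
        return EXE_PATH_CHANGED;
    return EXE_SAME;
}

int main(void)
{
    static const char *label[] = { "same file", "unlinked", "path changed" };
    char path[4096];
    enum exe_state st = exe_path_state(getpid(), path, sizeof(path));

    if (st == EXE_ERROR) { fprintf(stderr, "cannot resolve executable\n"); return 1; }
    printf("%s: %s\n", path, label[st]);
    return 0;
}
```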
Re: How to find path of an executable in a kernel module
On Dec 9, 9:34 pm, phil-news-nos...@ipal.net wrote:
> On Fri, 7 Dec 2007 22:08:42 -0800 (PST) Ashish Kumar <ashish.sac...@gmail.com> wrote:
> | On Dec 7, 2:13 pm, Måns Rullgård <m...@mansr.com> wrote:
> |> Ashish Kumar <ashish.sac...@gmail.com> writes:
> |> > Dear All,
> |>
> |> > How to find the path of a running process in HDD ?
> |>
> |> Which path? A file can have zero, one, or many different names.
> |> Furthermore, a process need not be associated with a file at all.
> |>
> |> --
> |> Måns Rullgård
> |> m...@mansr.com
> |
> | But initially for a user space a process started by running some
> | executable.
> | say i made an exe named a.out in /home/Ashish ...
> | now i give ./a.out ....
> | Now this a.out process is running ...
> | So now i have to write some kernel module which captures the pathname
> | of this executable a.out from where the process a.out was started ....
> | Hmm i guess i m able to express the problem to some extent atleast :(
>
> What if a.out, and the directory it was in, have been unlinked while the
> process is still running? Even if you think you would never do this, you
> really need to handle it, anyway, for a complete and correct program.
> Otherwise you are potentially creating a DoS exploit.
>
> Do you want the path that was running when the process was created by fork()
> or do you want the new path established by any subsequent execve() calls?
>
> I have noted that "lsof" can report the path of an executable that has been
> deleted (and it's current directory as well):
>
> foo 23747 phil cwd DIR 3,4 48 5022501 /home/phil/dummy (deleted)
> foo 23747 phil txt REG 3,4 44072 5022502 /home/phil/dummy/foo (deleted)
>
> So that info is clearly stored somewhever even within the reach of a user
> space program like lsof. Maybe see where lsof is getting it and do the
> same for your code.
>
> --
> |---------------------------------------/-----------------------------------|
> | Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
> | first name lower case at ipal.net / spamtrap-2007-12-09-1...@ipal.net |
> |------------------------------------/--------------------------------------|
It was easy :)
Just use the kernel method d_path() ....
Thanks,
Ashish
Re: How to find path of an executable in a kernel module
On Dec 10, 3:42 pm, Ashish Kumar <ashish.sac...@gmail.com> wrote:
> On Dec 9, 9:34 pm, phil-news-nos...@ipal.net wrote:
>
> > On Fri, 7 Dec 2007 22:08:42 -0800 (PST) Ashish Kumar <ashish.sac...@gmail.com> wrote:
> > | On Dec 7, 2:13 pm, Måns Rullgård <m...@mansr.com> wrote:
> > |> Ashish Kumar <ashish.sac...@gmail.com> writes:
> > |> > Dear All,
> > |>
> > |> > How to find the path of a running process in HDD ?
> > |>
> > |> Which path? A file can have zero, one, or many different names.
> > |> Furthermore, a process need not be associated with a file at all.
> > |>
> > |> --
> > |> Måns Rullgård
> > |> m...@mansr.com
> > |
> > | But initially for a user space a process started by running some
> > | executable.
> > | say i made an exe named a.out in /home/Ashish ...
> > | now i give ./a.out ....
> > | Now this a.out process is running ...
> > | So now i have to write some kernel module which captures the pathname
> > | of this executable a.out from where the process a.out was started ....
> > | Hmm i guess i m able to express the problem to some extent atleast :(
>
> > What if a.out, and the directory it was in, have been unlinked while the
> > process is still running? Even if you think you would never do this, you
> > really need to handle it, anyway, for a complete and correct program.
> > Otherwise you are potentially creating a DoS exploit.
>
> > Do you want the path that was running when the process was created by fork()
> > or do you want the new path established by any subsequent execve() calls?
>
> > I have noted that "lsof" can report the path of an executable that has been
> > deleted (and it's current directory as well):
>
> > foo 23747 phil cwd DIR 3,4 48 5022501 /home/phil/dummy (deleted)
> > foo 23747 phil txt REG 3,4 44072 5022502 /home/phil/dummy/foo (deleted)
>
> > So that info is clearly stored somewhever even within the reach of a user
> > space program like lsof. Maybe see where lsof is getting it and do the
> > same for your code.
>
> > --
> > |---------------------------------------/------------------------------------|
> > | Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
> > | first name lower case at ipal.net / spamtrap-2007-12-09-1...@ipal.net |
> > |------------------------------------/---------------------------------------|
>
> It was easy :)
> just use the kernel method d_path() ....
>
> Thanks ,
> Ashish
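I just wrote a few lines; the code is not optimized though:
char buf[100];
char *s;
/* cur: assumed to be a struct task_struct * such as current; fs->pwd/fs->pwdmnt name its working directory */
s = d_path(cur->fs->pwd, cur->fs->pwdmnt, buf, sizeof(buf));
if (IS_ERR(s)) /* e.g. -ENAMETOOLONG when the path does not fit in buf; IS_ERR/PTR_ERR come from <linux/err.h> */
    printk("d_path failed: %ld\n", PTR_ERR(s));
else
    printk("NAME = %s\n", s);
It seems to be working fine...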