
lookup_dcookie

Intro

lookup_dcookie - assigns a process identification number (pid) to the given cookie

Description

The lookup_dcookie syscall relates a cookie value with a process identification (pid). The cookie is an unsigned long integer, usually obtained from the get_pid_list() syscall. The syscall takes a buffer of type char*, whose size is given by the len argument; on return, the buffer contains the path of the executable associated with the pid. The result is negative if the lookup fails.

This syscall can be used to obtain process-related information, such as the executable path of a process.

Arguments

  • cookie:u64 - unsigned long integer containing the cookie value.
  • buffer:char*[KU] - user space pointer to a buffer of type char*, where the path of the executable will be written.
  • len:size_t[KU] - user space pointer to the size of the buffer.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, a pointer to user space memory used to get it).

Hooks

sys_lookup_dcookie

Type

kretprobe

Purpose

Hooked to gain visibility into the system calls that assign a process identification to the given cookie.

Example Use Case

The lookup_dcookie syscall can be used to identify the executable responsible for a particular process running on the system. It can also be used to monitor the system for processes that start with the same cookie value.

Issues

If the buffer is too small, the syscall may fail, leading to an incomplete path.
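To make the "Example Use Case" and "Issues" sections above concrete, here is an added Go checker (example code, not part of Tracee or of this page) that reads Tracee-style newline-delimited JSON events and reports two things: lookup_dcookie calls whose return value is negative, which is what a caller sees when the supplied buffer is too small for the path, and cookie values that were looked up by more than one distinct process. The JSON field names (eventName, processId, processName, returnValue, args with name/value) are assumed to match Tracee's output, and the event lines in SampleLines are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Event is the subset of a Tracee JSON event line that this checker reads.
// Field names are assumed to follow Tracee's JSON output; adjust if your
// Tracee version names them differently.
type Event struct {
	EventName   string `json:"eventName"`
	ProcessID   int    `json:"processId"`
	ProcessName string `json:"processName"`
	ReturnValue int64  `json:"returnValue"`
	Args        []Arg  `json:"args"`
}

// Arg is one syscall argument as reported in the event's args list.
type Arg struct {
	Name  string          `json:"name"`
	Value json.RawMessage `json:"value"`
}

// Finding is one observation worth surfacing to an analyst.
type Finding struct {
	Kind   string // "failed_lookup" (negative return, e.g. buffer too small) or "shared_cookie"
	Cookie uint64
	PIDs   []int
	Detail string
}

// cookieArg extracts the u64 cookie argument. The value may arrive as a JSON
// number or as a decimal/hex string, so both forms are accepted.
func cookieArg(ev Event) (uint64, bool) {
	for _, a := range ev.Args {
		if a.Name != "cookie" {
			continue
		}
		var n uint64
		if err := json.Unmarshal(a.Value, &n); err == nil {
			return n, true
		}
		var s string
		if err := json.Unmarshal(a.Value, &s); err == nil {
			if n, err := strconv.ParseUint(s, 0, 64); err == nil {
				return n, true
			}
		}
		return 0, false
	}
	return 0, false
}

// Analyze scans newline-delimited JSON events, keeps only lookup_dcookie,
// flags every call that returned an error, and then reports cookies that
// were looked up by more than one process. Output order is deterministic:
// failed lookups in order of appearance, then shared cookies by value.
func Analyze(lines []string) []Finding {
	var findings []Finding
	pidsByCookie := map[uint64]map[int]bool{}

	for _, line := range lines {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil || ev.EventName != "lookup_dcookie" {
			continue // malformed line or a different event
		}
		cookie, ok := cookieArg(ev)
		if !ok {
			continue
		}
		if ev.ReturnValue < 0 {
			findings = append(findings, Finding{
				Kind:   "failed_lookup",
				Cookie: cookie,
				PIDs:   []int{ev.ProcessID},
				Detail: fmt.Sprintf("%s (pid %d) got return value %d", ev.ProcessName, ev.ProcessID, ev.ReturnValue),
			})
		}
		if pidsByCookie[cookie] == nil {
			pidsByCookie[cookie] = map[int]bool{}
		}
		pidsByCookie[cookie][ev.ProcessID] = true
	}

	var shared []uint64
	for c, pids := range pidsByCookie {
		if len(pids) > 1 {
			shared = append(shared, c)
		}
	}
	sort.Slice(shared, func(i, j int) bool { return shared[i] < shared[j] })
	for _, c := range shared {
		var pids []int
		for p := range pidsByCookie[c] {
			pids = append(pids, p)
		}
		sort.Ints(pids)
		findings = append(findings, Finding{
			Kind:   "shared_cookie",
			Cookie: c,
			PIDs:   pids,
			Detail: fmt.Sprintf("cookie %#x looked up by %d processes", c, len(pids)),
		})
	}
	return findings
}

// SampleLines are constructed event lines for this example, not real Tracee output.
// pid 303 passes an 8-byte buffer and gets a negative return value (-34).
var SampleLines = []string{
	`{"eventName":"lookup_dcookie","processId":101,"processName":"prof-a","returnValue":0,"args":[{"name":"cookie","type":"u64","value":4096},{"name":"buffer","type":"char*","value":"/usr/bin/prof-a"},{"name":"len","type":"size_t","value":256}]}`,
	`{"eventName":"openat","processId":150,"processName":"bash","returnValue":3,"args":[]}`,
	`{"eventName":"lookup_dcookie","processId":202,"processName":"prof-b","returnValue":0,"args":[{"name":"cookie","type":"u64","value":"0x1000"},{"name":"buffer","type":"char*","value":"/usr/bin/prof-a"},{"name":"len","type":"size_t","value":256}]}`,
	`{"eventName":"lookup_dcookie","processId":303,"processName":"prof-c","returnValue":-34,"args":[{"name":"cookie","type":"u64","value":8192},{"name":"buffer","type":"char*","value":""},{"name":"len","type":"size_t","value":8}]}`,
}

func main() {
	for _, f := range Analyze(SampleLines) {
		fmt.Printf("%-14s cookie=%#x pids=%v %s\n", f.Kind, f.Cookie, f.PIDs, f.Detail)
	}
}
```

Feed real output by piping Tracee's JSON stream into a small reader that splits on newlines and calls Analyze; the checker deliberately ignores events it cannot parse rather than aborting, so one malformed line does not silence the rest of the stream.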

Related Events

  • get_pid_list
  • read_exec

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.