
Process maps

blank edited this page Dec 11, 2016 · 1 revision

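The process maps files show which userland libraries are loaded into a process. In the case of terrible malware, the malicious libraries will be visible in these files, but vlany removes any information about itself from these files so as to avoid detection and potential isolation. The outputs below were captured after installation, so they show the filtered view that a user on the infected host would see. Note that the smaps listing contains three consecutive `VmFlags:` lines with no preceding mapping header or size fields; this appears to be residue left by the filtering, and is the kind of inconsistency an examiner can check for.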

Source files responsible for removing incriminating information:

Contents of /proc/self/maps after vlany installation

00400000-0040c000 r-xp 00000000 08:01 1046640                            /bin/cat
0060b000-0060c000 r--p 0000b000 08:01 1046640                            /bin/cat
0060c000-0060d000 rw-p 0000c000 08:01 1046640                            /bin/cat
00d9f000-00dc0000 rw-p 00000000 00:00 0                                  [heap]
7f5c53d70000-7f5c53d78000 r-xp 00000000 08:01 528273                     /lib/x86_64-linux-gnu/libcrypt-2.19.so
7f5c53d78000-7f5c53f77000 ---p 00008000 08:01 528273                     /lib/x86_64-linux-gnu/libcrypt-2.19.so
7f5c53f77000-7f5c53f78000 r--p 00007000 08:01 528273                     /lib/x86_64-linux-gnu/libcrypt-2.19.so
7f5c53f78000-7f5c53f79000 rw-p 00008000 08:01 528273                     /lib/x86_64-linux-gnu/libcrypt-2.19.so
7f5c53f79000-7f5c53fa7000 rw-p 00000000 00:00 0
7f5c53fa8000-7f5c53fab000 r-xp 00000000 08:01 528274                     /lib/x86_64-linux-gnu/libdl-2.19.so
7f5c53fab000-7f5c541aa000 ---p 00003000 08:01 528274                     /lib/x86_64-linux-gnu/libdl-2.19.so
7f5c541aa000-7f5c541ab000 r--p 00002000 08:01 528274                     /lib/x86_64-linux-gnu/libdl-2.19.so
7f5c541ab000-7f5c541ac000 rw-p 00003000 08:01 528274                     /lib/x86_64-linux-gnu/libdl-2.19.so
7f5c541b0000-7f5c54351000 r-xp 00000000 08:01 528271                     /lib/x86_64-linux-gnu/libc-2.19.so
7f5c54351000-7f5c54551000 ---p 001a1000 08:01 528271                     /lib/x86_64-linux-gnu/libc-2.19.so
7f5c54551000-7f5c54555000 r--p 001a1000 08:01 528271                     /lib/x86_64-linux-gnu/libc-2.19.so
7f5c54555000-7f5c54557000 rw-p 001a5000 08:01 528271                     /lib/x86_64-linux-gnu/libc-2.19.so
7f5c54557000-7f5c5455b000 rw-p 00000000 00:00 0
7f5c54778000-7f5c54798000 r-xp 00000000 08:01 933837                     /lib64/ld-linux-x86-64.so.2
7f5c54800000-7f5c54807000 r--s 00000000 08:01 399874                     /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
7f5c54808000-7f5c54991000 r--p 00000000 08:01 395606                     /usr/lib/locale/locale-archive
7f5c54992000-7f5c54998000 rw-p 00000000 00:00 0
7f5c54998000-7f5c54999000 r--p 00020000 08:01 933837                     /lib64/ld-linux-x86-64.so.2
7f5c54999000-7f5c5499a000 rw-p 00021000 08:01 933837                     /lib64/ld-linux-x86-64.so.2
7f5c5499a000-7f5c5499d000 rw-p 00000000 00:00 0
7fff7739f000-7fff773c0000 rw-p 00000000 00:00 0                          [stack]
7fff773d0000-7fff773d2000 r-xp 00000000 00:00 0                          [vdso]
7fff773d2000-7fff773d4000 r--p 00000000 00:00 0                          [vvar]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Contents of /proc/self/numa_maps after vlany installation

00400000 default file=/bin/cat mapped=12 N0=12
0060b000 default file=/bin/cat anon=1 dirty=1 N0=1
0060c000 default file=/bin/cat anon=1 dirty=1 N0=1
7f13a6f28000 default file=/lib/x86_64-linux-gnu/libcrypt-2.19.so mapped=8 mapmax=14 N0=8
7f13a6f30000 default file=/lib/x86_64-linux-gnu/libcrypt-2.19.so
7f13a712f000 default file=/lib/x86_64-linux-gnu/libcrypt-2.19.so anon=1 dirty=1 N0=1
7f13a7130000 default file=/lib/x86_64-linux-gnu/libcrypt-2.19.so anon=1 dirty=1 N0=1
7f13a7131000 default
7f13a7160000 default file=/lib/x86_64-linux-gnu/libdl-2.19.so mapped=3 mapmax=39 N0=3
7f13a7163000 default file=/lib/x86_64-linux-gnu/libdl-2.19.so
7f13a7362000 default file=/lib/x86_64-linux-gnu/libdl-2.19.so anon=1 dirty=1 N0=1
7f13a7363000 default file=/lib/x86_64-linux-gnu/libdl-2.19.so anon=1 dirty=1 N0=1
7f13a7368000 default file=/lib/x86_64-linux-gnu/libc-2.19.so mapped=326 mapmax=46 N0=326
7f13a7509000 default file=/lib/x86_64-linux-gnu/libc-2.19.so
7f13a7709000 default file=/lib/x86_64-linux-gnu/libc-2.19.so anon=4 dirty=4 N0=4
7f13a770d000 default file=/lib/x86_64-linux-gnu/libc-2.19.so anon=2 dirty=2 N0=2
7f13a7930000 default file=/lib64/ld-linux-x86-64.so.2 mapped=32 mapmax=11 N0=32
7f13a79b8000 default file=/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache mapped=7 mapmax=14 N0=7
7f13a79c0000 default file=/usr/lib/locale/locale-archive mapped=100 mapmax=11 N0=100
7f13a7b50000 default file=/lib64/ld-linux-x86-64.so.2 anon=1 dirty=1 N0=1
7f13a7b51000 default file=/lib64/ld-linux-x86-64.so.2 anon=1 dirty=1 N0=1

Contents of /proc/self/smaps after vlany installation

00400000-0040c000 r-xp 00000000 08:01 1046640                            /bin/cat
Size:                 48 kB
Rss:                  48 kB
Pss:                  48 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:        48 kB
Private_Dirty:         0 kB
Referenced:           48 kB
Anonymous:             0 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd ex mr mw me dw sd
0060b000-0060c000 r--p 0000b000 08:01 1046640                            /bin/cat
Size:                  4 kB
Rss:                   4 kB
Pss:                   4 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         4 kB
Referenced:            4 kB
Anonymous:             4 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd mr mw me dw ac sd
0060c000-0060d000 rw-p 0000c000 08:01 1046640                            /bin/cat
Size:                  4 kB
Rss:                   4 kB
Pss:                   4 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         4 kB
Referenced:            4 kB
Anonymous:             4 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd wr mr mw me dw ac sd
01499000-014ba000 rw-p 00000000 00:00 0                                  [heap]
Size:                132 kB
Rss:                  12 kB
Pss:                  12 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:        12 kB
Referenced:           12 kB
Anonymous:            12 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd wr mr mw me ac sd
7fe286188000-7fe286190000 r-xp 00000000 08:01 528273                     /lib/x86_64-linux-gnu/libcrypt-2.19.so
Size:                 32 kB
Rss:                  32 kB
Pss:                   2 kB
Shared_Clean:         32 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         0 kB
Referenced:           32 kB
Anonymous:             0 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd ex mr mw me sd
7fe286190000-7fe28638f000 ---p 00008000 08:01 528273                     /lib/x86_64-linux-gnu/libcrypt-2.19.so
Size:               2044 kB
Rss:                   0 kB
Pss:                   0 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         0 kB
Referenced:            0 kB
Anonymous:             0 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: mr mw me sd
7fe28638f000-7fe286390000 r--p 00007000 08:01 528273                     /lib/x86_64-linux-gnu/libcrypt-2.19.so
Size:                  4 kB
Rss:                   4 kB
Pss:                   4 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         4 kB
Referenced:            4 kB
Anonymous:             4 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd mr mw me ac sd
7fe286390000-7fe286391000 rw-p 00008000 08:01 528273                     /lib/x86_64-linux-gnu/libcrypt-2.19.so
Size:                  4 kB
Rss:                   4 kB
Pss:                   4 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         4 kB
Referenced:            4 kB
Anonymous:             4 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd wr mr mw me ac sd
7fe286391000-7fe2863bf000 rw-p 00000000 00:00 0
Size:                184 kB
Rss:                   0 kB
Pss:                   0 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         0 kB
Referenced:            0 kB
Anonymous:             0 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd wr mr mw me ac sd
7fe2863c0000-7fe2863c3000 r-xp 00000000 08:01 528274                     /lib/x86_64-linux-gnu/libdl-2.19.so
Size:                 12 kB
Rss:                  12 kB
Pss:                   0 kB
Shared_Clean:         12 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         0 kB
Referenced:           12 kB
Anonymous:             0 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd ex mr mw me sd
7fe2863c3000-7fe2865c2000 ---p 00003000 08:01 528274                     /lib/x86_64-linux-gnu/libdl-2.19.so
Size:               2044 kB
Rss:                   0 kB
Pss:                   0 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         0 kB
Referenced:            0 kB
Anonymous:             0 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: mr mw me sd
7fe2865c2000-7fe2865c3000 r--p 00002000 08:01 528274                     /lib/x86_64-linux-gnu/libdl-2.19.so
Size:                  4 kB
Rss:                   4 kB
Pss:                   4 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         4 kB
Referenced:            4 kB
Anonymous:             4 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd mr mw me ac sd
7fe2865c3000-7fe2865c4000 rw-p 00003000 08:01 528274                     /lib/x86_64-linux-gnu/libdl-2.19.so
Size:                  4 kB
Rss:                   4 kB
Pss:                   4 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         4 kB
Referenced:            4 kB
Anonymous:             4 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd wr mr mw me ac sd
7fe2865c8000-7fe286769000 r-xp 00000000 08:01 528271                     /lib/x86_64-linux-gnu/libc-2.19.so
Size:               1668 kB
Rss:                1304 kB
Pss:                  32 kB
Shared_Clean:       1304 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         0 kB
Referenced:         1304 kB
Anonymous:             0 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd ex mr mw me sd
7fe286769000-7fe286969000 ---p 001a1000 08:01 528271                     /lib/x86_64-linux-gnu/libc-2.19.so
Size:               2048 kB
Rss:                   0 kB
Pss:                   0 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         0 kB
Referenced:            0 kB
Anonymous:             0 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: mr mw me sd
7fe286969000-7fe28696d000 r--p 001a1000 08:01 528271                     /lib/x86_64-linux-gnu/libc-2.19.so
Size:                 16 kB
Rss:                  16 kB
Pss:                  16 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:        16 kB
Referenced:           16 kB
Anonymous:            16 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd mr mw me ac sd
7fe28696d000-7fe28696f000 rw-p 001a5000 08:01 528271                     /lib/x86_64-linux-gnu/libc-2.19.so
Size:                  8 kB
Rss:                   8 kB
Pss:                   8 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         8 kB
Referenced:            8 kB
Anonymous:             8 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd wr mr mw me ac sd
7fe28696f000-7fe286973000 rw-p 00000000 00:00 0
Size:                 16 kB
Rss:                   8 kB
Pss:                   8 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         8 kB
Referenced:            8 kB
Anonymous:             8 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd wr mr mw me ac sd
VmFlags: rd ex mr mw me sd
VmFlags: mr mw me sd
VmFlags: rd wr mr mw me ac sd
7fe286b90000-7fe286bb0000 r-xp 00000000 08:01 933837                     /lib64/ld-linux-x86-64.so.2
Size:                128 kB
Rss:                 128 kB
Pss:                  13 kB
Shared_Clean:        128 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         0 kB
Referenced:          128 kB
Anonymous:             0 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd ex mr mw me dw sd
7fe286c18000-7fe286c1f000 r--s 00000000 08:01 399874                     /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
Size:                 28 kB
Rss:                  28 kB
Pss:                   1 kB
Shared_Clean:         28 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         0 kB
Referenced:           28 kB
Anonymous:             0 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd mr me ms sd
7fe286c20000-7fe286da9000 r--p 00000000 08:01 395606                     /usr/lib/locale/locale-archive
Size:               1572 kB
Rss:                 400 kB
Pss:                  64 kB
Shared_Clean:        400 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         0 kB
Referenced:          400 kB
Anonymous:             0 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd mr mw me sd
7fe286dab000-7fe286db0000 rw-p 00000000 00:00 0
Size:                 20 kB
Rss:                  20 kB
Pss:                  20 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:        20 kB
Referenced:           20 kB
Anonymous:            20 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd wr mr mw me ac sd
7fe286db0000-7fe286db1000 r--p 00020000 08:01 933837                     /lib64/ld-linux-x86-64.so.2
Size:                  4 kB
Rss:                   4 kB
Pss:                   4 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         4 kB
Referenced:            4 kB
Anonymous:             4 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd mr mw me dw ac sd
7fe286db1000-7fe286db2000 rw-p 00021000 08:01 933837                     /lib64/ld-linux-x86-64.so.2
Size:                  4 kB
Rss:                   4 kB
Pss:                   4 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         4 kB
Referenced:            4 kB
Anonymous:             4 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd wr mr mw me dw ac sd
7fe286db2000-7fe286db4000 rw-p 00000000 00:00 0
Size:                  8 kB
Rss:                   8 kB
Pss:                   8 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         8 kB
Referenced:            8 kB
Anonymous:             8 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd wr mr mw me ac sd
7fe286db4000-7fe286db6000 rw-p 00000000 00:00 0
Size:                  8 kB
Rss:                   8 kB
Pss:                   8 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         8 kB
Referenced:            8 kB
Anonymous:             8 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd wr mr mw me ac sd
7ffec9271000-7ffec9292000 rw-p 00000000 00:00 0                          [stack]
Size:                136 kB
Rss:                  24 kB
Pss:                  24 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:        24 kB
Referenced:           24 kB
Anonymous:            24 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd wr mr mw me gd ac
7ffec93a8000-7ffec93aa000 r-xp 00000000 00:00 0                          [vdso]
Size:                  8 kB
Rss:                   8 kB
Pss:                   0 kB
Shared_Clean:          8 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         0 kB
Referenced:            8 kB
Anonymous:             0 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd ex mr mw me de sd
7ffec93aa000-7ffec93ac000 r--p 00000000 00:00 0                          [vvar]
Size:                  8 kB
Rss:                   0 kB
Pss:                   0 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         0 kB
Referenced:            0 kB
Anonymous:             0 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd pf io de dd sd
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Size:                  4 kB
Rss:                   0 kB
Pss:                   0 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         0 kB
Referenced:            0 kB
Anonymous:             0 kB
AnonHugePages:         0 kB
Swap:                  0 kB
KernelPageSize:        4 kB
MMUPageSize:           4 kB
Locked:                0 kB
VmFlags: rd ex