Implement the dump_process_memory action#140
Merged
panhania merged 4 commits intogoogle:masterfrom Aug 6, 2025
Merged
Conversation
CRefice
force-pushed
the
feature/dump-process-memory-action
branch
2 times, most recently
from
a56b0ed to
49aebff
Compare
panhania
requested changes
Aug 5, 2025
CRefice
force-pushed
the
feature/dump-process-memory-action
branch
from
49aebff to
c3db4c1
Compare
panhania
approved these changes
Aug 6, 2025
Member
panhania
left a comment
panhania
left a comment
There was a problem hiding this comment.
There are some nits left, but I don't want to stall your work until I am back, so I am going to merge for now. These are minor things that we can tweak anytime.
panhania
changed the title
dump_process_memory actiondump_process_memory action
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR ports the
YaraProcessMemoryDumpaction from the GRR client to RRG.Only Linux is supported for now, and the relevant modules are gated behind
#[cfg(target_os = "linux").The implementation parses a process' memory maps from
/proc/{pid}/mapsand then reads its memory from/proc/{pid}/mem.The memory is then chunked into batches as necessary and sent to the blob sink.
I have kept the interface (request and response protos) mostly the same as in the GRR action, but have omitted features related to process table scanning. So for now, callers of the action should know in advance the PIDs of the processes whose memory they're interested in. Maybe PID discovery can be delegated to a separate action in the future.