Version: 0.0.0-20240313182602-55f644eba713
Repository: https://github.com/audibleblink/it-o.git
Documentation: pkg.go.dev
# README
IT-O
Hacky linux memory probe with a grep-like interface for on-the-fly searching.
```
ito -p 123 -r '.{20}[D|d]roid.{20}'
123 0x000002645f60 State)({username:"droid",password:""}),t=b(d.
123 0x000002645f60 x)(Xl.Input,{label:"Droid",name:"password", "
...
```
Or use baked-in yara rules to search for multiple things at once.
```
ito -p 123 -Y
0x00000023dc3a 123 "sql://root:[email protected]:3306/portal\"" username_and_password_in_uri
0x00000027d5ea 123 "http://jean:[email protected]/jean/api.git" username_and_password_in_uri
...
```

Yara
Rules in the `rules` directory are embedded in the resulting binary. Use the `-Y` flag to run them against a PID.
The project uses the https://github.com/hillu/go-yara Go bindings, which means CGO. Deps:
- automake
- libtool
- make
- gcc
- pkg-config
```
make deps
make ito
```
Credits
- Procfs code taken from Prometheus
- Initial yara rules from shhgit
# Functions
No description provided by the author
NewFS returns a new FS mounted under the given mountPoint.
NewProc returns a process for the given pid under /proc.
No description provided by the author
# Constants
DefaultProcMountPoint is the common mount point of the proc filesystem.
# Variables
go:embed rules/*.
# Structs
No description provided by the author
No description provided by the author
ProcMap contains the process memory-mappings of the process read from `/proc/[pid]/maps`.
ProcMapPermissions contains permission settings read from `/proc/[pid]/maps`.
No description provided by the author
# Type aliases
FS represents a pseudo-filesystem, normally /proc or /sys, which provides an interface to kernel data structures.
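
The `ProcMap` and `ProcMapPermissions` entries above describe data read from `/proc/[pid]/maps`. As an added example (not the module's own code), the Go program below parses lines in that layout and keeps only the mappings with the read bit set. The type names, function names and sample lines are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Perms and Region are hypothetical types for this example, not the module's own.
type Perms struct{ Read, Write, Exec, Shared bool }

type Region struct {
	Start, End uint64
	Perms      Perms
	Path       string // empty for anonymous mappings
}

// Constructed sample in maps layout: range perms offset dev inode [path].
const sampleMaps = `00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/example
00651000-00652000 rw-p 00051000 08:02 173521 /usr/bin/example
7f1c00000000-7f1c00021000 ---p 00000000 00:00 0
7ffd5c1f0000-7ffd5c211000 rw-p 00000000 00:00 0 [stack]
not a maps line`

// parseMapsLine parses one maps line and rejects anything that does not fit the layout.
func parseMapsLine(line string) (Region, error) {
	f := strings.Fields(line)
	if len(f) < 5 || len(f[1]) != 4 {
		return Region{}, fmt.Errorf("malformed maps line: %q", line)
	}
	lo, hi, _ := strings.Cut(f[0], "-")
	start, err1 := strconv.ParseUint(lo, 16, 64)
	end, err2 := strconv.ParseUint(hi, 16, 64)
	if err1 != nil || err2 != nil || end <= start {
		return Region{}, fmt.Errorf("bad address range: %q", f[0])
	}
	p := f[1] // e.g. "r-xp": read, write, exec, then shared (s) or private (p)
	perms := Perms{p[0] == 'r', p[1] == 'w', p[2] == 'x', p[3] == 's'}
	return Region{start, end, perms, strings.Join(f[5:], " ")}, nil
}

// readableRegions keeps the mappings whose read bit is set and skips malformed lines.
func readableRegions(maps string) []Region {
	var out []Region
	for _, line := range strings.Split(maps, "\n") {
		if r, err := parseMapsLine(line); err == nil && r.Perms.Read {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	for _, r := range readableRegions(sampleMaps) {
		fmt.Printf("%#x-%#x %7d bytes %q\n", r.Start, r.End, r.End-r.Start, r.Path)
	}
}
```

Path names are rejoined with single spaces, so a path containing runs of whitespace is not reproduced byte for byte.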