process_memory_map¶
Process memory mapped files and pseudo device/regions.
Platform support¶
Please be aware that some queries can only be run against certain platforms. Below is a list of the supported platforms that this query supports. Zercurity will automatically pause queries from running if errors are detected. Running a query against an unsupported platform will result in the following error: no such table: process_memory_map
Windows
Linux
Mac OSX
Free BSD
Table schema¶
Name |
Type |
Description |
|---|---|---|
pid |
INTEGER |
Process (or thread) ID |
start |
TEXT |
Virtual start address (hex) |
end |
TEXT |
Virtual end address (hex) |
permissions |
TEXT |
r=read, w=write, x=execute, p=private (cow) |
offset |
BIGINT |
Offset into mapped path |
device |
TEXT |
MA:MI Major/minor device ID |
inode |
INTEGER |
Mapped path inode, 0 means uninitialized (BSS) |
path |
TEXT |
Path to mapped file or mapped type |
pseudo |
INTEGER |
1 If path is a pseudo path, else 0 |
Query examples¶
select * from process_memory_map where pid = 1