Process memory mapped files and pseudo device/regions.

Platform support

Please be aware that some queries can only be run against certain platforms. Below is a list of the supported platforms that this query supports. Zercurity will automatically pause queries from running if errors are detected. Running a query against an unsupported platform will result in the following error: no such table: process_memory_map

  • Windows
  • Linux
  • Mac OSX
  • Free BSD

Table schema

Name Type Description
pid INTEGER Process (or thread) ID
start TEXT Virtual start address (hex)
end TEXT Virtual end address (hex)
permissions TEXT r=read, w=write, x=execute, p=private (cow)
offset BIGINT Offset into mapped path
device TEXT MA:MI Major/minor device ID
inode INTEGER Mapped path inode, 0 means uninitialized (BSS)
path TEXT Path to mapped file or mapped type
pseudo INTEGER 1 If path is a pseudo path, else 0

Query examples

select * from process_memory_map where pid = 1