Envars listing addition + Macos process filtering enhanced.#7

Open
forensicxlab wants to merge 3 commits into memflow:main from forensicxlab:main

Conversation

@forensicxlab forensicxlab commented Feb 27, 2026

This PR implements the process environment APIs (envar_list_callback, environment_block_address, envar_list_from_address) across all native backends and aligns behavior between platforms.

Windows: Envars are collected via sysinfo (Process::environ()) and parsed.
Linux: Envars are collected from /proc/<pid>/environ and parsed.
macOS: Envars are collected by calling sysctl(KERN_PROCARGS2) and parsed.

It is linked to memflow PR and memflow-rawmem PR and memflow-win32

To build this PR for testing (Linux/macOS/Windows):

cd /TEST/PATH/
git clone https://github.com/forensicxlab/memflow-native.git
git clone https://github.com/forensicxlab/memflow.git
cd memflow-native

Uncomment the following lines in Cargo.toml

memflow = { version = "0.2", features = ["plugins", "goblin"] } <- Comment
#memflow = { path = "../memflow/memflow" } <- Uncomment

Testing on macOS/Linux

Module listing (now working on the latest macOS)

cd /TEST/PATH/memflow
MEMFLOW_PLUGIN_PATH=/TEST/PATH/memflow-native/target/debug \
cargo run --example module_list -- --os native --process module_list

Envars

cd /TEST/PATH/memflow
MEMFLOW_PLUGIN_PATH=FULL/PATH/TO/memflow-native/target/debug \
cargo run --example envars_list -- --os native --process envars_list --envar PATH

Testing on Windows 11 latest (PowerShell)

Envars

cd /TEST/PATH/memflow
cmd /c "set \"MEMFLOW_PLUGIN_PATH=FULL\PATH\TO\memflow-native\target\release\" && cd /d FULL\PATH\TO\memflow\memflow && cargo run --example envars_list -- -o native -p explorer.exe -e PATH"

Fixes / enhancements

  • Fixed pidinfo call to use the target PID correctly (pidinfo(pid, 0)), instead of mixing caller/target args.
  • Reworked process arg parsing into reusable helpers (read_procargs2 / parse_procargs2) and used that for consistent path/command_line extraction.
  • Removed the fixed shared scratch buffer from macOS; the buffer size now follows KERN_ARGMAX.
  • Decoupled process selection from task-port acquisition: MacProcess::try_new no longer hard-fails if task_for_pid is denied; it creates a process with deferred port acquisition.

For module enumeration I added a small improvement to get more results: I kept dyld-based module enumeration as the primary path, which is working well, but we can also fall back to region-based enumeration (PROC_PIDREGIONPATHINFO) when the dyld/task-port path fails. This worked well for protected processes like GUI processes (Finder, Dock, loginwindow), where the dyld/task-port path is unavailable.

First contribution to this project, happy to follow your guidance on the implementation / things to correct.
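The macOS backend described above parses the buffer returned by sysctl(KERN_PROCARGS2) into path, arguments and environment. The following is an added, stand-alone illustration of that parsing and is not code from this PR or from memflow-native; it assumes the documented XNU layout (native-endian u32 argc, NUL-terminated executable path, NUL padding, argv strings, then KEY=VALUE strings) and a constructed sample buffer rather than a real process.

```rust
/// Parsed view of a KERN_PROCARGS2 buffer: executable path, argv, and envars.
#[derive(Debug, PartialEq)]
pub struct ProcArgs2 {
    pub exec_path: String,
    pub args: Vec<String>,
    pub envars: Vec<(String, String)>,
}

/// Parse raw bytes as returned by sysctl(KERN_PROCARGS2).
/// Assumed layout: native-endian u32 argc, NUL-terminated executable path,
/// zero or more NUL padding bytes, `argc` NUL-terminated argv strings, then
/// NUL-terminated "KEY=VALUE" environment strings. Recent macOS appends
/// further "apple" strings after envp; this example does not separate them.
pub fn parse_procargs2(buf: &[u8]) -> Option<ProcArgs2> {
    if buf.len() < 4 { return None; }
    let argc = u32::from_ne_bytes([buf[0], buf[1], buf[2], buf[3]]) as usize;
    let mut pos = 4;
    // Executable path: bytes up to the first NUL.
    let end = buf[pos..].iter().position(|&b| b == 0)? + pos;
    let exec_path = String::from_utf8_lossy(&buf[pos..end]).into_owned();
    pos = end;
    // Skip the NUL padding between the exec path and argv[0].
    while pos < buf.len() && buf[pos] == 0 { pos += 1; }
    // Remaining NUL-terminated strings; a final string without NUL is kept
    // because the kernel truncates the buffer at KERN_ARGMAX.
    let mut strings = buf[pos..].split(|&b| b == 0)
        .map(|s| String::from_utf8_lossy(s).into_owned());
    let args: Vec<String> = strings.by_ref().take(argc).collect();
    if args.len() != argc { return None; } // truncated before all argv
    let envars = strings
        .take_while(|s| !s.is_empty())
        .filter_map(|s| { let (k, v) = s.split_once('=')?; Some((k.to_string(), v.to_string())) })
        .collect();
    Some(ProcArgs2 { exec_path, args, envars })
}

/// Look up a single variable, as `--envar PATH` would.
pub fn lookup<'a>(p: &'a ProcArgs2, key: &str) -> Option<&'a str> {
    p.envars.iter().find(|(k, _)| k == key).map(|(_, v)| v.as_str())
}

/// Constructed sample buffer (not captured from a real process).
pub fn sample_buffer() -> Vec<u8> {
    let mut b = 2u32.to_ne_bytes().to_vec();
    b.extend_from_slice(b"/usr/bin/env\0\0\0\0"); // exec path + alignment padding
    b.extend_from_slice(b"env\0-i\0");            // argv (argc = 2)
    b.extend_from_slice(b"PATH=/usr/bin:/bin\0HOME=/Users/demo\0\0");
    b
}
```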

@forensicxlab forensicxlab changed the title Envars listing addition. Envars listing addition + Macos process filtering enhanced. Feb 27, 2026