Problem
Many modern applications (and malware) spawn child processes via fork() or CreateProcess(). Currently, m-vis loses the trail if the target spawns a new PID.
Proposed Solution
Windows: Use Debug Events to catch CREATE_PROCESS_DEBUG_EVENT
Debug event code: 3
Useful documentation:
https://microsoft.github.io/windows-docs-rs/doc/windows/Win32/System/Diagnostics/Debug/struct.CREATE_PROCESS_DEBUG_INFO.html
https://learn.microsoft.com/en-us/windows/win32/api/minwinbase/ns-minwinbase-create_process_debug_info
https://learn.microsoft.com/en-us/windows/win32/api/minwinbase/ns-minwinbase-debug_event
Linux: Use PTRACE_SETOPTIONS with PTRACE_O_TRACEFORK, PTRACE_O_TRACEVFORK, and PTRACE_O_TRACECLONE
Useful documentation:
https://www.man7.org/linux/man-pages/man2/ptrace.2.html
UX: The TUI should prompt the user or automatically switch to the new PID, maintaining a "History" of traced processes.
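As an added example (not m-vis code), the Linux half of this proposal as a minimal ptrace tracer in C: it sets the three PTRACE_O_TRACE* options, runs one wait loop for every tracee, pulls each new PID out of PTRACE_GETEVENTMSG into a history array, and swallows the SIGSTOP that auto-attached children start with. The tracee is a constructed child that forks a few grandchildren; trace_forks, history and cap are names assumed here.

```c
#define _GNU_SOURCE                       /* POSIX process APIs under strict -std= modes */
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Tracer-side loop that follows fork/vfork/clone. The tracee is a constructed child
 * that forks `nforks` short-lived grandchildren. Returns how many new PIDs the kernel
 * auto-attached (stored in history[], up to cap), or -1 if ptrace is not permitted here. */
int trace_forks(int nforks, pid_t *history, int cap) {
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {                         /* tracee: ask to be traced, then fork */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(99);
        raise(SIGSTOP);                       /* pause so the tracer can set options */
        for (int i = 0; i < nforks; i++) {
            pid_t g = fork();
            if (g == 0) _exit(0);             /* grandchild: auto-attached by the kernel */
            waitpid(g, NULL, 0);
        }
        _exit(0);
    }
    int status, found = 0;
    if (waitpid(child, &status, 0) != child || !WIFSTOPPED(status)) return -1;
    /* Without these options the tracer would never hear about the new PIDs. */
    long opts = PTRACE_O_TRACEFORK | PTRACE_O_TRACEVFORK | PTRACE_O_TRACECLONE | PTRACE_O_EXITKILL;
    if (ptrace(PTRACE_SETOPTIONS, child, NULL, (void *)opts) == -1) {
        kill(child, SIGKILL); waitpid(child, NULL, 0); return -1;
    }
    ptrace(PTRACE_CONT, child, NULL, NULL);
    for (;;) {                                /* one wait loop serves *all* tracees */
        pid_t p = waitpid(-1, &status, __WALL);
        if (p == -1) break;
        if (WIFEXITED(status) || WIFSIGNALED(status)) {   /* some tracee is gone */
            if (p == child) break; else continue;          /* trail ends with the target */
        }
        int sig = WSTOPSIG(status), event = status >> 16;
        if (sig == SIGTRAP && (event == PTRACE_EVENT_FORK || event == PTRACE_EVENT_VFORK
                               || event == PTRACE_EVENT_CLONE)) {
            unsigned long newpid = 0;         /* the new PID rides in the event message */
            ptrace(PTRACE_GETEVENTMSG, p, NULL, &newpid);
            if (found < cap) history[found] = (pid_t)newpid;
            found++;
            sig = 0;                          /* event SIGTRAP is not a real signal */
        } else if (sig == SIGSTOP && p != child) sig = 0;  /* attach-stop of a fresh tracee */
        ptrace(PTRACE_CONT, p, NULL, (void *)(long)sig);   /* resume, injecting sig or 0 */
    }
    return found;
}
```

On the Windows side the matching prerequisite is creating the target with DEBUG_PROCESS rather than DEBUG_ONLY_THIS_PROCESS, otherwise child processes never produce a CREATE_PROCESS_DEBUG_EVENT.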