by rafaeldavidtin
450 days ago
Take a look at https://jibril.garnet.ai/readme/theory-behind so you have a better understanding of what we are doing. As long as there is 'a resource' and 'an action', we can track it. Full memory (file-backed or not) introspection is tricky due to performance reasons (like checksumming files, picking entire content being read/written to pages, etc). Still, we would be able to do it if we wanted (especially considering we can add uprobes on-demand for binaries being executed). Hope that helps.