
Found this video:

https://www.youtube.com/watch?v=De4rBaAdKNA

In the video Meltdown is used to read process memory based on PID/name.

How is it done?

The program looks for task_struct in leaked memory and parses data out of it, based on the struct members PID or COMM?

Can somebody explain it? Ideally using programming concepts, but a general answer is also OK.

How come it works so quickly? I ran experiments and it seems that task_struct is 5760 bytes big for one process! It would take a while to read it, and how would you know that you got it completely? I mean, you would have to check all 5760 bytes and see whether the data at certain offsets (struct members) makes sense?

Additionally, there is quite a big chunk of kernel virtual address space to read to look for this info:

/* Base of the kernel's direct (linear) mapping of physical memory,
 * i.e. the region a Meltdown read has to scan for task_struct data. */
#ifdef __x86_64__
#define DEFAULT_PHYSICAL_OFFSET 0xffff880000000000ull
#else
#define DEFAULT_PHYSICAL_OFFSET 0xc0000000ull
#endif
