Gilad Ben-Yossef wrote:
At least in theory this should work. I say in theory, because I've
been getting an error on my Ubuntu trying to open /proc/$PID/mem by YMMV:
$ cat /proc/$PID/mem | hexdump -c > before
$ cat /proc/$PID/mem | hexdump -c> after
You can only use /proc/PID/mem if you are already attached to that
process as a debugger. This makes /proc/PID/mem somewhat redundant to
using PTRACE_PEEKDATA. For some reason, even as a debugger, you cannot
mmap it and use it as a forced shared mem mechanism. Furthermore, I have
actually had cases where PTRACE_PEEKDATA returned data and /proc/PID/mem
didn't for the same memory area, even when attached as a debugger. As
such, I rate /proc/PID/mem as somewhere beneath useless.
What Noam is looking for, as far as I can tell, is something where pause
the program and tell the debugger "now the value I'm looking for is 5",
resume the program, play some more, and then pause it and say "now the
value is 4". Eventually, hopefully, you narrow down the value to the
point where you know where it is stored in memory, despite not having
any prior knowledge about the program. This is not difficult to write
(for some definition of "difficult").
Shachar
=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]