Re: reading process memory
On 6/7/06, Tofik Suleymanov <[EMAIL PROTECTED]> wrote:

> Hello, folks
>
> I believe that it is possible to read contents of the memory used/utilized by a process (assuming right privileges).
> First I've tried to do this through procfs by reading 'mem' property of the given process, but no success.
> Maybe there is another way of doing such things?
> Any clue would be appreciated.

If I understood correctly what you wish to do, then you can use the proc_rwmem() function in the kernel. But of course, it can only be used through a KLD or directly through the kernel src. This is what ptrace ultimately uses. For 5.4 stable you can find it here: http://fxr.watson.org/fxr/ident?v=RELENG54&i=proc_rwmem

HTH.

Regards,
Pranav

UNIX is a computer virus with an interface.
-- The UNIX-HATERS Handbook

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: reading process memory
Hello!

On Wed, 7 Jun 2006, Tofik Suleymanov wrote:

> I believe that it is possible to read contents of the memory used/utilized by a process (assuming right privileges).

Yes, procfs allows it to user with the process's UID (or root).

> First I've tried to do this through procfs by reading 'mem' property of the given process, but no success.

Yes, process's virtual address space is accessible via /proc//mem file, just don't forget that it's sparse. So you can't just 'hd mem', you should specify valid offset. /proc//map will help you to do so:

    [EMAIL PROTECTED] cd /proc/curproc
    [EMAIL PROTECTED] cat map
    0x8048000 0x80b 99 0 0xc68fc630 r-x 20 10 0x8004 COW NC vnode
    ...
    [EMAIL PROTECTED] dd if=mem bs=0x100 skip=0x80480 |hd|more
    7f 45 4c 46 01 01 01 09 00 00 00 00 00 00 00 00 |.ELF|
    0010 02 00 03 00 01 00 00 00 24 6e 05 08 34 00 00 00 |$n..4...|
    0020 e0 ac 06 00 00 00 00 00 34 00 20 00 05 00 28 00 |Ю╛..4. ...(.|

P.S. I've once found the cause of the memory leak by examining virtual address space of my process and finding the repeated leaked pattern.

> Thanks,
> Tofik Suleymanov

Sincerely, Dmitry
--
Atlantis ISP, System Administrator
e-mail: [EMAIL PROTECTED]
nic-hdl: LYNX-RIPE
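The approach described in the reply above (consult the map file for a valid range before reading the sparse mem file), as an added C example that is not part of the original thread. The field layout is assumed from the map line shown in the post (start, end, three skipped fields, then permissions); the sample line is constructed, and parse_map_line and read_region are hypothetical helper names.

```c
#define _XOPEN_SOURCE 700   /* for pread() */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* One mapping from a procfs map line: [start, end) and its permission string. */
struct region { unsigned long start, end; char perms[8]; };

/* Parse "start end resident privres obj perms ..." (layout assumed from the
 * map line in the post). Returns 0 on success, -1 on a malformed line. */
int parse_map_line(const char *line, struct region *r)
{
    if (sscanf(line, "%lx %lx %*s %*s %*s %7s",
               &r->start, &r->end, r->perms) != 3)
        return -1;
    return (r->end > r->start) ? 0 : -1;
}

/* Read up to len bytes at virtual address addr from an open mem file
 * (e.g. a descriptor for /proc/<pid>/mem opened read-only by the process
 * owner or root). Refuses unreadable mappings and addresses outside the
 * mapping, so the read never lands in a hole of the sparse file. */
ssize_t read_region(int memfd, const struct region *r,
                    unsigned long addr, void *buf, size_t len)
{
    if (r->perms[0] != 'r' || addr < r->start || addr >= r->end)
        return -1;
    if (len > r->end - addr)
        len = r->end - addr;          /* clamp to the end of the mapping */
    return pread(memfd, buf, len, (off_t)addr);
}

int main(void)
{
    /* Constructed sample line, not captured from a real process. */
    const char *line =
        "0x8048000 0x80b0000 99 0 0xc68fc630 r-x 20 10 0x0 COW NC vnode";
    struct region r;

    if (parse_map_line(line, &r) != 0)
        return 1;
    printf("%#lx-%#lx %s (%lu bytes mapped)\n",
           r.start, r.end, r.perms, r.end - r.start);
    return 0;
}
```

pread() is used instead of seeking so that the virtual address is passed as an off_t offset in a single call.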
Re: reading process memory
James Riendeau wrote:

> I'm going to anticipate your next question, and say that if you're not the parent, you will have to "attach" to the process. How that's done? I don't know, probably through a system call to ptrace or writing to the procfs ctl directory. I'm speaking through erudite knowledge rather than any real experience working with procfs.
>
> -james

Continue reading this thread and you will see that you are right. In order to read/write process memory we need to use either ptrace(2) system call or procfs. Thanks for all useful thoughts!

Sincerely,
Tofik Suleymanov
Re: reading process memory
I'm going to anticipate your next question, and say that if you're not the parent, you will have to "attach" to the process. How that's done? I don't know, probably through a system call to ptrace or writing to the procfs ctl directory. I'm speaking through erudite knowledge rather than any real experience working with procfs.

-james

On Jun 7, 2006, at 2:33 PM, James Riendeau wrote:

> Ahh. I think I goofed slightly. I think your application has to be the parent of the running process to get at that property. See:
>
> http://www.informit.com/articles/article.asp?p=366888&seqNum=10
>
> James Riendeau
> MMI Computer Support Technician
> 1300 University Ave
> Rm. 436, Dept. of MedMicro
> Madison, WI 53706
> Phone: (608) 262-3351
> After-hours Phone: (608) 260-2696
> Fax: (608) 262-8418
> Email: [EMAIL PROTECTED]
>
> On Jun 7, 2006, at 10:24 AM, Tofik Suleymanov wrote:
>
> > James Riendeau wrote:
> >
> > > How are you defining "assuming right privileges"?
> >
> > assuming uid 0
> >
> > > The only way you're going to be able to read another process's address space is in the kernel. Even a process running as root is not able to read another process's data.
> >
> > how does gdb then read for example different variables of running program?
> >
> > > One of the principal responsibilities of the OS is to manage the private memory space of each process, and I emphasize private. The last thing you would want on a secure system is the ability of other processes to read or write to another process's address space. Even a parent process should not be able to read a child's address space, as the fork logically duplicates their address space and they go their separate ways. An attempt to read another process's address space should trap to the kernel and the kernel should kill the process immediately. There is one exception to this: you can set up a pipe or memory share between two processes, however, both processes have to agree to share some memory or connect via a pipe.
> > >
> > > I'm not going to give you a howto via email as the subject usually fills a solid chapter in most OS books.
> >
> > Thank you for brief and altogether extensive explanation of the case. The thing I wanted to do is to read let's say portions of memory where .bss and .data block of a running program reside. Is that possible?
> >
> > Sincerely,
> > Tofik Suleymanov
Re: reading process memory
Ahh. I think I goofed slightly. I think your application has to be the parent of the running process to get at that property. See:

http://www.informit.com/articles/article.asp?p=366888&seqNum=10

James Riendeau
MMI Computer Support Technician
1300 University Ave
Rm. 436, Dept. of MedMicro
Madison, WI 53706
Phone: (608) 262-3351
After-hours Phone: (608) 260-2696
Fax: (608) 262-8418
Email: [EMAIL PROTECTED]

On Jun 7, 2006, at 10:24 AM, Tofik Suleymanov wrote:

> James Riendeau wrote:
>
> > How are you defining "assuming right privileges"?
>
> assuming uid 0
>
> > The only way you're going to be able to read another process's address space is in the kernel. Even a process running as root is not able to read another process's data.
>
> how does gdb then read for example different variables of running program?
>
> > One of the principal responsibilities of the OS is to manage the private memory space of each process, and I emphasize private. The last thing you would want on a secure system is the ability of other processes to read or write to another process's address space. Even a parent process should not be able to read a child's address space, as the fork logically duplicates their address space and they go their separate ways. An attempt to read another process's address space should trap to the kernel and the kernel should kill the process immediately. There is one exception to this: you can set up a pipe or memory share between two processes, however, both processes have to agree to share some memory or connect via a pipe.
> >
> > I'm not going to give you a howto via email as the subject usually fills a solid chapter in most OS books.
>
> Thank you for brief and altogether extensive explanation of the case. The thing I wanted to do is to read let's say portions of memory where .bss and .data block of a running program reside. Is that possible?
>
> Sincerely,
> Tofik Suleymanov
Re: reading process memory
> > I believe that it is possible to read contents of the memory used/utilized by a process (assuming right privileges).
> > First I've tried to do this through procfs by reading 'mem' property of the given process, but no success.
> > Maybe there is another way of doing such things?
> > Any clue would be appreciated.

see "man 5 procfs"

[I removed -stable, as I think it's unnecessary cross-posting]

--
Bill Moran
Collaborative Fusion Inc.
Re: reading process memory
How are you defining "assuming right privileges"? The only way you're going to be able to read another process's address space is in the kernel. Even a process running as root is not able to read another process's data.

One of the principal responsibilities of the OS is to manage the private memory space of each process, and I emphasize private. The last thing you would want on a secure system is the ability of other processes to read or write to another process's address space. Even a parent process should not be able to read a child's address space, as the fork logically duplicates their address space and they go their separate ways. An attempt to read another process's address space should trap to the kernel and the kernel should kill the process immediately. There is one exception to this: you can set up a pipe or memory share between two processes, however, both processes have to agree to share some memory or connect via a pipe.

I'm not going to give you a howto via email as the subject usually fills a solid chapter in most OS books.

James Riendeau
MMI Computer Support Technician
1300 University Ave
Rm. 436, Dept. of MedMicro
Madison, WI 53706
Phone: (608) 262-3351
After-hours Phone: (608) 260-2696
Fax: (608) 262-8418
Email: [EMAIL PROTECTED]

On Jun 7, 2006, at 4:49 AM, Tofik Suleymanov wrote:

> Hello, folks
>
> I believe that it is possible to read contents of the memory used/utilized by a process (assuming right privileges).
> First I've tried to do this through procfs by reading 'mem' property of the given process, but no success.
> Maybe there is another way of doing such things?
> Any clue would be appreciated.
>
> Thanks,
> Tofik Suleymanov
reading process memory
Hello, folks

I believe that it is possible to read contents of the memory used/utilized by a process (assuming right privileges).
First I've tried to do this through procfs by reading 'mem' property of the given process, but no success.
Maybe there is another way of doing such things?
Any clue would be appreciated.

Thanks,
Tofik Suleymanov