reading process memory
Tofik Suleymanov
tofik at oxygen.az
Thu Jun 8 10:29:58 UTC 2006
Diomidis Spinellis wrote:
> Tofik Suleymanov wrote:
>> Diomidis Spinellis wrote:
>>> Tofik Suleymanov wrote:
>>>>> The only way you're going to be able to read another process's
>>>>> address space is in the kernel. Even a process running as root is
>>>>> not able to read another process's data.
>>>
>>> Incorrect; see this example:
>>>
>>> $ sed -e 's/this/that/' &
>>> [1] 87345
>>> $ /bin/su
>>> Password:
>>>
>>> # dd if=/proc/87345/mem conv=noerror 2> /dev/null | strings
>>> [...]
>>> @(#)compile.c 8.1 (Berkeley) 6/6/93
>>> [...]
>>> RE error: %s
>>> RuneMagiNONE
>>> /this/that/
>>> "s/this/that/
>>> s/this/that/
>>> this
>>> that
>>> that
>>>
>>>
>> I followed the instructions in your email, but had no success getting
>> similar results. When trying to read from the mem file of a particular
>> process I get error messages from dd:
>> (many of these records populate the screen)
>> 0 bytes transferred in 6.393733 secs (0 bytes/sec)
>> dd: /proc/13150/mem: Bad address
>> dd: /proc/13150/mem: Bad address
>> 0+0 records in
>> 0+0 records out
>> 0 bytes transferred in 6.393795 secs (0 bytes/sec)
>>
>>
>> while pid 13510 exists:
>> paranoia# ps ax |grep 13150
>> 13150 p1 T 0:00.00 sed -e s/this/that/g
>> paranoia#
>>
>>
>> man 5 procfs says:
>>
>> mem The complete virtual memory image of the process. Only those
>> address which exist in the process can be accessed. Reads and
>> writes to this file modify the process. Writes to the text
>> segment remain private to the process.
>> map A map of the process' virtual memory.
>>
>>
>> I wonder why I cannot just dd data from mem?
>>
>
> Not all areas of the process's memory are accessible. This is why I set
> the conv=noerr option to dd (rather than run strings directly on mem),
> and also redirected the dd's standard error output to /dev/null. Your
> root's shell (probably tcsh) failed to do that. (Tcsh doesn't offer a
> way to redirect just the error output). Run sh after the su command to
> have this facility at your disposal.
>
> Diomidis - http://www.spinellis.gr
>
Works.
Thank you.
Sincerely,
Tofik Suleymanov
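
The thread's point that only some address ranges of `mem` can be read is handled here by consulting the process's `map` file first and reading only the regions marked readable. This is an added example, not code from either poster: it assumes the FreeBSD procfs `map` layout (start address, end address, three further fields, then the protection string as the sixth field) and a 4096-byte page size; the function names `readable_ranges` and `dump_readable` are hypothetical and the sample map lines are constructed.

```shell
#!/bin/sh
# Added example: read only the mapped, readable regions of /proc/<pid>/mem.
# Usage (as root, under sh rather than tcsh): dump_readable <pid> | strings

PAGE=4096   # assumed page size; map regions are page-aligned

# Read procfs "map" lines on stdin and print "<skip> <count>" (both in
# pages) for every region whose protection string grants read access.
readable_ranges() {
    while read -r start end _res _pres _obj prot _rest; do
        case "$prot" in
            r*) ;;              # readable region: keep it
            *)  continue ;;     # unreadable: dd would report "Bad address"
        esac
        echo "$(( $start / $PAGE )) $(( ($end - $start) / $PAGE ))"
    done
}

# Write the readable regions of process $1 to stdout. skip= and count=
# are in units of bs. conv=noerror and 2> /dev/null are kept from the
# thread in case a region disappears between the map read and the dd.
dump_readable() {
    readable_ranges < "/proc/$1/map" |
    while read -r skip count; do
        dd if="/proc/$1/mem" bs="$PAGE" skip="$skip" count="$count" \
            conv=noerror 2> /dev/null
    done
}

# Constructed sample lines in the assumed map layout (not real output).
SAMPLE_MAP='0x400000 0x405000 5 0 0xc2f5b000 r-x 1 0 0x0 COW NC vnode /usr/bin/sed
0x504000 0x505000 1 0 0xc2f5c000 rw- 1 0 0x0 COW NNC vnode /usr/bin/sed
0x28050000 0x28060000 0 0 0 --- 0 0 0x0 NCOW NNC none -'
```

Piping `SAMPLE_MAP` through `readable_ranges` shows the read plan without touching any process.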