reading process memory

Tofik Suleymanov tofik at oxygen.az
Thu Jun 8 10:29:58 UTC 2006


Diomidis Spinellis wrote:
> Tofik Suleymanov wrote:
>> Diomidis Spinellis wrote:
>>> Tofik Suleymanov wrote:
>>>>>   The only way you're going to be able to read another process's 
>>>>> address space is in the kernel. Even a process running as root is 
>>>>> not able to read another process's data.
>>>
>>> Incorrect; see this example:
>>>
>>> $ sed -e 's/this/that/' &
>>> [1] 87345
>>> $ /bin/su
>>> Password:
>>>
>>> # dd if=/proc/87345/mem conv=noerror 2> /dev/null | strings
>>> [...]
>>> @(#)compile.c   8.1 (Berkeley) 6/6/93
>>> [...]
>>> RE error: %s
>>> RuneMagiNONE
>>> /this/that/
>>> "s/this/that/
>>> s/this/that/
>>> this
>>> that
>>> that
>>>
>>>
>> I followed instructions in your email, but had no success getting 
>> similar results. When trying to read from mem file of particular 
>> process I get error messages from dd:
>> (many of these records populate the screen)
>> 0 bytes transferred in 6.393733 secs (0 bytes/sec)
>> dd: /proc/13150/mem: Bad address
>> dd: /proc/13150/mem: Bad address
>> 0+0 records in
>> 0+0 records out
>> 0 bytes transferred in 6.393795 secs (0 bytes/sec)
>>
>>
>> while pid 13510 exists:
>> paranoia# ps ax |grep 13150
>> 13150  p1  T      0:00.00 sed -e s/this/that/g
>> paranoia#
>>
>>
>> man 5 procfs says:
>>
>> mem     The complete virtual memory image of the process.  Only those
>>             address which exist in the process can be accessed.  Reads and
>>             writes to this file modify the process.  Writes to the text seg-
>>             ment remain private to the process.
>> map     A map of the process' virtual memory.
>>
>>
>> I wonder why I cannot just dd data from mem?
>>
> 
> Not all areas of the process's memory are accessible. This is why I set 
> the conv=noerr option to dd (rather than run strings directly on mem), 
> and also redirected the dd's standard error output to /dev/null.  Your 
> root's shell (probably tcsh) failed to do that.  (Tcsh doesn't offer a 
> way to redirect just the error output).  Run sh after the su command to 
> have this facility at your disposal.
> 
> Diomidis - http://www.spinellis.gr
> 

Works.
Thank you.

Sincerely,
Tofik Suleymanov
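The limitation Diomidis describes (only mapped addresses are readable, which is why a blind dd needs conv=noerror and a silenced stderr) can be honoured explicitly by consulting the map file before touching mem. The following is an added example, not code from this thread; it assumes Linux's /proc/<pid>/maps and /proc/<pid>/mem layout (FreeBSD's /proc/<pid>/map has a different format, so the parser below would need adapting) and scans the calling process for a constructed marker string.

```python
import os

# Constructed marker kept in this process's heap so the scan has a known hit.
MARKER = bytearray(b"CONSTRUCTED_MARKER_s/this/that/")


def readable_ranges(pid):
    """Parse /proc/<pid>/maps (Linux layout, assumed) into readable (start, end) ranges."""
    ranges = []
    with open(f"/proc/{pid}/maps") as f:
        for line in f:
            fields = line.split()
            addr, perms = fields[0], fields[1]
            path = fields[5] if len(fields) > 5 else ""
            # Skip unreadable mappings and kernel-backed ones that return EIO on read.
            if perms[0] != "r" or path in ("[vvar]", "[vsyscall]"):
                continue
            start, end = (int(x, 16) for x in addr.split("-"))
            ranges.append((start, end))
    return ranges


def search_memory(pid, pattern, chunk=1 << 20):
    """Return addresses where pattern occurs in pid's mapped, readable memory.

    Unmapped gaps are never read, so there is no "Bad address" noise to suppress.
    Matches straddling a chunk boundary are not detected (kept simple on purpose).
    """
    hits = []
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for start, end in readable_ranges(pid):
            off = start
            while off < end:
                try:
                    mem.seek(off)
                    data = mem.read(min(chunk, end - off))
                except OSError:
                    break  # mapping listed but not actually readable (e.g. EIO)
                if not data:
                    break
                i = data.find(pattern)
                while i != -1:
                    hits.append(off + i)
                    i = data.find(pattern, i + 1)
                off += len(data)
    return hits


def find_marker_in_self():
    """Scan the calling process for MARKER; non-empty result shows mem is readable."""
    return search_memory(os.getpid(), bytes(MARKER))
```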


More information about the freebsd-stable mailing list