reading process memory
Diomidis Spinellis
dds at aueb.gr
Thu Jun 8 10:17:20 UTC 2006
Tofik Suleymanov wrote:
> Diomidis Spinellis wrote:
>> Tofik Suleymanov wrote:
>>>> The only way you're going to be able to read another process's
>>>> address space is in the kernel. Even a process running as root is not
>>>> able to read another process's data.
>>
>> Incorrect; see this example:
>>
>> $ sed -e 's/this/that/' &
>> [1] 87345
>> $ /bin/su
>> Password:
>>
>> # dd if=/proc/87345/mem conv=noerror 2> /dev/null | strings
>> [...]
>> @(#)compile.c 8.1 (Berkeley) 6/6/93
>> [...]
>> RE error: %s
>> RuneMagiNONE
>> /this/that/
>> "s/this/that/
>> s/this/that/
>> this
>> that
>> that
>>
>>
> I followed instructions in your email, but had no success getting
> similar results. When trying to read from mem file of particular
> process I get error messages from dd:
> (many of these records populate the screen)
> 0 bytes transferred in 6.393733 secs (0 bytes/sec)
> dd: /proc/13150/mem: Bad address
> dd: /proc/13150/mem: Bad address
> 0+0 records in
> 0+0 records out
> 0 bytes transferred in 6.393795 secs (0 bytes/sec)
>
>
> while pid 13510 exists:
> paranoia# ps ax |grep 13150
> 13150 p1 T 0:00.00 sed -e s/this/that/g
> paranoia#
>
>
> man 5 procfs says:
>
> mem The complete virtual memory image of the process. Only those
> address which exist in the process can be accessed. Reads and
> writes to this file modify the process. Writes to the text
> segment remain private to the process.
> map A map of the process' virtual memory.
>
>
> I wonder why I cannot just dd data from mem ?
>
Not all areas of the process's memory are accessible. This is why I set
the conv=noerr option to dd (rather than run strings directly on mem),
and also redirected the dd's standard error output to /dev/null. Your
root's shell (probably tcsh) failed to do that. (Tcsh doesn't offer a
way to redirect just the error output). Run sh after the su command to
have this facility at your disposal.
Diomidis - http://www.spinellis.gr
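
Added example, not part of the original message: a small Python model of what the reply describes, where reads of unmapped blocks fail with "Bad address" and a reader that skips them (as dd does with conv=noerror) still recovers the strings in the mapped blocks. SparseImage, read_noerror, strings and demo are hypothetical names, and the memory layout is constructed for illustration.

```python
import errno
import re

BLOCK = 512  # dd's default block size

class SparseImage:
    """Constructed stand-in for a procfs mem file: only mapped ranges are readable."""
    def __init__(self, regions, size):
        self.regions = regions      # {start_offset: bytes}
        self.size = size
        self.pos = 0

    def seek(self, offset):
        self.pos = offset

    def read(self, n):
        if self.pos >= self.size:
            return b""              # end of the address space
        for start, data in self.regions.items():
            if start <= self.pos < start + len(data):
                off = self.pos - start
                return data[off:off + n]
        raise OSError(errno.EFAULT, "Bad address")   # unmapped block

def read_noerror(img, block=BLOCK):
    """Modelled on dd conv=noerror: a failed block is counted and skipped, not fatal."""
    chunks, errors, offset = [], 0, 0
    while True:
        img.seek(offset)
        try:
            buf = img.read(block)
        except OSError:
            errors += 1
            chunks.append(b"\0")    # keep strings from joining across a hole
            offset += block
            continue
        if not buf:
            return b"".join(chunks), errors
        chunks.append(buf)
        offset += len(buf)

def strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, the strings(1) default."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def demo():
    # Constructed layout: two mapped blocks separated by unmapped ones.
    regions = {2 * BLOCK: b"s/this/that/\0".ljust(BLOCK, b"\0"),
               5 * BLOCK: b"RE error: %s\0".ljust(BLOCK, b"\0")}
    return read_noerror(SparseImage(regions, 8 * BLOCK))
```
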