reading process memory

Diomidis Spinellis dds at aueb.gr
Thu Jun 8 10:17:20 UTC 2006


Tofik Suleymanov wrote:
> Diomidis Spinellis wrote:
>> Tofik Suleymanov wrote:
>>>>   The only way you're going to be able to read another process's 
>>>> address space is in the kernel. Even a process running as root is not 
>>>> able to read another process's data.
>>
>> Incorrect; see this example:
>>
>> $ sed -e 's/this/that/' &
>> [1] 87345
>> $ /bin/su
>> Password:
>>
>> # dd if=/proc/87345/mem conv=noerror 2> /dev/null | strings
>> [...]
>> @(#)compile.c   8.1 (Berkeley) 6/6/93
>> [...]
>> RE error: %s
>> RuneMagiNONE
>> /this/that/
>> "s/this/that/
>> s/this/that/
>> this
>> that
>> that
>>
>>
> I followed instructions in your email, but had no success of getting 
> similar results. When trying to read from mem file of particular 
> process I get error messages from dd:
> (many of this records populate the screen)
> 0 bytes transferred in 6.393733 secs (0 bytes/sec)
> dd: /proc/13150/mem: Bad address
> dd: /proc/13150/mem: Bad address
> 0+0 records in
> 0+0 records out
> 0 bytes transferred in 6.393795 secs (0 bytes/sec)
> 
> 
> while pid 13510 exists:
> paranoia# ps ax |grep 13150
> 13150  p1  T      0:00.00 sed -e s/this/that/g
> paranoia#
> 
> 
> man 5 procfs says:
> 
> mem     The complete virtual memory image of the process.  Only those
>             address which exist in the process can be accessed.  Reads and
>             writes to this file modify the process.  Writes to the text
>             segment remain private to the process.
> map     A map of the process' virtual memory.
> 
> 
> I wonder why I cannot just dd data from mem?
> 

Not all areas of the process's memory are accessible. This is why I set 
the conv=noerr option to dd (rather than run strings directly on mem), 
and also redirected dd's standard error output to /dev/null.  Your 
root's shell (probably tcsh) failed to do that.  (Tcsh doesn't offer a 
way to redirect just the error output).  Run sh after the su command to 
have this facility at your disposal.

Diomidis - http://www.spinellis.gr
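The dd/strings pipeline above works because conv=noerror keeps going past the "Bad address" (EFAULT) reads that hit holes in the address space. The following program, an added example that is not part of the thread, does the same thing explicitly: it parses the procfs(5) "map" file to find the readable mappings, then reads each one out of "mem" page by page with pread(), skipping any page the kernel refuses, and prints printable runs the way strings(1) would. The map field layout (start, end, resident, private, object, r/w/x permissions, ...), the EFAULT/EIO error codes and the PAGE size are assumptions about FreeBSD procfs; the function names, the page-at-a-time granularity and the selftest_fake_mem() helper (which stands a temporary file in for /proc/PID/mem) are this example's own.

```c
/* Added example (not from the thread): walk a process's readable mappings
 * from a FreeBSD-style /proc/PID/map listing and read them from
 * /proc/PID/mem, skipping unreadable pages like dd conv=noerror does. */
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PAGE    4096   /* assumed read granularity; one page per pread() */
#define MIN_STR 4      /* minimum run length, same default as strings(1) */

struct region { unsigned long start, end; char perms[4]; };

/* Parse one "map" line.  Assumed procfs(5) layout:
 *   0xSTART 0xEND resident private 0xOBJ PERMS ref shadow flags COW NC type path
 * Returns 1 on success, 0 for a line that does not fit. */
int parse_map_line(const char *line, struct region *r) {
    unsigned long s, e, obj; int res, priv; char perms[8];
    if (sscanf(line, "%lx %lx %d %d %lx %7s", &s, &e, &res, &priv, &obj, perms) != 6)
        return 0;
    if (e <= s) return 0;
    r->start = s; r->end = e;
    strncpy(r->perms, perms, 3); r->perms[3] = '\0';
    return 1;
}

/* Read [start,end) from fd one page at a time.  A page the kernel rejects
 * with EFAULT/EIO (the "Bad address" dd reported) is skipped, and reading
 * continues with the next page: the conv=noerror behaviour.  Bytes read are
 * handed to emit().  Returns bytes delivered, -1 on any other error. */
long read_region_noerror(int fd, unsigned long start, unsigned long end,
                         void (*emit)(const unsigned char *, size_t, void *),
                         void *ctx) {
    unsigned char buf[PAGE];
    long total = 0;
    for (unsigned long off = start; off < end; off += PAGE) {
        size_t want = (end - off < PAGE) ? (size_t)(end - off) : PAGE;
        ssize_t n = pread(fd, buf, want, (off_t)off);
        if (n < 0) {
            if (errno == EFAULT || errno == EIO) continue;  /* hole: skip page */
            return -1;
        }
        if (n == 0) break;                                  /* nothing further */
        emit(buf, (size_t)n, ctx);
        total += n;
    }
    return total;
}

/* strings(1)-style sink: collects runs of printable bytes that may span
 * page boundaries; prints them to out (if non-NULL) and counts them. */
struct strings_ctx { FILE *out; int count; char cur[256]; size_t curlen; };

void flush_run(struct strings_ctx *c) {
    if (c->curlen >= MIN_STR) {
        if (c->out) fprintf(c->out, "%.*s\n", (int)c->curlen, c->cur);
        c->count++;
    }
    c->curlen = 0;
}

void strings_sink(const unsigned char *p, size_t n, void *ctx) {
    struct strings_ctx *c = ctx;
    for (size_t i = 0; i < n; i++) {
        if (isprint(p[i])) {
            if (c->curlen < sizeof c->cur) c->cur[c->curlen++] = (char)p[i];
        } else {
            flush_run(c);
        }
    }
}

/* Constructed self-test: a temporary file plays the part of /proc/PID/mem.
 * Returns the number of strings found in the fake image (-1 on error). */
int selftest_fake_mem(void) {
    static const unsigned char image[] = "\0\0this\0that\0ab\0s/this/that/\0";
    FILE *f = tmpfile();
    if (!f || fwrite(image, 1, sizeof image, f) != sizeof image) return -1;
    fflush(f);
    struct strings_ctx c = { NULL, 0, {0}, 0 };
    if (read_region_noerror(fileno(f), 0, 100, strings_sink, &c) < 0) return -1;
    flush_run(&c);
    fclose(f);
    return c.count;   /* "this", "that", "s/this/that/" -> 3; "ab" is too short */
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s pid\n", argv[0]); return 1; }
    char path[64];
    snprintf(path, sizeof path, "/proc/%s/map", argv[1]);
    FILE *map = fopen(path, "r");
    snprintf(path, sizeof path, "/proc/%s/mem", argv[1]);
    int mem = open(path, O_RDONLY);
    if (!map || mem < 0) { perror(path); return 1; }
    char line[1024]; struct region r;
    while (fgets(line, sizeof line, map)) {
        if (!parse_map_line(line, &r) || r.perms[0] != 'r') continue;
        struct strings_ctx c = { stdout, 0, {0}, 0 };
        if (read_region_noerror(mem, r.start, r.end, strings_sink, &c) < 0) continue;
        flush_run(&c);
    }
    return 0;
}
```

Run it as root with procfs mounted, e.g. `./readmem 87345`; consulting the map first also shows why a raw `dd` without conv=noerror stops early, since the first gap between mappings produces the EFAULT. On Linux the equivalent files are /proc/PID/maps and /proc/PID/mem with a different line format and ptrace-based access checks, so the parser above would need a different sscanf pattern there.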

