reading process memory
Dmitry Pryanishnikov
dmitry at atlantis.dp.ua
Thu Jun 8 21:58:12 UTC 2006
Hello!
On Wed, 7 Jun 2006, Tofik Suleymanov wrote:
> I believe that it is possible to read contents of the memory used/utilized
> by
> a process (assuming right privileges).
Yes, procfs allows it to user with the process's UID (or root).
> First i've tried to do this through procfs by reading 'mem' property of the
> given process, but no success.
Yes, process's virtual address space is accessible via /proc/<PID>/mem file,
just don't forget that it's sparse. So you can't just 'hd mem', you should
specify valid offset. /proc/<PID>/map will help you to do so:
dmitry at homelynx$ cd /proc/curproc
dmitry at homelynx$ cat map
0x8048000 0x80b0000 99 0 0xc68fc630 r-x 20 10 0x8004 COW NC vnode
...
dmitry at homelynx$ dd if=mem bs=0x100 skip=0x80480 |hd|more
00000000 7f 45 4c 46 01 01 01 09 00 00 00 00 00 00 00 00 |.ELF............|
00000010 02 00 03 00 01 00 00 00 24 6e 05 08 34 00 00 00 |........$n..4...|
00000020 e0 ac 06 00 00 00 00 00 34 00 20 00 05 00 28 00 |Ю╛......4. ...(.|
P.S. I've once found the cause of the memory leak by examining virtual address
space of my process and finding the repeated leaked pattern.
> Thanks,
> Tofik Suleymanov
Sincerely, Dmitry
--
Atlantis ISP, System Administrator
e-mail: dmitry at atlantis.dp.ua
nic-hdl: LYNX-RIPE
More information about the freebsd-stable
mailing list