
Reading and writing the memory of a process on Linux

I wrote a small program that reads and writes the memory of a process, but I can't understand why it doesn't work. That's my code:

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/ptrace.h>
#include <errno.h>
#include <string.h>
#include <fcntl.h>

int main(void)
{
    pid_t pid = 3169;              /* target process, hard coded */
    char mem_file_name[2048];
    int mem_fd;
    int offset = 0;                /* read from address 0 of the target */
    char buf[1005128];

    sprintf(mem_file_name, "/proc/%d/mem", pid);
    mem_fd = open(mem_file_name, O_RDWR, S_IRWXU);
    printf("1 %s\n", strerror(errno));
    ptrace(PTRACE_ATTACH, pid, NULL, NULL);
    printf("2 %s\n", strerror(errno));
    waitpid(pid, NULL, 0);         /* wait until the target is stopped */
    printf("3 %s\n", strerror(errno));
    lseek(mem_fd, offset, SEEK_SET);
    printf("4 %s\n", strerror(errno));
    /* one page; _SC_PAGESIZE is a sysconf() name, not a byte count, so query it */
    read(mem_fd, buf, sysconf(_SC_PAGESIZE));
    printf("5 %s\n", strerror(errno));
    ptrace(PTRACE_DETACH, pid, NULL, NULL);
    printf("6 %s\n", strerror(errno));
    printf("%s\n", buf);
}

That's my output:

1 Success
2 Success
3 Success
4 Success
5 Input/output error
6 Input/output error

I compiled with

gcc -Wall -Wextra main.c

and I run it with root permission

sudo ./a.out

In this example I only try to read from a process, but it doesn't work. My idea is to dump the memory of a process, but I don't know why I can't read.

PS: I know that there are some tools that can dump the memory of a process, but I want to create a small program for exercise.

There are several things that go wrong with your code.

Your main problem is that you are trying to read from offset 0, which is the process address 0x00000000, which is not mapped in your process.

int offset=0;
...
lseek(mem_fd, offset, SEEK_SET);

It is like reading from your own memory at address zero:

int offset = 0;
char *p = 0x0;                     /* null pointer: dereferencing it crashes */
printf("%d data", p[offset]);

You can only read memory through /proc/PID/mem at offsets which are valid, mapped addresses in your process.

For example, if you want to read your buf variable's memory through this API, you can read it by seeking to its address:

lseek(mem_fd, (off_t)buf, SEEK_SET);      /* note that on 64 bit you need to use lseek64 and off64_t */
read(mem_fd, buf, sysconf(_SC_PAGESIZE)); /* this should work; _SC_PAGESIZE is a sysconf() name, not a size */

Notes:

  • PID should not be hard coded; either you read it from getpid or you use /proc/self/mem
  • There is no point in opening the file descriptor for writing (the proc API is read only)
  • I suggest you read http://man7.org/linux/man-pages/man5/proc.5.html as well
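The rule the answer gives (only mapped addresses can be read through /proc/PID/mem) can be turned into a small dumper that takes its addresses from /proc/PID/maps instead of guessing. This is an added example, not code from the question or the answer: it reads its own process, so it needs neither root nor a ptrace attach (for another PID the caller must hold ptrace permission on it, which is what the asker's PTRACE_ATTACH is for), and it uses pread() instead of lseek()+read(). The function names are my own.

```c
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64 /* 64-bit off_t even on 32-bit builds, so pread() takes full addresses */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse one /proc/PID/maps line ("start-end perms offset dev inode path").
   Returns 1 on success, 0 if the line is not a mapping. */
int parse_maps_line(const char *line, unsigned long *start, unsigned long *end, char perms[5])
{
    return sscanf(line, "%lx-%lx %4s", start, end, perms) == 3;
}

/* Read len bytes of pid's memory at virtual address addr through /proc/PID/mem.
   Returns the byte count, or -1 with errno set: EIO for an unmapped address (the
   asker's offset 0), EACCES/EPERM when the caller lacks ptrace permission on pid. */
ssize_t read_process_memory(pid_t pid, unsigned long addr, void *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = pread(fd, buf, len, (off_t)addr); /* the file offset is the address */
    int saved = errno;
    close(fd);
    errno = saved;
    return n;
}

/* Walk this process's own mappings and read the first 16 bytes of each readable one. */
int main(void)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps) { perror("fopen"); return 1; }
    char line[512], perms[5];
    unsigned long start, end;
    while (fgets(line, sizeof line, maps)) {
        if (!parse_maps_line(line, &start, &end, perms) || perms[0] != 'r')
            continue;
        unsigned char data[16];
        ssize_t n = read_process_memory(getpid(), start, data, sizeof data);
        printf("%lx-%lx %s -> %zd bytes\n", start, end, perms, n);
    }
    fclose(maps);
    return 0;
}
```

A mapping such as [vvar] may still report -1 (EIO) even though it is listed, so a dumper should treat a failed read as a skipped range rather than an error.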
