
gdb dump memory & errors?

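I am trying to attach to a process, create a snapshot of memory, and then use /proc/pid/maps and /proc/pid/mem to review the items that a running process passes through memory.

A python script is used from within gdb to do this, and it appears to work. Some information:

  1. The process whose memory segments I want to examine runs as a normal, unprivileged user.
  2. The gdb instance that attaches to the process runs as root / a privileged user.
  3. The python script that gdb runs does the following:
    • Creates a snapshot of /dev/mem (i.e. dd if=/dev/mem of=/tmp/mem.bin)
    • Examines /proc/pid/maps and /proc/pid/mem to extract the start and end memory addresses to search
    • It then relies on gdb and runs the following command: (gdb) dump memory /tmp/mem.bin [start] [end]

The problem is that every memory segment examined returns an error: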

%> # gdb -x mem.py --pid 24204
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-60.el6_4.1)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Attaching to process 24204
ptrace: Operation not permitted.
dd: reading `/dev/mem': Operation not permitted
2056+0 records in
2056+0 records out
1052672 bytes (1.1 MB) copied, 0.0903829 s, 11.6 MB/s
Examining: 4194304 13213696
Error: Cannot access memory at address 0x400000
Examining: 15306752 15396864
Error: Cannot access memory at address 0xe99000
Examining: 15396864 15429632
Error: Cannot access memory at address 0xeaf000
Examining: 34545664 36294656
Error: Cannot access memory at address 0x20f2000
Examining: 10833544417280 10833546514432
Error: Cannot access memory at address 0x61911000
Examining: 18212460691456 18212461740032
Error: Cannot access memory at address 0x6b400000
Examining: 23029163552768 23029163556864
Error: Cannot access memory at address 0xe51cf000
Examining: 24071492337664 24071492358144
Error: Cannot access memory at address 0x1eaba000
Examining: 140278443610112 140278443614208
Error: Cannot access memory at address 0x1ecd1000
Examining: 140278443614208 140278443618304
Error: Cannot access memory at address 0x1ecd2000
Examining: 140278443618304 140278443634688
Error: Cannot access memory at address 0x1faa3000
Examining: 140278458105856 140278458109952
Error: Cannot access memory at address 0x1faa4000
Examining: 140736783110144 140736783196160
Error: Cannot access memory at address 0xd5f6d000
Examining: 140736783654912 140736783659008
Error: Cannot access memory at address 0xd5ff2000
Examining: 18446744073699065856 18446744073699069952
Error: Cannot access memory at address 0xff600000

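I understand that the kernel does protect system memory; however, for a userland process it does not seem right that the root user cannot access all of the memory segments. Any help is appreciated.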

dd: reading `/dev/mem': Operation not permitted

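/dev/mem maps to physical memory and is disabled by default for security reasons in most distributions, so that is not surprising. Assuming the later errors like

Examining: 4194304 13213696
Error: Cannot access memory at address 0x400000

are due to accessing /dev/<PID>/mem, you may need to pause the process with PTRACE_ATTACH first. For example: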

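/* needs <stdio.h>, <fcntl.h>, <unistd.h>, <sys/ptrace.h>, <sys/wait.h> */
sprintf(mem_file_name, "/proc/%d/mem", pid);
mem_fd = open(mem_file_name, O_RDONLY);
ptrace(PTRACE_ATTACH, pid, NULL, NULL);     /* stop the target process */
waitpid(pid, NULL, 0);                      /* wait until it has actually stopped */
lseek(mem_fd, offset, SEEK_SET);            /* offset = virtual address to read */
/* _SC_PAGE_SIZE is only the sysconf() selector; sysconf() returns the page size */
read(mem_fd, buf, sysconf(_SC_PAGE_SIZE));
ptrace(PTRACE_DETACH, pid, NULL, NULL);     /* let the target run again */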

See https://unix.stackexchange.com/questions/6301/how-do-i-read-from-proc-pid-mem-under-linux
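
The sequence this answer describes, as an added example that is not part of the original answer: parse a /proc/<pid>/maps line, skip mappings without read permission, stop the target with PTRACE_ATTACH, and read from /proc/<pid>/mem. The names parse_maps_line, read_mem and read_stopped and the sample maps line are constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

struct region { unsigned long start, end; char perms[5]; };

/* Parse one /proc/<pid>/maps line; return 1 only for a readable mapping. */
int parse_maps_line(const char *line, struct region *r)
{
    if (sscanf(line, "%lx-%lx %4s", &r->start, &r->end, r->perms) != 3)
        return 0;
    return r->perms[0] == 'r' && r->end > r->start;
}

/* Read len bytes at addr from /proc/<pid>/mem; return bytes read or -1. */
ssize_t read_mem(pid_t pid, unsigned long addr, void *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = pread(fd, buf, len, (off_t)addr);  /* seek and read in one call */
    close(fd);
    return n;
}

/* Stop the target, read from the start of a region, then let it run again. */
ssize_t read_stopped(pid_t pid, const struct region *r, void *buf, size_t len)
{
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1)
        return -1;             /* attach refused: report it, do not read */
    waitpid(pid, NULL, 0);     /* wait for the stop before touching memory */
    ssize_t n = read_mem(pid, r->start, buf, len);
    ptrace(PTRACE_DETACH, pid, NULL, NULL);
    return n;
}

int main(void)
{
    /* Constructed sample line in /proc/<pid>/maps format. */
    const char *line = "00400000-00c9a000 r-xp 00000000 fd:00 1234 /usr/bin/app";
    struct region r;
    if (parse_maps_line(line, &r))
        printf("readable: %#lx-%#lx %s\n", r.start, r.end, r.perms);
    return 0;
}
```

Checking the return value of PTRACE_ATTACH before reading makes a refused attach visible as one clear failure instead of an error for every region.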

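Although @scott is correct, the answer here is that I had not taken into account the snapshot of memory while the process was running.

I had to implement a loop to perform a comparative analysis of the current memory allocated to the process ID in /proc//mem.

Here is the gist of the overall solution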
