/proc/$pid/maps
/proc/$pid/mem shows the contents of $pid's memory mapped the same way as in the process, i.e., the byte at offset x in the pseudo-file is the same as the byte at address x in the process. If an address is unmapped in the process, reading from the corresponding offset in the file returns EIO (Input/output error). For example, since the first page in a process is never mapped (so that dereferencing a NULL pointer fails cleanly rather than unintentionally accessing actual memory), reading the first byte of /proc/$pid/mem always yields an I/O error.
The way to find out what parts of the process memory are mapped is to read /proc/$pid/maps. This file contains one line per mapped region, looking like this:

    08048000-08054000 r-xp 00000000 08:01 828061 /bin/cat
    08c9b000-08cbc000 rw-p 00000000 00:00 0 [heap]

The first two numbers are the boundaries of the region (addresses of the first byte and the byte after last, in hexadecimal). The next column contains the permissions, then there's some information about the file (offset, device, inode and name) if this is a file mapping. See the proc(5) man page or Understanding Linux /proc/id/maps for more information.
Here's a proof-of-concept script that dumps the contents of its own memory.

    #!/usr/bin/env python3
    import re
    import sys

    # Open mem unbuffered and in binary mode: file offsets are virtual addresses.
    with open("/proc/self/maps") as maps_file, \
            open("/proc/self/mem", "rb", 0) as mem_file:
        for line in maps_file:  # for each mapped region
            m = re.match(r'([0-9A-Fa-f]+)-([0-9A-Fa-f]+) ([-r])', line)
            if m and m.group(3) == 'r':  # if this is a readable region
                start = int(m.group(1), 16)
                end = int(m.group(2), 16)
                try:
                    mem_file.seek(start)  # seek to region start
                    chunk = mem_file.read(end - start)  # read region contents
                except (OSError, OverflowError, ValueError):
                    # some special regions (e.g. [vvar], [vsyscall]) cannot be read
                    continue
                sys.stdout.buffer.write(chunk)  # dump contents to standard output
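The two properties described above (offset x in the mem pseudo-file is address x, and an unmapped address reads as EIO) can be checked from C against the process's own memory. This is an added example, not code from the original post; marker, region_perms and peek_self are names made up for it.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

static char marker[] = "constructed-marker-bytes";   /* constructed data */

/* Copy the permission column (e.g. "rw-p") of the /proc/self/maps line that
 * covers addr into perms. Returns 0 if found, -1 if addr is unmapped. */
int region_perms(unsigned long addr, char perms[5])
{
    FILE *maps = fopen("/proc/self/maps", "r");
    char line[512];
    unsigned long start, end;
    int found = -1;
    while (maps && found && fgets(line, sizeof line, maps))
        if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) == 3 &&
            addr >= start && addr < end)    /* end is one past the last byte */
            found = 0;
    if (maps)
        fclose(maps);
    return found;
}

/* Read len bytes at offset == address addr from /proc/self/mem.
 * Returns the byte count, or -errno (-EIO for an unmapped address). */
ssize_t peek_self(unsigned long addr, void *buf, size_t len)
{
    int fd = open("/proc/self/mem", O_RDONLY);
    ssize_t n;
    if (fd < 0)
        return -errno;
    n = pread(fd, buf, len, (off_t)addr);
    if (n < 0)
        n = -errno;
    close(fd);
    return n;
}

int main(void)
{
    char perms[5] = "", copy[sizeof marker] = "";
    if (region_perms((unsigned long)marker, perms) == 0)
        printf("marker lies in a %s region\n", perms);
    if (peek_self((unsigned long)marker, copy, sizeof copy) > 0)
        printf("read back through mem: %s\n", copy);
    printf("address 0: %s\n", strerror((int)-peek_self(0, copy, 1)));
    return 0;
}
```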
/proc/$pid/mem
If you try to read from the mem pseudo-file of another process, it doesn't work: you get an ESRCH (No such process) error.
The permissions on /proc/$pid/mem (r--------) are more liberal than what should be the case. For example, you shouldn't be able to read a setuid process's memory. Furthermore, trying to read a process's memory while the process is modifying it could give the reader an inconsistent view of the memory, and worse, there were race conditions that could trace older versions of the Linux kernel (according to this lkml thread, though I don't know the details). So additional checks are needed:

- The process that wants to read from /proc/$pid/mem must attach to the process using ptrace with the PTRACE_ATTACH flag. This is what debuggers do when they start debugging a process; it's also what strace does to a process's system calls. Once the reader has finished reading from /proc/$pid/mem, it should detach by calling ptrace with the PTRACE_DETACH flag.
- The observed process must not be running. Normally calling ptrace(PTRACE_ATTACH, …) will stop the target process (it sends a STOP signal), but there is a race condition (signal delivery is asynchronous), so the tracer should call wait (as documented in ptrace(2)).
A process running as root can read any process's memory, without needing to call ptrace, but the observed process must be stopped, or the read will still return ESRCH.
In the Linux kernel source, the code providing per-process entries in /proc is in fs/proc/base.c, and the function to read from /proc/$pid/mem is mem_read. The additional check is performed by check_mem_permission.
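Here's some sample C code to attach to a process and read a chunk of its mem file (error checking omitted):

    #include <fcntl.h>
    #include <stdio.h>
    #include <sys/ptrace.h>
    #include <sys/wait.h>
    #include <unistd.h>

    /* pid, offset, buf, mem_fd and mem_file_name are declared by the caller */
    sprintf(mem_file_name, "/proc/%d/mem", pid);
    mem_fd = open(mem_file_name, O_RDONLY);
    ptrace(PTRACE_ATTACH, pid, NULL, NULL);
    waitpid(pid, NULL, 0);                      /* wait until the target has stopped */
    lseek(mem_fd, offset, SEEK_SET);
    read(mem_fd, buf, sysconf(_SC_PAGE_SIZE));  /* _SC_PAGE_SIZE is only the sysconf() key */
    ptrace(PTRACE_DETACH, pid, NULL, NULL);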
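The same attach, wait, read, detach sequence with the error checking filled in, as an added example rather than the original author's code. read_stopped, demo and secret are hypothetical names, and the target is a child forked by the program itself so that the address to read is known.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Attach, wait for the stop, read at addr, detach; returns bytes read or -errno. */
ssize_t read_stopped(pid_t pid, unsigned long addr, void *buf, size_t len)
{
    char path[32];
    int fd, status;
    ssize_t n = -ESRCH;     /* kept if the target exits instead of stopping */
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) < 0)
        return -errno;
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    /* Attach only queues the stop signal; block until the stop is reported. */
    if (waitpid(pid, &status, 0) == pid && WIFSTOPPED(status)) {
        if ((fd = open(path, O_RDONLY)) < 0) {
            n = -errno;
        } else {
            if ((n = pread(fd, buf, len, (off_t)addr)) < 0)
                n = -errno;
            close(fd);
        }
    }
    ptrace(PTRACE_DETACH, pid, NULL, NULL);
    return n;
}

static char secret[] = "constructed-sample-value";   /* constructed data */

/* Returns 0 if the parent reads the child's fork-time copy of secret. */
int demo(void)
{
    char out[sizeof secret] = "", first = secret[0];
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0)
        for (;;) pause();           /* child keeps its fork-time copy */
    secret[0] ^= 0x20;              /* parent's copy diverges after fork */
    ssize_t n = read_stopped(child, (unsigned long)secret, out, sizeof out);
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return n == (ssize_t)sizeof out && out[0] == first ? 0 : -1;
}

int main(void) { return demo() ? 1 : 0; }
```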