Read the pile of an additional procedure?

I'm attempting to read a youngster procedure is pile yet without good luck. I recognize it is feasible making use of ptrace, yet ptrace is user interface permits you to read just one word at once, and also I'm attempting to check a bigger sections of the pile.

I've additionally attempted reviewing the /proc/$pid/mem from the boundries of the pile as removed from the /proc/$pid/maps documents after first making use of ptrace to affix to it (as recommended here) yet the read maintains falling short (also when running as origin) although the very same code does well when attempted reviewing from various components of the procedure (as an example lot).

What am I doing incorrect? Exists any kind of various other alternative?

2019-05-18 21:59:23
Source Share
Answers: 2

ptrace is user interface permits you to read just one word at once, and also I'm attempting to check a bigger sections of the pile

Well, simply make use of a loop, after that. I truthfully do not see just how that comprises a trouble with ptrace, I utilize all of it the moment to from another location access procedures.

I make use of something similar to this:

static int memcpy_from_target(pid_t pid, char *dest, long src, size_t n)
    static int const align = sizeof(long) - 1;

    while (n)
        size_t todo = MIN(n, sizeof(long) - (src & align));
        long data = ptrace(PTRACE_PEEKTEXT, pid, src - (src & align), 0);
        if (errno)
            perror("ptrace_peektext (memcpy_from_target)");
            return -1;
        memcpy(dest, (char *)&data + (src & align), todo);

        dest += todo; src += todo; n -= todo;

    return 0;
2019-05-31 11:31:07

Here is an additional approach that could require tweaking yet needs to be extra reliable with huge portions of information. The suggestion is to execute syscalls in the remote procedure in order to fetch the pile materials. It will certainly require details style code yet if you just target x86/ x86_64 it should not be way too much problem.

  1. Create a called pipeline such as "/tmp/fifo" in your calling procedure.
  2. Enter the mapped procedure till it returns from a syscall, making use of PTRACE_SYSCALL to tip, waitpid() to wait and also PTRACE_GETREGS/ PTRACE_PEEKTEXT to examine the presently implemented opcode.
  3. Back-up the remote processs signs up and also a tiny location of its pile.
  4. Execute syscalls on the remote procedure by bypassing its pile with your very own information: open("/tmp/fifo"), write() the pile materials, close() the descriptor.
  5. Recover the remote processs state.
  6. Read the fifo information from your calling procedure.

There could be extra classy choices to the called pipeline, yet I angle consider any kind of now. The factor I just make use of syscalls is due to the fact that remote code shot is rather unstable on modern-day systems as a result of numerous security defenses. The downside is that it will certainly hang till the remote procedure does a syscall (which can be a trouble for some programs that primarily do calculations).

You can see some free code applying a lot of the operate in this source file. Responses on the code rates!

2019-05-30 13:06:15