Debian Question posted in
The oficial documentation can be found here.

Is possible to read virtual memory on Unix/Linux? And on Windows? – Debian

I am working on Debian GNU/Hurd with Mach. I have been asked to write a program that, given a PID and an address, executes vm_read over the address and prints the result.

This is the code I have written:

#include <mach_error.h>
#include <mach/mig_errors.h>
#include <mach/thread_status.h>
#include <mach/processor_info.h>
#include <mach/i386/vm_param.h>
#include <stdio.h>
#include <stdlib.h>
#include <hurd.h>
#include <string.h>

int main(int argc, char * argv[]) {

    if(argc != 3) {
        printf ("Wrong arguments: ./vm_read PID addressn");
        exit(1);
    }
    
    int res;
    mach_port_t target_task = pid2task(atoi(argv[1]));

    vm_address_t addr = atoi(argv[2]);
    vm_offset_t *data;
    mach_msg_type_number_t data_count;
    res = vm_read (target_task, addr, sizeof(int), &data, &data_count);

    if (res != KERN_SUCCESS) {
            printf ("Error reading virtual mem (0x%x), %s n", res, 
            mach_error_string(res));
            exit(1);
    }
    printf("donen");

    for (int i=0; i<data_count; ++i){
        printf("byte %d : %xn",i,((char*)data)[i]);
    }
}

It works correctly, but now I’m asked if it is possible to write a version for Unix/Linux and another for Windows that do the same thing.

I’ve been searching and it looks like it shouldn’t be any problem because both use virtual memory in their procceses, but I’m not sure if there could be complications with permissions or anything else.

Tags:

2

Answers


  1. 0

    For Windows, if you need to read memory from a process, you’ll need to request the PROCESS_VM_READ when you get your handle to the process (ReadProcessMemory is the appropriate call). In order to get that Handle, it’s usually easier to start the process yourself with OpenProcess.

    Login or Signup to reply.
  2. 0

    There’s no standard way to access the memory of another process on UNIX, but on Linux, you can do it by reading the special file /proc/pid/mem:

    char memfile[32];
snprintf(memfile, sizeof(memfile), "/proc/%s/mem", argv[1]);
int mfd = open(memfile, O_RDONLY);
if (mfd < 0) {
    perror("Can't open pid/mem file");
    exit(1); }
if (lseek(mfd, (off_t)strtoull(argv[2], 0, 0), SEEK_SET) {
    perror("Can't seek to address");
    exit(1); }
if (read(mfd, &data, sizeof(data)) <= 0) {
    fprintf(stderr, "No data at address %sn", argv[2]);
    exit(1); }
    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search