Date: Thu, 08 Jun 2006 11:47:04 +0300
From: Tofik Suleymanov <tofik@oxygen.az>
To: Diomidis Spinellis <dds@aueb.gr>
Cc: freebsd-stable@FreeBSD.ORG, James Riendeau <jtriende@wisc.edu>
Subject: Re: reading process memory
Message-ID: <4487E408.1050604@oxygen.az>
In-Reply-To: <4487DE20.8010809@aueb.gr>
References: <4486A111.6020300@oxygen.az> <ED5EC8BD-0A92-4D73-BC01-48FD930311FF@wisc.edu> <4486EFC8.6080601@oxygen.az> <4487659E.8000303@aueb.gr> <4487D6F0.1050702@oxygen.az> <4487DE20.8010809@aueb.gr>

Diomidis Spinellis wrote:
> Tofik Suleymanov wrote:
>> Diomidis Spinellis wrote:
>>> Tofik Suleymanov wrote:
>>>>> The only way you're going to be able to read another process's
>>>>> address space is in the kernel. Even a process running as root is
>>>>> not able to read another process's data.
>>>
>>> Incorrect; see this example:
>>>
>>> $ sed -e 's/this/that/' &
>>> [1] 87345
>>> $ /bin/su
>>> Password:
>>>
>>> # dd if=/proc/87345/mem conv=noerror 2> /dev/null | strings
>>> [...]
>>> @(#)compile.c 8.1 (Berkeley) 6/6/93
>>> [...]
>>> RE error: %s
>>> RuneMagiNONE
>>> /this/that/
>>> "s/this/that/
>>> s/this/that/
>>> this
>>> that
>>> that
>>>
>>>
>> I followed instructions in your email, but had no success of getting
>> similar results. When trying to read from mem file of particular
>> process I get error messages from dd:
>> (many of these records populate the screen)
>> 0 bytes transferred in 6.393733 secs (0 bytes/sec)
>> dd: /proc/13150/mem: Bad address
>> dd: /proc/13150/mem: Bad address
>> 0+0 records in
>> 0+0 records out
>> 0 bytes transferred in 6.393795 secs (0 bytes/sec)
>>
>>
>> while pid 13510 exists:
>> paranoia# ps ax |grep 13150
>> 13150 p1 T 0:00.00 sed -e s/this/that/g
>> paranoia#
>>
>>
>> man 5 procfs says:
>>
>> mem    The complete virtual memory image of the process. Only those
>>        address which exist in the process can be accessed. Reads and
>>        writes to this file modify the process. Writes to the text
>>        segment remain private to the process.
>> map    A map of the process' virtual memory.
>>
>>
>> I wonder why I cannot just dd data from mem?
>>
>
> Not all areas of the process's memory are accessible. This is why I set
> the conv=noerr option to dd (rather than run strings directly on mem),
> and also redirected the dd's standard error output to /dev/null. Your
> root's shell (probably tcsh) failed to do that. (Tcsh doesn't offer a
> way to redirect just the error output). Run sh after the su command to
> have this facility at your disposal.
>
> Diomidis - http://www.spinellis.gr
>
Works. Thank you.

Sincerely,
Tofik Suleymanov