Date: Thu, 08 Jun 2006 11:21:52 +0300
From: Diomidis Spinellis <dds@aueb.gr>
To: Tofik Suleymanov <tofik@oxygen.az>
Cc: freebsd-stable@FreeBSD.ORG, James Riendeau <jtriende@wisc.edu>
Subject: Re: reading process memory
Message-ID: <4487DE20.8010809@aueb.gr>
In-Reply-To: <4487D6F0.1050702@oxygen.az>
References: <4486A111.6020300@oxygen.az> <ED5EC8BD-0A92-4D73-BC01-48FD930311FF@wisc.edu> <4486EFC8.6080601@oxygen.az> <4487659E.8000303@aueb.gr> <4487D6F0.1050702@oxygen.az>

Tofik Suleymanov wrote:
> Diomidis Spinellis wrote:
>> Tofik Suleymanov wrote:
>>>> The only way you're going to be able to read another process's
>>>> address space is in the kernel. Even a process running as root is not
>>>> able to read another process's data.
>>
>> Incorrect; see this example:
>>
>> $ sed -e 's/this/that/' &
>> [1] 87345
>> $ /bin/su
>> Password:
>>
>> # dd if=/proc/87345/mem conv=noerror 2> /dev/null | strings
>> [...]
>> @(#)compile.c 8.1 (Berkeley) 6/6/93
>> [...]
>> RE error: %s
>> RuneMagiNONE
>> /this/that/
>> "s/this/that/
>> s/this/that/
>> this
>> that
>> that
>>
>
> I followed instructions in your email, but had no success of getting
> similar results. When trying to read from mem file of particular
> process I get error messages from dd:
> (many of these records populate the screen)
> 0 bytes transferred in 6.393733 secs (0 bytes/sec)
> dd: /proc/13150/mem: Bad address
> dd: /proc/13150/mem: Bad address
> 0+0 records in
> 0+0 records out
> 0 bytes transferred in 6.393795 secs (0 bytes/sec)
>
> while pid 13510 exists:
> paranoia# ps ax |grep 13150
> 13150 p1 T 0:00.00 sed -e s/this/that/g
> paranoia#
>
> man 5 procfs says:
>
> mem   The complete virtual memory image of the process. Only those
>       address which exist in the process can be accessed. Reads and
>       writes to this file modify the process. Writes to the text
>       segment remain private to the process.
> map   A map of the process' virtual memory.
>
> I wonder why I cannot just dd data from mem ?

Not all areas of the process's memory are accessible. This is why I set
the conv=noerr option to dd (rather than run strings directly on mem),
and also redirected the dd's standard error output to /dev/null. Your
root's shell (probably tcsh) failed to do that. (Tcsh doesn't offer a
way to redirect just the error output). Run sh after the su command to
have this facility at your disposal.

Diomidis - http://www.spinellis.gr
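
Added example, not part of the original message: rather than letting dd run into inaccessible addresses, a sh script can consult the map file named in the quoted man page and ask dd only for the readable mappings. The field layout of map lines (hex start, hex end, protection in the sixth field), the 4096-byte page size, and the names plan_reads, dump_strings and SAMPLE_MAP are assumptions; the sample lines are constructed.

```shell
#!/bin/sh
# Added example. Assumes each line of /proc/PID/map begins with the hex
# start and end address of one mapping and carries its protection
# (e.g. r-x) in the sixth field; check the layout on your system first.

PAGE=4096   # assumed page size; mappings are page-aligned

# plan_reads: read map lines on stdin and print "skip count" (in pages)
# for every readable mapping, leaving out regions dd cannot read.
plan_reads() {
    while read -r start end resident private obj prot rest; do
        case "$prot" in
            r*) ;;            # readable mapping: keep it
            *)  continue ;;   # not readable: dd would print "Bad address"
        esac
        echo "$(( $start / PAGE )) $(( ($end - $start) / PAGE ))"
    done
}

# dump_strings PID: run strings over the readable mappings only.
# conv=noerror and 2>/dev/null stay in place, as in the message above,
# because a listed page can still fail to read. Needs sh, not tcsh.
dump_strings() {
    pid=$1
    plan_reads < "/proc/$pid/map" | while read -r skip count; do
        dd if="/proc/$pid/mem" bs="$PAGE" skip="$skip" count="$count" \
           conv=noerror 2>/dev/null
    done | strings
}

# Constructed sample map lines (not captured from a real process).
SAMPLE_MAP='0x400000 0x40a000 10 0 0xc1a2b000 r-x 1 0 0x0 COW NC vnode /usr/bin/sed
0x50a000 0x50c000 2 0 0xc1a2c000 rw- 1 0 0x0 COW NNC vnode /usr/bin/sed
0x7000000 0x7001000 0 0 0 --- 0 0 0x0 NCOW NNC none -'

# Run as root with a PID argument to dump that process; with no
# argument the script only defines the functions above.
if [ "$#" -eq 1 ]; then
    dump_strings "$1"
fi
```
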
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4487DE20.8010809>
