* write arbitrary data to a running process memory
From: Daniel Souza @ 2004-11-05 7:15 UTC
To: linux-c-programming
Hi, I'm getting a bit confused about some things... First, it looks to me
that under >= 2.4 kernels, we can't mmap() a /proc/pid/mem file... (not
tested by me, just heard on the linux-kernel mailing list). So, is there a
way to write to a running process's memory (without using ptrace would be
better, because it's disabled on some systems)? For example, supposing
that there is a little program running as pid 1000 that has a little
buffer of 1024 bytes at address 0x80486ab... and I want to access the
content of that buffer via /proc/1000/mem. How can I calculate the
offset at which I need to start reading within the memory file, which will be
exactly the start of the buffer? How can I calculate where the
corresponding areas of /proc/1000/maps are in /proc/1000/mem (if those
maps are really in the mem file)? Like...
root@fooboo:~# cat /proc/1000/maps
08048000-08057000 r-xp 00000000 03:06 13385 /root/fooboo-bin
08057000-08059000 rw-p 0000f000 03:06 13385 /root/fooboo-bin
08059000-0805c000 rwxp 00000000 00:00 0
40000000-40014000 r-xp 00000000 03:06 12031 /lib/ld-2.3.2.so
40014000-40015000 rw-p 00013000 03:06 12031 /lib/ld-2.3.2.so
40015000-40016000 rw-p 00000000 00:00 0
4001f000-40147000 r-xp 00000000 03:06 12065 /lib/libc-2.3.2.so
40147000-4014b000 rw-p 00128000 03:06 12065 /lib/libc-2.3.2.so
4014b000-4014e000 rw-p 00000000 00:00 0
bffff000-c0000000 rwxp 00000000 00:00 0
I want to know, for example, the range of each map in the mem file... like
08048000-08057000 r-xp 00000000 03:06 13385 /root/fooboo-bin
starts at offset 0xAAAAAAAA and ends at 0xBBBBBBBB in the /proc/1000/mem file.
And other things, like... where does the stack begin within /proc/1000/mem?
Are there any docs about the layout of a usual /proc/x/mem file? I
wrote a little app that can get CPU registers etc. from a running
process... so, having the current stack pointer, can I reproduce a
backtrace? Is there any tool like "dress" (from lcamtuf; it looks like
it's not running on 2.4 kernels... at least on my slack10 box... or I'm
getting fooled by my own stupidness... lol) that can recover a
stripped binary (at least part of it)? How can I access (supposing
that it's not a stripped binary) the tables like relocation, dynamic
symbols, etc. in memory? (Anyway, I believe that reading the executable
file will be easier than the direct memory... am I wrong? But I want
to know how to get that from memory, cuz as I believe, the executable
code is in the /proc/pid/mem file, so I can also read the tables from
a process whose executable file was removed after it started.)
OK, I'll stop right here =X
Thanks!
Daniel
--
making the world a better place to live since '85
* Re: write arbitrary data to a running process memory
From: Glynn Clements @ 2004-11-05 7:53 UTC
To: Daniel Souza; +Cc: linux-c-programming
Daniel Souza wrote:
> Hi, I'm getting a bit confused about some things... First, it looks to me
> that under >= 2.4 kernels, we can't mmap() a /proc/pid/mem file... (not
> tested by me, just heard on the linux-kernel mailing list). So, is there a
> way to write to a running process's memory (without using ptrace would be
> better, because it's disabled on some systems)?
A process can only read/write a /proc/<pid>/mem file if the process
to which <pid> refers is either:
a) the current process, or
b) a child of the current process which is being ptrace()d.
See the file fs/proc/base.c in the kernel source code.
--
Glynn Clements <glynn@gclements.plus.com>
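
Added example, not part of either message: in /proc/<pid>/mem the file offset is the virtual address as listed in /proc/<pid>/maps, so no per-mapping translation is needed. The code parses lines from the maps listing in the question to find which mapping holds 0x80486ab, then reads the current process's own buffer back through /proc/self/mem, the case the reply says is permitted. The names find_mapping, self_read_check and struct mapping are illustrative.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* One /proc/<pid>/maps entry: range [start, end) and permissions. */
struct mapping { unsigned long start, end; char perms[5]; };

/* Three lines copied from the maps listing in the question. */
static const char SAMPLE_MAPS[] =
    "08048000-08057000 r-xp 00000000 03:06 13385 /root/fooboo-bin\n"
    "08057000-08059000 rw-p 0000f000 03:06 13385 /root/fooboo-bin\n"
    "bffff000-c0000000 rwxp 00000000 00:00 0\n";

/* Find the entry containing addr in maps-format text; returns 1 if found. */
int find_mapping(const char *maps, unsigned long addr, struct mapping *out)
{
    struct mapping m;
    for (const char *p = maps; p && *p; p = strchr(p, '\n')) {
        if (*p == '\n') p++;          /* step past the previous newline */
        int ok = sscanf(p, "%lx-%lx %4s", &m.start, &m.end, m.perms) == 3;
        if (ok && addr >= m.start && addr < m.end) { *out = m; return 1; }
    }
    return 0;
}

/* Read our own buffer back through /proc/self/mem: the file offset is the
 * virtual address. Returns 1 on match, 0 on mismatch, -1 if unavailable. */
int self_read_check(void)
{
    static const char buf[] = "constructed sample buffer";
    char copy[sizeof buf];
    ssize_t n = -1;
    int fd = open("/proc/self/mem", O_RDONLY);
    if (fd < 0) return -1;
    if (lseek(fd, (off_t)(unsigned long)buf, SEEK_SET) != (off_t)-1)
        n = read(fd, copy, sizeof copy);
    close(fd);
    if (n != (ssize_t)sizeof copy) return -1;
    return memcmp(copy, buf, sizeof buf) == 0;
}

int main(void)
{
    struct mapping m;
    if (find_mapping(SAMPLE_MAPS, 0x80486abUL, &m))
        printf("0x80486ab lies in %lx-%lx %s\n", m.start, m.end, m.perms);
    printf("self read via /proc/self/mem: %d\n", self_read_check());
    return 0;
}
```

For the listing in the question, 0x80486ab falls inside the r-xp mapping 08048000-08057000, which is the program's text rather than a writable data region.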