Date:      Thu, 08 Jun 2006 10:51:12 +0300
From:      Tofik Suleymanov <tofik@oxygen.az>
To:        Diomidis Spinellis <dds@aueb.gr>
Cc:        Tofik Suleymanov <tofik@oxygen.az>, freebsd-stable@FreeBSD.ORG, James Riendeau <jtriende@wisc.edu>
Subject:   Re: reading process memory
Message-ID:  <4487D6F0.1050702@oxygen.az>
In-Reply-To: <4487659E.8000303@aueb.gr>
References:  <4486A111.6020300@oxygen.az>	<ED5EC8BD-0A92-4D73-BC01-48FD930311FF@wisc.edu>	<4486EFC8.6080601@oxygen.az> <4487659E.8000303@aueb.gr>

Diomidis Spinellis wrote:
> Tofik Suleymanov wrote:
>>>   The only way you're going to be able to read another process's 
>>> address space is in the kernel. Even a process running as root is not 
>>> able to read another process's data.
>
> Incorrect; see this example:
>
> $ sed -e 's/this/that/' &
> [1] 87345
> $ /bin/su
> Password:
>
> # dd if=/proc/87345/mem conv=noerror 2> /dev/null | strings
> [...]
> @(#)compile.c   8.1 (Berkeley) 6/6/93
> [...]
> RE error: %s
> RuneMagiNONE
> /this/that/
> "s/this/that/
> s/this/that/
> this
> that
> that
>
>
I followed the instructions in your email, but had no success in getting 
similar results. When trying to read from the mem file of a particular 
process I get error messages from dd:
(many of these records populate the screen)
0 bytes transferred in 6.393733 secs (0 bytes/sec)
dd: /proc/13150/mem: Bad address
dd: /proc/13150/mem: Bad address
0+0 records in
0+0 records out
0 bytes transferred in 6.393795 secs (0 bytes/sec)


while pid 13510 exists:
paranoia# ps ax |grep 13150
13150  p1  T      0:00.00 sed -e s/this/that/g
paranoia#


man 5 procfs says:

mem     The complete virtual memory image of the process.  Only those
        address which exist in the process can be accessed.  Reads and
        writes to this file modify the process.  Writes to the text
        segment remain private to the process.
map     A map of the process' virtual memory.


I wonder why I cannot just dd data from mem?
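
Added example (not part of the original message, and not FreeBSD code): the procfs(5) text quoted above says only addresses that exist in the process can be accessed and that the map file lists the process's virtual memory, so this sketch seeks to each mapped range instead of reading mem from offset 0. The map line layout (hex start and end in the first two fields, a protection field such as r-x) and the names parse_map, read_regions and SAMPLE_MAP are assumptions made for illustration.

```python
import os

# Constructed sample in the assumed map layout (not captured from a real system).
SAMPLE_MAP = """\
0x1000 0x2000 1 0 0xc0ffee00 r-x 1 0 0x0 COW NC vnode /bin/sed
0x2000 0x3000 1 0 0xc0ffee40 --- 1 0 0x0 NCOW NNC default -
0x4000 0x5000 1 0 0xc0ffee80 rw- 1 0 0x0 NCOW NNC default -
"""

def parse_map(text):
    """Return (start, end, prot) per map line. Assumption: fields 1 and 2 are
    hex start/end addresses; the first 3-char field over 'rwx-' is the protection."""
    regions = []
    for line in text.splitlines():
        f = line.split()
        try:
            start, end = int(f[0], 16), int(f[1], 16)
        except (IndexError, ValueError):
            continue  # not a region line
        prot = next((x for x in f[2:] if len(x) == 3 and set(x) <= set("rwx-")), "---")
        if end > start:
            regions.append((start, end, prot))
    return regions

def read_regions(mem_path, regions, chunk=4096):
    """Yield (start, bytes) for each readable region, seeking to the mapped
    address rather than starting at offset 0. Failed chunks are zero-filled."""
    fd = os.open(mem_path, os.O_RDONLY)
    try:
        for start, end, prot in regions:
            if not prot.startswith("r"):
                continue  # skip ranges with no read permission
            buf, off = bytearray(), start
            while off < end:
                n = min(chunk, end - off)
                try:
                    data = os.pread(fd, n, off)
                except OSError:  # e.g. "Bad address" on an absent page
                    data = b""
                data = data or b"\0" * n  # zero-fill so offsets stay aligned
                buf += data
                off += len(data)
            yield start, bytes(buf)
    finally:
        os.close(fd)
```

On a live system the text of /proc/<pid>/map would go to parse_map and the path /proc/<pid>/mem to read_regions, run with the same privileges as the dd command in the quoted message.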



