From owner-freebsd-stable@FreeBSD.ORG Thu Jun 8 09:50:14 2006 Return-Path: X-Original-To: freebsd-stable@FreeBSD.ORG Delivered-To: freebsd-stable@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D339B16D5B1 for ; Thu, 8 Jun 2006 07:51:19 +0000 (UTC) (envelope-from tofik@oxygen.az) Received: from mail.azerin.com (mail.azerin.com [212.47.128.23]) by mx1.FreeBSD.org (Postfix) with SMTP id A89CF43D45 for ; Thu, 8 Jun 2006 07:51:18 +0000 (GMT) (envelope-from tofik@oxygen.az) Received: (qmail 39915 invoked from network); 8 Jun 2006 07:51:37 -0000 X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on ml350.azerin.com X-Spam-Level: X-Spam-Status: No, score=-2.4 required=5.0 tests=AWL,BAYES_00, UNPARSEABLE_RELAY autolearn=ham version=3.1.1 Received: from qmail by qscan (mail filter); 8 Jun 2006 07:51:37 +0000 Received: from unknown (HELO ?212.47.129.5?) (212.47.129.5) by mail.azerin.com with SMTP; 8 Jun 2006 07:51:37 -0000 Message-ID: <4487D6F0.1050702@oxygen.az> Date: Thu, 08 Jun 2006 10:51:12 +0300 From: Tofik Suleymanov User-Agent: Thunderbird 1.5.0.2 (X11/20060425) MIME-Version: 1.0 To: Diomidis Spinellis References: <4486A111.6020300@oxygen.az> <4486EFC8.6080601@oxygen.az> <4487659E.8000303@aueb.gr> In-Reply-To: <4487659E.8000303@aueb.gr> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Tofik Suleymanov , freebsd-stable@FreeBSD.ORG, James Riendeau Subject: Re: reading process memory X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jun 2006 09:50:14 -0000 Diomidis Spinellis wrote: > Tofik Suleymanov wrote: >>> The only way you're going to be able to read another processes >>> address space is in the kernel.Even a process running as root is not >>> able to read another process's data. > > Incorrect; see this example: > > $ sed -e 's/this/that/' & > [1] 87345 > $ /bin/su > Password: > > # dd if=/proc/87345/mem conv=noerror 2> /dev/null | strings > [...] > @(#)compile.c 8.1 (Berkeley) 6/6/93 > [...] > RE error: %s > RuneMagiNONE > /this/that/ > "s/this/that/ > s/this/that/ > this > that > that > > I followed instructions in your email, but had no success of getting simmilar results. When trying to read from mem file of particular process i get error messages from dd: (many of this records populate the screen) 0 bytes transferred in 6.393733 secs (0 bytes/sec) dd: /proc/13150/mem: Bad address dd: /proc/13150/mem: Bad address 0+0 records in 0+0 records out 0 bytes transferred in 6.393795 secs (0 bytes/sec) while pid 13510 exists: paranoia# ps ax |grep 13150 13150 p1 T 0:00.00 sed -e s/this/that/g paranoia# man 5 procfs says: mem The complete virtual memory image of the process. Only those address which exist in the process can be accessed. Reads and writes to this file modify the process. Writes to the text seg- ment remain private to the process. map A map of the process' virtual memory. I wonder why i cannot just dd data from mem ?