Hi everyone. I asked once here and it went well, so I'm very happy with this community.
I have a new question to ask. I would like to read&write specify memory of a process which is not the process I'm doing it from, nor a child nor a parent.
So, I want to do a program similar to Cheat Engine. I already have done the speed hack module (thank you unix.com!), and now I'm going to start with memory modifying part.
First of all, I need to know how to read (and write) bytes from (and to) another process. In windows API those are (Read)&(Write)ProcessMemory I guess.
Second, I need to know which are the readable regions so I can do a full snapshot of all the readable memory of an application.
If you need to know the OS target:
Code:
uname -a
Linux littleEzek-desktop 2.6.35-27-generic #48-Ubuntu SMP Tue Feb 22 20:25:46 UTC 2011 x86_64 GNU/Linux
To mess with another process' memory in Linux you use ptrace as described here. This is the same way things like gdb do it. The obvious way to do so, /proc/pid/mem, won't work until you've connected with ptrace.
Getting the readable regions is a little more easy.
I'm getting in trouble trying to do this. Firstly, a c++ problem:
This is on memory.cpp (it got compiled):
Code:
template<class T>
bool peekValue(T * value, char * offset, pid_t pid)
{
// Get /proc/$pid/mem
char mem_file_name[255];
sprintf(mem_file_name, "/proc/%d/mem", pid);
// Opening /proc/$pid/mem
FILE * mem_fd = fopen(mem_file_name, "r");
// Tracing the app.
if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1)
return false;
// Force it to wait
if (waitpid(pid, NULL, 0) == -1)
{
ptrace(PTRACE_DETACH, pid, NULL, NULL);
return false;
}
// Move pointer to offset.
fseek(mem_fd, (long int)offset, SEEK_SET);
// Read from memory.
fread(value, 1, sizeof(T), mem_fd);
// End petrace.
ptrace(PTRACE_DETACH, pid, NULL, NULL);
return true;
}
and in main.cpp:
Code:
many includes after:
int main(int argc, char ** argv)
{
programinfo pnfo;
int m;
long int offset = 0;
...
cout << "Enter the PID of the program you want to hack" << endl;
cin >> pnfo.pid;
cout << "Enter the pointer to int you want to read" << endl;
cin >> offset;
pnfo.mem_blocks = getMemoryMemblocks(pnfo.pid);
peekValue<int>(&m, (char*)offset, pnfo.pid);
cout << m << endl;
return 0;
}
Got error (from linker):
Code:
/home/***/proyectos/xeat_engine/main.cpp|22|undefined reference to `bool peekValue<int>(int*, char*, int)'|
So I changed it to:
Code:
/*template<class T>*/
bool peekValue(int * value, char * offset, pid_t pid)
{
// Get /proc/$pid/mem
char mem_file_name[255];
sprintf(mem_file_name, "/proc/%d/mem", pid);
// Opening /proc/$pid/mem
FILE * mem_fd = fopen(mem_file_name, "r");
// Tracing the app. This fails:
if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1)
return false;
// Force it to wait
if (waitpid(pid, NULL, 0) == -1)
{
ptrace(PTRACE_DETACH, pid, NULL, NULL);
return false;
}
// Move pointer to offset.
fseek(mem_fd, (long int)offset, SEEK_SET);
// Read from memory.
fread(value, 1, sizeof(int), mem_fd);
// End petrace.
ptrace(PTRACE_DETACH, pid, NULL, NULL);
return true;
}
And:
Code:
many includes after:
int main(int argc, char ** argv)
{
programinfo pnfo;
int m;
long int offset = 0;
...
cout << "Enter the PID of the program you want to hack" << endl;
cin >> pnfo.pid;
cout << "Enter the pointer to int you want to read" << endl;
cin >> offset;
pnfo.mem_blocks = getMemoryMemblocks(pnfo.pid);
peekValue/*<int>*/(&m, (char*)offset, pnfo.pid);
cout << m << endl;
return 0;
}
It "works". Any idea about this?
The second question is that it "works". It means the function got executed but it doesn't do its job. It fails on ptrace attachment. I'm trying to ptrace pid 6000, which is the pid of neverball (a videogame of a ball), but it returns -1.
What are the conditions to do a ptrace? Any idea?
Thank you for read.
---------- Post updated at 04:55 PM ---------- Previous update was at 11:09 AM ----------
I've solved the above problem (super user privileges).
Now I'm wonder a thing. Is to write in /proc/pid/mem possible?
I'm not sure, but I do know it's wasteful to have 9 different kinds of functions that differ only in one way, size -- this is one of the really wasteful things about the C++ model, people forget how to write truly generic functions.
You shouldn't be using fopen() on raw devices either, you don't want them buffered by accident, use the basic system calls instead. Doesn't matter so much on read but could matter a lot on write. How about this?
Code:
/*template<class T>*/
bool peekValue(void *value, void *offset, size_t size, pid_t pid)
{
// Get /proc/$pid/mem
char mem_file_name[255];
sprintf(mem_file_name, "/proc/%d/mem", pid);
// Opening /proc/$pid/mem
int fd=open(mem_file_name, O_RDWR);
// Tracing the app. This fails:
if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1)
return false;
// Force it to wait
if (waitpid(pid, NULL, 0) == -1)
{
ptrace(PTRACE_DETACH, pid, NULL, NULL);
return false;
}
// Move pointer to offset.
lseek(fd, (off_t)offset, SEEK_SET);
// Read from memory.
read(value, size, fd);
// End petrace.
ptrace(PTRACE_DETACH, pid, NULL, NULL);
return true;
}
Ideally, you'd want to just attach to the process once and use the same fd over and over, too, though it'd naturally be more complicated starting and stopping the child etc etc etc.
Quote:
I've solved the above problem (super user privileges).
I think the process either has to be a child of yours, or you have to be root. You might have more luck as a limited user if your own program launched the application with fork/exec.
Quote:
Now I'm wonder a thing. Is to write in /proc/pid/mem possible?
Yes. Only to segments which allow writing of course. Beyond that there shouldn't be anything special about it. Of course the program may have optimized certain variables out for all you know and respond either badly or not at all to writes in certain places; hard to tell when you don't control the source!
Last edited by Corona688; 03-22-2011 at 01:06 PM..
Hi all,
I have a moderate size (300 lines) BASH Shell script that performs various tasks on different source reports (CSV files). One of the tasks that it performs, is to use SED to replace 'non-conforming' titles with conformant ones. For example "How to format a RAW Report" needs to become... (3 Replies)
I use the following as an example. I find myself always doing this and I believe my scripts would run much faster if I put the sed results into a place in memory rather than writing to files. Again, its not about sed, its about redirecting to a place in memory rather than an external file.
... (5 Replies)
Hi ,
I am new to this scripting , I am facing an issue like how to read different values from external file by using different variables,
In script I supposed to declare
var 1
var 2
var 3
I know how to call this variables from external file (I am using awk command by giving same... (3 Replies)
Hi,
We have smb client running on two of the linux boxes and smb server on another linux system. During a backup operation which uses smb, read of a file was allowed while write to the same file was going on.Also simultaneous writes to the same file were allowed.Following are the settings in the... (1 Reply)
I have created and attached a shared memory segment. However I do not know how am I supposed to write and read data from it. I want to save various different data on this segment such as process IDs and other. Do you know how am I supposed to write these and be able to read such data in the correct... (1 Reply)
I created a shared memory and attached it. I also created the appropriate semaphores to sync. my read/write operations. However I do not know how am I supposed to do so. Anyone has got any ideas? I want to write int the form of 1234:23:444:... where each number between : means something to the... (0 Replies)
I need to find all the files that have group Read or Write permission or files that have user write permission.
This is what I have so far:
find . -exec ls -l {} \; | awk '/-...rw..w./ {print $1 " " $3 " " $4 " " $9}'
It shows me all files where group read = true, group write = true... (5 Replies)
I'm doing server maintainence to a HP UX server and I have 2 files that someone need for an unknown reason. I was wondering If I can put this files on a memory stick, or is there someother way I have to copy it for them? (3 Replies)
I've done this in the past, but I didn't save the syntax. I'm still kicking myself about that...
I am trying to mount \\server_name\share_name for read/write under CentOS 5.2 (a "generic" version of RedHat). As I recall, there was a fairly simple (maybe a oneline) command that would allow NTFS... (2 Replies)
I am looking for C program source code. Could you please help me in finding the source code required mentioned below.
program to create multiple threads (one master thread and rest worker threads) and using the threads write into and read from shared memory
Restrictions:
Only one thread... (2 Replies)
03-15-2011
