// gcc -Wall -o readm readmem.c && ./readm pid
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <regex.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <errno.h>
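// errno comes from <errno.h> (included above).  On glibc and musl it is a
// macro that expands to a function call, not a plain int, so it must never
// be re-declared here (CERT DCL37-C); the `extern int errno;` that used to
// sit here has been removed.
// Number of decimal digits assumed for a pid when building /proc/<pid>/...
// paths.  This limits us to 99999; the real upper bound is
// /proc/sys/kernel/pid_max, which on 64-bit kernels may be as large as
// 4194304 (7 digits), so any snprintf() that relies on this must check for
// truncation.
#define PID_MAX_CHARS 5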
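// Copy the mapping [start, end) of the target's address space from pmem
// (an open /proc/<pid>/mem stream) to out.  start and end are the
// hexadecimal addresses exactly as printed in /proc/<pid>/maps; line is the
// whole maps line and is used only to recognise the [vvar] mapping, whose
// read failure is expected and therefore not reported.
// A region is written all-or-nothing: on a short read nothing is written to
// out and, unless the region is [vvar], a diagnostic goes to stderr.
void readMemory(char *start, char *end, FILE *pmem, FILE *out, char *line) {
    unsigned long long offset = strtoull(start, NULL, 16);
    unsigned long long limit = strtoull(end, NULL, 16);
    // /proc/<pid>/maps never prints end < start, but a hand-crafted line
    // would otherwise wrap the subtraction below into a huge size.
    if (limit < offset) {
        fprintf(stderr, "skipping malformed region %s-%s\n", start, end);
        return;
    }
    // Keep the full width of the difference: the original truncated it to
    // an unsigned int, which silently mis-sizes mappings of 4 GiB or more.
    if (limit - offset != (size_t)(limit - offset)) {
        fprintf(stderr, "region %llx-%llx too large for this platform\n", offset, limit);
        return;
    }
    size_t bytes = (size_t)(limit - offset);
    if (bytes == 0)
        return;  // nothing to copy
    // Heap, not a VLA: a single mapping can be far larger than the stack.
    unsigned char *buf = malloc(bytes);
    if (buf == NULL) {
        fprintf(stderr, "failed to allocate %zu bytes for region %llx-%llx: %s\n",
                bytes, offset, limit, strerror(errno));
        return;
    }
    int seek_ok = (fseeko(pmem, (off_t)offset, SEEK_SET) == 0);
    size_t count = seek_ok ? fread(buf, 1, bytes, pmem) : 0;
    if (count == bytes) {
        if (fwrite(buf, 1, bytes, out) != bytes)
            fprintf(stderr, "short write to output: %s\n", strerror(errno));
    } else if (strstr(line, "[vvar]") == NULL) {
        // [vvar] holds kernel-shared variables that cannot be read through
        // /proc/<pid>/mem, so a failure there is expected and stays quiet.
        // errno is only meaningful when the seek or the stream reported an
        // error; a plain short read (EOF) leaves it stale.
        const char *why = (!seek_ok || ferror(pmem)) ? strerror(errno)
                                                     : "unexpected end of file";
        fprintf(stderr, "failed to read %zu bytes from memory location: %llx - %s\n",
                bytes, offset, why);
    }
    // A failed read leaves the stream's error indicator set; clear it so the
    // next region starts from a clean stream.
    clearerr(pmem);
    free(buf);
}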
// Callback handed to parseLine() for each /proc/<pid>/maps line.
// matches[1] is the start address, matches[2] the end address, matches[3]
// the first permission character ("r" or "-") and matches[maxGroups]
// (4 for the regex used in readAllPages) the complete line.  args carries
// the two streams: args[0] is /proc/<pid>/mem, args[1] the output file.
// Mappings that are not readable are skipped silently.
void processMap(char *matches[], void **args) {
    FILE *pmem = args[0];
    FILE *out = args[1];
    const char *perm = matches[3];
    // Only a mapping whose permission field starts with 'r' can be read
    // through /proc/<pid>/mem.
    if (strcmp(perm, "r") != 0)
        return;
    readMemory(matches[1], matches[2], pmem, out, matches[4]);
}
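// Run regexCompiled once against line and hand the capture groups to
// processParsedLine.  matches[0..maxGroups-1] are freshly allocated,
// NUL-terminated copies of the groups (matches[0] is the whole match);
// matches[maxGroups] aliases line itself so the callback can see the
// complete text.  All copies are released after the callback returns, so
// the callback must not keep them.  args is passed through untouched.
// A group that did not participate in the match is handed over as NULL
// (the original left those slots uninitialised and then freed them).
// A line that does not match produces no callback.  Only the first match
// on the line is reported, as before.
void parseLine(char *line, regex_t *regexCompiled, size_t maxGroups,
               void (*processParsedLine)(char *matches[], void **args), void **args) {
    if (maxGroups == 0)
        return;  // a zero-length VLA below would be undefined behaviour
    regmatch_t groupArray[maxGroups];
    if (regexec(regexCompiled, line, maxGroups, groupArray, 0) != 0)
        return;  // no match on this line
    char *matches[maxGroups + 1];
    size_t g;
    for (g = 0; g < maxGroups; g++)
        matches[g] = NULL;
    for (g = 0; g < maxGroups; g++) {
        if (groupArray[g].rm_so == -1)
            continue;  // this group did not participate; leave it NULL
        size_t len = (size_t)(groupArray[g].rm_eo - groupArray[g].rm_so);
        // +1 for the terminator: the original allocated strlen() bytes and
        // then strcpy()'d into it, a one-byte heap overflow on every group.
        matches[g] = malloc(len + 1);
        if (matches[g] == NULL) {
            fprintf(stderr, "out of memory while parsing line: %s", line);
            goto cleanup;
        }
        // Copy straight out of line; no need to duplicate the whole line
        // once per group as the original did.
        memcpy(matches[g], line + groupArray[g].rm_so, len);
        matches[g][len] = '\0';
    }
    matches[maxGroups] = line;  // the caller's buffer, never freed here
    processParsedLine(matches, args);
cleanup:
    for (g = 0; g < maxGroups; g++)
        free(matches[g]);  // free(NULL) is a no-op for unset slots
}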
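// Walk every line of map (an open /proc/<pid>/maps stream) and, for each
// readable mapping, copy its bytes from pmem (/proc/<pid>/mem) to out via
// processMap().  Only the start address, end address and the 'r' permission
// flag are extracted; the whole line is passed through as well so the
// callback can still inspect it (it looks for "[vvar]").
void readAllPages(FILE *map, FILE *pmem, FILE *out) {
    // Group 1: start, group 2: end, group 3: 'r' or '-'.  processMap also
    // receives the whole line as matches[4], hence maxGroups == 4 below.
    const char *regexString = "([0-9A-Fa-f]+)-([0-9A-Fa-f]+) ([-r])";
    regex_t regexCompiled;
    if (regcomp(&regexCompiled, regexString, REG_EXTENDED) != 0) {
        fprintf(stderr, "Could not compile regular expression.\n");
        return;
    }
    void *args[] = { pmem, out };
    char *line = NULL;
    size_t cap = 0;    // must start at 0 so getline() allocates the buffer
    ssize_t nread;     // getline() returns -1 on EOF/error, so keep it signed
                       // (the original used size_t, and a name that shadowed read(2))
    while ((nread = getline(&line, &cap, map)) != -1) {
        parseLine(line, &regexCompiled, 4, &processMap, args);
    }
    if (ferror(map))
        fprintf(stderr, "error reading maps: %s\n", strerror(errno));
    free(line);        // allocated by getline(); free(NULL) is fine
    regfree(&regexCompiled);
}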
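// Dump every readable mapping of process pid to out.  Returns 0 on success,
// 1 when /proc/<pid>/maps or /proc/<pid>/mem cannot be opened or the pid
// does not fit in a path.
// Opening /proc/<pid>/mem is subject to the kernel's ptrace access check
// (PTRACE_MODE_ATTACH): it needs CAP_SYS_PTRACE or, for a same-uid target,
// a permissive kernel.yama.ptrace_scope, so "Are you root?" is only the
// common explanation; the strerror text is printed as well.
// The target is frozen with SIGSTOP for the duration of the dump and woken
// with SIGCONT afterwards.  Caveats the caller should know about:
//   * signal delivery is asynchronous and there is no ptrace handshake, so
//     the maps listing and the memory contents may be slightly inconsistent
//     with each other;
//   * SIGSTOP/SIGCONT are visible to the target's parent (SIGCHLD) and to
//     shell job control;
//   * a target that was already stopped (debugger, job control) is resumed
//     by the SIGCONT; its previous state is not restored.
int readProcess(pid_t pid, FILE *out) {
    // Large enough for any pid: pid_max is at most 4194304 (7 digits); the
    // original 12+PID_MAX_CHARS buffers silently truncated past 99999.
    char map_file_name[64];
    char mem_file_name[64];
    int n = snprintf(map_file_name, sizeof map_file_name, "/proc/%d/maps", (int)pid);
    if (n < 0 || (size_t)n >= sizeof map_file_name) {
        fprintf(stderr, "fatal: pid %d does not fit in a path\n", (int)pid);
        return 1;
    }
    n = snprintf(mem_file_name, sizeof mem_file_name, "/proc/%d/mem", (int)pid);
    if (n < 0 || (size_t)n >= sizeof mem_file_name) {
        fprintf(stderr, "fatal: pid %d does not fit in a path\n", (int)pid);
        return 1;
    }
    FILE *map_fd = fopen(map_file_name, "r");
    if (map_fd == NULL) {
        fprintf(stderr, "fatal: could not open %s: %s. Are you root?\n",
                map_file_name, strerror(errno));
        return 1;
    }
    FILE *mem_fd = fopen(mem_file_name, "rb");
    if (mem_fd == NULL) {
        fprintf(stderr, "fatal: could not open %s: %s. Are you root?\n",
                mem_file_name, strerror(errno));
        fclose(map_fd);  // the original leaked this stream on this path
        return 1;
    }
    // Freeze the target so the dump is (close to) a consistent snapshot.
    // Having opened /proc/<pid>/mem we assume enough privilege that no
    // ptrace attach is needed.  kill() can still fail: ESRCH if the target
    // exited meanwhile, EPERM if it lives in another user namespace.  The
    // original ignored the result; we warn and dump anyway, as it did.
    int stopped = (kill(pid, SIGSTOP) == 0);
    if (!stopped)
        fprintf(stderr, "warning: could not stop pid %d: %s; dumping anyway\n",
                (int)pid, strerror(errno));
    readAllPages(map_fd, mem_fd, out);
    // Only wake the target if we were the ones who stopped it.
    if (stopped && kill(pid, SIGCONT) != 0)
        fprintf(stderr, "warning: could not resume pid %d: %s\n",
                (int)pid, strerror(errno));
    fclose(mem_fd);
    fclose(map_fd);
    return 0;
}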
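// Usage: readmem <pid>.
// The pid is parsed strictly: the original used atoi(), which accepts
// trailing junk and cannot tell "0" from garbage.  Non-positive values are
// rejected outright.  Today a negative pid is only stopped because fopen()
// fails on the resulting "/proc/-N/..." path, but pid -1 is the
// "every process" target for kill(2), which as root would SIGSTOP the
// whole system, so it must never get anywhere near that call.
// Exit status: 0 on success, 1 on bad arguments or when readProcess fails.
int main(int argc, char *argv[]) {
    if (argc < 2) {
        printf("usage: readmem pid\n");
        return 1;
    }
    errno = 0;
    char *end = NULL;
    long value = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE
            || value <= 0 || value != (long)(pid_t)value) {
        fprintf(stderr, "invalid pid\n");
        return 1;
    }
    return readProcess((pid_t)value, stdout);
}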