How to access memory from another program

Time: 2023-01-15 20:46:10

I have a closed-source 3rd party program, and I want to be able to

  • Know what memory is allocated to the program
  • Access that memory (read only is fine)

Utilities like vmmap(1), heap(1), and leaks(1) seem to have similar functionality to what I need, but I can't find their source anywhere (the OS X versions) and can't figure out how they work. Preferably, this would all be done in user-space, possibly running as root, I don't want to write kernel code for the purpose of bypassing memory protection if I can avoid it.

I tried using shared memory passing the address of what I want to read as the 2nd argument to shmat(2), but this was ultimately unsuccessful (and probably not its intended usage and/or bad practice) and still left me without a way to determine what memory I'm looking for anyway (the program who owned the memory had to report its address to me).

Is there a way to just disable memory protection for a certain program so that it won't segfault when it tries to read/write memory that is allocated to a different process? Is there a better way that wouldn't enable bugs to seriously corrupt my entire system?

How is this achieved?

2 solutions

#1


3  

I don't have access to an OS X machine, but this looks very similar to what you're trying to do:

Reading Other Process' Memory in OS X?

Here's an archive of the link that doesn't work:

http://web.archive.org/web/20090627062246/http://www.matasano.com/log/1100/what-ive-been-doing-on-my-summer-vacation-or-it-has-to-work-otherwise-gdb-wouldnt/

#2


3  

Basically, this guy is right.

Go download the source code that accompanies this book and see vm_rw_master.c of example 8-16 for a working implementation.

See http://web.mit.edu/darwin/src/modules/xnu/osfmk/man/ for documentation, it's slightly outdated, and questionably correct, but it's the best available.

EDIT: Also, see http://lightbulbone.com/2011/05/dumping-process-memory-on-mac-os-x/ (note that the task who owns memory you are trying to read does NOT need to be a child of the process trying to do the reading, you just need to have the proper authorization.)

EDIT: Also, see http://os-tres.net/blog/2010/02/17/mac-os-x-and-task-for-pid-mach-call/ for a good example of authorization.

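As an added example (not code from the question, either answer, the linked book or the linked posts), here is a vmmap(1)-style region lister built on the task_for_pid() and mach_vm_region() calls the answers point to. It only compiles on macOS, needs root or a debugger entitlement for task_for_pid to succeed, and the names region_t, prot_str, readable_bytes, enumerate_regions and the constructed sample_regions array are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
#ifdef __APPLE__
#include <mach/mach.h>
#include <mach/mach_vm.h>
#endif
typedef struct { uint64_t addr, size; int prot; } region_t; /* prot: VM_PROT_* bits, 1=r 2=w 4=x */
/* Render protection bits the way vmmap(1) prints them, e.g. "r-x". */
const char *prot_str(int prot) {
    static char out[4];
    out[0] = (prot & 1) ? 'r' : '-'; out[1] = (prot & 2) ? 'w' : '-';
    out[2] = (prot & 4) ? 'x' : '-'; out[3] = '\0';
    return out;
}
/* Total bytes in readable regions, i.e. what vm_read could fetch. */
uint64_t readable_bytes(const region_t *r, size_t n) {
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) if (r[i].prot & 1) total += r[i].size;
    return total;
}
const region_t sample_regions[3] = {{0x1000, 0x1000, 5}, {0x2000, 0x2000, 2}, {0x4000, 0x3000, 3}}; /* constructed */
#ifdef __APPLE__
/* Walk another task's address space with task_for_pid() + mach_vm_region(). Returns regions
 * stored (at most max), or -1 if task_for_pid is refused (not root / no debugger entitlement). */
int enumerate_regions(pid_t pid, region_t *out, int max) {
    mach_port_t task, obj; mach_vm_address_t addr = 0; mach_vm_size_t size = 0; int n = 0;
    if (task_for_pid(mach_task_self(), pid, &task) != KERN_SUCCESS) return -1;
    while (n < max) {
        vm_region_basic_info_data_64_t info;
        mach_msg_type_number_t cnt = VM_REGION_BASIC_INFO_COUNT_64;
        if (mach_vm_region(task, &addr, &size, VM_REGION_BASIC_INFO_64,
                           (vm_region_info_t)&info, &cnt, &obj) != KERN_SUCCESS) break;
        out[n].addr = addr; out[n].size = size; out[n].prot = info.protection;
        n++; addr += size; /* the next call returns the first region at or above addr */
    }
    return n;
}
int main(int argc, char **argv) {
    static region_t regs[4096];
    int n = argc == 2 ? enumerate_regions((pid_t)atoi(argv[1]), regs, 4096) : -1;
    if (n < 0) { fprintf(stderr, "usage: %s <pid> (needs task_for_pid rights)\n", argv[0]); return 1; }
    for (int i = 0; i < n; i++) printf("%016llx-%016llx %s\n", (unsigned long long)regs[i].addr,
        (unsigned long long)(regs[i].addr + regs[i].size), prot_str(regs[i].prot));
    printf("%d regions, %llu readable bytes\n", n, (unsigned long long)readable_bytes(regs, (size_t)n));
    return 0;
}
#endif
```

On recent macOS, task_for_pid is refused even for root when the target is a SIP-protected platform binary or a hardened-runtime app without the get-task-allow entitlement, which is the authorization point the second answer's links discuss.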