Planetarion Forums

Planetarion Forums (https://pirate.planetarion.com/index.php)
-   Programming and Discussion (https://pirate.planetarion.com/forumdisplay.php?f=57)
-   -   Searching for a string across all memory (https://pirate.planetarion.com/showthread.php?t=184715)

Gayle29uk 15 Apr 2005 17:09

Searching for a string across all memory
 
I need to search for a specific string in memory (all memory, not just that used by my app) and return both the location and data from around that location. Anyone any ideas?

JetLinus 16 Apr 2005 01:07

Re: Searching for a string across all memory
 
Hm.
WinHex Memory Viewer?
http://www.x-ways.net/winhex/index-m.html

Taken from:
http://www.infosecwriters.com/text_r..._In_Memory.pdf



Could be difficult I imagine. Getting access violations and so on. Try to use APIs?

Or let your program occupy memory of the size of RAM available. The rest should be swapped to the swap-file, which you could read and analyze? Stupid method I guess.

queball 16 Apr 2005 02:01

Re: Searching for a string across all memory
 
What OS? What language? Do you want to do it from the program or from outside?

I might try http://cpan.uwinnipeg.ca/htdocs/Win32-Process-Memory/ on Windows, or on Unix use /proc.

Gayle29uk 16 Apr 2005 09:15

Re: Searching for a string across all memory
 
Running on Linux. /proc was enough of a hint for me to find this on kerneltrap.org which appears as if it may do the trick.

Thanks queball, now to find out if what I want to do is even possible (I don't think so but hey, it's worth a shot).

JetLinus 16 Apr 2005 20:30

Re: Searching for a string across all memory
 
So WHAT do you want to do?

queball 17 Apr 2005 06:07

Re: Searching for a string across all memory
 
Quote:

Originally Posted by Gayle29uk
Running on Linux. /proc was enough of a hint for me to find this on kerneltrap.org which appears as if it may do the trick.

Thanks queball, now to find out if what I want to do is even possible (I don't think so but hey, it's worth a shot).

If it helps, /proc/<pid>/mem is process memory, and /proc/<pid>/maps gives a clue as to what's interesting. You need to have ptrace'd that pid to access mem (plus you can always access your own process memory (/proc/self/mem)).

The following perl script will dump a process's memory to files into the current directory. Embarrassingly I wouldn't know how to search a large file using perl, but by dumping each memory mapped region you can use for example grep and hexdump.
Code:

#!/usr/bin/perl

use strict;
use warnings;

require 'syscall.ph';    # generated by h2ph; supplies &SYS_ptrace
use Fcntl 'SEEK_SET';

use constant PTRACE_ATTACH => 16;
use constant PTRACE_DETACH => 17;

sub attach($) {
    my ($pid) = @_;
    my $result;

    print "Attaching to process $pid.\n";
    $result = syscall(&SYS_ptrace, PTRACE_ATTACH, $pid, 0, 0);
    die "ptrace(PTRACE_ATTACH) failed: $!" if $result == -1;

    print "Attached. Waiting for process to stop.\n";
    $result = wait;
    die "wait returned $result." if ($result != $pid);

    print "Process stopped.\n";
}

sub detach($) {
    my ($pid) = @_;
    # Resume the traced process; until we detach (or exit) it stays stopped.
    syscall(&SYS_ptrace, PTRACE_DETACH, $pid, 0, 0) == -1
        and warn "ptrace(PTRACE_DETACH) failed: $!";
}

my $pid = int ($ARGV[0] || 0) or die "usage: dumpmem.pl pid";
attach $pid;

print "Accessing /proc.\n";
open my $MAPS, '<', "/proc/$pid/maps" or die "open maps: $!";
open my $MEM,  '<', "/proc/$pid/mem"  or die "open mem: $!";

sub dumpmem($$) {
    my ($start, $end) = @_;
    sysseek($MEM, $start, SEEK_SET) or die "seek: $!";

    # One file per mapping in the current directory, named after its start address.
    open my $DUMP, '>', sprintf("%08x", $start) or die "open dump: $!";
    binmode $DUMP;

    my $data;
    while ($start < $end) {
        my $n = sysread $MEM, $data, 1024;
        unless (defined $n) {
            # Some mappings (e.g. [vvar]) are listed in maps but cannot be read via mem.
            warn sprintf("skipping %08x-%08x: %s\n", $start, $end, $!);
            last;
        }
        last if $n == 0;    # nothing further to read in this region
        syswrite $DUMP, $data, $n or die "write: $!";
        $start += $n;
    }
    close $DUMP;
}

print "Dumping memory.\n";
while (<$MAPS>) {
    # Addresses are 8 hex digits on 32-bit kernels and up to 16 on 64-bit.
    /^([0-9a-f]{8,16})-([0-9a-f]{8,16})\s+(\S{4})/i or die "Malformed map: $_";
    next unless substr($3, 0, 1) eq 'r';    # skip mappings without read permission
    dumpmem (hex $1, hex $2);
}

detach $pid;

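Doing the search itself, rather than dumping to files and grepping, along the lines queball describes (parse /proc/<pid>/maps, read each readable region from /proc/<pid>/mem): an added Python example, not code from the thread. It scans each region in chunks, carries the tail of one chunk into the next so a match straddling a chunk boundary is still found, and returns each address with the bytes around it, which is what the original question asked for. The function names are my own; as queball notes, reading another pid's mem needs ptrace permission on that process.

```python
import os
import re
from functools import partial
# A maps line is "start-end perms offset dev inode [path]"; addresses are 8 hex digits on 32-bit kernels, 16 on 64-bit.
_MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})")

def proc_available():
    return os.path.exists("/proc/self/maps") and os.path.exists("/proc/self/mem")  # Linux only

def readable_regions(pid="self"):
    """Yield (start, end) for every mapping whose permissions include 'r'."""
    with open(f"/proc/{pid}/maps") as maps:
        for line in maps:
            m = _MAPS_RE.match(line)
            if not m:
                raise ValueError(f"malformed maps line: {line!r}")
            if "r" in m.group(3):
                yield int(m.group(1), 16), int(m.group(2), 16)

def scan_range(read, start, end, needle, context=16, chunk=1 << 20):
    """Scan [start, end) via read(size, offset) -> bytes; return [(addr, bytes around the match)]."""
    if not needle:
        raise ValueError("empty needle")
    hits, pos, carry = [], start, b""
    while pos < end:
        try:
            data = read(min(chunk, end - pos), pos)
        except (OSError, OverflowError):
            break  # e.g. [vvar]: listed in maps but not readable through mem
        if not data:
            break
        buf, base = carry + data, pos - len(carry)  # base is the address of buf[0]
        idx = buf.find(needle)
        while idx != -1:
            hits.append((base + idx, buf[max(0, idx - context):idx + len(needle) + context]))
            idx = buf.find(needle, idx + 1)
        # keep len(needle)-1 trailing bytes so a match straddling the chunk boundary is found
        carry = buf[-(len(needle) - 1):] if len(needle) > 1 else b""
        pos += len(data)
    return hits

def search_memory(needle, pid="self", context=16, chunk=1 << 20):
    """Search every readable mapping of pid; reading another pid's mem needs ptrace permission."""
    hits, fd = [], os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        for start, end in readable_regions(pid):
            hits += scan_range(partial(os.pread, fd), start, end, needle, context, chunk)
    finally:
        os.close(fd)
    return hits
```

The context bytes are clipped at the edge of the chunk buffer, so a match near a region start may carry fewer than `context` leading bytes.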

queball 17 Apr 2005 12:21

Re: Searching for a string across all memory
 
/dev/mem seems to work fine for me

