Unread 15 Apr 2005, 17:09   #1
Gayle29uk
Searching for a string across all memory

I need to search for a specific string in memory (all memory, not just that used by my app) and return both the location and data from around that location. Anyone any ideas?
__________________
ACHTUNG!!!
Das machine is nicht fur gefingerpoken und mittengrabben. Ist easy
schnappen der springenwerk, blowenfusen und corkenpoppen mit
spitzensparken. Ist nicht fur gewerken by das dummkopfen. Das
rubbernecken sightseeren keepen hands in das pockets. Relaxen und vatch
das blinkenlights!!!
Unread 16 Apr 2005, 01:07   #2
JetLinus

Hm.
WinHex Memory Viewer?
http://www.x-ways.net/winhex/index-m.html

Taken from:
http://www.infosecwriters.com/text_r..._In_Memory.pdf



Could be difficult I imagine. Getting access violations and so on. Try to use APIs?

Or let your program occupy memory of the size of RAM available. The rest should be swapped to the swap-file, which you could read and analyze? Stupid method I guess.
__________________
[»] Entropy increases! :-/
Unread 16 Apr 2005, 02:01   #3
queball

What OS? What language? Do you want to do it from the program or from outside?

I might try http://cpan.uwinnipeg.ca/htdocs/Win32-Process-Memory/ on Windows, or on Unix use /proc.

Last edited by queball; 16 Apr 2005 at 02:08.
Unread 16 Apr 2005, 09:15   #4
Gayle29uk

Running on Linux. /proc was enough of a hint for me to find this on kerneltrap.org which appears as if it may do the trick.

Thanks queball, now to find out if what I want to do is even possible (I don't think so but hey, it's worth a shot).
Unread 16 Apr 2005, 20:30   #5
JetLinus

So WHAT do you want to do?
Unread 17 Apr 2005, 06:07   #6
queball

Quote:
Originally Posted by Gayle29uk
Running on Linux. /proc was enough of a hint for me to find this on kerneltrap.org which appears as if it may do the trick.

Thanks queball, now to find out if what I want to do is even possible (I don't think so but hey, it's worth a shot).
If it helps, /proc/<pid>/mem is process memory, and /proc/<pid>/maps gives a clue as to what's interesting. You need to have ptrace'd that pid to access mem (plus you can always access your own process memory (/proc/self/mem)).

The following perl script will dump a process's memory to files into the current directory. Embarrassingly I wouldn't know how to search a large file using perl, but by dumping each memory mapped region you can use for example grep and hexdump.
Code:
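#!/usr/bin/perl

use strict;
use warnings;
no warnings 'portable';    # 64-bit addresses exceed 0xffffffff

require 'syscall.ph';
use Fcntl 'SEEK_SET';

# ptrace request numbers from <sys/ptrace.h> on Linux
use constant { PTRACE_ATTACH => 16, PTRACE_DETACH => 17 };

sub attach {
    my ($pid) = @_;

    print "Attaching to process $pid.\n";
    my $result = syscall(&SYS_ptrace, PTRACE_ATTACH, $pid, 0, 0);
    die "ptrace attach: $!" if $result;

    print "Attached. Waiting for process to stop.\n";
    $result = waitpid($pid, 0);
    die "wait returned $result." if ($result != $pid);

    print "Process stopped.\n";
}

my $pid = int($ARGV[0] // 0) or die "usage: dumpmem.pl pid\n";
attach($pid);

print "Accessing /proc.\n";
open my $MAPS, '<', "/proc/$pid/maps" or die "maps: $!";
open my $MEM,  '<', "/proc/$pid/mem"  or die "mem: $!";
binmode $MEM;

# Dump files hold another process's memory; keep them private to this user.
umask 077;

# Dump one mapped region [$start, $end) to a file named after its start address.
sub dumpmem {
    my ($start, $end) = @_;
    unless (sysseek($MEM, $start, SEEK_SET)) {
        warn sprintf("skipping %x: seek failed: %s\n", $start, $!);
        return;
    }

    open my $DUMP, '>', sprintf("%08x", $start) or die "dump file: $!";
    binmode $DUMP;

    while ($start < $end) {
        my $want = $end - $start;
        $want = 1024 if $want > 1024;
        my $got = sysread($MEM, my $data, $want);
        # Some regions are mapped but unreadable; stop instead of looping forever.
        unless ($got) {
            warn sprintf("stopping at %x: %s\n", $start, defined $got ? "EOF" : $!);
            last;
        }
        syswrite($DUMP, $data, $got) or die "write: $!";
        $start += $got;
    }
    close $DUMP;
}

print "Dumping memory.\n";
while (<$MAPS>) {
    /^([0-9a-f]+)-([0-9a-f]+)/i or die "Malformed map: $_";
    dumpmem(hex $1, hex $2);
}

# Release the target so it does not stay stopped.
syscall(&SYS_ptrace, PTRACE_DETACH, $pid, 0, 0) == -1 and warn "ptrace detach: $!\n";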

Last edited by queball; 17 Apr 2005 at 11:40. Reason: remove complete nonsense
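
Added example, not part of queball's post or the original thread: the search step that the script above leaves to grep, done directly over the /proc/<pid>/maps layout and a /proc/<pid>/mem style file, returning each hit's address and the bytes around it. The function names, the `SECRET` needle and the sample maps text and memory image are constructed for illustration.

```python
import io, re
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})", re.I)

def parse_maps(text):
    """(start, end) of every readable region in /proc/<pid>/maps text."""
    found = (MAPS_LINE.match(line) for line in text.splitlines())
    return [(int(m[1], 16), int(m[2], 16)) for m in found if m and m[3][0] == "r"]

def read_at(mem, addr, size):
    try:
        mem.seek(addr)
        return mem.read(size)
    except (OSError, OverflowError, ValueError):
        return b""  # mapped but unreadable, e.g. [vvar] or [vsyscall]

def search_regions(mem, regions, needle, context=16, chunk=4096):
    """Return [(address, bytes around the hit)] for needle in the regions."""
    hits, overlap = [], len(needle) - 1
    for start, end in regions:
        pos, tail = start, b""
        while pos < end:
            data = read_at(mem, pos, min(chunk, end - pos))
            if not data:
                break
            buf, base = tail + data, pos - len(tail)
            i = buf.find(needle)
            while i != -1:
                addr = base + i
                lo, hi = max(start, addr - context), min(end, addr + len(needle) + context)
                hits.append((addr, read_at(mem, lo, hi - lo)))
                i = buf.find(needle, i + 1)
            # Carry len(needle)-1 bytes so a hit split across reads is found.
            tail = buf[-overlap:] if overlap else b""
            pos += len(data)
    return hits

def scan_pid(pid, needle, **kw):
    """Search a live process ('self', or a pid you may ptrace)."""
    with open(f"/proc/{pid}/maps") as f:
        regions = parse_maps(f.read())
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        return search_regions(mem, regions, needle, **kw)

def demo():
    """Constructed maps text and memory image; no real process is touched."""
    maps = "00001000-00002000 r--p 0 00:00 0\n00002000-00003000 ---p 0 00:00 0\n"
    image = bytearray(0x3000)
    image[0x100d:0x1013] = image[0x2100:0x2106] = b"SECRET"
    return search_regions(io.BytesIO(image), parse_maps(maps), b"SECRET", 4, 16)
```

`demo()` finds only the copy in the readable region, even though it straddles a 16-byte read boundary; the copy in the `---p` region is never read.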
Unread 17 Apr 2005, 12:21   #7
queball

/dev/mem seems to work fine for me

Last edited by queball; 18 Apr 2005 at 02:12.