Old 02-10-2009, 10:03 AM   #1
Moraxus
LQ Newbie
 
Registered: Oct 2008
Posts: 26

Rep: Reputation: 15
ptrace - reading text


I'm using the ptrace function to read data from the memory of another process.
It's the equivalent of the readprocessmemory() function from Windows, but there is one difference.
The 4th argument of readprocessmemory is nSize, so if we want to read an int we need to put 4 there.
Similarly, when we want to read a long we put 8 there, and when we want to read text we put the length of the text there.
The problem with ptrace is that this function doesn't have an nSize argument, and it returns all data as long.
For example, I have text like this in some process memory:

|T|E|X|T| - text
|1|2|3|4| - addresses

If I'd like to read this text on Windows I'd call:
Code:
ReadProcessMemory(hProcess, (LPCVOID)1, buff, 4, NULL);
But how to read it with ptrace?

Last edited by Moraxus; 02-10-2009 at 11:58 AM.
 
Old 02-11-2009, 06:17 AM   #2
wje_lq
Member
 
Registered: Sep 2007
Location: Mariposa
Distribution: FreeBSD,Debian wheezy
Posts: 811

Rep: Reputation: 179Reputation: 179
All the details are in the man page. Do this at the command line:
Code:
man ptrace
If your system is installed without this man page, google this:
Code:
Linux man ptrace
Hope this helps.
 
Old 02-11-2009, 08:09 AM   #3
Moraxus
LQ Newbie
 
Registered: Oct 2008
Posts: 26

Original Poster
Rep: Reputation: 15
I have read this manual but there's no information about reading a string from memory.
 
Old 02-11-2009, 10:57 AM   #4
wje_lq
Member
 
Registered: Sep 2007
Location: Mariposa
Distribution: FreeBSD,Debian wheezy
Posts: 811

Rep: Reputation: 179Reputation: 179
Search the man page for each of these strings, depending on which data you'd like to access:
Code:
PTRACE_PEEKTEXT
PTRACE_PEEKUSER
PTRACE_GETREGS
PTRACE_GETFPREGS
My guess is you'd want PTRACE_PEEKTEXT.
 
Old 02-11-2009, 11:08 AM   #5
Moraxus
LQ Newbie
 
Registered: Oct 2008
Posts: 26

Original Poster
Rep: Reputation: 15
Maybe you are right, but how to use it?
I can write something like this:
Code:
char *buf=ptrace(PTRACE_PEEKTEXT, pid, address, 0);
but ptrace returns long int, so I doubt it'll work.
 
Old 02-11-2009, 11:19 AM   #6
wje_lq
Member
 
Registered: Sep 2007
Location: Mariposa
Distribution: FreeBSD,Debian wheezy
Posts: 811

Rep: Reputation: 179Reputation: 179
Well, you have to put it in a loop. Figure out how much data you want, where you want to get it from, where you want to put it, and get it four bytes at a time.

Loops shouldn't be that difficult.
 
Old 02-11-2009, 11:43 AM   #7
Moraxus
LQ Newbie
 
Registered: Oct 2008
Posts: 26

Original Poster
Rep: Reputation: 15
So your suggestion is to read characters one by one?
I think that's a good idea but the size of a char is 1 byte, not 8 bytes.
ptrace reads 8 bytes so is there any way to read char with it?
 
Old 02-11-2009, 01:11 PM   #8
wje_lq
Member
 
Registered: Sep 2007
Location: Mariposa
Distribution: FreeBSD,Debian wheezy
Posts: 811

Rep: Reputation: 179Reputation: 179
Quote:
So your suggestion is to read characters one by one?
No, not one by one.
Quote:
I think that's a good idea but the size of a char is 1 byte, not 8 bytes.
Correct. But what does 8 bytes have to do with it?
Quote:
ptrace reads 8 bytes so is there any way to read char with it?
No, it reads 4 bytes. Compile and run this program:
Code:
#include <stdio.h>

int main(void)
{
  /* sizeof yields a size_t, which is printed with %zu */
  printf("%zu\n",sizeof(long));

  return 0;
}
It spits out this:
Code:
4
So the idea is to read characters not one by one, not eight by eight, but four by four.

Write yourself a loop. You know C, correct?
 
Old 02-11-2009, 01:27 PM   #9
Moraxus
LQ Newbie
 
Registered: Oct 2008
Posts: 26

Original Poster
Rep: Reputation: 15
Quote:
So the idea is to read characters not one by one, not eight by eight, but four by four.
Thanks, but I have an idea how to read them one by one.
I know that it'll work slower, but it should be much simpler.
I found on another forum how to read one byte, it was something like this:
Code:
BYTE byte=(BYTE)ptrace(...);
Is it correct?
If it is, I could write a simple loop:
Code:
char c;
int addr=0x00123456, i=0;
char buff[1000];
while(c){
 c=(char)ptrace(PTRACE_PEEKTEXT, pid, addr, 0);
 addr++;
 buff[i]=c;
}
If this solution is incorrect, how do I read 4 characters by one ptrace?

Last edited by Moraxus; 02-11-2009 at 02:07 PM.
 
Old 02-11-2009, 02:21 PM   #10
wje_lq
Member
 
Registered: Sep 2007
Location: Mariposa
Distribution: FreeBSD,Debian wheezy
Posts: 811

Rep: Reputation: 179Reputation: 179
Your code will almost work. It will be slower getting the data byte by byte, but your code will be simpler.

I'm assuming that what you want to read is a string, right, with a NUL byte at the end? You seem to be testing for a NUL byte as the termination condition.

A problem with your code is that you test for the NUL byte at the beginning of the loop, rather than at the end. And you don't initialize c to be anything in particular before you go into the loop. So if c contains all bits off when you go into the loop, you'll never actually execute the body of the loop.

So initialize c to something nonzero, anything at all between 1 and 255, (or between -128 and 127, but not including zero) before the for statement.

You could avoid that by using a do...while loop, because it would test c at the end of each time through the loop, not the beginning.
 
Old 02-11-2009, 03:26 PM   #11
Moraxus
LQ Newbie
 
Registered: Oct 2008
Posts: 26

Original Poster
Rep: Reputation: 15
I can do it easier because I know the length of the text that I read

Thanks a lot wje_lq, of course if someone knows a better solution I'd be thankful for any suggestions.

PS. wje_lq, could you show me the example how to read 4 characters using one ptrace? :P

Last edited by Moraxus; 02-11-2009 at 03:28 PM.
 
Old 02-11-2009, 06:27 PM   #12
wje_lq
Member
 
Registered: Sep 2007
Location: Mariposa
Distribution: FreeBSD,Debian wheezy
Posts: 811

Rep: Reputation: 179Reputation: 179
Quote:
could you show me the example how to read 4 characters using one ptrace?
Code:
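#include <sys/types.h>
#include <sys/ptrace.h>
#include <string.h>
#include <errno.h>

pid_t  the_pid;

void  *the_address;

long   ptrace_result;

/* Holds one ptrace word, which is sizeof(long) bytes on this system. */
char   tiny_buffer[sizeof(long)];

/* Initialize the_pid and the_address first. */

/* Returns 0 on success, -1 if the peek failed. */
int read_one_word(void)
{
  errno = 0;  /* -1 may be real data, so errors are detected via errno */
  ptrace_result = ptrace(PTRACE_PEEKTEXT, the_pid, the_address, 0);
  if (ptrace_result == -1 && errno != 0)
    return -1;

  memmove(tiny_buffer, &ptrace_result, sizeof(ptrace_result));
  return 0;
}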
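
Added example (not code from any poster in this thread): the word-by-word loop discussed above, written so that it copies exactly the requested number of bytes whatever sizeof(long) is, and checks errno because -1 can be legitimate data. The names peek_fn, ptrace_peek, mem_peek and read_remote are hypothetical; ptrace_peek assumes the caller has already attached to the target with PTRACE_ATTACH and waited for it to stop, and mem_peek is a stand-in that reads this process's own memory so the loop can be exercised without a tracee.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>

/* Reads the word at addr into *word; returns 0 on success, -1 on error. */
typedef int (*peek_fn)(void *ctx, uintptr_t addr, long *word);

/* Real reader: ctx points to the pid of an attached, stopped tracee. */
int ptrace_peek(void *ctx, uintptr_t addr, long *word)
{
    errno = 0; /* -1 can be valid data, so errno is the only error signal */
    *word = ptrace(PTRACE_PEEKTEXT, *(pid_t *)ctx, (void *)addr, NULL);
    return (*word == -1 && errno != 0) ? -1 : 0;
}

/* Stand-in reader (hypothetical, for dry runs without a tracee): serves
   words from this process, treating ctx = {lo, hi} as the mapped range. */
int mem_peek(void *ctx, uintptr_t addr, long *word)
{
    uintptr_t *span = ctx;
    if (addr < span[0] || addr + sizeof *word > span[1])
        return -1; /* models a peek into unmapped memory */
    memcpy(word, (void *)addr, sizeof *word);
    return 0;
}

/* Copy len bytes from addr into buf using word-aligned peeks, so no peek
   straddles a page boundary and nothing is written past buf[len - 1]. */
int read_remote(peek_fn peek, void *ctx, uintptr_t addr, void *buf, size_t len)
{
    unsigned char *out = buf;
    uintptr_t base = addr & ~(uintptr_t)(sizeof(long) - 1);
    size_t skip = addr - base; /* unwanted bytes before addr in first word */

    while (len > 0) {
        long word;
        if (peek(ctx, base, &word) != 0)
            return -1;
        size_t n = sizeof word - skip;
        if (n > len)
            n = len; /* last word: keep only the bytes still wanted */
        memcpy(out, (unsigned char *)&word + skip, n);
        out += n; len -= n; base += sizeof word; skip = 0;
    }
    return 0;
}
```

With a real target, pass ptrace_peek and a pointer to the pid: `read_remote(ptrace_peek, &pid, addr, buf, len)`.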
 
  

