[Mono-dev] {kinda OT} Linux equivalent of Win32 "ReadProcessMemory"...

Martin Baulig martin at novell.com
Tue Apr 14 11:47:39 EDT 2009


On Mon, 2009-04-13 at 10:45 -0400, Miguel de Icaza wrote:

> > * Has anyone actually done something like this and run into non-obvious
> > problems?  I'm most concerned that there are some gotchas in how Linux
> > manages memory, though if it's just a matter of trial and error to find
> > the right spots in memory I'm already assuming that's coming.
> 
> You might want to first look in /proc/PID/maps which describes which  
> memory addresses are actually valid for that process.   Then you can  
> start seeking and reading at will.

Hi,

You're not allowed to do that!

The following restrictions apply:

a) you're trying to read from yourself - that's allowed

or

b) you're the tracing parent of the target process - and the restriction
   applies on thread-level.

This means that in a multi-threaded application, only the thread which
initially started ptrace()'ing the target process is allowed to read
from its /proc/PID/mem.

You can check mem_read() in fs/proc/base.c in the Linux kernel
(I'm using 2.6.25.20):

====[around line 726]=====
static ssize_t mem_read(struct file * file, char __user * buf,
                        size_t count, loff_t *ppos)
{
        struct task_struct *task =
                get_proc_task(file->f_path.dentry->d_inode);
        char *page;
        unsigned long src = *ppos;
        int ret = -ESRCH;
        struct mm_struct *mm;

        if (!task)
                goto out_no_task;

        if (!MAY_PTRACE(task) || !ptrace_may_attach(task))
                goto out;
======

and MAY_PTRACE() is defined as

====[around line 217]=====
#define MAY_PTRACE(task) \
        (task == current || \
        (task->parent == current && \
        (task->ptrace & PT_PTRACED) && \
         (task_is_stopped_or_traced(task)) && \
         security_ptrace(current,task) == 0))
========

The reasoning for these restrictions is simple: you must not attempt to
read from a process's memory while that process is running.  The Linux
kernel enforces this by requiring you to ptrace() the process.

-- 
Martin Baulig - martin at novell.com
Novell GmbH, Nördlicher Zubringer 9-11, 40470 Düsseldorf
GF: Dr. Jürgen Müller, Sylvia Geil, Felix Imendörffer; HRB 21108 (AG
Düsseldorf) 
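
Added example (not part of the original message or of the kernel source quoted in it): a parent reads its child's memory through /proc/PID/mem once the child is traced and stopped, which is case (b) above. The names read_proc_mem, traced_child_read and marker are hypothetical; it assumes 64-bit Linux with /proc mounted.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

static char marker[32] = "parent-copy";   /* constructed sample data */

/* pread() len bytes at addr from /proc/<pid>/mem; returns bytes read or -1. */
static ssize_t read_proc_mem(pid_t pid, const void *addr, void *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = pread(fd, buf, len, (off_t)(unsigned long)addr);
    close(fd);
    return n;
}

/* Fork a child that rewrites its private copy of marker, asks to be traced
 * and stops itself. Returns 0 if the parent then reads the child's value. */
int traced_child_read(char *out, size_t len)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        strcpy(marker, "child-copy");          /* differs from the parent's copy */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL); /* parent becomes the tracer */
        raise(SIGSTOP);                        /* stop so memory is stable */
        _exit(0);
    }
    int status, rc = -1;
    /* WUNTRACED: a refused PTRACE_TRACEME must not leave the parent hanging. */
    if (waitpid(pid, &status, WUNTRACED) == pid && WIFSTOPPED(status) &&
        read_proc_mem(pid, marker, out, len) == (ssize_t)len)
        rc = strcmp(out, "child-copy") == 0 ? 0 : 1;
    kill(pid, SIGKILL);
    waitpid(pid, &status, 0);
    return rc;
}

int main(void)
{
    char buf[sizeof marker];
    return traced_child_read(buf, sizeof buf) != 0;
}
```

After fork() the child's marker lives at the same virtual address as the parent's, so the parent can use its own &marker as the file offset; the value read back differs from the parent's copy, which shows the bytes came from the child's address space.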



