gdb dump memory & error?

Time: 2014-03-13 19:19:41

Tags: python debugging memory gdb

I am trying to attach to a process, take a memory snapshot, and then use /proc/pid/maps & /proc/pid/mem to look at items in the running process's memory.

I am using a Python script inside gdb to do this, and it appears to work. Some information:

  1. The process whose memory segments I want to examine is running as an ordinary, unprivileged user.
  2. The gdb instance attaching to the process is running as root / a privileged user.
  3. The Python script running gdb does the following:
    • Creates a snapshot of /dev/mem (i.e. dd if=/dev/mem of=/tmp/mem.bin)
    • Examines /proc/pid/maps & /proc/pid/mem to extract the start and end memory addresses to search
    • Then relies on gdb and runs the following: (gdb) dump memory /tmp/mem.bin [start] [end]
  4. The problem is that every memory segment examined returns an error:

    %> # gdb -x mem.py --pid 24204
    GNU gdb (GDB) Red Hat Enterprise Linux (7.2-60.el6_4.1)
    Copyright (C) 2010 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "x86_64-redhat-linux-gnu".
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>.
    Attaching to process 24204
    ptrace: Operation not permitted.
    dd: reading `/dev/mem': Operation not permitted
    2056+0 records in
    2056+0 records out
    1052672 bytes (1.1 MB) copied, 0.0903829 s, 11.6 MB/s
    Examining: 4194304 13213696
    Error: Cannot access memory at address 0x400000
    Examining: 15306752 15396864
    Error: Cannot access memory at address 0xe99000
    Examining: 15396864 15429632
    Error: Cannot access memory at address 0xeaf000
    Examining: 34545664 36294656
    Error: Cannot access memory at address 0x20f2000
    Examining: 10833544417280 10833546514432
    Error: Cannot access memory at address 0x61911000
    Examining: 18212460691456 18212461740032
    Error: Cannot access memory at address 0x6b400000
    Examining: 23029163552768 23029163556864
    Error: Cannot access memory at address 0xe51cf000
    Examining: 24071492337664 24071492358144
    Error: Cannot access memory at address 0x1eaba000
    Examining: 140278443610112 140278443614208
    Error: Cannot access memory at address 0x1ecd1000
    Examining: 140278443614208 140278443618304
    Error: Cannot access memory at address 0x1ecd2000
    Examining: 140278443618304 140278443634688
    Error: Cannot access memory at address 0x1faa3000
    Examining: 140278458105856 140278458109952
    Error: Cannot access memory at address 0x1faa4000
    Examining: 140736783110144 140736783196160
    Error: Cannot access memory at address 0xd5f6d000
    Examining: 140736783654912 140736783659008
    Error: Cannot access memory at address 0xd5ff2000
    Examining: 18446744073699065856 18446744073699069952
    Error: Cannot access memory at address 0xff600000
    

I know the kernel does protect system memory, but it does not seem right that the root user cannot access any of the memory segments of a user process. Any help is appreciated.

2 answers:

Answer 0 (score: 2)

dd: reading `/dev/mem': Operation not permitted

/dev/mem maps physical memory and is disabled by default on most distributions for security reasons, so that is not surprising. Assuming the later errors like

Examining: 4194304 13213696
Error: Cannot access memory at address 0x400000

are caused by accessing /proc/<PID>/mem, you may need to suspend the process with PTRACE_ATTACH first, e.g.

    #include <fcntl.h>
    #include <stdio.h>
    #include <sys/ptrace.h>
    #include <sys/wait.h>
    #include <unistd.h>
    /* assumes pid, offset, mem_fd, mem_file_name and a page-sized buf are already declared */
    sprintf(mem_file_name, "/proc/%d/mem", pid);
    mem_fd = open(mem_file_name, O_RDONLY);
    ptrace(PTRACE_ATTACH, pid, NULL, NULL);    /* stop the target; reads of its mem are refused otherwise */
    waitpid(pid, NULL, 0);                     /* wait until it has actually stopped */
    lseek(mem_fd, offset, SEEK_SET);
    read(mem_fd, buf, sysconf(_SC_PAGE_SIZE)); /* _SC_PAGE_SIZE is a sysconf() name, not a byte count */
    ptrace(PTRACE_DETACH, pid, NULL, NULL);

See https://unix.stackexchange.com/questions/6301/how-do-i-read-from-proc-pid-mem-under-linux
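Added example (not from the question or either answer): a Python helper that parses /proc/pid/maps into the start/end ranges the script walks, keeps only readable ordinary mappings, and reads a range through /proc/pid/mem with pread(). It reads its own process, so no ptrace attach is needed to run it; the sample maps text and the python path are constructed, and for a foreign pid the attach-and-stop step from the answer above still applies.

```python
# Added example (not from the question or answers): parse /proc/<pid>/maps,
# drop mappings that are not ordinary process memory, and read a region with
# pread().  A foreign pid also needs ptrace rights and a stopped target.
import ctypes
import os
import re

# One maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+(\S+)\s+(\S+)\s+(\d+)\s*(.*)$")

# Constructed sample; the first two ranges are the ones the question prints as
# "Examining: 4194304 13213696" and "Examining: 15306752 15396864".
SAMPLE_MAPS = """\
00400000-00c9a000 r-xp 00000000 08:01 1234 /usr/bin/python
00e99000-00eaf000 rw-p 00899000 08:01 1234 /usr/bin/python
7ffd5f6d000-7ffd5f84000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
"""

def parse_maps(text):
    """Return a list of dicts with start/end as ints plus perms and path."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            regions.append({"start": int(m.group(1), 16), "end": int(m.group(2), 16),
                            "perms": m.group(3), "path": m.group(7)})
    return regions

def readable_regions(regions):
    """Keep r-mappings; skip the kernel-provided [vsyscall]/[vvar] pages."""
    return [r for r in regions
            if r["perms"][0] == "r" and r["path"] not in ("[vsyscall]", "[vvar]")]

def read_region(pid, start, length):
    """Read `length` bytes at virtual address `start` of `pid`; OSError on failure."""
    fd = os.open("/proc/%d/mem" % pid, os.O_RDONLY)
    try:
        return os.pread(fd, length, start)
    finally:
        os.close(fd)

def self_check():
    """Read a buffer of this process back via /proc/self/mem; None if /proc is unavailable."""
    marker = ctypes.create_string_buffer(b"constructed-marker")
    try:
        data = read_region(os.getpid(), ctypes.addressof(marker), len(marker.value))
    except OSError:
        return None
    return data == marker.value
```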

Answer 1 (score: 1)

Although @scott is correct, the answer here is that I was not considering snapshotting the memory while the process was running.

I had to implement a loop that performed a comparative analysis of the current memory allocated to the process ID in /proc/pid/mem.

Here is a gist of the whole solution