Holberton School and The Low-Level Algorithms

The memory and the processes

How processes interact with the virtual memory

This image is a combination of Filindmitriy86, and oldschoolroleplaying.

The process

Every time that you run a program or a binary file, the OS creates an instance. It has an ID associated and you can see its value with the program ps. You can use the flag ps -A to see all the processes.

Running ps.

The binary

If we want to know how the memory works. First, we need a simple program. Our «hello world».

  • It has to show the PID and the memory allocated.
  • And let’s include a counter and a sleep for better visualization.
#include <string.h>             /* strdup */
#include <unistd.h> /* sleep, getpid */
#include <stdio.h> /* printf */
/**
* main - simple program which shows
* the PID and allocated memory
* Return: 0
*/
int main(void)
{
char *msg;
pid_t pid;
int counter;
msg = strdup("Welcome to Holberton");
pid = getpid();
counter = 0;
while(1)
{
printf("[%d] %4d: %s\n", pid, counter++, msg);
sleep(1);
}
}
Creating Infinite program.
[68461]   0: Welcome to Holberton
[68461] 1: Welcome to Holberton
[68461] 2: Welcome to Holberton
.
.
[68637] 1: Welcome to Holberton
[68637] 2: Welcome to Holberton
.
.

/proc

OK, we have our program running, and we have its PID. The next step is to check what has been generated. This information can be found here. In the directory /proc/<PID>/.

Content of /proc/<PID>.
  • mem: It is the virtual memory’s content of the process. This is what we want to hack.
  • maps: It shows the distribution of the virtual memory as human-readable information.
  • status: This file contains all the human-readable information of the process PID, PPID, NAME, UID, GROUPS, etc.
  • environ: This file has the environment variables of the process.
  • cmdline: This file has the arguments of the program.
  • cwd/: This is a symbolic link to the current directory of the program.
  • root/: This is another symbolic link, but it is pointing to the program’s root directory, normally /.

Let’s meet maps and mem

Let’s check what maps has inside with the cat program.

$ cat maps
Content of maps file.
  • Each line is a section of memory. You can see where stack, heap, vsyscall start and end.
  • The lower memory is at the top and the higher memory is at the bottom.
Virtual memory representation
  • For example. We want to know what is happening in the heap. So it starts at 0x55996d276000 and ends at 0x55996d297000, which correspond to a length of 0x21000 bytes or 132KiB or 132 kilo-binary bytes.
  • It has read and write permissions (rw-p). This is useful for hacking the mem file.
$ sudo cat mem
cat: mem: Input/output error

Say hi to my little xxd

Here is when the xxd enters the scene. This program can dump an isolated section of a binary file translated into hexadecimal format.

Fragment of xxd’s manual.
  • len (-l): it will make the program stop after reading len bytes or octets (8 bits). The syntax is -l len.

Read the heap

First, Let’s check the heap location with cat maps | grep heap:

$ cat maps | grep heap
55996d276000-55996d297000 rw-p 00000000 00:00 0 [heap]
$ sudo xxd -s 0x55996d276000 -l $((-0x55996d276000+0x55996d297000)) mem | less
Finding the start of the allocated string.

Edit with dd

Now, if we want to edit the running memory we need:

  • To edit byte by byte in mem file.
The first line of dd’s manual.
  • Buffer size (bs=): this flag sets the read/write size, we have to set it in 1 to prevent writing outside of the memory allocated. Our syntax is bs=1.
  • Conventions (conv=): by default dd truncates the output but we don’t want to lose information. So we need to include the flag notrunc. Our syntax is conv=notrunc(for more information check this link).
  • Seek (seek=): it will skip N objects at the output. We want to change the file from the allocated memory. But watch out! It must be an integer. Our syntax is seek=<allocated-memory-address-int>.
$ python3 -c "print(int(0x55996d2762a0))"
94117449654944
$ printf "Welcome to Bogota :)" | sudo dd of=mem conv=notrunc seek=94117449654944 bs=1
20+0 records in
20+0 records out
20 bytes copied, 0.000119827 s, 167 kB/s
...
$
Changing virtual memory.

Conclusions

In this example, it was shown that:

  • A process has an id associated or PID.
  • The process information is located in the /proc directory.
  • The /proc directory has information about every process: arguments, environment variables, file descriptors, virtual memory.
  • The /proc/<PID>/maps file shows the virtual memory distribution.
  • The /proc/<PID>/mem file shows the content of the virtual memory for the process.
  • The/proc/<PID>/mem file has sections and it needs an offset for writing or reading.
  • And if you want to know about virtual memory, check my other post ;).

References

Articles

Thanks

Nataly and Melany for your help, your patience and your advices

About the Author

Tavo