read/change the heap memory from a unix running process.

In this article I’m going to explain step by step how to change a data allocated in the heap memory from a process running on unix systems.

By accessing the proc filesystem you can access all the process running on your machine. The image bellow shows you a capture from my machine when I typed the command ls -l /proc. The numbers in blue are actually the process ids <pids>.

ls -l /proc

In this example I’m going to use a simple program that allocate a string in memory and print it uninterruptedly.

alloc a string in the heap memory

After compile and run this c program with the command gcc main.c -o hvm I type the command ps aux | grep hvm to obtain the <pid> of this process. I obtain 27630.

pid of the program

Once you have the process id you can see what is inside in the filesystem folder of this process with the command ls -l /proc/27630/

The folders we are interesting in are maps and mem. Maps folder is going to show you, beside other things, the memory regions that our program is occupying, in this case we are interesting in the [heap] memory.

heap adress memory

The first column is the space in memory in hex, this is the space in memory we are interested in.The /mem folder contains what is actually containing the space in memory of that process, this is what we are going to change.

The code bellow is a python program that is going to do the work.

Firstly we are going to need the process id <pid>. Whit the pid we can open the folder corresponding to this process:

maps_file = open('/proc/{0}/maps'.format(pid), 'r')

Then we read the lines and search the line containing the word ‘[heap]’

for line in maps_file.readlines():
if "[heap]" in line:
...

We need the first column, this column contains the addresses in the heap memory occupied by our program. To obtain this column we split the line and take the position 0 of the array, then we split again and obtain the address of the first byte and the byte after last, in hexa.

split_line = line.split()
adresses = split_line[0].split('-')
start = int(adresses[0], 16)
end = int(adresses[1], 16)

As the /mem folder maps this content we access it. We need to set the current position on the mem file at the start and then read that portion of memory. Once we have read it we search the string we want to change.

mem_file = open('/proc/{0}/mem'.format(pid), 'rb+', 0)
mem_file.seek(start)
chunk = mem_file.read(end - start)
pos = chunk.find(bytes('{0}'.format(search_string), "ASCII"))

If find returns -1 the string is not found otherwise return the position of the first letter. With this we can set the position on the mem properly and write on it:

if pos == -1:
print("no text found")
exit(1)
mem_file.seek(start + pos) mem_file.write(bytes('{0}\x00'.format(replace_string), "ASCII"))

And that is, we have manage to change the memory heap of a process running on a unix machine!

--

--

--

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Introducing, 3Box Chatbox Plugin

æpps Update: Sophia Smart Contract Language

Behind the Curtain of App Development

Technical Adventures – My Journey@Paytm

AEM Forms as a Cloud Service: Cloud Is the Future, and There’s More

Introducing RedisRate

Nuts and Bolts of Computer Vision using opencv — Part I

Health Collectable!

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
German F

German F

More from Medium

Importance of Unlearning: Discard the old, welcome the change.

Honey Muse- Issue #5

Chrome Knights

What is the Kaira Network?