I need to scan another process' memory in Windows. The ReadProcessMemory function does it just fine but it copies each time memory from the target process to one of my buffers.. is there any way to access another process' memory without copying it to my process' memory every time? If there were I could use pointers to access the other process' memory
Debuggers use ReadProcessMemory, so if you're implementing something that functions like a debugger, that's the right way to do it.
If you're implementing something else, you're probably heading into the weeds and you should give us a higher-level view of the problem you're trying to solve.
Related
I am writing a device driver which uses character device file to copy data from user space buffer which is allocated by using malloc to kernel buffer. Currently using copy_from_user api to copy user data to kernel buffer. Trying to find a way to avoid data copying between user and kernel spaces. Is there any way to access user space buffer (allocated by malloc) in kernel space without using copy_from_user?
Let's start by answering the question you've asked. Yes, you can access memory malloced by the userspace from the kernel. I'm not sure of the technicalities of how, but if your kernel code runs in the context of the calling thread, it might be possible to simply use the user space pointer given to you.
Please don't do that, however.
The reason you shouldn't do that is that if the user space pointer is bad, or the memory is too short, or any other problem exists, the user space process may need to crash with a segmentation fault. Sadly, you are not running user space code, you are running kernel space. The kernel equivalent of segmentation fault is a kernel panic. Don't inflict that on your users.
A better approach is to use a mechanism where userspace writes the data once, and then the character device can simply use it. Having user space mmap the page was mentioned in the comments. A method that might be more standard to the way file descriptors work would be to implement splice_read in the device's fileops struct.
Now, splice is not an easy interface to work with, but the main advantage is that if your source is also splice aware, the user can pass data directly from the source to your driver without it ever passing through user space.
If you want to save the copies, I suggest you go with one of those solutions. Again, do not access the user supplied pointer directly unless you know what you're doing.
get_user_pages() API can be used to pin the user pages from swapped out from physical memory and kernel can access this memory area by accessing physical pages of corresponding virtual address.
I am trying to determine whether a group of contiguous memory locations on my Linux system are currently holding data for a process. If they are not then I want to allocate these locations to my programme and ensure that other processes know that those memory locations are reserved for my programme.
I need to access a specific memory location, e.g. 0xF0A35194. Any old location will not do.
I have been searching for solutions but have not been brave enough to execute and test any code for fear that I will destroy my system.
I do not want to run this code in kernel-space so a user-space solution is preferable.
Any help would be greatly appreciated!
There are a lot of issues at play here. To start, each process has its own memory address space. Even if a particular memory address is allocated for one process, it won't be for a different process. Memory virtualize and paging is a complex and opaque abstraction that can't be broken from within user space.
Next, the only reason that I can imagine you want to do something like this is to go hunting for particular DMA ranges for devices. That is also not allowed from user space and there are much better ways to accomplish that.
If you can post what you are trying to achieve more directly, we can provide a better solution.
I need to scan the entire memory of the calling process of my program and separate check which blocks are read-only, read-write, or inaccessible. It sounds pretty straight forward but I'm having trouble getting started. I'm wondering if anyone can point me in the right direction by providing relevant functions for scanning the memory of a calling process
For example, to start off, how would I obtain the starting and ending memory addresses of the calling process?
This might be kernel dependent, but on Linux the /proc file system can access it:
/proc/[pid]/mem is the contents of the memory by a process, so you just have to identify your parent's pid, and if you have access you can scan it.
The actual layout of the file will depend somewhat on the executable type and kernel in question.
http://linux.die.net/man/5/proc
As started here
I need to know how to read the start address and length (virtual memory map) of a process.
I would like to map a process memory. I would like to read values of a process memory and write values to them.
I'm curious about how programs like Cheat-O'matic (cheat-o-matic.softonic.com.br) work. First thing I thought was that the process would be loaded in a contiguous memory location. But that seems not right.
Call repeatedly VirtualQueryEx, starting with address zero and increasing each time of the value obtained in the RegionSize member of the MEMORY_BASIC_INFORMATION structure you passed to it. To obtain a meaningful map obviously the process should be paused.
Still, even after you got this memory map, I'm not sure what you can do with it: unless you know (by other means) the internals of the process you are accessing all you get to know is locations where you can read or write without triggering an access violation, not the meaning of their content. You should really clarify what you are trying to achieve, Read/WriteProcessMemory usually aren't a solution for "normal" problems.
Short question:
Is it possible to map a buffer that has been malloc'd to have two ways (two pointers pointing to the same physical memory) of accessing the same buffer?
Or, is it possible to temporarily move a virtual memory address received by malloc? Or is it possible to point from one location in virtual space to another?
Background:
I am working with DirectFB, a surface management and 2D graphics composting library. I am trying to enforce the Locking protocol which is to Lock a surface, modify the memory only while locked (the pointer is to system memory allocated using malloc), and unlocking the surface.
I am currently trying to trace down a bug in an application that is locking a surface and then storing the pixel pointer and modifying the surface later. This means that the library does not know when it is safe to read or write to a surface. I am trying to find a way to detect that the locking protocol has been violated. What I would like is a way to invalidate the pointer passed to the user after the unlock call is made. Even better, I would like the application to seg fault if it tries to access the memory after the lock. This would stop in the debugger and give us an idea of which surface is involved, which routine is involved, who called it, etc.
Possible solutions:
Create a temporary buffer, pass the buffer pointer to the user, on unlock copy the pixels to the actual buffer, delete the temporary
buffer.
Pros: This is an implementable solution.
Cons: Performance is slow as it requires a copy which is expensive, also the memory may or may not be available. There is no
way to guarantee that one temporary surface overlaps another allowing
an invalidated pointer to suddenly work again.
Make an additional map to a malloc'd surface and pass that to the user. On unlock, unmap the memory.
Pros: Very fast, no additional memory required.
Cons: Unknown if this is possible.
Gotchas: Need to set aside a reserved range of addresses are never used by anything else (including malloc or the kernel). Also need to
ensure that no two surfaces overlap which could allow an old pointer
to suddenly point to something valid and not seg fault when it should.
Take advantage of the fact that the library does not access the memory while locked by the user and simply move the virtual address on
a lock and move it back on an unlock.
Pros: Very fast, no additional memory required.
Cons: Unknown if this is possible.
Gotchas: Same as "2" above.
Is this feasible?
Additional info:
This is using Linux 2.6, using stdlib.
The library is written in C.
The library and application run in user space.
There is a possibility of using a kernel module (to write a custom memory allocation routine), but the difficulty of writing a module in
my current working climate would probably reduce the chances to near
zero levels that I could actually implement this solution. But if this
is the only way, it would be good to know.
The underlying processor is x86.
The function you want to create multiple mappings of a page is shm_open.
You may only be using the memory within one process, but it's still "shared memory" - that is to say, multiple virtual mappings for the same underlying physical page will exist.
However, that's not what you want to do. What you should actually do is have your locking functions use the mprotect system call to render the memory unreadable on unlock and restore the permissions on lock; any access without the lock being held will cause a segfault. Of course, this'll only work with a single simultaneous accessing thread...
Another, possibly better, way to track down the problem would be to run your application in valgrind or another memory analysis tool. This will greatly slow it down, but allows you very fine control: you can have a valgrind script that will mark/unmark memory as accessible and the tool will kick you straight into the debugger when a violation occurs. But for one-off problem solving like this, I'd say install an #ifdef DEBUG-wrapped mprotect call in your lock/unlock functions.