Reading living process memory without interrupting it


Problem description

I would like to explore the memory of a living process, and when I do so, the process must not get disturbed - so attaching gdb to the process (which would stop it) is not an option. Therefore I would like to get this info from /proc/kcore (if you know of another way to do this please let me know). So I made a little experiment. I created a file called TEST with only "EXTRATESTEXTRA" inside. Then I opened it with less

$ less TEST

I got the PID of this process with

$ ps aux | grep TEST
user    7785  0.0  0.0  17944   992 pts/8    S+   16:15   0:00 less TEST
user    7798  0.0  0.0  13584   904 pts/9    S+   16:16   0:00 grep TEST

And then I used this script to create a dump of all files:

#!/bin/bash
# Dump every private writable (rw-p) mapping of PID $1 into its own file via gdb.
grep rw-p /proc/"$1"/maps | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' | while read start stop; do gdb --batch --pid "$1" -ex "dump memory $1-$start-$stop.dump 0x$start 0x$stop"; done

(I found it on this site https://serverfault.com/questions/173999/dump-a-linux-processs-memory-to-file)

$ sudo ./dump_all_pid_memory.sh 7785

After this, I looked for "TRATESTEX" in all dumped files:

$ grep -a -o -e '...TRATESTEX...' ./*.dump
./7785-00624000-00628000.dump:HEXTRATESTEXTRA
./7785-00b8f000-00bb0000.dump:EXTRATESTEXTRA
./7785-00b8f000-00bb0000.dump:EXTRATESTEXTRA

So I concluded that there must be an occurrence of this string somewhere between 0x00624000 and 0x00628000. Therefore I converted the offsets into decimal numbers and used dd to get the memory from /proc/kcore:

$ sudo dd if="/proc/kcore" of="./y.txt" skip="0" count="1638400" bs=1

To my surprise, the file y.txt was full of zeros (I didn't find the string I was looking for in it).

As a bonus surprise, I ran a similar test at the same time with a different test file and found that the other test string I was using (both processes with less were running at the same time) should be found at the same location (the dumping and grepping gave the same offset). So there must be something I don't understand clearly.

  • Isn't /proc/pid/maps supposed to show the offset of the memory (i.e. if it said "XXX" is at offset 0x10, another program could not be using the same offset, am I right? - this is the source of my second surprise)

How can I read /proc/kmap to get the memory that belongs to a process whose pid I know?

Recommended answer

For process 1234 you can get its memory map by reading sequentially /proc/1234/maps (a textual pseudo-file) and read the virtual memory by e.g. read(2)-ing or mmap(2)-ing appropriate segments of the /proc/1234/mem sparse pseudo-file.

However, I believe you cannot avoid some kind of synchronization (perhaps with ptrace(2), as gdb does), since the process 1234 can (and does) alter its address space at any time (with mmap & related syscalls).

The situation is different if the monitored process 1234 is not arbitrary, but if you could improve it to communicate somehow with the monitoring process.

I'm not sure I understand why you ask this. And gdb is able to watch some location without stopping the process.
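The maps/mem approach from the answer, as an added example that is not part of the original question or answer. It walks /proc/<pid>/maps, keeps the rw-p mappings (the same filter as the gdb script in the question) and searches each one by pread(2)-ing /proc/<pid>/mem at the mapping's start address, without ptrace-attaching or stopping the target. Two points it relies on: the addresses in /proc/<pid>/maps are that process's own virtual addresses (so two `less` processes showing the same range is normal, and /proc/kcore is not indexed by them), and /proc/<pid>/mem is a sparse file whose offset is exactly that virtual address. Assumptions: Linux with /proc mounted; the target pid is passed as a string and defaults to "self", which is always readable; opening another process's mem requires the same permission as ptrace-attach (same uid with Yama ptrace_scope permitting, or CAP_SYS_PTRACE); the `marker` buffer and `find_in_process`/`scan_region`/`find_bytes` names are mine. As the answer says, nothing here synchronises with the target, so a read can observe a region mid-change or fail with EIO if it was just unmapped; the code treats that as "not found" rather than crashing.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed test data: an initialised, writable global lives in the binary's
 * rw-p .data mapping, exactly the kind of region the gdb script dumps. */
static char marker[] = "EXTRATESTEXTRA";

/* Portable memmem(): first occurrence of needle in hay, or NULL. */
static const char *find_bytes(const char *hay, size_t hlen,
                              const char *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen)
        return NULL;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return hay + i;
    return NULL;
}

/* Read the target's virtual range [start, end) through mem_fd (an open
 * /proc/<pid>/mem) and search it. The file offset is the virtual address itself.
 * Returns the virtual address of the first hit, or 0 (not found, or pread failed,
 * e.g. EIO because the mapping disappeared under us). */
static unsigned long scan_region(int mem_fd, unsigned long start,
                                 unsigned long end, const char *needle)
{
    size_t len = end - start;
    char *buf = malloc(len);
    if (buf == NULL)
        return 0;
    unsigned long hit = 0;
    ssize_t n = pread(mem_fd, buf, len, (off_t)start);
    if (n > 0) {
        const char *p = find_bytes(buf, (size_t)n, needle, strlen(needle));
        if (p != NULL)
            hit = start + (unsigned long)(p - buf);
    }
    free(buf);
    return hit;
}

/* Walk /proc/<pid>/maps and search every private writable (rw-p) mapping of a
 * running process for needle, without attaching to or stopping it.
 * pid is the string form ("7785", or "self" for the calling process).
 * Returns the virtual address of the first hit, or 0 if not found / not readable. */
unsigned long find_in_process(const char *pid, const char *needle)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%s/maps", pid);
    FILE *maps = fopen(path, "r");
    if (maps == NULL)
        return 0;
    snprintf(path, sizeof path, "/proc/%s/mem", pid);
    int mem_fd = open(path, O_RDONLY);   /* needs ptrace-attach permission on the target */
    if (mem_fd < 0) {
        fclose(maps);
        return 0;
    }

    unsigned long hit = 0;
    char line[512];
    while (hit == 0 && fgets(line, sizeof line, maps) != NULL) {
        unsigned long start, end;
        char perms[8];
        /* maps line: start-end perms offset dev inode [pathname] */
        if (sscanf(line, "%lx-%lx %7s", &start, &end, perms) != 3)
            continue;
        if (strcmp(perms, "rw-p") != 0)   /* same filter as the gdb script */
            continue;
        hit = scan_region(mem_fd, start, end, needle);
    }
    close(mem_fd);
    fclose(maps);
    return hit;
}

int main(int argc, char **argv)
{
    const char *pid = argc > 1 ? argv[1] : "self";
    const char *needle = argc > 2 ? argv[2] : marker;
    unsigned long addr = find_in_process(pid, needle);
    if (addr == 0) {
        printf("\"%s\" not found in rw-p mappings of %s (or /proc/%s/mem not readable)\n",
               needle, pid, pid);
        return 1;
    }
    printf("\"%s\" found at 0x%lx in /proc/%s/mem\n", needle, addr, pid);
    return 0;
}
```

Run it with no arguments to see it locate its own marker in its .data mapping; run it as `sudo ./a.out 7785 EXTRATESTEXTRA` to search the `less` process from the question, which lands on the same 0x00624000-0x00628000 range the gdb dumps found. Reading the whole mapping in one pread is deliberate: the kernel copies page by page, so a partially faulted-out region still returns whatever is resident, and a mapping that vanished between the maps read and the pread simply yields 0.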
