Reading living process memory without interrupting it


Question

I would like to explore the memory of a living process, and when I do so, the process must not get disturbed - so attaching gdb to the process (which would stop it) is not an option. Therefore I would like to get this info from /proc/kcore (if you know of another way to do this please let me know). So I made a little experiment. I created a file called TEST with only "EXTRATESTEXTRA" inside. Then I opened it with less:

$ less TEST

I got the PID of this process with

$ ps aux | grep TEST
user    7785  0.0  0.0  17944   992 pts/8    S+   16:15   0:00 less TEST
user    7798  0.0  0.0  13584   904 pts/9    S+   16:16   0:00 grep TEST

And then I used this script to create a dump of all files:

#!/bin/bash
# Dump every private, writable (rw-p) mapping of process $1 to a file named
# PID-start-stop.dump. gdb attaches for each dump, so the target is stopped
# briefly every time. The sed backslashes are required: \( \) capture the
# start and end addresses and \1 \2 print them separated by a space.
grep rw-p /proc/$1/maps | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' | while read start stop; do gdb --batch --pid $1 -ex "dump memory $1-$start-$stop.dump 0x$start 0x$stop"; done

(I found it on this site: https://serverfault.com/questions/173999/dump-a-linux-processs-memory-to-file)

$ sudo ./dump_all_pid_memory.sh 7785

After this, I looked for "TRATESTEX" in all dumped files:

$ grep -a -o -e '...TRATESTEX...' ./*.dump
./7785-00624000-00628000.dump:HEXTRATESTEXTRA
./7785-00b8f000-00bb0000.dump:EXTRATESTEXTRA
./7785-00b8f000-00bb0000.dump:EXTRATESTEXTRA

So I concluded that there must be an occurrence of this string somewhere between 0x00624000 and 0x00628000. Therefore I converted the offsets into decimal numbers and used dd to get the memory from /proc/kcore:

$ sudo dd if="/proc/kcore" of="./y.txt" skip="0" count="1638400" bs=1

To my surprise, the file y.txt was full of zeros (I didn't find the string I was looking for in it).

As a bonus surprise, I ran a similar test at the same time with a different test file and found that the other test string I was using (both processes with less were running at the same time) should be found at the same location (the dumping and grepping gave the same offset). So there must be something I don't understand clearly.

  • Isn't /proc/pid/maps supposed to show the offset of the memory (i.e.: if it would say "XXX" is at offset 0x10, another program could not be using the same offset, am I right? - this is the source of my second surprise)

How can I read /proc/kmap to get the memory that belongs to a process whose PID I know?

Recommended answer

For process 1234 you can get its memory map by reading sequentially /proc/1234/maps (a textual pseudo-file) and read the virtual memory by e.g. read(2)-ing or mmap(2)-ing appropriate segments of the /proc/1234/mem sparse pseudo-file.

However, I believe you cannot avoid some kind of synchronization (perhaps with ptrace(2), as gdb does), since the process 1234 can (and does) alter its address space at any time (with mmap & related syscalls).

The situation is different if the monitored process 1234 is not arbitrary, but if you could improve it to communicate somehow with the monitoring process.

I'm not sure I understand why you ask this. And gdb is able to watch some location without stopping the process.
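The following is an added example, not code from the answer above or from the original poster: it implements what the answer describes, parsing /proc/PID/maps, pread()-ing each writable region out of /proc/PID/mem without stopping the target, and scanning it for a byte string. It assumes Linux and that the caller has ptrace-level access to the target (same user with a permissive kernel.yama.ptrace_scope, or CAP_SYS_PTRACE); opening /proc/PID/mem is subject to the same access check as attaching, but reading it does not stop the process. The SAMPLE_MAPS text is constructed for the self-test. Two caveats that explain the question's surprises: virtual addresses are per process, so two instances of less can both keep their buffer at 0x00624000, and /proc/kcore is an ELF core image of kernel memory whose program headers describe kernel virtual address ranges, so a user-space address taken from one process's maps is not a byte offset into it.

```python
import os
import re
from typing import Callable, List, Tuple

# Constructed sample of /proc/PID/maps for the self-test (not a real capture).
SAMPLE_MAPS = """\
00400000-0041e000 r-xp 00000000 08:01 655410 /bin/less
00624000-00628000 rw-p 00024000 08:01 655410 /bin/less
00b8f000-00bb0000 rw-p 00000000 00:00 0 [heap]
7fff3b2c0000-7fff3b2e1000 rw-p 00000000 00:00 0 [stack]
7fff3b3ff000-7fff3b400000 r-xp 00000000 00:00 0 [vdso]
"""

# start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


def parse_maps(maps_text: str, perms_prefix: str = "rw") -> List[Tuple[int, int, str, str]]:
    """Return (start, end, perms, path) for each mapping whose permission
    string starts with perms_prefix (default: readable and writable)."""
    regions = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m or not m.group("perms").startswith(perms_prefix):
            continue
        regions.append((int(m.group("start"), 16), int(m.group("end"), 16),
                        m.group("perms"), m.group("path").strip()))
    return regions


def scan_region(data: bytes, base: int, needle: bytes) -> List[int]:
    """Virtual addresses of every occurrence of needle in data, where data
    holds the bytes starting at virtual address base."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(base + pos)
        pos = data.find(needle, pos + 1)
    return hits


def scan_mem_region(read_at: Callable[[int, int], bytes], start: int, end: int,
                    needle: bytes, chunk_size: int = 1 << 20) -> List[int]:
    """Scan [start, end) in chunks, carrying len(needle)-1 bytes across chunk
    boundaries so a match straddling two chunks is still found (and never
    counted twice). read_at(size, address) returns the bytes at address;
    a failed read ends the scan of this region (it may have been unmapped)."""
    hits, keep, pos, carry = [], len(needle) - 1, start, b""
    while pos < end:
        try:
            chunk = read_at(min(chunk_size, end - pos), pos)
        except OSError:
            break
        if not chunk:
            break
        data = carry + chunk
        hits.extend(scan_region(data, pos - len(carry), needle))
        carry = data[-keep:] if keep else b""
        pos += len(chunk)
    return hits


def find_in_process(pid: int, needle: bytes) -> List[int]:
    """Search every writable mapping of pid for needle via /proc/pid/mem.
    The target keeps running; a region that disappears between reading maps
    and mem (the race the answer mentions) is simply skipped."""
    with open(f"/proc/{pid}/maps") as f:
        regions = parse_maps(f.read())
    fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        hits = []
        for start, end, _perms, _path in regions:
            hits.extend(scan_mem_region(lambda n, addr: os.pread(fd, n, addr),
                                        start, end, needle))
        return hits
    finally:
        os.close(fd)


if __name__ == "__main__":
    # Self-test on our own address space: keep a unique marker alive on the
    # heap and locate it through /proc/self/mem.
    marker = bytes(bytearray(b"EXTRATESTEXTRA-" + os.urandom(8).hex().encode()))
    print("marker found at", [hex(a) for a in find_in_process(os.getpid(), marker)])
```

Run it against a real target with `sudo python3 scan.py` after replacing os.getpid() with the PID from ps; the addresses it prints are the target's virtual addresses, the same numbers that appear in /proc/PID/maps, and are only meaningful inside that process.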

