Author Topic: Memory Editors  (Read 7079 times)

0 Members and 1 Guest are viewing this topic.

Offline Ender

  • x86
  • Hero Member
  • *****
  • Posts: 2390
    • View Profile
Memory Editors
« on: April 24, 2007, 05:59:26 pm »
For those of you familiar with memory editors such as ArtMoney on Windows, I have two questions:

1) Do you know of any free memory editors for linux?
2) Do you know how these memory editors work programmatically? I thought that a process is restricted to its own memory space. How does it access other processes' memory spaces? Can you shed any light on how to do this in C and/or assembly? And is it possible in C (forgetting inline asm) or is it only possible in assembly?

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Memory Editors
« Reply #1 on: April 24, 2007, 06:06:48 pm »
in Windows, it reads memory using ReadProcessMemory and writes with WriteProcessMemory. I've never looked into how to do it on Linux since most stuff is opensource and, therefore, the discussion is irrelevant :)

Offline nslay

  • Hero Member
  • *****
  • Posts: 786
  • Giraffe meat, mmm
    • View Profile
Re: Memory Editors
« Reply #2 on: April 25, 2007, 11:58:32 am »
For those of you familiar with memory editors such as ArtMoney on Windows, I have two questions:

1) Do you know of any free memory editors for linux?
2) Do you know how these memory editors work programmatically? I thought that a process is restricted to its own memory space. How does it access other processes' memory spaces? Can you shed any light on how to do this in C and/or assembly? And is it possible in C (forgetting inline asm) or is it only possible in assembly?

Write a program that opens (open(2)) /dev/mem (mem(4)) or /dev/kmem (kmem(4)) and do your worst.
You should probably run it as root.

This is always fun: dd if=/dev/random of=/dev/mem :o
An adorable giant isopod!

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Re: Memory Editors
« Reply #3 on: April 25, 2007, 12:21:16 pm »
This is always fun: dd if=/dev/random of=/dev/mem :o

LOL
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Memory Editors
« Reply #4 on: April 25, 2007, 06:10:32 pm »
Write a program that opens (open(2)) /dev/mem (mem(4)) or /dev/kmem (kmem(4)) and do your worst.
You should probably run it as root.
There's gotta be a way to edit processes without having to go through system memory. But the only IPC I've used on Linux/Unix was when I had control of both processes, so I didn't have to do anything special.

This is always fun: dd if=/dev/random of=/dev/mem :o
Using /dev/random would take forever, since it's needs constant entropy. You'd get more success with /dev/urandom :P

Offline Blaze

  • x86
  • Hero Member
  • *****
  • Posts: 7136
  • Canadian
    • View Profile
    • Maide
Re: Memory Editors
« Reply #5 on: April 25, 2007, 11:16:26 pm »
Wouldn't that just replace your memory with random stuff?  Sounds like an adventure..  :)
And like a fool I believed myself, and thought I was somebody else...

Offline Newby

  • Moderator
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Memory Editors
« Reply #6 on: April 25, 2007, 11:31:06 pm »
Yeah. I did that and now my Linux box refuses to boot. :(

I guess I should just install Windows on the box. :)
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Memory Editors
« Reply #7 on: April 25, 2007, 11:36:13 pm »
Haha, what?  Isn't /dev/mem supposed to be volatile?

Offline Joe

  • B&
  • Moderator
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Memory Editors
« Reply #8 on: April 26, 2007, 03:37:07 am »
His urandom probably had it in for him -- managed to make EIP point to the instructions offset_rm db "rm -rf /*",13,0    push offset_rm     call bash::execute or something.

I did cat /dev/urandom the other day at school. Almost everyone (including but not limited to the teacher) gave me an awkward stare, while Zagaroth just said "Joe, you're weird.."
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline Newby

  • Moderator
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Memory Editors
« Reply #9 on: April 26, 2007, 10:12:27 am »
His urandom probably had it in for him -- managed to make EIP point to the instructions offset_rm db "rm -rf /*",13,0    push offset_rm     call bash::execute or something.

Yeah because on a server that doesn't get used, that's somewhere in my memory.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Joe

  • B&
  • Moderator
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Memory Editors
« Reply #10 on: April 26, 2007, 04:40:42 pm »
It could be in your urandom somewhere, though.
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline Skywing

  • Full Member
  • ***
  • Posts: 139
    • View Profile
    • Nynaeve
Re: Memory Editors
« Reply #11 on: April 26, 2007, 06:00:57 pm »
Writing garbage over physical memory seems like a great way to cause random disk corruption to me, espeically if you overwrite something being DMA'd or some memory mapped device registers.

Offline Newby

  • Moderator
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Memory Editors
« Reply #12 on: April 26, 2007, 06:15:06 pm »
Writing garbage over physical memory seems like a great way to cause random disk corruption to me, espeically if you overwrite something being DMA'd or some memory mapped device registers.

I figured there was some disk corruption that was the cause of it. I wonder if a fsck would fix it.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline nslay

  • Hero Member
  • *****
  • Posts: 786
  • Giraffe meat, mmm
    • View Profile
Re: Memory Editors
« Reply #13 on: April 26, 2007, 09:54:02 pm »
Writing garbage over physical memory seems like a great way to cause random disk corruption to me, espeically if you overwrite something being DMA'd or some memory mapped device registers.

I figured there was some disk corruption that was the cause of it. I wonder if a fsck would fix it.

Ah :(
I meant the dd thing as a joke, I didn't think anyone would actually want to crash their machine ...
Nonetheless, you might be able to boot a livecd and recover data from partitions still intact and run fsck on all of them.
An adorable giant isopod!

Offline Newby

  • Moderator
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Memory Editors
« Reply #14 on: April 26, 2007, 09:59:40 pm »
Haha. I ran it as a joke because I never use the server. So :P.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT.