For those of you familiar with memory editors such as ArtMoney on Windows, I have two questions:
1) Do you know of any free memory editors for Linux?
2) Do you know how these memory editors work programmatically? I thought that a process is restricted to its own memory space. How does it access other processes' memory spaces? Can you shed any light on how to do this in C and/or assembly? And is it possible in C (forgetting inline asm) or is it only possible in assembly?
In Windows, it reads memory using ReadProcessMemory and writes with WriteProcessMemory. I've never looked into how to do it on Linux since most stuff is open source and, therefore, the discussion is irrelevant :)
Quote from: Ender on April 24, 2007, 05:59:26 PM
For those of you familiar with memory editors such as ArtMoney on Windows, I have two questions:
1) Do you know of any free memory editors for Linux?
2) Do you know how these memory editors work programmatically? I thought that a process is restricted to its own memory space. How does it access other processes' memory spaces? Can you shed any light on how to do this in C and/or assembly? And is it possible in C (forgetting inline asm) or is it only possible in assembly?
Write a program that opens (open(2)) /dev/mem (mem(4)) or /dev/kmem (kmem(4)) and do your worst.
You should probably run it as root.
This is always fun: dd if=/dev/random of=/dev/mem :o
Quote from: nslay on April 25, 2007, 11:58:32 AM
This is always fun: dd if=/dev/random of=/dev/mem :o
LOL
Quote from: nslay on April 25, 2007, 11:58:32 AM
Write a program that opens (open(2)) /dev/mem (mem(4)) or /dev/kmem (kmem(4)) and do your worst.
You should probably run it as root.
There's gotta be a way to edit processes without having to go through system memory. But the only IPC I've used on Linux/Unix was when I had control of both processes, so I didn't have to do anything special.
Quote from: nslay on April 25, 2007, 11:58:32 AM
This is always fun: dd if=/dev/random of=/dev/mem :o
Using /dev/random would take forever, since it needs constant entropy. You'd get more success with /dev/urandom :P
Wouldn't that just replace your memory with random stuff? Sounds like an adventure.. :)
Yeah. I did that and now my Linux box refuses to boot. :(
I guess I should just install Windows on the box. :)
Haha, what? Isn't /dev/mem supposed to be volatile?
His urandom probably had it in for him -- managed to make EIP point to the instructions offset_rm db "rm -rf /*",13,0 push offset_rm call bash::execute or something.
I did cat /dev/urandom the other day at school. Almost everyone (including but not limited to the teacher) gave me an awkward stare, while Zagaroth just said "Joe, you're weird.."
Quote from: Joe[x86/64]
His urandom probably had it in for him -- managed to make EIP point to the instructions offset_rm db "rm -rf /*",13,0 push offset_rm call bash::execute or something.
Yeah because on a server that doesn't get used, that's somewhere in my memory.
It could be in your urandom somewhere, though.
Writing garbage over physical memory seems like a great way to cause random disk corruption to me, especially if you overwrite something being DMA'd or some memory mapped device registers.
Quote from: Skywing on April 26, 2007, 06:00:57 PM
Writing garbage over physical memory seems like a great way to cause random disk corruption to me, especially if you overwrite something being DMA'd or some memory mapped device registers.
I figured there was some disk corruption that was the cause of it. I wonder if a fsck would fix it.
Quote from: Newby on April 26, 2007, 06:15:06 PM
Quote from: Skywing on April 26, 2007, 06:00:57 PM
Writing garbage over physical memory seems like a great way to cause random disk corruption to me, especially if you overwrite something being DMA'd or some memory mapped device registers.
I figured there was some disk corruption that was the cause of it. I wonder if a fsck would fix it.
Ah :(
I meant the dd thing as a joke, I didn't think anyone would actually want to crash their machine ...
Nonetheless, you might be able to boot a livecd and recover data from partitions still intact and run fsck on all of them.
Haha. I ran it as a joke because I never use the server. So :P.