Memory Editors

Started by Ender, April 24, 2007, 05:59:26 PM

Ender

For those of you familiar with memory editors such as ArtMoney on Windows, I have two questions:

1) Do you know of any free memory editors for linux?
2) Do you know how these memory editors work programmatically? I thought that a process is restricted to its own memory space. How does it access other processes' memory spaces? Can you shed any light on how to do this in C and/or assembly? And is it possible in C (forgetting inline asm) or is it only possible in assembly?

iago

In Windows, it reads memory using ReadProcessMemory and writes with WriteProcessMemory. I've never looked into how to do it on Linux since most stuff is open source and, therefore, the discussion is irrelevant :)
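Added example, not code from the thread: on Linux the counterpart of ReadProcessMemory/WriteProcessMemory is the per-process file /proc/<pid>/mem (ptrace(2) with PTRACE_PEEKDATA/PTRACE_POKEDATA is the older route), which lets a memory editor work on one process's virtual address space instead of all of physical memory. The helper names are mine; the block demonstrates on the caller's own pid so it runs unprivileged, and the comments note the access check the kernel enforces on every open.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Open /proc/<pid>/mem.  The kernel runs the ptrace access check on open, so
 * this fails (EACCES/EPERM) for any process the caller may not ptrace: other
 * users' processes, or non-descendants when Yama's ptrace_scope is 1. */
static int open_mem(pid_t pid, int flags)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    return open(path, flags);
}

/* ReadProcessMemory equivalent: read len bytes at virtual address addr of
 * process pid.  Returns 1 on success, 0 if refused or the address is unmapped. */
int peek_process(pid_t pid, uintptr_t addr, void *out, size_t len)
{
    int fd = open_mem(pid, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = pread(fd, out, len, (off_t)addr);
    close(fd);
    return n == (ssize_t)len;
}

/* WriteProcessMemory equivalent; /proc/<pid>/mem writes even read-only pages. */
int poke_process(pid_t pid, uintptr_t addr, const void *in, size_t len)
{
    int fd = open_mem(pid, O_WRONLY);
    if (fd < 0) return 0;
    ssize_t n = pwrite(fd, in, len, (off_t)addr);
    close(fd);
    return n == (ssize_t)len;
}

/* Demo on our own pid so it runs unprivileged: a "score" variable (constructed
 * sample) is read through /proc, then overwritten, which is all a memory editor
 * does to a game process it may attach to.  Returns 9999, or <0 on failure. */
int demo_self_edit(void)
{
    volatile int score = 100;
    int seen = 0, cheat = 9999;
    if (!peek_process(getpid(), (uintptr_t)&score, &seen, sizeof seen) || seen != 100)
        return -1;
    if (!poke_process(getpid(), (uintptr_t)&score, &cheat, sizeof cheat))
        return -2;
    return score;
}
```

Pointing the same helpers at another pid works only where the kernel's check passes; a memory editor that fails to attach is not broken, it is being refused, and /proc/sys/kernel/yama/ptrace_scope is the usual reason.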

nslay

Quote from: Ender on April 24, 2007, 05:59:26 PM
For those of you familiar with memory editors such as ArtMoney on Windows, I have two questions:

1) Do you know of any free memory editors for linux?
2) Do you know how these memory editors work programmatically? I thought that a process is restricted to its own memory space. How does it access other processes' memory spaces? Can you shed any light on how to do this in C and/or assembly? And is it possible in C (forgetting inline asm) or is it only possible in assembly?

Write a program that opens (open(2)) /dev/mem (mem(4)) or /dev/kmem (kmem(4)) and do your worst.
You should probably run it as root.

This is always fun: dd if=/dev/random of=/dev/mem :o
An adorable giant isopod!

MyndFyre

Quote from: nslay on April 25, 2007, 11:58:32 AM
This is always fun: dd if=/dev/random of=/dev/mem :o

LOL
Quote from: Joe on January 23, 2011, 11:47:54 PM
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Quote from: Rule on May 26, 2009, 02:02:12 PM
Our species really annoys me.

iago

Quote from: nslay on April 25, 2007, 11:58:32 AM
Write a program that opens (open(2)) /dev/mem (mem(4)) or /dev/kmem (kmem(4)) and do your worst.
You should probably run it as root.
There's gotta be a way to edit processes without having to go through system memory. But the only IPC I've used on Linux/Unix was when I had control of both processes, so I didn't have to do anything special.

Quote from: nslay on April 25, 2007, 11:58:32 AM
This is always fun: dd if=/dev/random of=/dev/mem :o
Using /dev/random would take forever, since it needs constant entropy. You'd get more success with /dev/urandom :P

Blaze

Wouldn't that just replace your memory with random stuff?  Sounds like an adventure..  :)
And like a fool I believed myself, and thought I was somebody else...

Newby

Yeah. I did that and now my Linux box refuses to boot. :(

I guess I should just install Windows on the box. :)
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

Quote from: Rule on June 30, 2008, 01:13:20 PM
Quote from: CrAz3D on June 30, 2008, 10:38:22 AM
I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Sidoh

Haha, what?  Isn't /dev/mem supposed to be volatile?

Joe

His urandom probably had it in for him -- managed to make EIP point to the instructions offset_rm db "rm -rf /*",13,0    push offset_rm     call bash::execute or something.

I did cat /dev/urandom the other day at school. Almost everyone (including but not limited to the teacher) gave me an awkward stare, while Zagaroth just said "Joe, you're weird.."
Quote from: Camel on June 09, 2009, 04:12:23 PM
I'd personally do as Joe suggests

Quote from: AntiVirus on October 19, 2010, 02:36:52 PM
You might be right about that, Joe.


Newby

Quote from: Joe
His urandom probably had it in for him -- managed to make EIP point to the instructions offset_rm db "rm -rf /*",13,0    push offset_rm     call bash::execute or something.

Yeah because on a server that doesn't get used, that's somewhere in my memory.

Joe

It could be in your urandom somewhere, though.

Skywing

Writing garbage over physical memory seems like a great way to cause random disk corruption to me, especially if you overwrite something being DMA'd or some memory mapped device registers.

Newby

Quote from: Skywing on April 26, 2007, 06:00:57 PM
Writing garbage over physical memory seems like a great way to cause random disk corruption to me, especially if you overwrite something being DMA'd or some memory mapped device registers.

I figured there was some disk corruption that was the cause of it. I wonder if a fsck would fix it.

nslay

Quote from: Newby on April 26, 2007, 06:15:06 PM
Quote from: Skywing on April 26, 2007, 06:00:57 PM
Writing garbage over physical memory seems like a great way to cause random disk corruption to me, especially if you overwrite something being DMA'd or some memory mapped device registers.

I figured there was some disk corruption that was the cause of it. I wonder if a fsck would fix it.

Ah :(
I meant the dd thing as a joke, I didn't think anyone would actually want to crash their machine ...
Nonetheless, you might be able to boot a livecd and recover data from partitions still intact and run fsck on all of them.

Newby

Haha. I ran it as a joke because I never use the server. So :P.