
I'm trying to read a process's memory by reading /proc/<pid>/mem. My code works as expected when I'm using:

```c
char *data = malloc(123456);
read(fd_mem, data, 123456);
```

But that can take a lot of time because of the malloc/read call, if the chunk of memory is really big. That's why I'm trying to switch to mmap. I did some test code and it kept failing until I googled about mmapping /proc/<pid>/mem and I realized that it's not possible (or is it?).

So my question is: How can I read the data inside /proc/<pid>/mem as if it was a block of memory, without the delay caused by malloc/read?

EDIT: I need access to the entire block of memory. I do not want to read N bytes at a time.

EDIT: I already saw mmap on /proc/pid/mem. That question doesn't have an answer, it just says /proc/mem doesn't support mmap, which I already know. I'm asking for a solution.

alexandernst
  • @AdamMaras That question doesn't have an answer, it just says /proc/mem doesn't support mmap, which I already know. I'm asking for a solution. Please remove your close vote... – alexandernst Nov 13 '13 at 19:09
  • Maybe worth looking at http://unix.stackexchange.com/questions/6301/how-do-i-read-from-proc-pid-mem-under-linux – Duck Nov 13 '13 at 19:33
  • @Duck Thank you for the link, but anyways, I already know what /mem and /maps represent and that I should ptrace ATTACH/DETACH before/after reading the memory block. The code example in there is using `read`, which is exactly what I'm trying to avoid because it's slow. – alexandernst Nov 13 '13 at 19:37
  • See [man `splice()`](http://linux.die.net/man/2/splice). Of course you need a buffer otherwise. The memory in the process is changing at the same time you are trying to read it. – artless noise Nov 14 '13 at 01:21
  • @artlessnoise But `splice` will allow me to "copy" from one fd to another. What I want is to access the data from the fd as if it was a memory block. – alexandernst Nov 14 '13 at 08:56
  • And that is to the point that the memory will constantly be changing. Not just the values, but things will be mapped/unmapped. Look at [linux-nat.c](https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blob;f=gdb/linux-nat.c;hb=HEAD), which is the GDB *native* layer for Linux. At line 4148 they are using `pread()`. So if you find a faster way, you might contact them. – artless noise Nov 14 '13 at 17:55
  • If you have control over the other process's code, you can have it set up shared memory. But it sounds like you want to do this generically. `mmap` is the way to do what you want and it is not allowed. – artless noise Nov 14 '13 at 18:48
  • @artlessnoise But the process's memory won't change even a single bit as I use ptrace_attach! That sends a STOP signal to the process. – alexandernst Nov 14 '13 at 20:23
  • You may be able to have the process `mmap()` the memory directly if you are using the ptrace interface. I guess that you can execute code in the context of that pid? At least you could re-write memory and execute some code in its context and then revert the code back again before resuming. The */proc/pid/mem* probably cannot assume the process is stopped. – artless noise Nov 14 '13 at 20:31
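
The `pread()` approach mentioned in the comments, as an added example that is not part of the original thread: it reads a region at a given virtual address through /proc/<pid>/mem, using the address as the file offset. `proc_mem_read`, `demo_read_own_memory` and the sample buffer are names made up for this illustration, and the demo reads the calling process's own memory so that no ptrace attach is involved.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Read len bytes at virtual address addr of process pid via /proc/<pid>/mem.
 * Returns the bytes copied (short if part of the range is unmapped), or -1
 * if the file cannot be opened. For a pid other than the caller's own, the
 * thread's comments note a ptrace attach comes first; that is not done here. */
ssize_t proc_mem_read(pid_t pid, uintptr_t addr, void *out, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/mem", (long)pid);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    size_t done = 0;
    while (done < len) {
        /* The file offset is the target's virtual address, so pread goes
         * straight to the region without seeking or reading what precedes it. */
        ssize_t n = pread(fd, (char *)out + done, len - done,
                          (off_t)(addr + done));
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            break;              /* unmapped page or end of the mapping */
        done += (size_t)n;
    }
    close(fd);
    return (ssize_t)done;
}

/* Constructed sample data: a buffer in this process that is read back. */
static const char sample[] = "constructed sample bytes";

/* Returns 1 when the bytes read through /proc/<own pid>/mem match the buffer. */
int demo_read_own_memory(void)
{
    char copy[sizeof sample] = {0};
    ssize_t n = proc_mem_read(getpid(), (uintptr_t)sample, copy, sizeof copy);
    return n == (ssize_t)sizeof copy && memcmp(copy, sample, sizeof copy) == 0;
}

int main(void)
{
    printf("match: %d\n", demo_read_own_memory());
}
```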

0 Answers