2014-03-13 50 views
0

I am trying to attach to a process, create a memory snapshot, and then use /proc/PID/maps & /proc/PID/mem to look through the memory of the running process for items passing through it. gdb memory dumps and errors?

Using a Python script inside gdb to perform the steps appears to work fine. Some information:

  1. The process whose memory segments I want to view runs as a normal, unprivileged user.
  2. The gdb instance attached to the process runs as root / a privileged user.
  3. gdb is run with a Python script that performs the following:
    • creates a snapshot of /dev/mem (i.e. dd if=/dev/mem of=/tmp/mem.bin)
    • examines /proc/PID/maps & /proc/PID/mem to extract the start and end memory addresses to search
    • then relies on gdb and runs the following: (gdb) dump memory /tmp/mem.bin [start] [end]

The problem is that every memory segment examined returns an error:

%> # gdb -x mem.py --pid 24204 
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-60.el6_4.1) 
Copyright (C) 2010 Free Software Foundation, Inc. 
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> 
This is free software: you are free to change and redistribute it. 
There is NO WARRANTY, to the extent permitted by law. Type "show copying" 
and "show warranty" for details. 
This GDB was configured as "x86_64-redhat-linux-gnu". 
For bug reporting instructions, please see: 
<http://www.gnu.org/software/gdb/bugs/>. 
Attaching to process 24204 
ptrace: Operation not permitted. 
dd: reading `/dev/mem': Operation not permitted 
2056+0 records in 
2056+0 records out 
1052672 bytes (1.1 MB) copied, 0.0903829 s, 11.6 MB/s 
Examining: 4194304 13213696 
Error: Cannot access memory at address 0x400000 
Examining: 15306752 15396864 
Error: Cannot access memory at address 0xe99000 
Examining: 15396864 15429632 
Error: Cannot access memory at address 0xeaf000 
Examining: 34545664 36294656 
Error: Cannot access memory at address 0x20f2000 
Examining: 10833544417280 10833546514432 
Error: Cannot access memory at address 0x61911000 
Examining: 18212460691456 18212461740032 
Error: Cannot access memory at address 0x6b400000 
Examining: 23029163552768 23029163556864 
Error: Cannot access memory at address 0xe51cf000 
Examining: 24071492337664 24071492358144 
Error: Cannot access memory at address 0x1eaba000 
Examining: 140278443610112 140278443614208 
Error: Cannot access memory at address 0x1ecd1000 
Examining: 140278443614208 140278443618304 
Error: Cannot access memory at address 0x1ecd2000 
Examining: 140278443618304 140278443634688 
Error: Cannot access memory at address 0x1faa3000 
Examining: 140278458105856 140278458109952 
Error: Cannot access memory at address 0x1faa4000 
Examining: 140736783110144 140736783196160 
Error: Cannot access memory at address 0xd5f6d000 
Examining: 140736783654912 140736783659008 
Error: Cannot access memory at address 0xd5ff2000 
Examining: 18446744073699065856 18446744073699069952 
Error: Cannot access memory at address 0xff600000 

As far as I know the kernel protects system memory, but for a user-land process owned by root, not being able to access every memory segment seems wrong. Any help is appreciated.

Answers

1

Although @scott is correct, the answer here is that I did not take into account that the memory snapshots were being taken while the process was running.

I had to implement a loop that performs a comparative analysis of the current memory assigned to the process ID found in /proc//mem.

Here is the gist of the overall solution

2
 
dd: reading `/dev/mem': Operation not permitted 

/dev/mem maps to physical memory and, by default, access to it is disabled on most distributions for security reasons, so that error is not surprising. Assuming something like

 
Examining: 4194304 13213696 
Error: Cannot access memory at address 0x400000 

the latter error is caused by accessing /dev/<PID>/mem, then you may need to suspend the process first using PTRACE_ATTACH. For example

 
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
char mem_file_name[64], buf[4096];           /* pid and offset come from the caller */
snprintf(mem_file_name, sizeof mem_file_name, "/proc/%d/mem", pid);
mem_fd = open(mem_file_name, O_RDONLY);
ptrace(PTRACE_ATTACH, pid, NULL, NULL);      /* stop the target so its memory can be read */
waitpid(pid, NULL, 0);                       /* wait until the tracee has actually stopped */
lseek(mem_fd, offset, SEEK_SET);
read(mem_fd, buf, sysconf(_SC_PAGE_SIZE));   /* sysconf() returns the page size; _SC_PAGE_SIZE alone is only its name */
ptrace(PTRACE_DETACH, pid, NULL, NULL);      /* let the target run again */

https://unix.stackexchange.com/questions/6301/how-do-i-read-from-proc-pid-mem-under-linux
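A fuller version of the approach in the answer above, written here as an added example and not taken from the question, either answer or the linked thread: it parses a /proc/PID/maps line (constructed input), skips regions without read permission, and returns the ptrace failure instead of reporting "Cannot access memory" for every region as the question's script does. The function and struct names are my own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/wait.h>

/* One region from /proc/PID/maps, e.g. "00400000-00c9a000 r-xp 00000000 08:01 1234 /usr/bin/foo" */
struct region {
    unsigned long long start, end;
    char perms[5];                 /* "r-xp", "rw-p", "---p", ... */
};

/* Parse one maps line into r; returns 0 on success, -1 on a malformed line. */
int parse_maps_line(const char *line, struct region *r)
{
    if (sscanf(line, "%llx-%llx %4s", &r->start, &r->end, r->perms) != 3)
        return -1;
    return r->end > r->start ? 0 : -1;
}

/* Regions without the 'r' bit (guard pages, PROT_NONE reservations) are not
 * worth dumping; skip them rather than treating a read failure there as an error. */
int region_is_readable(const struct region *r)
{
    return r->perms[0] == 'r';
}

/* Copy up to cap bytes of [start,end) from pid via /proc/PID/mem, stopping the
 * target with PTRACE_ATTACH first (as in the answer above).  Returns the byte
 * count, or -1 with errno set: EPERM from ptrace means the attach itself was
 * refused, which is the first error in the question's gdb output. */
ssize_t dump_region(pid_t pid, const struct region *r, unsigned char *out, size_t cap)
{
    char path[64];
    size_t len = r->end - r->start;
    if (len > cap) len = cap;
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) return -1;
    waitpid(pid, NULL, 0);                          /* wait until the tracee has stopped */
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int fd = open(path, O_RDONLY);
    /* Offsets with the top bit set (e.g. [vsyscall]) do not fit an off_t and give EINVAL. */
    ssize_t n = (fd == -1) ? -1 : pread(fd, out, len, (off_t)r->start);
    int saved = errno;
    if (fd != -1) close(fd);
    ptrace(PTRACE_DETACH, pid, NULL, NULL);         /* always let the target run again */
    errno = saved;
    return n;
}
```

Iterate over the lines of /proc/PID/maps, call parse_maps_line and region_is_readable on each, and stop at the first dump_region failure rather than continuing to the next region.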