HomeAboutMailing ListList Chatter /0/0 98.80.143.34

interesting linux tricks - stuff you never wanted to know about linux memory

2023-11-08 by: flushy@flushy.net
From: flushy@flushy.net
------------------------------------------------------

https://gist.github.com/gonoph/0ea32c6eb2f4bc16c76962f54d437ae3

Linux exposes the /proc filesystem, which has some interesting things.

One of those is the /proc/ directory, which contains some neat 
stuff from a running process of with pid .

You can look at the files there, some being the environ file - which 
contains all the environment variables of that process. One is the 
cmdline - which is the full command line that started that process. 
There's cgroup, cwd (current working directory), exe (link to the actual 
binary), mounts, fd/ (open file descriptors) - all sorts of stuff.

Two of them are "mem" and "maps"

"mem" is a file that represents the entire virtual memory of the 
process.

* Not all of it is readable, nor "mapped" to real memory.
* Unix (and all modern OSs) use something called virtual memory mapping.

Basically, there exists a theoretical universe of memory, it's vast and 
almost infinite, but there exists a finite amount of real, actual 
memory, that is manifested as memory chips. The OS will "map" virtual 
memory space to real, actual memory. Additionally, the kernel will map 
this virtual memory space into a "process" virtual memory space that's 
unique to a running process / program, and it will do other tricks.

These tricks are stuff like:

* mark some of it "read only"
* some of it "read/write"
* some of it only "execute only" - which is weird if you think about it.
* some of those mappings are shared
* others are unique to that process and only viewable by that user
* some of it can be swapped to disk (another type of memory mapping)
* other parts can be marked exclusive (viewable only by that process)

So, if you know where to look, you can actually view this memory for any 
process that your current login (user) owns. Well.. most of it. Some of 
it still might be marked exclusive, or be protected. But most of it it 
is not.

My shell script linked above takes that "maps" file, parse out the 
different mappings, and then uses a program called "hexdump" to view the 
different memory chunks that are being mapped. The following is an 
example, and you're only looking at the 1st mapped part, which is 
basically the start of the executable (you can tell by the words ELF - 
which is another topic for discussion).

Later on in this output, if you piped it through "less", you'll start to 
see content from shared libraries that are mapped in, and eventually, 
you'll find yourself looking at the runtime memory (sometimes called 
heap) of the running process.

If you find this interesting, I have other tricks to show as well!

$ ./peek.sh 101980 | head
Reading memory range 5654c2c36000-5654c2c38000
+ hexdump -C -n 8192 -s 94922044825600
5654c2c36000  7f 45 4c 46 02 01 01 00  00 00 00 00 00 00 00 00  
|.ELF............|
5654c2c36010  03 00 3e 00 01 00 00 00  90 2b 00 00 00 00 00 00  
|..>......+......|
5654c2c36020  40 00 00 00 00 00 00 00  58 86 00 00 00 00 00 00  
|@.......X.......|
5654c2c36030  00 00 00 00 40 00 38 00  0d 00 40 00 1e 00 1d 00  
|....@.8...@.....|
5654c2c36040  06 00 00 00 04 00 00 00  40 00 00 00 00 00 00 00  
|........@.......|
5654c2c36050  40 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  
|@.......@.......|
5654c2c36060  d8 02 00 00 00 00 00 00  d8 02 00 00 00 00 00 00  
|................|
5654c2c36070  08 00 00 00 00 00 00 00  03 00 00 00 04 00 00 00  
|................|

--b