我这里为大家演示如何访问远程进程的地址空间。有两个程序 local.c 和 remote.c：local.c 将读写 remote.c 程序中的变量（这些程序假设 sizeof(int)==4）。
local.c程序如下:
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <unistd.h>
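/*
 * Reads one int out of another process's address space, prints it, and
 * writes 4321 back to the same location.
 *
 * The kernel applies the same permission check to process_vm_readv /
 * process_vm_writev as to attaching with ptrace, so the call fails with
 * EPERM unless this process is allowed to trace the target (matching
 * uid and a permissive ptrace policy, or CAP_SYS_PTRACE).
 *
 * Returns 0 on success, -1 on bad input or a failed/short transfer.
 */
int main(void)
{
    char buf[4];
    struct iovec local[1];
    struct iovec remote[1];
    int pid;
    void *addr;
    int value;
    long n;

    printf("Enter remote pid\n");
    if (scanf("%d", &pid) != 1) {
        /* Unchecked scanf would leave pid uninitialized on bad input. */
        fprintf(stderr, "invalid pid\n");
        return -1;
    }
    printf("Enter remote address\n");
    if (scanf("%p", &addr) != 1) {
        fprintf(stderr, "invalid address\n");
        return -1;
    }

    local[0].iov_base = buf;
    local[0].iov_len = sizeof buf;
    remote[0].iov_base = addr;
    remote[0].iov_len = sizeof buf;

    /* The syscall returns the number of bytes transferred; a value other
     * than -1 may still be smaller than requested, so check the length. */
    n = syscall(SYS_process_vm_readv, pid, local, 1, remote, 1, 0);
    if (n == -1) {
        perror("");
        return -1;
    }
    if (n != (long)sizeof buf) {
        fprintf(stderr, "short read: %ld bytes\n", n);
        return -1;
    }

    /* memcpy instead of *(int *)buf: accessing a char array through an
     * int pointer violates aliasing/alignment rules. */
    memcpy(&value, buf, sizeof value);
    printf("read : %d\n", value);

    value = 4321;
    memcpy(buf, &value, sizeof value);
    n = syscall(SYS_process_vm_writev, pid, local, 1, remote, 1, 0);
    if (n == -1) {
        perror("");
        return -1;
    }
    if (n != (long)sizeof buf) {
        fprintf(stderr, "short write: %ld bytes\n", n);
        return -1;
    }
    return 0;
}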
remote.c程序如下:
#define _GNU_SOURCE
#include <sys/uio.h>
#include <unistd.h>
#include <stdio.h>
#include <sys/syscall.h>
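/*
 * Prints this process's pid and the address of a local int, then spins
 * until another process changes that int.
 *
 * 'a' is volatile because nothing in this program writes it inside the
 * loop: without the qualifier the optimizer may hoist the load out of
 * the loop and keep spinning even after the memory has been modified
 * externally (the original only worked reliably without optimization).
 *
 * Returns 0 once the value has changed.
 */
int main(void)
{
    volatile int a = 1234;

    printf("%d %p\n", getpid(), (void *)&a);
    while (a == 1234) {
        /* busy-wait: the value is expected to change from outside */
    }
    printf("'a' changed to %d\n", a);
    return 0;
}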
如果您在Linux机器上运行这些命令，输出如下：
[ajith@localhost Desktop]$ gcc remote.c -o remote -Wall
[ajith@localhost Desktop]$ ./remote
4574 0x7fffc4f4eb6c
'a' changed to 4321
[ajith@localhost Desktop]$
[ajith@localhost Desktop]$ gcc local.c -o local -Wall
[ajith@localhost Desktop]$ ./local
Enter remote pid
4574
Enter remote address
0x7fffc4f4eb6c
read : 1234
[ajith@localhost Desktop]$
使用类似的方法，您也可以把栈帧读入 iovec 缓冲区，但是您需要了解栈帧的结构格式，才能从栈帧中解析出局部变量的值。栈帧包含函数参数、返回地址、局部变量等。