Analysing Linux series: The /proc Filesystem
Written By: David Orejuela



Every time we run software on Linux a process is created and an ID (the PID) is assigned to it, starting from 1 and on most systems going up to 32768, after which the numbers are recycled as processes are freed. The /proc folder contains all the information about the processes currently running. Some facts about the /proc filesystem:

  1. It's a folder located directly under the root directory (/proc)
  2. This folder is not stored on the hard drive, but in RAM
  3. Interacting with the files in there allows us to obtain information about running processes
  4. Software with sudo rights can modify the memory of other running processes (be careful about what software you give admin rights to)

Let's focus today on how memory is handled by a process. In this case we are going to use a basic program written in C that displays a string stored in the heap region of the process's virtual memory. To carry out this task we are going to be interested in the following /proc files.

/proc/{PID}/maps

This file describes how the memory of the process is currently mapped (which address ranges of the mem file hold which kind of data, and with which permissions).

/proc/{PID}/mem

This file exposes the memory held by the process; how to access it is defined by the maps file. Be careful: we cannot simply cat this file, since some parts of it cannot be read.
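To make the relationship between the two files concrete, here is a small parser for the maps format, written for this article as an added example (it is not the author's script and not code from the repository linked below). It reads the whole maps text, turns each line into a record with its address range, permission flags and path, and lets us pick out the [heap] region and the regions that are safe to read. The sample maps text is constructed for the example; the heap addresses in it match the ones discussed later in the article.

```python
#!/usr/bin/env python3
"""Parse /proc/<pid>/maps into regions and locate [heap] and readable ranges.

Added example for this article; the SAMPLE_MAPS text below is constructed.
"""
import sys
from dataclasses import dataclass


@dataclass
class Region:
    start: int
    end: int
    perms: str      # e.g. "rw-p": read, write, execute, private/shared
    offset: int
    dev: str
    inode: int
    path: str       # file path, "[heap]", "[stack]", or "" for anonymous

    @property
    def readable(self) -> bool:
        return self.perms[0] == "r"

    @property
    def writable(self) -> bool:
        return self.perms[1] == "w"

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps_line(line: str) -> Region:
    """Split one maps line; the pathname column is optional (anonymous mappings)."""
    fields = line.split(maxsplit=5)
    if len(fields) < 5:
        raise ValueError("malformed maps line: %r" % line)
    addr, perms, offset, dev, inode = fields[:5]
    path = fields[5].strip() if len(fields) == 6 else ""
    start, end = (int(x, 16) for x in addr.split("-"))
    return Region(start, end, perms, int(offset, 16), dev, int(inode), path)


def parse_maps(text: str) -> list:
    return [parse_maps_line(l) for l in text.splitlines() if l.strip()]


def find_region(regions: list, name: str) -> Region:
    """Return the region whose path column is exactly `name`, e.g. "[heap]"."""
    for r in regions:
        if r.path == name:
            return r
    raise LookupError("no region named %s in maps" % name)


def readable_regions(regions: list) -> list:
    """Regions we may read from /proc/<pid>/mem; others would raise EIO."""
    return [r for r in regions if r.readable]


# Constructed sample in the real maps layout (not a capture from a live system).
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1310724    /home/user/heap_use
00600000-00601000 r--p 00000000 08:01 1310724    /home/user/heap_use
00601000-00602000 rw-p 00001000 08:01 1310724    /home/user/heap_use
00869000-0088a000 rw-p 00000000 00:00 0          [heap]
7ffff7ff8000-7ffff7ffa000 ---p 00000000 00:00 0
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0  [vdso]
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0  [stack]
"""


def main(argv: list) -> int:
    # With a PID argument, read the live file; otherwise use the sample text.
    if len(argv) == 2:
        with open("/proc/%s/maps" % argv[1]) as f:
            text = f.read()
    else:
        text = SAMPLE_MAPS
    regions = parse_maps(text)
    heap = find_region(regions, "[heap]")
    print("heap: 0x%x-0x%x (%d bytes, perms %s)" % (heap.start, heap.end, heap.size, heap.perms))
    print("%d of %d regions are readable" % (len(readable_regions(regions)), len(regions)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The "---p" line in the sample is the kind of mapping that makes a plain cat of the mem file fail: it is mapped but not readable, so a reader that walks the maps file and skips regions without the r flag avoids the error.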


First, we create a null pointer and put the string "hello world" on the heap, so that we can start printing it infinitely.


This is the result of the program: every 2 seconds we see the message [#line] hello world (address on the heap where hello world is stored).

Now let's analyze the process id using the command

ps aux | grep heap_use

This will give us the following result:


The PID 2913 corresponds to the grep command we ran together with ps aux, while 2791 is the PID we are interested in. Since we want to manage information related to memory, let's look at the file /proc/2791/maps to see how the memory is laid out.


We are interested in the line ending with the word [heap]\n. It tells us that the heap starts at address 0x0869000 and ends at address 0x088a000, and the permissions column shows that this region can be read and written without a problem. So, how do we access that memory?

We can do it using the file /proc/2791/mem, but not every address in that file has read/write permission, so we are going to need a little help from Python to read the information.


What the script does is open the mem file in binary mode, seek to heap_start and read the whole heap (up to heap_end).

Now let's execute the script and see what the process memory tells us:

sudo ./read_write_heap.py | less # sudo permissions are needed

There are a lot of bytes, but at some point in the output the "hello world" bytes appear. That's nice: we can check the heap of a running process. Now, what if we try to modify it? For this we have to search for the bytes that represent "hello world" and replace them with whatever we want to put there; we can use this code to accomplish it.


In this code we start by reading everything in the heap, then we find the desired word and simply replace its bytes. Notice that we didn't add the null terminator; this is bad practice, since we don't know what is going to be in the memory that follows. The effect of the code can be seen in the running process:


As we can see, even though the new string is longer than the previous one, C keeps printing up to the null byte terminator, so our change shows up in the running process. Everything looks good for a demo, but now let's write a complete program that automates these changes for us and gives us some practice with error handling. Let's start with getting the heap range from the maps file.


We are doing the same thing we described in words, but now in code: if we detect [heap]\n at the end of a line, the first pair of addresses is converted from a string into a number. That gets us the memory range, but how do we write now? Let's check the write_inheap function.


Now, to write into the heap, we handle the case where the search string is not in the heap, and we also make sure that the replacement bytes plus the null byte will not run past the end of the heap. Then we position the cursor, write the replacement, and add the null byte.
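The two checks just described (search string present, replacement plus null byte inside the heap) are easy to get wrong, so here they are as an added example written for this article; this is not the author's write_inheap function or the repository's code. The functions take any binary file object and an explicit start/end range, which means they work on /proc/<pid>/mem opened in "r+b" mode (the real use, which needs the same privileges as the article's scripts) but can also be exercised offline against an in-memory buffer. The sample buffer, its range and its contents are constructed for the example, and the heap range itself is assumed to come from parsing the maps file as the article describes.

```python
#!/usr/bin/env python3
"""Read a memory region and replace a NUL-terminated string inside it, with bounds checks.

Added example for this article; SAMPLE_* values below are constructed.
"""
import io
import sys


def read_region(mem, start: int, end: int) -> bytes:
    """Seek to `start` and read exactly end - start bytes from a binary file object."""
    if end <= start:
        raise ValueError("empty or inverted range 0x%x-0x%x" % (start, end))
    mem.seek(start)
    data = mem.read(end - start)
    if len(data) != end - start:
        raise IOError("short read: got %d of %d bytes" % (len(data), end - start))
    return data


def find_in_region(data: bytes, needle: bytes) -> int:
    """Offset of `needle` inside the region's bytes, or -1 if absent."""
    return data.find(needle)


def replacement_fits(region_size: int, idx: int, replacement: bytes) -> bool:
    """True if replacement plus its NUL terminator ends inside the region."""
    return idx >= 0 and idx + len(replacement) + 1 <= region_size


def write_in_region(mem, start: int, end: int, search: bytes, replacement: bytes) -> int:
    """Replace the first occurrence of `search` with `replacement` + NUL; return its address.

    Raises ValueError when the search string is absent or the write would overrun the region,
    so nothing is written in either case.
    """
    data = read_region(mem, start, end)
    idx = find_in_region(data, search)
    if idx < 0:
        raise ValueError("search string %r not found in 0x%x-0x%x" % (search, start, end))
    if not replacement_fits(len(data), idx, replacement):
        raise ValueError("replacement plus NUL would overrun the region end 0x%x" % end)
    mem.seek(start + idx)
    mem.write(replacement + b"\x00")   # terminate so the C program stops printing here
    mem.flush()
    return start + idx


# Constructed stand-in for a process memory file: a 0x2000-byte buffer whose
# "heap" occupies 0x1000-0x2000 and holds "hello world\0" at offset 0x10.
SAMPLE_START, SAMPLE_END = 0x1000, 0x2000
SAMPLE_OFFSET = 0x10


def make_sample_memory() -> io.BytesIO:
    buf = bytearray(SAMPLE_END)
    payload = b"hello world\x00"
    buf[SAMPLE_START + SAMPLE_OFFSET:SAMPLE_START + SAMPLE_OFFSET + len(payload)] = payload
    return io.BytesIO(buf)


def main(argv: list) -> int:
    # Usage: script.py <pid> <heap_start_hex> <heap_end_hex> <search> <replacement>
    # With no arguments the sample buffer is used instead of /proc/<pid>/mem.
    if len(argv) == 6:
        pid, start, end = argv[1], int(argv[2], 16), int(argv[3], 16)
        search, replacement = argv[4].encode(), argv[5].encode()
        with open("/proc/%s/mem" % pid, "r+b") as mem:
            addr = write_in_region(mem, start, end, search, replacement)
    else:
        mem = make_sample_memory()
        addr = write_in_region(mem, SAMPLE_START, SAMPLE_END, b"hello world", b"hello from /proc")
    print("replaced string at 0x%x" % addr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Doing the bounds check against the region size rather than against the old string's length is the point of the second check: a longer replacement is fine as long as it and its terminator still land inside the mapped heap, and refusing the write when it would not keeps the tool from scribbling past the mapping.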

The complete python and C code can be found in this repository:

Complete code

Security is important: keep in mind which programs you give sudo permissions to on your computer while installing, and try not to store private information in your programs in plain form, since anybody with enough interest can get to it. At least let's make it a challenge.

A full description of every component of the /proc filesystem can be found here.
