A crate to read memory from another process. Code originally taken from the rbspy project. This crate has now returned home to the rbspy GitHub organization. :)
This example re-executes itself as a child process in order to have a separate process to use for demonstration purposes. If you need to read memory from a process that you are spawning, your usage should look very similar to this:
use std::convert::TryInto;
use std::env;
use std::io::{self, BufReader, BufRead, Read, Result};
use std::process::{Command, Stdio};
use read_process_memory::{
Pid,
ProcessHandle,
CopyAddress,
copy_address,
};
fn main() -> Result<()> {
if env::args_os().len() > 1 {
// We are the child.
return in_child();
}
// Run this executable again so we have a child process to read.
let mut child = Command::new(env::current_exe()?)
.stdin(Stdio::piped())
.stdout(Stdio::piped())
.arg("child")
.spawn()?;
// Get a ProcessHandle to work with.
let handle: ProcessHandle = (&child).try_into().unwrap();
// The child process will print the address to read from on stdout.
let mut stdout = BufReader::new(child.stdout.take().unwrap());
let mut addr_string = String::new();
stdout.read_line(&mut addr_string)?;
let address = usize::from_str_radix(addr_string.trim(), 16).unwrap();
// Try to read 10 bytes from that address
let bytes = copy_address(address, 10, &handle)?;
println!("Read: {:?}", bytes);
// Tell the child to exit by closing its stdin.
drop(child.stdin.take());
// And wait for it to exit.
child.wait()?;
Ok(())
}
fn in_child() -> Result<()> {
// Allocate a 10-byte Vec for the parent to read.
let readable_bytes: Vec<u8> = vec![
0xc0, 0x72, 0x80, 0x79, 0xeb, 0xf1, 0xbc, 0x87, 0x06, 0x14,
];
// Print the address of the Vec to stdout so the parent can find it.
println!("{:x}", readable_bytes.as_ptr() as usize);
// Now wait to exit until the parent closes our stdin, to give
// it time to read the memory.
let mut buf = Vec::new();
// We don't care if this succeeds.
drop(io::stdin().read_to_end(&mut buf));
Ok(())
}Here's a summary, with some C pseudocode, of how the read-process-memory
crate works under the hood on each of the platforms it supports. The three
inputs are:
PID: the process ID to read fromLENGTH: how much memory to readADDRESS: the address to read from
Uses process_vm_readv
void* TARGET = (void*) 0x123412341324;
struct iovec local;
local.iov_base = calloc(LENGTH, sizeof(char));
local.iov_len = LENGTH;
struct iovec remote;
remote[0].iov_base = TARGET;
remote[0].iov_len = LENGTH;
process_vm_readv(PID, local, 2, remote, 1, 0);Uses vm_read_overwrite
mach_port_name_t task;
task_for_pid(mach_task_self(), PID, &task)
vm_size_t read_len = LENGTH;
char result[LENGTH];
vm_read_overwrite(task, TARGET, LENGTH, &result, &read_len)Uses ptrace. This one stops the process to read from it.
// attach
int wait_status = 0;
attach_status = ptrace(PT_ATTACH, PID, null, 0);
waitpid(PID, &wait_status, 0);
WIFSTOPPED(wait_status)
char result[LENGTH];
desc = PtraceIoDesc {
piod_op: PIOD_READ_D,
piod_offs: TARGET;
piod_addr: &result;
piod_len: LENGTH,
};
// read data
ptrace(PT_IO, PID, &desc, 0);
// detach
ptrace(PT_DETACH, PID, null, 0);Uses ReadProcessMemory:
char result[LENGTH];
ReadProcessMemory(PID, ADDRESS, &result, LENGTH, null);
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent