
Hello, I am trying to dump the memory of a process in Android/Linux. Right now I read the memory maps to get a memory region's address space and then I read every single word like this:

```c
ptrace(PTRACE_ATTACH, pid, NULL, NULL);
wait(NULL);

/* read each word in this memory region: */
word = ptrace(PTRACE_PEEKDATA, pid, (void *)address, NULL);

ptrace(PTRACE_CONT, pid, NULL, NULL);
ptrace(PTRACE_DETACH, pid, NULL, NULL);
```

Isn't there a more efficient solution that reads a whole memory page directly by specifying the start/end of a memory address space to read?

micha
  • Exactly what are you trying to achieve? A complete dump of the process can be done by reading the "file" `/proc/pid/mem` – Mats Petersson Dec 23 '15 at 11:52
  • I want a dump of all writeable memory pages. I have now achieved a dump of the heap using _open_, _lseek_ and _read_. But when I try to access the other memory regions like the stack I still get an I/O error. – micha Dec 29 '15 at 11:33

1 Answer


There are two possible ways to read memory more efficiently from another process.

If your kernel supports it (I have no idea about Android kernels) you can use process_vm_readv.

Another way is to open the /proc/.../mem file of the target process and read from it. gdb uses this method, though I think only because process_vm_readv is "new" (in gdb's terms).

Tom Tromey
  • _process_vm_readv_ is not available in Android -> results in _error: undefined reference to 'process_vm_readv'_. But thanks for your advice, I have now managed to read the heap from _/proc/pid/mem_ using open, lseek and read. – micha Dec 29 '15 at 11:26
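
The `/proc/pid/mem` approach from the answer, written out as an added example (not code from the question or the answer): it walks `/proc/<pid>/maps`, reads each readable and writable region in 64 KiB chunks with `pread`, and skips a region when a read is refused instead of aborting the dump. The name `dump_writable` is hypothetical, and the code assumes the caller is already allowed to read the target, for example after the `PTRACE_ATTACH` and `wait` shown in the question.

```c
#define _FILE_OFFSET_BITS 64 /* 64-bit off_t, needed for pread offsets on 32-bit targets */
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* dump_writable() is a hypothetical helper, not from the original answer.
 * Assumes the caller may already read the target's memory (attached with
 * PTRACE_ATTACH and waited for, as in the question, or pid is the caller).
 * Returns the number of bytes written to out_fd, or -1 on failure. */
long long dump_writable(pid_t pid, int out_fd)
{
    static char buf[1 << 16];
    char path[64], line[4608], perms[5];
    unsigned long long start, end;
    long long total = 0;

    snprintf(path, sizeof path, "/proc/%d/maps", (int)pid);
    FILE *maps = fopen(path, "r");
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int mem = open(path, O_RDONLY);
    if (!maps || mem < 0) {
        if (maps) fclose(maps);
        if (mem >= 0) close(mem);
        return -1;
    }
    /* Each maps line starts with "start-end perms", e.g. "7f00a000-7f00c000 rw-p". */
    while (fgets(line, sizeof line, maps)) {
        if (sscanf(line, "%llx-%llx %4s", &start, &end, perms) != 3)
            continue;
        if (perms[0] != 'r' || perms[1] != 'w')
            continue;                       /* keep readable + writable regions only */
        while (start < end) {
            size_t want = end - start < sizeof buf ? (size_t)(end - start) : sizeof buf;
            ssize_t got = pread(mem, buf, want, (off_t)start);
            if (got <= 0)
                break;                      /* read refused (e.g. EIO): skip rest of region */
            if (write(out_fd, buf, (size_t)got) != got) {
                total = -1;                 /* output failure is fatal */
                goto done;
            }
            start += (unsigned long long)got;
            total += got;
        }
    }
done:
    fclose(maps);
    close(mem);
    return total;
}
```

Regions are written back to back with no addresses recorded, so log `start` and `end` per region alongside the dump if offsets need to be mapped back to the target's address space.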