
I've been playing with ptrace to see if I can modify the value of simple global integers in a C program. I know that I can use PEEKDATA and POKEDATA to accomplish this. However, these need information about where the variable is stored in memory in order to function. All the tutorials I've googled for seem to suggest the most popular way to do this is by using nm or objdump manually to obtain this address. Is there a way to do this more programmatically without knowing anything about the variable address or even the variable name beforehand (as below):

```c
int i = 0; // Assume i is defined globally and is the first integer defined in the code
// Code to modify i (this is what I'm looking for)
// More code here
// Print modified value of i
// Restore value of i later on
```

I also thought about intercepting system calls that could take integers as arguments, and while this would work, I was wondering if there was a more robust way of accomplishing this.
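One way to do the "programmatic nm" the question asks for, as an added example that is not the asker's code: parse the executable's own ELF `.symtab` to get a global's link-time value, add the load base recovered from `/proc/<pid>/maps` (so PIE binaries with ASLR work too), and only then use `PTRACE_PEEKDATA`/`PTRACE_POKEDATA`. The tracee here is a forked copy of the same image, which keeps the example self-contained; the lookup itself would work identically on an exec'd child. `target_counter` is a constructed stand-in for the asker's global `i`; the "first global int" mode with a `NULL` name is the heuristic the commenters warn about and is included only to show its limits. Assumes 64-bit little-endian Linux, an unstripped binary and a mounted `/proc`.

```c
/* Added example (not the asker's code): resolve a global int in a traced
 * child from the ELF .symtab plus the load base in /proc/<pid>/maps, then
 * read and patch it with PTRACE_PEEKDATA / PTRACE_POKEDATA. Assumes 64-bit
 * little-endian Linux, an unstripped binary and /proc. */
#define _GNU_SOURCE
#include <elf.h>
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

volatile int target_counter = 42;   /* constructed: stands in for the asker's global i */

static unsigned char *slurp(const char *path, size_t *len) {   /* whole file, caller frees */
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    fseek(f, 0, SEEK_END); long sz = ftell(f); rewind(f);
    unsigned char *buf = sz > 0 ? malloc((size_t)sz) : NULL;
    *len = buf ? fread(buf, 1, (size_t)sz, f) : 0;
    fclose(f);
    return buf;
}

/* Link-time st_value of a .symtab symbol: by name, or, if name is NULL, the first
 * GLOBAL OBJECT of sizeof(int) bytes in a writable section. The NULL mode is only a
 * heuristic: symtab order is not source order and nothing proves it was an int. */
uint64_t symbol_value(const char *exe, const char *name) {
    size_t len; unsigned char *img = slurp(exe, &len); uint64_t found = 0;
    if (!img || len < sizeof(Elf64_Ehdr)) { free(img); return 0; }
    Elf64_Ehdr *eh = (Elf64_Ehdr *)img;
    Elf64_Shdr *sh = (Elf64_Shdr *)(img + eh->e_shoff);
    if (eh->e_shoff + (size_t)eh->e_shnum * sizeof *sh > len) { free(img); return 0; }
    for (int s = 0; s < eh->e_shnum && !found; s++) {
        if (sh[s].sh_type != SHT_SYMTAB || sh[s].sh_link >= eh->e_shnum) continue;
        Elf64_Sym *sym = (Elf64_Sym *)(img + sh[s].sh_offset);
        const char *str = (const char *)(img + sh[sh[s].sh_link].sh_offset);
        for (size_t k = 0; k < sh[s].sh_size / sizeof *sym; k++) {
            if (ELF64_ST_TYPE(sym[k].st_info) != STT_OBJECT ||
                ELF64_ST_BIND(sym[k].st_info) != STB_GLOBAL ||
                sym[k].st_shndx == SHN_UNDEF || sym[k].st_shndx >= eh->e_shnum) continue;
            int hit = name ? strcmp(str + sym[k].st_name, name) == 0
                           : (sym[k].st_size == sizeof(int) &&
                              (sh[sym[k].st_shndx].sh_flags & SHF_WRITE) != 0);
            if (hit) { found = sym[k].st_value; break; }
        }
    }
    free(img);
    return found;
}

/* Absolute address of the global in process pid: st_value + load base, the base being
 * the executable's lowest mapping start minus its first PT_LOAD p_vaddr (0 for non-PIE). */
uint64_t resolve_global(pid_t pid, const char *name) {
    char exe[PATH_MAX], path[64], line[PATH_MAX + 128];
    snprintf(path, sizeof path, "/proc/%d/exe", (int)pid);
    ssize_t n = readlink(path, exe, sizeof exe - 1);
    if (n < 0) return 0; exe[n] = '\0';
    uint64_t value = symbol_value(exe, name), first_vaddr = 0, start = 0;
    size_t len; unsigned char *img = value ? slurp(exe, &len) : NULL;
    if (!img) return 0;
    Elf64_Ehdr *eh = (Elf64_Ehdr *)img;
    Elf64_Phdr *ph = (Elf64_Phdr *)(img + eh->e_phoff);
    for (int p = 0; p < eh->e_phnum; p++)
        if (ph[p].p_type == PT_LOAD) { first_vaddr = ph[p].p_vaddr; break; }
    free(img);
    snprintf(path, sizeof path, "/proc/%d/maps", (int)pid);
    FILE *m = fopen(path, "r"); if (!m) return 0;
    while (fgets(line, sizeof line, m)) {         /* "start-end perms off dev ino path" */
        line[strcspn(line, "\n")] = '\0';
        char *p = strchr(line, '/');               /* pathname column */
        if (p && strcmp(p, exe) == 0) { start = strtoull(line, NULL, 16); break; }
    }
    fclose(m);
    return start ? start - first_vaddr + value : 0;
}

int main(void) {
    pid_t child = fork();
    if (child == 0) {                              /* tracee: same image, no exec */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);                            /* let the parent patch us first */
        printf("child: target_counter = %d\n", target_counter);
        return 0;
    }
    int status; waitpid(child, &status, 0);        /* child is stopped by SIGSTOP */
    uint64_t addr = resolve_global(child, "target_counter");
    if (!addr) { fprintf(stderr, "symbol not found (stripped binary?)\n"); return 1; }
    errno = 0;                                     /* -1 is a valid word, so check errno */
    long word = ptrace(PTRACE_PEEKDATA, child, (void *)(uintptr_t)addr, NULL);
    if (word == -1 && errno) { perror("PTRACE_PEEKDATA"); return 1; }
    printf("parent: read %d at 0x%lx\n", (int)word, (unsigned long)addr);
    long patched = (word & ~0xffffffffL) | 1337;   /* POKEDATA writes a whole word */
    ptrace(PTRACE_POKEDATA, child, (void *)(uintptr_t)addr, (void *)(uintptr_t)patched);
    ptrace(PTRACE_CONT, child, NULL, NULL);
    waitpid(child, &status, 0);
    return 0;
}
```

Build without `-s` so `.symtab` survives; the child then reports `target_counter = 1337` while the parent printed 42. Two caveats matter in practice: `PTRACE_PEEKDATA` returns a full machine word, so an `int` has to be masked out and merged back before `POKEDATA` (writing `1337` straight over the word would clobber whatever global sits in the neighbouring four bytes), and the `.symtab` section is exactly what gets discarded by `strip`, after which only `.dynsym` (exported symbols) or separate debug info can name a global.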

  • What are you trying to achieve? – Ed Heal Jan 31 '16 at 19:42
  • "I also thought about intercepting system calls that could take integers as arguments, and while this would work". Really? That would work in all cases and not just some specific crafted case? What does a system call that takes integers have to do with `i` or any global variable in general? – kaylum Jan 31 '16 at 19:45
  • In particular, modifying some simple variable (an int most likely) of a running process. I'd like to do this with as little knowledge of the child process as possible (so that it can be run on many processes) and in as automated a fashion as possible. – user979616 Jan 31 '16 at 19:45
  • If you don't know the variable name and you don't know the variable address, what exactly are the criteria for identifying the target variable? – kaylum Jan 31 '16 at 19:47
  • "without knowing anything about the variable address or even the variable name beforehand" --- If you find something, how would you know if it is, in fact, the thing you were looking for if you know neither its address nor its name? – e0k Jan 31 '16 at 19:47
  • @kaylum This is what I thought. Technically, you'd be modifying an integer, but you have no way to be certain that this corresponds to a variable in the program. – user979616 Jan 31 '16 at 19:48
  • @e0k I'd like to be able to specify a name, but also, if possible, just identify the first global integer without knowing its name. Sorry if I've been somewhat unclear. – user979616 Jan 31 '16 at 19:49
  • @user979616 When the program runs, there are no such things as variables. There's only memory. – user253751 Jan 31 '16 at 20:47
  • @immibis I suppose what I'm asking is if there is a way to search the data section for a global integer defined in a program (either by name or just by finding the first occurrence of an integer in the data section)? – user979616 Jan 31 '16 at 21:16
  • @user979616 Memory *only* holds integers - so pick *anything*, and it's an integer! And the "names" *are* addresses. You could try looking through the debugging/other information for human-readable names, which is the same thing `nm` and `objdump` do. – user253751 Jan 31 '16 at 21:22
  • @immibis So in essence, what I'm asking seems to be two mutually exclusive things. I can either a) know something about the memory layout of an executable beforehand, find one of its integer variables at a given address and modify it, or b) read some bytes of an arbitrary process in memory (perhaps in the data section) and modify them, but have no idea whether or not they were intended to be an integer variable (as everything in memory is just a sequence of bytes). – user979616 Jan 31 '16 at 22:37
  • @user979616 Yes. (Assuming there isn't something major that I don't know about) – user253751 Jan 31 '16 at 23:25

0 Answers