I am trying to dump the memory of a process and distinguish the different parts, such as code page, guard page, stack, and heap. I can dump the process memory by calling an added system call, and in this system call I use memmove to dump the process memory to my buffer. Then I print the buffer in my user-level function. But I cannot figure out the different parts of this memory. Now my embryonic idea is to find some special pointers that point to the boundaries of these parts. But I am confused about which pointers can do this. Or should I try to compute the size of these parts, and print (Next part is Code/Guard Page)? I can make sure that there will be a 4k page table for guard page table, but I do not know how to get the size of other parts, like code page or stack.

I also want to let my user-level function dump another process's memory by giving the pid as a parameter, but I am confused about how to start. How can I find the other process's page table and enter them in my kernel-level dump function?

1 Answer

The problem you face is that memory is memory. A process can have multiple heaps and multiple stacks. They just look like memory.

On some systems you can examine the executable file to find how the application is structured in memory. However, modern loaders frequently randomize the loading of a process in memory.

Tony Tannous
user3344003
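The answer's point about examining the executable file, as an added example that is not part of the original question or answer: assuming the executable is a little-endian ELF64 file (the page does not name its OS or format), the program headers give each segment's offset, size and permissions, which become addresses only once the randomized load base is known. The names `parse_segments`, `build_sample` and `load_base`, and the sample bytes, are constructed for illustration.

```python
import struct

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

def parse_segments(image, load_base=0):
    """List (kind, start, end, perms) for the loadable parts of an ELF64 image.

    load_base is where the loader placed the image; with address randomization
    it changes per run, so the file alone only gives offsets from it.
    """
    if image[:4] != b"\x7fELF" or image[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", image, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 0x36)
    if e_phentsize < 56:
        raise ValueError("program header entries too small")
    segments = []
    for i in range(e_phnum):
        p_type, p_flags, _, p_vaddr, _, _, p_memsz, _ = struct.unpack_from(
            "<IIQQQQQQ", image, e_phoff + i * e_phentsize)
        perms = "".join(c if p_flags & bit else "-"
                        for c, bit in (("r", PF_R), ("w", PF_W), ("x", PF_X)))
        if p_type == PT_LOAD:
            kind = "code" if p_flags & PF_X else "data" if p_flags & PF_W else "rodata"
            start = load_base + p_vaddr
            segments.append((kind, start, start + p_memsz, perms))
        elif p_type == PT_GNU_STACK:
            # Only the stack's permissions are recorded; its address is chosen at run time.
            segments.append(("stack-perms", None, None, perms))
    return segments

def build_sample():
    """Constructed ELF64 header plus three program headers (not a real binary)."""
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + bytes(9),
                       3, 62, 1, 0x1000, 64, 0, 0, 64, 56, 3, 0, 0, 0)
    phdrs = [
        (PT_LOAD, PF_R | PF_X, 0x1000, 0x1000, 0x1000, 0x234, 0x234, 0x1000),
        (PT_LOAD, PF_R | PF_W, 0x2000, 0x3000, 0x3000, 0x100, 0x500, 0x1000),
        (PT_GNU_STACK, PF_R | PF_W, 0, 0, 0, 0, 0, 16),
    ]
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)

if __name__ == "__main__":
    for kind, start, end, perms in parse_segments(build_sample(), 0x555555554000):
        span = f"{start:#x}-{end:#x}" if start is not None else "(set at run time)"
        print(f"{kind:12} {perms} {span}")
```

Heap and stack boundaries do not appear in this output because the file does not record them; they exist only in the running process's own bookkeeping.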