I want to dump a specific Java object from ART memory (/proc/{pid}/mem).
Python code
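def read_mem_vma(pid, maps_path=None):
    """Return the (start, end) address ranges of the writable mappings of *pid*.

    Parses ``/proc/<pid>/maps`` (or *maps_path* when given, which lets the
    parser run on a saved copy of a maps file) and keeps every mapping whose
    permission column starts with ``rw``.  The permission column is checked
    explicitly because testing ``'rw' in line`` also matches pathnames that
    merely contain "rw" and would return read-only mappings.

    Args:
        pid: process id, used to build the ``/proc/<pid>/maps`` path.
        maps_path: optional path of a maps file to parse instead.

    Returns:
        list of ``(start, end)`` int tuples, in file order.

    Raises:
        OSError: if the maps file cannot be opened (for another process this
            needs ptrace access to it, otherwise ``PermissionError``).
    """
    path = maps_path if maps_path is not None else f'/proc/{pid}/maps'
    vma_range_list = []
    # `with` closes the descriptor even if a line fails to parse.
    with open(path) as f:
        for line in f:
            fields = line.split()
            if len(fields) < 2:
                continue
            # maps columns: address-range perms offset dev inode [pathname]
            if not fields[1].startswith('rw'):
                continue
            start, end = (int(s, 16) for s in fields[0].split('-'))
            vma_range_list.append((start, end))
    return vma_range_list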
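def travel_mem(pid, *, stride=4):
    """Scan the writable mappings of *pid* for candidate ART object headers.

    Reads ``/proc/<pid>/mem`` in large chunks (instead of one seek/read per
    4-byte slot, which is very slow on a multi-hundred-MB heap) and hands
    every *stride*-aligned candidate header to ``is_java_obj_header``; each
    match is passed to ``parser_java_obj`` for the hard-coded
    ``'class Student'``.  Reading another process's memory needs ptrace
    access to it (same uid plus a permissive ptrace scope, or
    CAP_SYS_PTRACE); without it ``open``/``read`` raise ``PermissionError``.

    Args:
        pid: target process id.
        stride: candidate alignment in bytes (default 4, as before).

    Raises:
        OSError: if ``/proc/<pid>/mem`` cannot be opened.
    """
    # Header size assumed by the original author — TODO confirm against
    # art/runtime/mirror/object.h (klass_ + monitor_ fields) for the target ABI.
    art_java_object_header_size = 10
    chunk_size = 1 << 20  # must be a multiple of *stride*
    vma_range_list = read_mem_vma(pid)
    with open(f'/proc/{pid}/mem', 'rb') as f:
        for start, end in vma_range_list:
            addr = start
            while addr < end:
                f.seek(addr)
                try:
                    data = f.read(min(chunk_size, end - addr))
                except OSError:
                    # Some mappings listed in maps ([vvar], guard pages, device
                    # memory) are not readable through /proc/<pid>/mem; skip
                    # the rest of this mapping instead of aborting the scan.
                    break
                n = len(data)
                if n < art_java_object_header_size:
                    break  # EOF or a tail too short to hold a header
                view = memoryview(data)
                last_off = ((n - art_java_object_header_size) // stride) * stride
                for off in range(0, last_off + 1, stride):
                    header_bytes = bytes(view[off:off + art_java_object_header_size])
                    if is_java_obj_header(header_bytes):
                        # parser_java_obj continues reading the object body from
                        # *f*, so position it right after this header, exactly
                        # where the old per-address read left it.
                        f.seek(addr + off + art_java_object_header_size)
                        parser_java_obj(header_bytes, f, 'class Student')
                # Advance by a stride multiple so alignment relative to *start*
                # is kept and headers straddling the chunk boundary are still seen.
                addr += last_off + stride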
def is_java_obj_header(header_bytes):
    """Placeholder: decide whether *header_bytes* looks like an ART object header.

    Not implemented yet; always returns ``None`` (falsy), so ``travel_mem``
    never reports a match until a real check is written.

    Args:
        header_bytes: the raw bytes read at a candidate object address.

    Returns:
        ``None`` for now; a real implementation should return a bool.
    """
    # TODO: compare the relevant header field against the expected marker
    # (the original sketch: header_bytes[xx] == magic_number).
    return None
def parser_java_obj(header_bytes, f, which):
    """Placeholder: decode the object whose header is *header_bytes*.

    Not implemented yet; always returns ``None``.  The intended flow, per the
    original sketch, is: check that the header identifies *which* class, take
    the object's data length from the header, read that many bytes from *f*
    (positioned just after the header), unpack the fields with ``struct`` and
    return them as a dict such as ``{"name": "jack", "no": 110}``.

    Args:
        header_bytes: raw header bytes already read from the target.
        f: the open ``/proc/<pid>/mem`` file, positioned after the header.
        which: class selector, e.g. ``'class Student'``.

    Returns:
        ``None`` for now; a real implementation should return the field dict.
    """
    # TODO: implement the header check, length read, f.read(), struct.unpack().
    return None
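if __name__ == '__main__':
    import sys

    # 'target_app_pid' is a placeholder: with it, travel_mem opens the
    # non-existent path /proc/target_app_pid/maps and dies with OSError.
    # Take the pid from the command line when given so the script runs as-is,
    # and fail with a usage message instead of a traceback otherwise.
    pid = sys.argv[1] if len(sys.argv) > 1 else 'target_app_pid'
    if not pid.isdigit():
        sys.exit(f'usage: {sys.argv[0]} <pid>  (got {pid!r})')
    travel_mem(pid)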
I know that the key is the object header and the memory layout of the object. How can I improve this code? Which documentation can I refer to?
Please don't consider hooking or injection.
My Python code was run in adeb (a Debian filesystem); any language is welcome.