Reputation: 1801
I am attempting to bind to a process, create a memory snapshot, then use /proc/pid/maps & /proc/pid/mem to look at items passing through memory for the running process.
A Python script is used in gdb to perform the operations, which seems to work fine. Some information:
The problem is that every memory segment examined returns errors:
%> # gdb -x mem.py --pid 24204
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-60.el6_4.1)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Attaching to process 24204
ptrace: Operation not permitted.
dd: reading `/dev/mem': Operation not permitted
2056+0 records in
2056+0 records out
1052672 bytes (1.1 MB) copied, 0.0903829 s, 11.6 MB/s
Examining: 4194304 13213696
Error: Cannot access memory at address 0x400000
Examining: 15306752 15396864
Error: Cannot access memory at address 0xe99000
Examining: 15396864 15429632
Error: Cannot access memory at address 0xeaf000
Examining: 34545664 36294656
Error: Cannot access memory at address 0x20f2000
Examining: 10833544417280 10833546514432
Error: Cannot access memory at address 0x61911000
Examining: 18212460691456 18212461740032
Error: Cannot access memory at address 0x6b400000
Examining: 23029163552768 23029163556864
Error: Cannot access memory at address 0xe51cf000
Examining: 24071492337664 24071492358144
Error: Cannot access memory at address 0x1eaba000
Examining: 140278443610112 140278443614208
Error: Cannot access memory at address 0x1ecd1000
Examining: 140278443614208 140278443618304
Error: Cannot access memory at address 0x1ecd2000
Examining: 140278443618304 140278443634688
Error: Cannot access memory at address 0x1faa3000
Examining: 140278458105856 140278458109952
Error: Cannot access memory at address 0x1faa4000
Examining: 140736783110144 140736783196160
Error: Cannot access memory at address 0xd5f6d000
Examining: 140736783654912 140736783659008
Error: Cannot access memory at address 0xd5ff2000
Examining: 18446744073699065856 18446744073699069952
Error: Cannot access memory at address 0xff600000
I am aware that the kernel does protect system memory; however, for the root user to be unable to access ALL memory segments of a userland process seems inaccurate. Any help is appreciated.
Upvotes: 0
Views: 1842
Reputation: 1801
While @scott is correct, the answer here was that I didn't account for a snapshot of the memory at the time the process was running.
I had to implement a loop to perform a comparative analysis of the current memory allocated to the process ID found in /proc//mem.
Here is a gist of the total solution.
Upvotes: 1
Reputation: 7248
dd: reading `/dev/mem': Operation not permitted
/dev/mem maps to physical memory and is disabled for security reasons by default on most distros, so that is not surprising. Assuming the latter errors like
Examining: 4194304 13213696 Error: Cannot access memory at address 0x400000
are caused by accessing /dev/<PID>/mem, you may need to pause the process first by using PTRACE_ATTACH, e.g.
    #include <fcntl.h>
    #include <sys/ptrace.h>
    #include <sys/wait.h>
    #include <unistd.h>
    /* pid, mem_fd, offset, buf and mem_file_name are assumed to be declared by the caller */
    sprintf(mem_file_name, "/proc/%d/mem", pid);
    mem_fd = open(mem_file_name, O_RDONLY);
    ptrace(PTRACE_ATTACH, pid, NULL, NULL);     /* become the tracer and stop the target */
    waitpid(pid, NULL, 0);                      /* wait until it has actually stopped */
    lseek(mem_fd, offset, SEEK_SET);            /* offset is the virtual address to read */
    read(mem_fd, buf, sysconf(_SC_PAGE_SIZE));  /* one page; _SC_PAGE_SIZE alone is only the sysconf() name, not a size */
    ptrace(PTRACE_DETACH, pid, NULL, NULL);     /* let the target run again */
See https://unix.stackexchange.com/questions/6301/how-do-i-read-from-proc-pid-mem-under-linux
Upvotes: 2
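The procedure the answer above sketches, carried through as a complete program. This is an added example and not code from the question, either answer, or the linked unix.stackexchange thread: it attaches with PTRACE_ATTACH, waits for the stop, parses every line of /proc/<pid>/maps with base-16 address parsing, reads the first page of each readable mapping through /proc/<pid>/mem with pread(), and detaches. It assumes a Linux target you are permitted to trace (same user or root; on kernels with the Yama LSM, /proc/sys/kernel/yama/ptrace_scope also gates attaching). The maps line in the comments and the marker string are constructed for illustration; the file and function names are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* One entry of /proc/<pid>/maps. */
struct region {
    uint64_t start, end;  /* virtual address range [start, end) */
    char perms[5];        /* e.g. "r-xp"; first char 'r' means readable */
    char path[256];       /* backing file or pseudo-name like "[heap]", "" if anonymous */
};

/* Parse one maps line (constructed example):
 *   00400000-00c9a000 r-xp 00000000 fd:01 1234   /usr/bin/foo
 * Addresses are hex. Offset, device and inode columns are skipped.
 * Returns 1 on success, 0 if the line is not a maps entry. */
int parse_maps_line(const char *line, struct region *r)
{
    char *endp;
    r->path[0] = '\0';
    r->start = strtoull(line, &endp, 16);
    if (endp == line || *endp != '-')
        return 0;
    r->end = strtoull(endp + 1, &endp, 16);
    if (*endp != ' ' || r->end < r->start)
        return 0;
    /* anonymous mappings have no path column, so 1 assignment is enough */
    return sscanf(endp + 1, "%4s %*s %*s %*s %255s", r->perms, r->path) >= 1;
}

/* Read len bytes at virtual address addr of process pid via /proc/<pid>/mem.
 * Caller must be pid's tracer (attached and waited for) or pid itself.
 * Returns the byte count, or -1 with errno set. */
ssize_t read_process_memory(pid_t pid, uint64_t addr, void *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = pread(fd, buf, len, (off_t)addr);  /* lseek()+read() in one call */
    int saved = errno;
    close(fd);
    errno = saved;
    return n;
}

/* Attach to pid, stop it, read the first page of each readable mapping,
 * print a summary line per mapping, detach. Returns the number of mappings
 * read successfully, or -1 if attaching or opening maps failed. */
long walk_process(pid_t pid)
{
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) {
        perror("PTRACE_ATTACH");  /* EPERM: not owner/root, or Yama ptrace_scope */
        return -1;
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) {
        perror("waitpid");
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
        return -1;
    }
    char mpath[64], line[512];
    unsigned char page[4096];
    long ok = 0;
    snprintf(mpath, sizeof mpath, "/proc/%d/maps", (int)pid);
    FILE *maps = fopen(mpath, "r");
    if (!maps) {
        perror(mpath);
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
        return -1;
    }
    while (fgets(line, sizeof line, maps)) {
        struct region r;
        if (!parse_maps_line(line, &r) || r.perms[0] != 'r')
            continue;  /* unparsable line or ---p guard page */
        if (r.start > (uint64_t)INT64_MAX) {
            /* [vsyscall] at 0xffffffffff600000 does not fit in a signed off_t */
            printf("%016" PRIx64 " %s skipped (offset out of range)\n", r.start, r.path);
            continue;
        }
        size_t want = r.end - r.start < sizeof page ? (size_t)(r.end - r.start) : sizeof page;
        ssize_t n = read_process_memory(pid, r.start, page, want);
        if (n <= 0) {
            printf("%016" PRIx64 "-%016" PRIx64 " %s %s: %s\n", r.start, r.end,
                   r.perms, r.path, n < 0 ? strerror(errno) : "EOF");
            continue;
        }
        ok++;  /* e.g. the text segment at 0x400000 starts with the ELF magic 7f 45 4c 46 */
        printf("%016" PRIx64 "-%016" PRIx64 " %s %-28s %zd bytes, first: %02x %02x %02x %02x\n",
               r.start, r.end, r.perms, r.path, n, page[0], page[1], page[2], page[3]);
    }
    fclose(maps);
    ptrace(PTRACE_DETACH, pid, NULL, NULL);  /* target resumes */
    return ok;
}

/* Self-check needing no second process: read a known buffer out of our own
 * address space (no ptrace needed for /proc/self/mem).
 * Returns 1 on match, 0 on mismatch, -1 if /proc is unavailable. */
int selftest_read_own_memory(void)
{
    static const char marker[] = "memwalk-marker";  /* constructed test data */
    char buf[sizeof marker];
    ssize_t n = read_process_memory(getpid(), (uint64_t)(uintptr_t)marker, buf, sizeof marker);
    if (n < 0)
        return -1;
    return (n == (ssize_t)sizeof marker && memcmp(buf, marker, sizeof marker) == 0) ? 1 : 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <pid>\n", argv[0]);
        return 2;
    }
    long n = walk_process((pid_t)atoi(argv[1]));
    if (n < 0)
        return 1;
    printf("%ld readable mappings read\n", n);
    return 0;
}
```

Build with cc -Wall -o memwalk memwalk.c and run ./memwalk <pid> as root or as the target's owner. The two failure modes visible in the question are handled explicitly: an attach that returns EPERM is reported and nothing else is attempted, and the [vsyscall] page at the top of the address space is skipped rather than passed to pread() as a negative offset. Parsing the map addresses with strtoull(..., 16) keeps the region bounds and the addresses actually read in agreement.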