Access and view the memory of a different process by using its process ID (PID)

Question

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main() {
    
    char* ptr = "Hello from allocate_memory!";
    
    printf("Allocated memory address: %p\n", (void*)ptr);
    printf("String written to memory: %s\n", ptr);
    
    // Keep the program running to examine memory
    while(1);
    return 0;
}

#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <string.h>
#include <fcntl.h>
#include <stdlib.h>
#include <signal.h>

#define MEM_DUMP_RANGE 0x10000

int main() {
    pid_t pid = fork();
    if (pid == 0) {
        
        // Child process
        printf("Child process ID: %d\n", getpid());
        execl("./allocate_memory", "allocate_memory", NULL);

    } else {

        // Parent process
        printf("Parent process ID: %d\n", getpid());
        printf("Child process ID: %d\n", pid);

        // wait(NULL);

        // Open file for reading
        char filename[20];
        sprintf(filename, "/proc/%d/mem", pid);
        int fd = open(filename, O_RDONLY);
        if (fd == -1) {
            perror("open");
            return 1;
        }

        // Read memory
        unsigned char* buffer = malloc(MEM_DUMP_RANGE);
        read(fd, buffer, MEM_DUMP_RANGE);

        // Dump memory to file
        FILE* file = fopen("memory_dump_file_proc.txt", "w");
        if (file == NULL) {
            perror("fopen");
            return 1;
        }
        for (unsigned long addr = 0; addr < MEM_DUMP_RANGE; addr++) {
            fprintf(file, "%02x ", buffer[addr]);
            if ((addr + 1) % 16 == 0) fprintf(file, "\n");
        }
        fclose(file);

        // Search for string
        char* search_str = "Hello from allocate_memory!";
        for (unsigned long addr = 0; addr < MEM_DUMP_RANGE; addr++) {
            if (memcmp(&buffer[addr], search_str, strlen(search_str)) == 0) {
                printf("Found string at address: %lx\n", addr);

                // Kill child process
                kill(pid, SIGKILL);
                printf("Child process killed\n");
                return 0;
            }
        }

        close(fd);
        free(buffer);
    }
    return 0;
}

I want to read the memory of another process using C, but the output file only contains zeros or newline characters.

Need to see actual Memory where is something written

0x00CED010  30 36 35 32 39 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  065290..............................
0x00CED034  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ....................................

Answer 1

We cannot read /proc/…/mem from offset 0 when there is nothing mapped at address 0. You could get addresses where something is mapped from /proc/…/maps; usually the first two entries correspond to the program text and data segments, so you could use e. g.

        void *add;
        sprintf(filename, "/proc/%d/maps", pid);
        FILE *fp = fopen(filename, "r");
        if (!fp) return perror(filename), 1;
        fscanf(fp, "%*[^\n]%p", &add),  // skip text line, read data address
        fclose(fp);
        off_t offset = lseek(fd, (off_t)add, SEEK_SET);
        if (offset < 0) perror("lseek");

before the read.

Note that you shall kill the child process also if the string wasn't found, so move that part out of the for loop and change the return 0 there to break.