
Linux 101: How to hack your process’ memory

Holden Grissett
4 min read, Mar 1, 2018


The /proc file system is a vital part of the Linux operating system, but for many it is not well understood. As we know, everything is a file in Linux. This doesn't mean all information on Linux is actually stored in a text file; it means that all of the kernel's internal data structures can be accessed through a file that represents that data. Files are the namespace for addressing parts of the operating system. In this case, these files are virtual: they are generated as you read them.

The /proc filesystem is a way for us to access information about processes in a convenient file format. /proc is where ps gets all of its information; ps is basically just a convenient way of collecting /proc data for us. We can use /proc to access a few different kinds of things:

  1. Access hardware info (/proc/cpuinfo, /proc/meminfo, /proc/partitions, /proc/pci)
  2. Access system info (/proc/uptime, /proc/filesystems, /proc/net/, /proc/sys)
  3. Access process info (/proc/<num>/maps, /proc/<num>/mem)

There are some interesting things you can find in 1 and 2, but the process information is especially interesting, because you can actually use it to hack into a running process's memory and change it! We could use this to directly change variables in a running process. I'll show you how.

To do this, we need to know about two files: /proc/<num>/maps and /proc/<num>/mem. To access any process's information, you simply have to find the process's id, then go to the directory with that id under /proc. So say we want to access the proc files of this cron process:

Cron’s process info would be in /proc/979/. Let’s take a look:

There’s a lot of information here, but something interesting to note — we can’t read the symbolic links! We also can’t read many of these files:

This, of course, is there to protect processes: without it, an unprivileged process could obtain information it shouldn't have access to, leaving the other processes vulnerable.

Now, let's try to access the information in maps, using sudo so we can actually see it:

Now we get a bunch of information that looks like a jumbled mess. It is, however, very useful. This is the format of each line:

  1. the range of virtual memory addresses used
  2. permissions for accessing that range (read, write, execute, private or shared)
  3. offset into the mapped file
  4. device (major:minor) holding the mapped file
  5. inode of the file on that device
  6. pathname of the file mapped into this address range, or a name such as [heap] or [stack] for anonymous regions

This is actually really useful. Did you notice the [heap]? If we were to open the /proc/979/mem file, we could find the process heap by seeking to the heap's starting address; from there we could read the entire heap, and write or rewrite anything we want!

Now we have all the info we need to write a basic process hacker. Let’s start with the process we want to hack:

So, if you don't already know, when malloc is used in C the memory is allocated on the heap of the process. So we can be confident that if we look in the heap, we'll find our variable there. This program prints out the malloced variable as long as it's running, so we can see whether the variable gets changed.

This is the program we will use to hack into the heap:

There's a lot of error checking, but the important parts are finding the heap and parsing its maps line, opening the mem file, and finding the index of the string we're looking for. Once we have that, we just overwrite it with the string of our choice. Let's run the program and see what happens.
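The procedure just described (find [heap] in maps, open mem, seek to the heap, locate the string, overwrite it), as an added Python example; this is not the author's read_write_heap.py. The maps lines are constructed, and the memory image is a BytesIO standing in for /proc/<pid>/mem, which in a real run must be opened "rb+" as root, as the article says. It also adds one check the text leaves out: it refuses a replacement longer than the original string, because the bytes past the terminator belong to the next heap object.

```python
import io
import re

# Maps lines constructed for this example (addresses and inode are made up).
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1311235      /home/user/test_program
00601000-00622000 rw-p 00000000 00:00 0            [heap]
"""
# The six fields listed above: range, perms, offset, device, inode, pathname.
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) ([0-9a-f]+) (\S+) (\d+)\s*(.*)$")

def parse_maps_line(line):
    """Split one /proc/<pid>/maps line into a dict of its fields."""
    m = MAPS_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised maps line: %r" % line)
    start, end, perms, offset, dev, inode, path = m.groups()
    return {"start": int(start, 16), "end": int(end, 16), "perms": perms,
            "offset": int(offset, 16), "dev": dev, "inode": int(inode), "path": path}

def find_heap(maps_text):
    """Return (start, end) of the writable [heap] mapping, or None."""
    for line in filter(str.strip, maps_text.splitlines()):
        entry = parse_maps_line(line)
        if entry["path"] == "[heap]" and entry["perms"][:2] == "rw":
            return entry["start"], entry["end"]

def replace_in_heap(mem, heap, old, new):
    """Find NUL-terminated `old` in the heap range of `mem` (a seekable binary
    file: /proc/<pid>/mem opened "rb+" as root, or a BytesIO here) and overwrite
    it. Returns the address written, or None if `old` is not there."""
    # A longer `new` would run into the next heap object; a shorter one is NUL-padded.
    if len(new) > len(old):
        raise ValueError("replacement is longer than the original string")
    start, end = heap
    mem.seek(start)
    idx = mem.read(end - start).find(old + b"\0")
    if idx < 0:
        return None
    mem.seek(start + idx)
    mem.write(new.ljust(len(old), b"\0") + b"\0")
    return start + idx

def demo():
    heap = find_heap(SAMPLE_MAPS)
    mem = io.BytesIO()                       # stand-in for /proc/<pid>/mem
    mem.seek(heap[0] + 0x110)                # plant the string inside the heap
    mem.write(b"Good, safe variable\0")
    addr = replace_in_heap(mem, heap, b"Good, safe variable", b"Boom! Hacked")
    return addr, mem.getvalue()[addr:addr + 20]
```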

First, we need to run our test_program.c and find its process id:

Now, we run our program with 17510 as the id, "Good, safe variable" as the string to read, and the string we want to swap it for. We also have to run this with sudo, or else we won't be able to access anything:

sudo ./read_write_heap.py 17510 "Good, safe variable" "Boom! Hacked"

Wow! We hacked ourselves! As we can see, the variable was successfully replaced with our new string, at the same address.

This probably isn't the safest solution if you need to change a value in one of your running processes, but it's definitely a fun one. And now you have one more trick to use if you need to teach someone the value of running a program without sudo!


Software student @holbertonschool, Co-founder @hango, simultaneously Striving & Thriving