Viewing Process Memory Mappings In Linux

Shehu Awwal
Sep 26, 2019

I assume you already know what virtual memory, kernel space and user space are. If not, read up on them.

I decided to document these methods from SecurityTube videos and share them along the way in case I want to refer back to them. Credit goes to PentesterAcademy.

I will be using a sample C program here, and maybe also /bin/bash, to view shared and private libraries in the mappings.

A simple C program. All we need to do is run it and leave it.

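/*
Author: Shehu Awwal
Codename: 0xsh3hu
Website: http://shehuawwal.com
*/
#include <stdio.h>

int main(void) {
    int num;
    printf("Enter a Value: \n");
    /* Blocks here waiting for input, which keeps the process alive for inspection. */
    if (scanf("%d", &num) != 1)
        return 1;
    printf("You entered %d\n", num);
    return 0;
}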

All right, let's compile and run the program and leave it running without entering any input.

$ gcc hello.c -o hello
$ ./hello

And let’s grep for hello with ps to find the process id for hello.

$ ps aux | grep hello

I assume you know what I am trying to achieve. If not, you can make use of the comment box.

0x1: Using Pmap Command In Linux

As you can see from the pictures above, we have the starting address only; we don't have the location or pathname. You can use the command below to look at the other options that pmap provides.

$ pmap -h

0x2: Using /proc To Look At The Memory Mappings

$ cat /proc/<process id>/maps
$ cat /proc/2597/maps

As you can see from the above picture, unlike pmap, it shows the starting and ending address of each region in the process, permissions, offset, inode and others. I will explain them at the end.
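The fields of a maps line mentioned above (address range, permissions, offset, device, inode, pathname), as an added example that is not from the original post: a small C parser that prints every region of a process and marks any that are both writable and executable. The struct and function names are hypothetical.

```c
/* Added example: split /proc/<pid>/maps lines into their fields. */
#include <stdio.h>
#include <string.h>

struct map_entry {
    unsigned long start, end, offset, inode;
    char perms[5];   /* r, w, x, then p (private) or s (shared) */
    char dev[16];    /* major:minor of the backing device */
    char path[256];  /* file path, [heap], [stack]...; empty if anonymous */
};

/* Parse one maps line. Returns 1 on success, 0 if the line is malformed. */
int parse_maps_line(const char *line, struct map_entry *e)
{
    int n = 0;
    memset(e, 0, sizeof(*e));
    if (sscanf(line, "%lx-%lx %4s %lx %15s %lu %n", &e->start, &e->end,
               e->perms, &e->offset, e->dev, &e->inode, &n) < 6)
        return 0;
    if (n > 0) {                       /* rest of the line is the pathname */
        size_t len = strcspn(line + n, "\n");
        if (len >= sizeof(e->path))
            len = sizeof(e->path) - 1;
        memcpy(e->path, line + n, len);
    }
    return 1;
}

/* Writable and executable at once: worth a second look when auditing. */
int is_writable_exec(const struct map_entry *e)
{
    return e->perms[1] == 'w' && e->perms[2] == 'x';
}

int main(int argc, char **argv)
{
    char file[64], line[512];
    struct map_entry e;
    /* Default to our own mappings; pass a PID to inspect another process. */
    snprintf(file, sizeof(file), "/proc/%s/maps", argc > 1 ? argv[1] : "self");
    FILE *f = fopen(file, "r");
    if (!f) { perror(file); return 1; }
    while (fgets(line, sizeof(line), f)) {
        if (!parse_maps_line(line, &e))
            continue;
        printf("%lx-%lx %s size=%luK off=%lx inode=%lu %s%s\n", e.start, e.end,
               e.perms, (e.end - e.start) / 1024, e.offset, e.inode,
               e.path[0] ? e.path : "[anon]",
               is_writable_exec(&e) ? "  <-- W+X" : "");
    }
    fclose(f);
    return 0;
}
```

Compile it with gcc like the sample program and pass the PID found with ps as the only argument; reading another user's process requires root.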

0x3: Using GDB Or Any Other Debugger Like Radare

I haven’t tried Radare with it, but it should work. Sometimes I feel Radare has been overhyped, even though I know it is worth it for some of the features it offers. But let’s go with GDB.

Run gdb -q ./hello, or attach to the running process by its ID (make sure you're root when attaching):

$ gdb -q ./hello
or
# gdb -q -p 2597    <- 2597 is the process ID
gdb > break main
gdb > run
gdb > info proc mappings

The break and run steps are only needed when starting ./hello under gdb; when attached with -p, go straight to info proc mappings.

Look at the image below.

Instead of doing more explanations, let me just add references:

References:

[+] https://stackoverflow.com/questions/1401359/understanding-linux-proc-id-maps

[+] https://web.archive.org/web/20161122032625/http://www.trilithium.com/johan/2005/08/linux-gate/

[+] https://www.thegeekstuff.com/2012/03/linux-processes-memory-layout/

[+] https://linux.die.net/man/1/pmap

[+] https://gist.github.com/CMCDragonkai/10ab53654b2aa6ce55c11cfc5b2432a4
