The /proc filesystem
In Linux, as in other operating systems, memory is virtualized so that the real hardware can be managed and isolated from the processes: only the kernel gets to manipulate the hardware resources. A process therefore only has to mind its own memory and never handles the physical memory it shares with others. This also makes it possible to provide more memory than the hardware actually has, through a technique called paging.
This virtual view of each process’s memory is exposed through files. These files can be found in the directory “/proc/[pid]”, where “[pid]” is the PID of the given process.
“The proc file system acts as an interface to internal data structures in the kernel. It can be used to obtain information about the system and to change certain kernel parameters at runtime (sysctl).
…
The directory /proc contains (among other things) one subdirectory for each process running on the system, which is named after the process ID (PID).”
https://www.kernel.org/doc/Documentation/filesystems/proc.txt
The proc file system is thus a bridge between a process and the resources managed by the kernel. It is mounted at /proc, where most of the information about a process instance (PID) can be found. Inside the /proc/[pid]/ directory there are several files, such as:
$ sudo ls /proc/self/
attr        cwd       loginuid   numa_maps      schedstat  task
autogroup   environ   map_files  oom_adj        sessionid  timers
auxv        exe       maps       oom_score      setgroups  uid_map
cgroup      fd        mem        oom_score_adj  smaps      wchan
clear_refs
...
So, if you want the status information of a process, the file status can simply be read with cat:
$ cat /proc/self/status
Name: cat
State: R (running)
Tgid: 4515
Ngid: 0
Pid: 4515
…
Among the information inside /proc/[pid]/, the memory layout of the process is described in the file maps, and the actual contents of its memory can be accessed through the file mem.
maps Memory maps to executables and library files
mem Memory held by this process
A great advantage of knowing how to read the memory in use by a process is the possibility of exploring and modifying that memory from outside the process. The modifications are made by manipulating the file /proc/[pid]/mem.
From man proc:
/proc/[pid]/mem
This file can be used to access the pages of a process’s memory
through open(2), read(2), and lseek(2).
In order to understand what is inside mem, the file maps holds all the information about the memory layout of a given process.
The /proc/PID/maps file contains the currently mapped memory regions and their access permissions.
The format is:
address perms offset dev inode pathname
08048000-08049000 r-xp 00000000 03:00 8312 /opt/test
08049000-0804a000 rw-p 00001000 03:00 8312 /opt/test
0804a000-0806b000 rw-p 00000000 00:00 0 [heap]
…
https://www.kernel.org/doc/Documentation/filesystems/proc.txt
The columns of this format describe:
- Address: the starting and ending address of the mapped region, separated by a “-” ([starting_add]-[ending_add]).
- Perms: the permissions of this region of memory, that is, whether it may be read “r”, written “w”, or executed “x”. The fourth character says whether the region is private “p” or shared “s”.
- Offset: the offset into the mapping.
- Dev: the device (major:minor).
- Inode: the inode on that device.
- Pathname: the file associated with the memory region. If there is no associated file, the region can be described by a tag such as [heap], [stack], or [vdso]. When the field is empty, the mapping is anonymous.
With this information it is possible, as in a pipeline, to:
- Search maps for a region described by a file or a tag (like the heap or the stack), and check from its permissions whether the region can be modified, or whatever action is intended.
- Then go to that region inside the mem file by seeking to its starting address, and search for the string between the starting and the ending address.
- And perform the needed action (read the bytes, or overwrite them).
Finally, here is an example of a script that reads and overwrites a string allocated in the heap by another process:
https://github.com/hb4y/holbertonschool-system_linux/tree/master/0x03-proc_filesystem
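As an added example (not the linked repository’s script), the three-step pipeline above in Python: parse maps for the [heap] region, seek into mem to its start, search the region for a NUL-terminated string and overwrite it in place, refusing regions that are not writable and replacements longer than the original. The maps listing and the BytesIO "mem" are constructed stand-ins so the functions can be exercised without a live process; the __main__ block applies the same functions to a real PID.

```python
"""Find a C string in a process's heap via /proc/[pid]/maps and /proc/[pid]/mem."""
import io
import re
import sys
from typing import BinaryIO, Optional, Tuple

# One /proc/[pid]/maps line: address perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")

# Constructed sample (not a real process): a tiny maps listing and matching fake mem
SAMPLE_MAPS = """\
00000400-00000800 r-xp 00000000 08:01 1234 /tmp/target
00001000-00003000 rw-p 00000000 00:00 0 [heap]
"""

def sample_mem() -> io.BytesIO:
    buf = bytearray(0x3000)               # fake address space 0x0..0x3000
    buf[0x1020:0x102a] = b"Holberton\0"   # a C string allocated in the heap
    return io.BytesIO(buf)

def find_region(maps_text: str, tag: str = "[heap]") -> Optional[Tuple[int, int, str]]:
    """Return (start, end, perms) of the first mapping whose pathname is `tag`."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and m.group(4) == tag:
            return int(m.group(1), 16), int(m.group(2), 16), m.group(3)
    return None

def patch_string(mem: BinaryIO, region: Tuple[int, int, str],
                 old: bytes, new: bytes) -> Optional[int]:
    """Seek to the region start, search up to its end for the NUL-terminated
    string `old`, overwrite it with `new` (NUL padded) and return the patched
    address, or None if absent.  Refuses unwritable regions and longer values."""
    start, end, perms = region
    if perms[1] != "w":
        raise PermissionError(f"{start:x}-{end:x} is not writable ({perms})")
    if len(new) > len(old):
        raise ValueError("replacement longer than the original string")
    mem.seek(start)
    idx = mem.read(end - start).find(old + b"\0")   # whole string, not a prefix
    if idx < 0:
        return None
    mem.seek(start + idx)
    mem.write(new + b"\0" * (len(old) - len(new) + 1))   # keep the terminator
    return start + idx

if __name__ == "__main__":   # live use: python3 read_write_heap.py <pid> <old> <new>
    pid, old, new = int(sys.argv[1]), sys.argv[2].encode(), sys.argv[3].encode()
    with open(f"/proc/{pid}/maps") as f, open(f"/proc/{pid}/mem", "r+b", buffering=0) as mem:
        print(patch_string(mem, find_region(f.read()), old, new))
```

Opening another process’s mem requires ptrace access to it (same uid with ptrace_scope permitting, or root); otherwise the open fails with EPERM, which is the check that keeps unrelated processes from reading or rewriting each other’s memory.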