Write other process' memory

3 files changed, 44 insertions, 12 deletions

diff --git a/src/main.c b/src/main.c
index ee33aac..667ca4c 100644
--- a/src/main.c
+++ b/src/main.c
@@ -8,6 +8,20 @@
 #include "util.h"
 #include "vm.h"
 
+void hex2bytes(char *hex)
+{
+  size_t len = strlen(hex);
+  char bytes[len + 1];
+
+  for (size_t i = 0; i < len; ++i) {
+    char hdig[3] = { hex[i*2], hex[i*2+1], '\0' };
+    sscanf(hdig, "%hhx", &bytes[i]);
+  }
+
+  memcpy(hex, bytes, len);
+  hex[len] = '\0';
+}
+
 int main(int argc, char *argv[])
 {
   if (argc < 2) {
@@ -23,7 +37,7 @@ int main(int argc, char *argv[])
   waitpid(pid, NULL, __WALL);
   LOG("Attached to process %d\n", pid);
 
-  char *byte_seq = "secret text";
+  char *byte_seq = "DEADBEEF";
   size_t byte_seq_len = strlen(byte_seq);
   MemscanResult *head = memscan(pid, (uint8_t*)byte_seq, byte_seq_len);
   MemscanResult *cur = head;
@@ -39,7 +53,18 @@ int main(int argc, char *argv[])
            cur->mapping->name);
     cur = cur->next;
   }
+
   printf("\n\n");
+
+  char *buf = "CAFEBABE";
+  size_t len = strlen(buf);
+  cur = head;
+  while (cur) {
+    void *address = cur->mapping->begin + cur->offset;
+    memwrite(pid, address, (uint8_t*)buf, len);
+    cur = cur->next;
+  }
+
   ptrace(PTRACE_DETACH, pid, NULL, NULL);
   LOG("Detached from process %d\n", pid);
 
diff --git a/src/vm.c b/src/vm.c
index 82f67fd..b33a7bf 100644
--- a/src/vm.c
+++ b/src/vm.c
@@ -1,3 +1,4 @@
+#include <sys/ptrace.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
@@ -63,15 +64,6 @@ VMMapping* parse_vmmap (int pid)
     } else {
       head = cur = new_mapping;
     }
-
-    LOG("%p-%p %c%c%c%c %s\n",
-        cur->begin,
-        cur->end,
-        cur->r ? 'r' : '-',
-        cur->w ? 'w' : '-',
-        cur->x ? 'x' : '-',
-        cur->s ? 's' : 'p',
-        cur->name);
   }
 
   return head;
@@ -91,7 +83,7 @@ MemscanResult* memscan(int pid, uint8_t *byte_seq, uint64_t byte_seq_len)
 {
   char fmem_path[1024] = {0};
   sprintf(fmem_path, "/proc/%d/mem", pid);
-  FILE *fmem = fopen(fmem_path, "rb+");
+  FILE *fmem = fopen(fmem_path, "rb");
   VMMapping *vmmaps_head = parse_vmmap(pid);
   VMMapping *cur_vmmap = vmmaps_head;
   MemscanResult *cur = NULL, *head = NULL;
@@ -101,7 +93,6 @@ MemscanResult* memscan(int pid, uint8_t *byte_seq, uint64_t byte_seq_len)
       cur_vmmap = cur_vmmap->next;
       continue;
     }
-    LOG("Scanning [%p]\n", cur_vmmap->begin);
 
     size_t region_size = cur_vmmap->end - cur_vmmap->begin;
     uint8_t region_data[region_size];
@@ -135,6 +126,20 @@ MemscanResult* memscan(int pid, uint8_t *byte_seq, uint64_t byte_seq_len)
 
     cur_vmmap = cur_vmmap->next;
   }
+  fclose(fmem);
 
   return head;
 }
+
+void memwrite(int pid, void *address, uint8_t *data, size_t data_len)
+{
+  char fmem_path[1024] = {0};
+  sprintf(fmem_path, "/proc/%d/mem", pid);
+  FILE *fmem = fopen(fmem_path, "rb+");
+
+  fseek(fmem, (off_t)address, SEEK_SET);
+  fwrite(data, 1, data_len, fmem);
+  fclose(fmem);
+
+  LOG("Data written successfully at address %p\n", address);
+}
diff --git a/src/vm.h b/src/vm.h
index 4a994f9..3f3cc09 100644
--- a/src/vm.h
+++ b/src/vm.h
@@ -1,6 +1,7 @@
 #ifndef _VM_H_
 #define _VM_H_
 #include <stdint.h>
+#include <sys/types.h>
 
 typedef struct VMMapping {
   void *begin;
@@ -24,4 +25,5 @@ VMMapping* parse_vmmap (int pid);
 
 MemscanResult* memscan(int pid, uint8_t *byte_seq, uint64_t byte_seq_len);
 
+void memwrite(int pid, void *address, uint8_t *data, size_t data_len);
 #endif // _VM_H_