I had a conversation with a friend the other day about this topic, he wasn't aware that this was indeed possible on OSX. As a side note, if your operating system supports debugging, and more specifically, attaching and detaching a debugger to an already running process then the operating system has to have some support for this. Just as a reference, here's a rundown of the functions you can use to read or write bytes to other processes on Linux, Windows and Mac OS X.
On Linux, you need to look no further than open(), read(), write() and close(). You just find the PID you are looking for under the special "/proc" file system, in there, change to the directory that corresponds to your PID. Inside, there is a file named "mem". If you have access, you can just open this file and read and write to it.
On Windows, given a PID, get a process handle using the OpenProcess() function. From there, you can reserve space in the other process by using VirtualAllocEx(). You can use WriteProcessMemory() and ReadProcessMemory() to write and read to this other process.
On Mac OS X, you first obtain a Mach task using task_for_pid(), once you have that, you only need to use vm_read() and vm_write() to read and write to the other process.
All of the above assume that the operating system is clamping your access to other processes based on your credentials otherwise you get something like this.
No comments:
Post a Comment