Scanmem
Tavis Ormandy
$Id: scanmem.t2t,v 1.1 2008/03/10 12:36:50 taviso Exp $

%! Target:
%! Options: --toc --encoding=iso-8859-1
%! Style: main.css
%! PreProc:
%! PostProc:

== Scanmem ==
---------------------------------------------------------------------------

[[img/scanmem.thumb.jpg] img/scanmem.png]

scanmem is a simple interactive debugging utility for linux, used to locate the address of a variable in an executing process. This can be used for the analysis or modification of a hostile process on a compromised machine, reverse engineering, or as a "pokefinder" to cheat at video games.

=== Features ===
---------------------------------------------------------------------------

- Interactive command mode, with online help.
- Specify the target value exactly, or abstractly as "higher" or "lower".
- Supports variable width targets.
- Set a variable to any value.
- Modify variables once, or continually over a user specified period.
- Detailed information about mappings, allowing users to eliminate regions.

=== Example ===
---------------------------------------------------------------------------

You can use scanmem to cheat at nethack (on systems where nethack is not installed sgid). Here is an example session finding my gold and setting it to an arbitrary value.

```
$ scanmem --pid `pidof nethack`
info: attaching to pid 17907.
info: maps file located at /proc/17907/maps opened.
info: 17 suitable regions found.
Please enter current value, or "help" for other commands.
0>
```

The 0 in the scanmem prompt indicates there are no known matches, so I enter my current gold level (12 pieces) and ask it to search for possible matches.
```
0> 12
info: searching 0xbfff9000 - 0xc0000000...........ok
info: searching 0x401c2000 - 0x401e3000...........ok
info: searching 0x401c1000 - 0x401c2000...........ok
info: searching 0x401b6000 - 0x401b8000...........ok
info: searching 0x401b5000 - 0x401b6000...........ok
info: searching 0x40189000 - 0x4018a000...........ok
info: searching 0x40188000 - 0x40189000...........ok
info: searching 0x40181000 - 0x40183000...........ok
info: searching 0x4017f000 - 0x40181000...........ok
info: searching 0x40070000 - 0x40071000...........ok
info: searching 0x40068000 - 0x40070000...........ok
info: searching 0x40030000 - 0x40031000...........ok
info: searching 0x40029000 - 0x4002a000...........ok
info: searching 0x4001f000 - 0x40020000...........ok
info: searching 0x40016000 - 0x40017000...........ok
info: searching 0x081d4000 - 0x0820a000...........ok
info: searching 0x081b7000 - 0x081d4000...........ok
info: we currently have 38 matches.
38>
```

There are 38 possible matches, so I wait until my gold level changes and enter the new value (15 pieces).

```
38> 15
info: we currently have 1 matches.
info: match identified, use "set" to modify value.
info: enter "help" for other commands.
1> list
[00] 0x081d6d88 {      15} (unassociated, typically .bss)
1> set 10000
info: setting *0x081d6d88 to 10000...
1>
```

Excellent, only one possible match. I use the set command to set it to 10,000. The resulting nethack screen is below.

```
Taviso the Digger      St:17 Dx:9 Co:15 In:14 Wi:13 Ch:9  Lawful
Dlvl:1  $:10000  HP:7(15) Pw:1(1) AC:9  Exp:1  Burdened
```

scanmem is distributed with a man page that describes all of the commands. A flash demo of scanmem in action is available [here smdemo.html].

=== Download ===
---------------------------------------------------------------------------

You can download the latest version of scanmem from [here files/scanmem/scanmem-0.07.tar.gz] ([sig files/scanmem/scanmem-0.07.tar.gz.asc]).
```
MD5(scanmem-0.07.tar.gz)= a28baa2cf69b58b2773e379a49dae11c
```

=== License ===
---------------------------------------------------------------------------

scanmem is distributed under the [GNU General Public License http://www.gnu.org/copyleft/gpl.html] version 2 or higher.

=== Contact ===
---------------------------------------------------------------------------

All bug reports, suggestions or feedback are appreciated. You can contact me at taviso@sdf.lonestar.org
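As an added illustration of the search, narrow and set loop that the example session above walks through (example code written for this page, not part of scanmem itself): it runs the same three steps, plus the abstract "higher"/"lower" narrowing from the feature list, over a constructed byte buffer standing in for one mapped region, with a hypothetical base address, so nothing here attaches to a live process.

```python
import struct

# Constructed 32-byte "memory image" standing in for one mapped region of a
# process (hypothetical base address; nothing here attaches to a real pid).
REGION_BASE = 0x081d6d00
FMT = {1: "<b", 2: "<h", 4: "<i"}  # little-endian signed word, by width in bytes

def make_image():
    # Several words hold 12 so the first scan is ambiguous, like the 38 matches above.
    words = [7, 12, 12, 0, 12, 99, 12, 1]
    return bytearray(b"".join(struct.pack("<i", w) for w in words))

def read_word(mem, off, width=4):
    return struct.unpack_from(FMT[width], mem, off)[0]

def scan_initial(mem, target, width=4):
    """First pass ("0> 12"): every byte offset whose word equals the exact target.
    Returns {offset: value} so later passes can compare against the old value."""
    return {off: target for off in range(len(mem) - width + 1)
            if read_word(mem, off, width) == target}

def narrow(mem, candidates, target, width=4):
    """Later pass ("38> 15"): keep only candidates whose current value satisfies
    target, an exact int or "higher"/"lower" relative to the value seen last time."""
    kept = {}
    for off, prev in candidates.items():
        cur = read_word(mem, off, width)
        if target == "higher":
            ok = cur > prev
        elif target == "lower":
            ok = cur < prev
        else:
            ok = cur == target
        if ok:
            kept[off] = cur
    return kept

def set_value(mem, off, value, width=4):
    """The "set" command: overwrite the located variable in place."""
    struct.pack_into(FMT[width], mem, off, value)

def session():
    mem = make_image()
    first = scan_initial(mem, 12)        # ambiguous: four words hold 12
    set_value(mem, 16, 15)               # the game pays out: gold goes 12 -> 15
    set_value(mem, 8, 3)                 # an unrelated counter happens to move too
    unique = narrow(mem, first, 15)      # the exact new value leaves one address
    (off, cur), = unique.items()
    set_value(mem, off, 10000)           # "set 10000"
    return len(first), {REGION_BASE + off: cur}, read_word(mem, off)
```

Calling session() returns the initial match count, the single surviving address with its value, and the value read back after the set.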