pub struct Process { /* private fields */ }
Represents a process handle for memory operations.
Implementations§
impl Process
pub fn open_exe_name<S: AsRef<str>>(name: S) -> Result<Process, ProcessError>
Opens a process given its executable name.
This uses the first process found with the given name.
§Example
let process = Process::open_exe_name("bash").unwrap();
pub fn open_pid(pid: i32) -> Result<Process, ProcessError>
Opens a process from its pid.
Determines whether the process_vm_* syscalls are available and chooses the matching mode.
pub fn set_mode(&mut self, mode: MemoryMode)
Switches between Syscall and File mode at runtime.
pub fn is_running(&self) -> bool
Checks whether the process is still running and valid.
pub fn read<T: AnyBitPattern>(&self, address: usize) -> Result<T, MemoryError>
Reads a value of type T from the specified address.
T must implement bytemuck::AnyBitPattern.
In Syscall mode this uses process_vm_readv; in File mode it uses FileExt::read_at.
pub fn read_vec<T: AnyBitPattern>(
&self,
address: usize,
count: usize,
) -> Result<Vec<T>, MemoryError>
Reads a Vec of T with count elements from the specified address.
T must implement bytemuck::AnyBitPattern.
In Syscall mode this uses process_vm_readv; in File mode it uses FileExt::read_at.
pub fn write<T: NoUninit>(
&self,
address: usize,
value: &T,
) -> Result<(), MemoryError>
Writes a value of type T to the specified address.
Returns the number of bytes written.
T must implement bytemuck::NoUninit.
In Syscall mode this uses process_vm_writev; in File mode it uses FileExt::write_at.
pub fn write_vec<T: NoUninit>(
&self,
address: usize,
value: &[T],
) -> Result<(), MemoryError>
Writes a slice of T to the specified address.
Returns the number of bytes written.
T must implement bytemuck::NoUninit.
In Syscall mode this uses process_vm_writev; in File mode it uses FileExt::write_at.
pub fn read_bytes(
&self,
address: usize,
count: usize,
) -> Result<Vec<u8>, MemoryError>
Reads count bytes starting at address, always using File mode.
process_vm_readv does not work for very large reads, which is why File mode is always used here. This does not switch the mode used by other reads and writes.
pub fn write_bytes(
&self,
address: usize,
value: &[u8],
) -> Result<(), MemoryError>
Writes the bytes in value starting at address, always using File mode.
process_vm_writev does not work for very large writes, which is why File mode is always used here. This does not switch the mode used by other reads and writes.
pub fn read_terminated_string(
&self,
address: usize,
) -> Result<String, MemoryError>
Reads a C-style null-terminated string starting at address, stopping at the first 0 byte.
pub fn read_string(
&self,
address: usize,
length: usize,
) -> Result<String, MemoryError>
Reads a UTF-8 encoded string of the given length (in bytes) starting at address.
pub fn write_string<S: AsRef<str>>(
&self,
address: usize,
value: S,
) -> Result<(), MemoryError>
Writes any string-like value starting at address.
pub fn find_library<S: AsRef<str>>(
&self,
lib_name: S,
) -> Result<LibraryInfo, ProcessError>
Parses /proc/{pid}/maps to locate the base address of a loaded library whose name matches lib_name.
pub fn all_libraries(&self) -> Result<Vec<LibraryInfo>, ProcessError>
pub fn elf_size(&self, library: &LibraryInfo) -> Result<usize, MemoryError>
Returns the size of an ELF library.
pub fn dump_library(
&self,
library: &LibraryInfo,
) -> Result<Vec<u8>, MemoryError>
Dumps a complete ELF library.
This returns a complete copy of the library as it is loaded into memory.
It fails if the library is not a valid ELF, or if the library's mapping offset is not 0.
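The two steps find_library and dump_library depend on are reading /proc/{pid}/maps and checking the mapping's file offset. As an added example, independent of this crate's own code and run on a constructed maps sample, the following parses maps lines, picks a library's base mapping by file name, and applies the "offset must be 0" rule dump_library enforces (the function and type names are this example's own):

```rust
// Added example, not part of the crate: parse constructed /proc/<pid>/maps lines
// as find_library must, find a library's base mapping, and apply dump_library's
// "file offset must be 0" rule.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct MapEntry {
    pub start: usize,         // mapping start address
    pub offset: usize,        // file offset backing this mapping
    pub path: Option<String>, // backing file or pseudo-path, None if anonymous
}
/// Split off the next whitespace-delimited field, returning it and the remainder.
fn take_field(s: &str) -> (&str, &str) {
    let s = s.trim_start();
    match s.find(char::is_whitespace) {
        Some(i) => (&s[..i], &s[i..]),
        None => (s, ""),
    }
}
/// Parse one maps line: "start-end perms offset dev inode [path]".
/// The path is the trimmed remainder, so paths containing spaces survive.
pub fn parse_maps_line(line: &str) -> Option<MapEntry> {
    let (range, rest) = take_field(line);
    let (start, _end) = range.split_once('-')?;
    let (_perms, rest) = take_field(rest);
    let (offset, rest) = take_field(rest);
    let (_dev, rest) = take_field(rest);
    let (_inode, rest) = take_field(rest);
    let path = rest.trim();
    Some(MapEntry {
        start: usize::from_str_radix(start, 16).ok()?,
        offset: usize::from_str_radix(offset, 16).ok()?,
        path: (!path.is_empty()).then(|| path.to_string()),
    })
}
/// Lowest mapping whose file name equals `lib_name`: the library base.
pub fn find_library_base(maps: &str, lib_name: &str) -> Option<MapEntry> {
    maps.lines()
        .filter_map(parse_maps_line)
        .filter(|m| m.path.as_deref().and_then(|p| p.rsplit('/').next()) == Some(lib_name))
        .min_by_key(|m| m.start)
}
/// dump_library fails when the base mapping does not start at file offset 0.
pub fn is_dumpable(base: &MapEntry) -> bool { base.offset == 0 }
// Constructed sample, not a real capture; spacing mimics the kernel's padding.
pub const SAMPLE_MAPS: &str = "\
7ffff7d80000-7ffff7da8000 r--p 00000000 08:01 5678 /usr/lib/libc.so.6
7ffff7da8000-7ffff7f3d000 r-xp 00028000 08:01 5678 /usr/lib/libc.so.6
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                     [stack]
";
```

Note that only the lowest mapping of a library has offset 0; a later r-xp segment of the same file carries a non-zero offset and would be rejected if passed as the base.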
pub fn scan_pattern<S: AsRef<str>>(
&self,
pattern: S,
library: &LibraryInfo,
) -> Result<usize, MemoryError>
Scans library for pattern and returns the address where it is found.
The pattern accepted is a normal IDA pattern.
§Example
let process = Process::open_exe_name("bash").unwrap();
// the library passed here is illustrative; any library loaded in the process works
let library = process.find_library("libc.so.6").unwrap();
let address = process.scan_pattern("12 34 ? ? 56 78", &library).unwrap();
This scans the library for the IDA pattern 12 34 ? ? 56 78.
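To show what an IDA pattern scan actually does over a byte range such as a dump_library result, here is an added, self-contained matcher that is not the crate's own implementation: it parses "12 34 ? ? 56 78" into fixed bytes and wildcards, finds the first matching window in a constructed buffer, and turns the offset into an absolute address relative to an assumed library base (all names are this example's own):

```rust
// Added example, not the crate's code: parse an IDA-style pattern such as
// "12 34 ? ? 56 78" (hex bytes, "?"/"??" = any byte) and scan a byte slice for
// the first match, as Process::scan_pattern does over a library's memory.

/// Parse the pattern into Some(byte) for fixed bytes and None for wildcards.
pub fn parse_ida_pattern(pattern: &str) -> Result<Vec<Option<u8>>, String> {
    let parsed: Vec<Option<u8>> = pattern
        .split_whitespace()
        .map(|tok| match tok {
            "?" | "??" => Ok(None),
            _ => u8::from_str_radix(tok, 16)
                .map(Some)
                .map_err(|e| format!("bad pattern token {tok:?}: {e}")),
        })
        .collect::<Result<_, _>>()?;
    if parsed.is_empty() {
        return Err("empty pattern".into());
    }
    Ok(parsed)
}

/// Offset of the first window of `haystack` matching `pattern`, if any.
pub fn scan_bytes(haystack: &[u8], pattern: &[Option<u8>]) -> Option<usize> {
    if pattern.is_empty() || pattern.len() > haystack.len() {
        return None;
    }
    haystack
        .windows(pattern.len())
        .position(|w| w.iter().zip(pattern).all(|(b, p)| p.map_or(true, |x| x == *b)))
}

/// Scan `bytes` (e.g. a dump_library result) and return an absolute address by
/// adding the match offset to the library's base address.
pub fn scan_pattern_at(base: usize, bytes: &[u8], pattern: &str) -> Result<Option<usize>, String> {
    let parsed = parse_ida_pattern(pattern)?;
    Ok(scan_bytes(bytes, &parsed).map(|off| base + off))
}

// Constructed buffer: a near miss at offset 1 (ends in 0x79), the real hit at 7.
pub const SAMPLE: &[u8] = &[
    0x90, 0x12, 0x34, 0xaa, 0xbb, 0x56, 0x79,
    0x12, 0x34, 0x00, 0xff, 0x56, 0x78, 0xc3,
];
```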