pub struct ProcessMemory { /* private fields */ }

Implementations

impl ProcessMemory
pub fn attach_process(pid: u32) -> Option<ProcessMemory>
pub fn new_process(file_name: &str, arguments: &Vec<String>) -> Option<ProcessMemory>
Spawns a process in a suspended state; it has to be resumed manually via resume().
On Linux, this creates a new process via fork() (which maps to clone(2) depending on the libc), ptraces the forked child, and replaces the current image with the new one in create_reference_process.
On Windows, this calls CreateProcess with the flag CREATE_SUSPENDED.
On macOS, this calls posix_spawn(2) with the flag POSIX_SPAWN_START_SUSPENDED.
Accepts a file path, as well as the arguments to pass to the new process.
pub fn write_memory(&self, _address: usize, data: &Vec<u8>, offset: bool)
Writes the buffer data (a Vec<u8>) at the given address in the process.
If offset is true, _address is interpreted as an offset relative to the first mapping/module in the process rather than an absolute address.
Example: the first module is loaded at 0x00400000, offset is true, and _address = 5; memory is written at 0x00400005.
If offset is false, _address is taken as an immediate (direct) address.
pub fn read_memory(&self, _address: usize, size: usize, offset: bool) -> Vec<u8>
Reads size bytes of memory from the process and returns them as a vector. If offset is true, _address is interpreted as an offset relative to the first mapping/module in the process rather than an absolute address.
Example: the first module is loaded at 0x00400000, offset is true, and _address = 5; memory is read from 0x00400005.
If offset is false, _address is taken as an immediate (direct) address, for example _address = 0x00400005.
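To make the addressing rule shared by write_memory and read_memory concrete, here is an added stand-in written for this page (not the crate's own code): it models the first module as an in-memory byte buffer and applies the same offset/direct resolution, with checked arithmetic so that an overflowing relative address or a read past the end of the mapping is refused instead of silently yielding a truncated buffer. The names MockProcessMemory, Mapping, resolve, span and demo are assumptions, and the 16-byte image is constructed for the example.

```rust
// Added illustration, not the crate's code: a mock of the ProcessMemory
// addressing rules over an in-memory byte buffer (names are assumptions).

/// One mapped region: starts at `base`, holds `bytes`.
struct Mapping {
    base: usize,
    bytes: Vec<u8>,
}

pub struct MockProcessMemory {
    /// The first mapping/module, i.e. what `base()` returns.
    first: Mapping,
}

impl MockProcessMemory {
    /// Construct a fake process whose first module is loaded at `base`.
    pub fn new(base: usize, image: Vec<u8>) -> Self {
        MockProcessMemory { first: Mapping { base, bytes: image } }
    }

    /// Same meaning as the documented `base()`.
    pub fn base(&self) -> usize {
        self.first.base
    }

    /// Apply the documented `offset` rule: with `offset == true`, `address`
    /// is relative to the first module; otherwise it is used as-is.
    /// Returns None if base + offset overflows usize.
    pub fn resolve(&self, address: usize, offset: bool) -> Option<usize> {
        if offset {
            self.base().checked_add(address)
        } else {
            Some(address)
        }
    }

    /// Turn an absolute address into an index range inside the mapping,
    /// refusing any range that is not fully inside it.
    fn span(&self, abs: usize, size: usize) -> Option<std::ops::Range<usize>> {
        let start = abs.checked_sub(self.first.base)?;
        let end = start.checked_add(size)?;
        if end <= self.first.bytes.len() { Some(start..end) } else { None }
    }

    /// Read `size` bytes; None (rather than a short buffer) when out of range.
    pub fn read_memory(&self, address: usize, size: usize, offset: bool) -> Option<Vec<u8>> {
        let abs = self.resolve(address, offset)?;
        let r = self.span(abs, size)?;
        Some(self.first.bytes[r].to_vec())
    }

    /// Write `data`; returns the number of bytes written (0 if out of range).
    pub fn write_memory(&mut self, address: usize, data: &[u8], offset: bool) -> usize {
        let r = match self.resolve(address, offset).and_then(|abs| self.span(abs, data.len())) {
            Some(r) => r,
            None => return 0,
        };
        self.first.bytes[r].copy_from_slice(data);
        data.len()
    }
}

/// Walk through the example from the docs: module at 0x00400000, offset 5.
pub fn demo() -> (usize, Vec<u8>, Option<Vec<u8>>) {
    // Constructed 16-byte image standing in for the first module.
    let mut pm = MockProcessMemory::new(0x0040_0000, vec![0u8; 16]);
    let written = pm.write_memory(5, &[0xAA, 0xBB], true);      // lands at 0x00400005
    let direct = pm.read_memory(0x0040_0005, 2, false).unwrap(); // same bytes via a direct address
    let past_end = pm.read_memory(15, 2, true);                  // 0x0040000F..0x00400011 leaves the mapping
    (written, direct, past_end)
}

fn main() {
    let (written, direct, past_end) = demo();
    println!("wrote {written} bytes, read back {direct:02x?}, out-of-range read = {past_end:?}");
}
```

The mock returns Option for reads and a byte count for writes so a caller can distinguish "nothing there" from "zero bytes"; the real API returns a plain Vec<u8>, so check the returned length against the requested size before trusting the contents.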
pub fn resume(&self)
Resumes the process by resuming its first thread (Windows) or sending a continue signal (Unix).
pub fn base(&self) -> usize
Retrieves the address of the first mapping/module loaded into memory for the process.
pub fn raw_descriptor(&self) -> usize
Retrieves the raw handle (Windows) or task port (macOS), or the PID on Linux, since ptrace(2) does not use file descriptors.
pub fn early_close(&mut self)
Closes the handles/task ports or detaches from the ptrace(2) session, after which the ProcessMemory object is effectively useless except for the data it already holds.