This code locates the variable on the heap and replaces its value. It's curious that print uses syscall SYS_write but write is not triggering that syscall.
#!/usr/bin/perl
use strict;
use warnings;

my $findme = "olsijdf9823";
my $len    = length($findme);
my $pid    = $$;    # "self"

# address ranges of this process's heap and stack, taken from /proc/PID/maps
my $heap  = `cat /proc/$pid/maps | grep heap  | cut -d ' ' -f 1`;
my $stack = `cat /proc/$pid/maps | grep stack | cut -d ' ' -f 1`;
print("my pid is $pid\n");
#while () { sleep 1; }    # keep the process around for inspection

my ($start_heap, $end_heap, $start_stack, $end_stack);
if ($heap =~ /([a-f0-9]+)-([a-f0-9]+)/) {
    $start_heap = hex($1);
    $end_heap   = hex($2);
}
if ($stack =~ /([a-f0-9]+)-([a-f0-9]+)/) {
    $start_stack = hex($1);
    $end_stack   = hex($2);
}

# /proc/PID/mem gives read/write access to the process's own memory
open(my $mem, "+<", "/proc/$pid/mem") or die "no permissions";
for my $addr ($start_heap .. $end_heap) {
    seek($mem, $addr, 0);
    read($mem, my $buff, $len);
    #print(sprintf("0x%x %s\n", $addr, $buff));
    if ($buff eq $findme) {
        print("found\n");
        seek($mem, $addr, 0);
        print {$mem} "hacked\x00";    # overwrite the string in place, NUL included
    }
}
close($mem);
`sync`;
print "---> $findme \n";
#EOF
Execution:

$ perl test.pl
my pid is 127249
found
---> hacked9823
Another detail is that \x00 is not a string terminator in Perl; probably it's a structure with a length item.
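The scan half of the post, as an added example rather than the OP's code: it parses /proc/self/maps in Perl instead of shelling out, reads the heap in 64 KiB chunks with sysread (overlapping chunks so a match on a boundary is not missed) and only counts where a marker string lives. Read-only scans like this are the defender's use of the same interface: checking whether a secret still lingers in process memory after you think it was cleared. It assumes Linux with /proc, a 64-bit Perl, and the marker value is constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Find the [heap] mapping of this process: returns (start, end) addresses.
sub heap_range {
    open my $maps, '<', '/proc/self/maps' or die "no /proc/self/maps: $!";
    while (my $line = <$maps>) {
        # e.g. "5581c0a00000-5581c0a21000 rw-p 00000000 00:00 0   [heap]"
        return (hex $1, hex $2) if $line =~ /^([0-9a-f]+)-([0-9a-f]+)\s.*\[heap\]\s*$/;
    }
    die "no [heap] mapping found";
}

# Return the heap addresses at which $needle occurs (read-only scan).
# Copies of the needle held by Perl's own temporaries (the scan buffers,
# the marker scalar itself) are counted too, so treat the result as an
# upper bound on "is it still in memory".
sub heap_hits {
    my ($needle) = @_;
    my $n = length $needle;            # byte length, embedded NULs included
    my ($start, $end) = heap_range();
    open my $mem, '<:raw', '/proc/self/mem' or die "cannot open /proc/self/mem: $!";
    my (@hits, $buf);
    my $carry = '';                    # tail of previous chunk, for boundary matches
    my $chunk = 65536;
    for (my $addr = $start; $addr < $end; $addr += $chunk) {
        my $want = $end - $addr;
        $want = $chunk if $want > $chunk;
        sysseek $mem, $addr, 0 or die "sysseek: $!";
        my $got = sysread $mem, $buf, $want;
        last unless $got;              # unreadable page or end of mapping
        my $win  = $carry . $buf;
        my $base = $addr - length $carry;
        my $pos  = 0;
        while (($pos = index $win, $needle, $pos) >= 0) {
            push @hits, $base + $pos;
            $pos += $n;
        }
        my $keep = $n - 1;             # shorter than the needle: no double counting
        $keep = length $win if $keep > length $win;
        $carry = $keep ? substr($win, -$keep) : '';
    }
    close $mem;
    return @hits;
}

my $marker = "olsijdf9823";            # constructed marker, same value as the post
my @hits = heap_hits($marker);
printf "%d copies of '%s' in the heap: %s\n", scalar @hits, $marker,
    join ' ', map { sprintf '0x%x', $_ } @hits;
```

Because the match uses index on a byte string, a needle such as "hacked\x00" is found intact, which is the length-prefixed SV behaviour the reply below describes.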

Re: altering it's own heap
by Fletch (Bishop) on Feb 11, 2023 at 19:50 UTC

    The somewhat dated (but still illustrative (heh)) Illustrated Perlguts along with the current perlguts explain how scalars (SV*) look under the hood holding the various types of values.

    Addendum: And yes, as the above will show, perl stores strings with a length so that you can have a NUL as a valid character in a perl string without causing problems.

    The cake is a lie.
    The cake is a lie.
    The cake is a lie.