This code locates the variable on the heap, and replaces it's value.
it's curious that print uses syscall SYS_write but write is not triggering that syscall.
$findme="olsijdf9823";
$len=length($findme);
$pid=$$; #"self";
$heap=`cat /proc/$pid/maps | grep heap | cut -d ' ' -f 1`;
$stack=`cat /proc/$pid/maps | grep stack | cut -d ' ' -f 1`;
print("my pid is $pid\n");
#while(){sleep 1;}
if ($heap =~ /([a-f0-9]+)-([a-f0-9]+)/) {
$start_heap = hex($1);
$end_heap = hex($2);
}
if ($stack =~ /([a-f0-9]+)-([a-f0-9]+)/) {
$start_stack = hex($1);
$end_stack = hex($2);
}
open(MEM, "+<", "/proc/$pid/mem") or die "no permissions";
for $addr ($start_heap..$end_heap) {
seek(MEM, $addr, 0);
read(MEM, $buff, $len, 0);
#print(sprintf("0x%x %s\n", $addr, $buff));
if ($buff eq $findme) {
print("found\n");
seek(MEM, $addr, 0);
print(MEM "hacked\x00");
}
}
close(MEM);
`sync`;
print "---> $findme \n";
#EOF
Execution:
$ perl test.pl
my pid is 127249
found
---> hacked9823
Other detail is that \x00 is not an string terminator on perl, probably its a structure with a length item.