altering it's own heap

This code locates the variable on the heap, and replaces it's value. it's curious that print uses syscall SYS_write but write is not triggering that syscall.

$findme="olsijdf9823";
$len=length($findme);

$pid=$$; #"self";
$heap=`cat /proc/$pid/maps | grep heap | cut -d ' ' -f 1`;
$stack=`cat /proc/$pid/maps | grep stack | cut -d ' ' -f 1`;
print("my pid is $pid\n");

#while(){sleep 1;}

if ($heap =~ /([a-f0-9]+)-([a-f0-9]+)/) {
  $start_heap = hex($1);
  $end_heap = hex($2);
}

if ($stack =~ /([a-f0-9]+)-([a-f0-9]+)/) {
  $start_stack = hex($1);
  $end_stack = hex($2);
}


open(MEM, "+<", "/proc/$pid/mem") or die "no permissions";

for $addr ($start_heap..$end_heap) {
  seek(MEM, $addr, 0);
  read(MEM, $buff, $len, 0);
  #print(sprintf("0x%x %s\n", $addr, $buff));
  if ($buff eq $findme) {
    print("found\n");
    seek(MEM, $addr, 0);
    print(MEM "hacked\x00");
  }
}

close(MEM);
`sync`;

print "---> $findme \n";
#EOF
[download]

Execution:

$ perl test.pl
my pid is 127249
found
---> hacked9823
[download]

Other detail is that \x00 is not an string terminator on perl, probably its a structure with a length item.

Comment on altering it's own heap Select or Download Code

Replies are listed 'Best First'.
Re: altering it's own heap by Fletch (Bishop) on Feb 11, 2023 at 19:50 UTC
The somewhat dated (but still illustrative (heh)) Illustrated Perlguts along with the current perlguts explains how scalars (`SV`) look under the hood holding the various types of values. Adendum:* And yes as the above will show perl stores strings with a length so that you can have a NUL as a valid character in a perl string without causing problems. The cake is a lie. The cake is a lie. The cake is a lie.	[reply] [d/l]
Re^2: altering it's own heap by Anonymous Monk on Feb 12, 2023 at 15:02 UTC
Just link the current version perlhack https://metacpan.org/release/RURBAN/illguts-0.49	[reply]


good chemistry is complicated, and a little bit messy -LW
	PerlMonks