- Newsgroups: comp.sys.next.programmer
- Path: sparky!uunet!cis.ohio-state.edu!zaphod.mps.ohio-state.edu!cs.utexas.edu!sdd.hp.com!decwrl!csus.edu!news
- From: eps@futon.SFSU.EDU (Eric P. Scott)
- Subject: Re: Extracting cmdline and env of other processes
- Message-ID: <1992Nov6.105127.22090@csus.edu>
- Sender: news@csus.edu
- Reply-To: eps@cs.sfsu.edu
- Organization: San Francisco State University
- References: <Bx6zu0.DAC@malihh.hanse.de>
- Date: Fri, 6 Nov 1992 10:51:27 GMT
- Lines: 87
-
- In article <Bx6zu0.DAC@malihh.hanse.de> clu@malihh.hanse.de
- (Carsten Lutz) writes:
- >I'm looking for a way to get the commandlines and environments ( at start-
- >time ) of other processes. Has anyone done this before or knows what the
- >best way to do this is ? 'ps' has to do this in some way 'cause it's able
- >to display both cmdline and environment.
-
- [Answered for 2.1]
-
- ps uses the indispensable table() call for TBL_ARGUMENTS to
- obtain this information. Unfortunately, the return is somewhat
- bizarre and lacking in useful information; the attached program
- illustrates. The strings comprising the argument list and the
- environment are run together, separated only by their terminating
- NULs. There is no argc, argv, or envp. The last 4 bytes will
- always be zero, and can be ignored. Up to 3 zeroed padding bytes
- will precede those as needed to longword-align the first argument.
-
- ps finds the beginning of the argument list by searching
- backwards for some number of consecutive 0 bytes. It's easily
- fooled, e.g. if I type
-
- sleep 30 "" "" "" "rm -rf *"&
-
- and do a ps, guess what it appears to be doing!
-
- By default, ps stops when it finds a string containing "="; the
- -e option suppresses this behavior. Try
-
- sleep 30 = these are hidden arguments&
-
- Then do a ps and a ps -e
-
- >One way I could imagine is to find the stacks of other processes via /dev/kmem.
- >Undermost on this stacks there must be the commandlines and the environments
- >( both arguments to main() ) somewhere around. Is there a better way ?
- >mach-hackers wanted !
-
- You mean task_by_unix_pid() to obtain the task kernel port,
- task_threads() to obtain the thread ports, thread_get_state()
- against thread 0 for the registers, vm_region() to find the stack
- bottom, and vm_read() to examine the address space? Good luck!
-
- You might be better off trying to locate the __DATA segment; the
- first 3 longwords are usually _environ, _NXArgc, and _NXArgv.
- Of course, any of those (or what they point to) can be smashed
- by the user program, so there are no guarantees in any case.
-
- [No, I haven't bothered figuring out exactly what TBL_ARGUMENTS
- does.]
-
- -=EPS=-
- ------- compile with cc -s -object -O -bsd
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
- #include <sys/table.h>
-
- /* Dump the raw TBL_ARGUMENTS buffer for a pid; unprintable bytes print as '.' */
- int main(int argc, char *argv[])
- {
-     register char *p, *q;
-     register int s;
-
-     if (argc<2||argc>3) {
- usage:
-         (void)fprintf(stderr, "Usage: %s pid [bytes]\n", *argv);
-         exit(1);
-     }
-     /* number of bytes to request; defaults to 1024 */
-     s=argc>2 ? atoi(argv[2]) : 1024;
-     if (s<=0) goto usage;
-     if (!(p=malloc(s))) {
-         (void)fprintf(stderr, "%s: malloc failure\n", *argv);
-         exit(1);
-     }
-     memset(p, 0, s);
-     /* one element of s bytes, indexed by the target pid */
-     if (table(TBL_ARGUMENTS, atoi(argv[1]), p, 1, s)<0) {
-         perror("table");
-         exit(1);
-     }
-     /* print the whole buffer, NULs and padding included */
-     q=p+s;
-     do {
-         putchar((*p<' '||*p>'~') ? '.' : *p);
-     } while (++p<q);
-     putchar('\n');
-     exit(0);
- }
-
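The backward scan and the "=" cut-off described in the post, run over two constructed buffers, as an added example that is not part of the original post and is not ps source. The threshold `ZERO_RUN`, the function names `guess_start` and `ps_view`, and the sample buffers are assumptions; the post only says ps looks for "some number" of consecutive zero bytes.

```c
#include <stdio.h>
#include <string.h>

#define ZERO_RUN 2  /* assumed threshold; the post only says "some number" */

/* Constructed buffers in the layout described above: leading zeros, the
 * NUL-terminated strings, padding, then 4 zero bytes (last one implicit). */
static const unsigned char spoofed[] =   /* sleep 30 "" "" "" "rm -rf *" */
    "\0\0\0\0\0\0\0\0" "sleep\0" "30\0" "\0\0\0" "rm -rf *\0"
    "HOME=/me\0" "\0\0" "\0\0\0";
static const unsigned char hidden[] =    /* sleep 30 = these are hidden arguments */
    "\0\0\0\0\0\0\0\0" "sleep\0" "30\0" "=\0" "these\0" "are\0" "hidden\0"
    "arguments\0" "HOME=/me\0" "\0" "\0\0\0";

/* Skip the trailing zeros, then walk back to the first run of ZERO_RUN
 * NULs; the guessed argument list starts just after that run. */
size_t guess_start(const unsigned char *b, size_t n)
{
    size_t run = 0;
    while (n > 0 && b[n - 1] == 0) n--;
    for (; n > 0; n--) {
        run = b[n - 1] == 0 ? run + 1 : 0;
        if (run == ZERO_RUN) return n - 1 + ZERO_RUN;
    }
    return 0;
}

/* Join strings from the guessed start; stop at the first one containing
 * '=' unless show_env is set (the -e behaviour). Returns a static buffer. */
const char *ps_view(const unsigned char *b, size_t n, int show_env)
{
    static char out[256];
    size_t i = guess_start(b, n), len = 0, l;
    while (n > 0 && b[n - 1] == 0) n--;
    for (; i < n; i += l + 1) {
        for (l = 0; i + l < n && b[i + l]; l++) ;
        if (!show_env && memchr(b + i, '=', l)) break;
        if (len + l + 2 > sizeof out) break;
        if (len) out[len++] = ' ';
        memcpy(out + len, b + i, l);
        len += l;
    }
    out[len] = '\0';
    return out;
}

int main(void)
{
    printf("spoofed: %s\n", ps_view(spoofed, sizeof spoofed, 0));
    printf("hidden:  %s\n", ps_view(hidden, sizeof hidden, 0));
    printf("hidden -e: %s\n", ps_view(hidden, sizeof hidden, 1));
    return 0;
}
```

Both results show why a listing built this way is a display heuristic and not a reliable record of what a process was started with.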