The following shell session inspects the virtual addresses of a shared library in two daemon processes.
Note that this shell session was run as root (hence the #
terminal prompt).
Look for PIDs for NetworkManager
and sshd
:
# ps aux | grep '/usr/sbin/' | grep -E 'NetworkManager|sshd'
root 497 0.0 0.4 406400 15788 ? Ssl 15:57 0:00 /usr/sbin/NetworkManager --no-daemon
root 556 0.0 0.1 15852 6952 ? Ss 15:57 0:00 /usr/sbin/sshd -D
First look at virtual memory mapped into NetworkManager
(497) with arbitrary offset:
# cat /proc/497/maps | grep 'libc-'
7f622ab5c000-7f622ab7e000 r--p 00000000 08:01 3146365 /usr/lib/x86_64-linux-gnu/libc-2.28.so
7f622ab7e000-7f622acc6000 r-xp 00022000 08:01 3146365 /usr/lib/x86_64-linux-gnu/libc-2.28.so
7f622acc6000-7f622ad12000 r--p 0016a000 08:01 3146365 /usr/lib/x86_64-linux-gnu/libc-2.28.so
7f622ad12000-7f622ad13000 ---p 001b6000 08:01 3146365 /usr/lib/x86_64-linux-gnu/libc-2.28.so
7f622ad13000-7f622ad17000 r--p 001b6000 08:01 3146365 /usr/lib/x86_64-linux-gnu/libc-2.28.so
7f622ad17000-7f622ad19000 rw-p 001ba000 08:01 3146365 /usr/lib/x86_64-linux-gnu/libc-2.28.so
# ./cabinet_inspector 7f622ab5c069 497
inspecting cabinet for 0x7f622ab5c069 of pid=497
[405] inspect_cabinet():
paddr: 0x115a3c069
pf_paddr: 0x115a3c000
pte_paddr: 0x10d2c7000
pmd_paddr: 0x10d623000
pud_paddr: 0x10c215000
p4d_paddr: 0x10c215000
pgd_paddr: 0x10c90a000
dirty: no
refcount: 57
[proc] pagemap:
paddr: 0x115a3c069
pf_paddr: 0x115a3c000
exclusively mapped: no
file-page: yes
swapped: no
present: yes
Then look at virtual memory mapped into sshd
(556) with a different arbitrary
offset:
# cat /proc/556/maps | grep 'libc-'
7f0e57aa1000-7f0e57ac3000 r--p 00000000 08:01 3146365 /usr/lib/x86_64-linux-gnu/libc-2.28.so
7f0e57ac3000-7f0e57c0b000 r-xp 00022000 08:01 3146365 /usr/lib/x86_64-linux-gnu/libc-2.28.so
7f0e57c0b000-7f0e57c57000 r--p 0016a000 08:01 3146365 /usr/lib/x86_64-linux-gnu/libc-2.28.so
7f0e57c57000-7f0e57c58000 ---p 001b6000 08:01 3146365 /usr/lib/x86_64-linux-gnu/libc-2.28.so
7f0e57c58000-7f0e57c5c000 r--p 001b6000 08:01 3146365 /usr/lib/x86_64-linux-gnu/libc-2.28.so
7f0e57c5c000-7f0e57c5e000 rw-p 001ba000 08:01 3146365 /usr/lib/x86_64-linux-gnu/libc-2.28.so
# ./cabinet_inspector 7f0e57aa1420 556
inspecting cabinet for 0x7f0e57aa1420 of pid=556
[405] inspect_cabinet():
paddr: 0x115a3c420
pf_paddr: 0x115a3c000
pte_paddr: 0x10df82000
pmd_paddr: 0x10df95000
pud_paddr: 0x10dc25000
p4d_paddr: 0x10dc25000
pgd_paddr: 0x10dc32000
dirty: no
refcount: 57
[proc] pagemap:
paddr: 0x115a3c420
pf_paddr: 0x115a3c000
exclusively mapped: no
file-page: yes
swapped: no
present: yes
Note that although we used two different virtual addresses for libc
in both
NetworkManager
and sshd
, they are mapped to the same physical page frame
(check pf_paddr
)!