Procmod

Procmod is a tool for modifying running processes in Linux.

An example of how to use it is shown below.

Let's imagine we have the following Java file:

public class Test {
    private int x = 100;

    public int getX() {
        return x;
    }

    public static void main(String[] args) {
        Test t = new Test();

        while (true) {
            try {
                Thread.sleep(1000);
                System.out.println("X: " + t.getX());
            } catch (Exception e) {
                // ignore interruptions and keep printing
            }
        }
    }
}

And we want to modify the value 100 from outside of the JVM.

Compile and run the test file.

javac Test.java
java Test 

We now want to dump the heap of the JVM. We do this with the following command:

  jmap -dump:file=/tmp/heap.bin `ps ax  | grep "java [T]est" | awk '{ print $1 }'`

We then want to find the actual memory address of the object in memory.

To do this, we use the jhat command, which lets you browse the heap dump
via a web interface.

jhat /tmp/heap.bin

Using a web browser, browse to 127.0.0.1:7000.

Then click on “class Test [0x7d6e4ae80]”. On the page that appears, scroll down
to the ‘References to this object:’ section and click on “Test@0x7d6e4b8f0 (20 bytes) : ??”.

You can then see the values of the object’s properties.

At the top you will see something like “instance of Test@0x7d6e4b8f0 (20 bytes)”.

We now know the memory address is 0x7d6e4b8f0.

We know the value we want to replace is 100. As this is stored as an integer
on x86, we know it will be represented in little-endian order (least significant byte first).

We use the ProcMod program to search for this integer and replace it with an alternative.
ProcMod accepts hexadecimal input, so we first convert 100 to hex, which is 0x64. As a 32-bit
little-endian integer this is laid out in memory as the bytes 64 00 00 00, so the search pattern is 64000000.

We know the object is 20 bytes, so we want to search from 0x7d6e4b8f0 to 0x7d6e4b8f0 + 20 = 0x7D6E4B904.

So we now run ProcMod in the following way:

./procmod -p `ps ax  | grep "java [T]est" | awk '{ print $1 }'` -f "64000000" -r "ff000000" -l `printf %u 0x7d6e4b8f0` -t `printf %u 0x7D6E4B904` -h

If you switch back to the running Test program, you’ll see the output has changed from 100 to 255.
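What the procmod command above does, shown as an added example that is not the project's own code: read the target range through /proc/<pid>/mem, look for the little-endian bytes of 100 and write the bytes of 255 back. So that it runs without a JVM, the demo patches a constructed 20-byte stand-in for the Test object inside the calling process itself; the fake_obj layout and names are assumptions, not the JVM's object format. For another process the open() is gated by the kernel's ptrace access check, which is where a host decides who may do this at all.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Replace every occurrence of find[0..n) inside buf[0..len) with repl; returns the hit count. */
size_t replace_in_buffer(uint8_t *buf, size_t len, const uint8_t *find, const uint8_t *repl, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; n > 0 && i + n <= len; i++)
        if (memcmp(buf + i, find, n) == 0) {
            memcpy(buf + i, repl, n); hits++; i += n - 1;  /* skip over the bytes just written */
        }
    return hits;
}

/* Read [lo, hi) of process pid via /proc/<pid>/mem, patch a local copy and write it back only if
 * something matched; returns the hit count or -1. For a foreign pid the open() passes the same
 * access check as PTRACE_ATTACH (same uid plus Yama ptrace_scope, or CAP_SYS_PTRACE). */
long patch_range(pid_t pid, uintptr_t lo, uintptr_t hi, const uint8_t *find, const uint8_t *repl, size_t n) {
    if (hi <= lo || n == 0) return -1;
    size_t len = hi - lo;
    char path[32];
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int fd = open(path, O_RDWR);
    if (fd < 0) return -1;
    uint8_t *buf = malloc(len);
    long result = -1;
    if (buf && lseek(fd, (off_t)lo, SEEK_SET) == (off_t)lo && read(fd, buf, len) == (ssize_t)len) {
        size_t hits = replace_in_buffer(buf, len, find, repl, n);
        if (hits == 0 || (lseek(fd, (off_t)lo, SEEK_SET) == (off_t)lo && write(fd, buf, len) == (ssize_t)len))
            result = (long)hits;
    }
    free(buf);
    close(fd);
    return result;
}

/* Constructed stand-in for the 20-byte Test object; the field layout is an assumption, not the JVM's. */
struct fake_obj { uint8_t header[12]; int32_t x; uint8_t tail[4]; };

/* Patch x from 100 to 255 in our own process, as the procmod command does to the JVM; returns the new x.
 * Assumes a little-endian host, as the text does for x86. */
int32_t demo(void) {
    volatile struct fake_obj obj = { {0}, 100, {0} };
    const uint8_t find[4] = {0x64, 0x00, 0x00, 0x00};   /* 100 as a little-endian int32 */
    const uint8_t repl[4] = {0xff, 0x00, 0x00, 0x00};   /* 255 */
    uintptr_t lo = (uintptr_t)&obj, hi = lo + sizeof obj;
    if (patch_range(getpid(), lo, hi, find, repl, sizeof find) != 1) return -1;
    return obj.x;
}
```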

ProcMod can be obtained from https://github.com/anfractuosity/procmod
