/Dev/MEM: full image of physical memory. It can be used to access the physical memory.
/Dev/kmem: The full image of the virtual memory seen by the kernel. Can be used to access the contents of the kernel.
/Dev/MEM is used to access physical Io devices, for example, X is used to access the physical memory of the graphics card or access gpio in embedded systems. Use
The method is generally open and then MMAP can use the address after map to access the physical memory. This is actually the implementation
A space-driven approach.
/Dev/kmem can be used to view kernel variables or rootkit variables. You can use the/dev/MEM device file and MMAP system call to map physical memory described by linear addresses to processes.
And then you can directly access the memory. For example, the actual address of the standard VGA 16-color mode is a000: 0000, and the linear address is a0000. Set display
If the storage size is 0x10000, perform the following operations: mem_fd = open ("/dev/mem", o_rdwr );
Vga_mem = MMAP (0, 0x10000, prot_read | prot_write, map_shared, mem_fd, 0xa0000 );
Close (mem_fd); then you can directly access vga_mem. Of course, if you want to operate a VGA video card, you need to obtain I/O
Port access permissions for direct I/O operations to set the mode/color palette/select the plane, etc. In the industrial control field, there is also a common method for efficient transmission between the kernel and Applications data: 1) assuming the system has 64 m physical memory, you can use LILO to notify the kernel to use only 6 m while retaining 1 m physical memory for data exchange (using the mem = 63 m mark ).
2) then open the/dev/MEM device and map the 1 m address space starting from 63m m to the address space of the process. Use/dev/kmem to view what the kernel variable learned from lwn.net
The instance code is as follows:
# Include <stdio. h>
# Include <stdlib. h>
# Include <string. h>
# Include <stdarg. h>
# Include <fcntl. h>
# Include <unistd. h>
# Include <errno. h> # include <sys/types. h>
# Include <sys/STAT. h>
# Include <sys/poll. h>
# Include <sys/Mman. h> int page_size;
# Define page_size
# Define page_mask (~ (PAGE_SIZE-1) void get_var (unsigned long ADDR ){
Off_t PTR = ADDR &~ (Page_mask );
Off_t offset = ADDR & page_mask;
Int I = 0;
Char * map;
Static int KFD =-1; KFD = open ("/dev/kmem", o_rdonly );
If (KFD <0 ){
Perror ("open"); exit (0 );
} Map = MMAP (null, page_size, prot_read, map_shared, KFD, offset); If (MAP = map_failed ){
Perror ("MMAP ");
Exit (-1 );
}
/* Assume it is a string */
Printf ("% s \ n", MAP + PTR); return;
} Int main (INT argc, char ** argv ){
File * FP;
Char addr_str [11] = "0x ";
Char var [51];
Unsigned long ADDR;
Char ch;
Int R;
If (argc! = 2 ){
Fprintf (stderr, "Usage: % s system. Map \ n", argv [0]);
Exit (-1 );
} If (FP = fopen (argv [1], "R") = NULL ){
Perror ("fopen ");
Exit (-1 );
} Do {
R = fscanf (FP, "% 8 S % C % 50s \ n", & addr_str [2], & Ch, VAR );
If (strcmp (VAR, "modprobe_path") = 0)
Break;
} While (r> 0 );
If (r <0 ){
Printf ("cocould not find modprobe_path \ n ");
Exit (-1 );
}
Page_size = getpagesize ();
ADDR = strtoul (addr_str, null, 16 );
Printf ("found modprobe_path at (% s) % 08lx \ n", addr_str, ADDR );
Get_var (ADDR );
} Run #./TMAP/boot/system. Map
Found modprobe_path at (0xc03aa900) c03aa900/sbin/modprobe
Differences
1./dev/MEM: full image of physical memory. It can be used to access the physical memory.
2./dev/kmem: full image of the virtual memory seen by the kernel. Can be used to access
Content.
Function
1. The former is used to access physical Io devices, for example, X is used to access the physical memory or embedded memory of the video card.
To access gpio. The usage is generally open and then MMAP can be followed by map
Address to access the physical memory. This is actually a way to implement user space-driven.
2. The latter can be used to view the kernel variables or be used as rootkit. Reference
1 and 2 describe the problem of checking the kernel variable.
Reference
1. http://lwn.net/Articles/147902/
2. http://lkml.org/lkml/2005/8/11/301
Linux
You can open/dev/MEM at 2.4 and then read it.
After enabling/dev/MEM in 2.6, you can only read the content in the first part of 0x101000 (UBUNTU ).
It is about 1 MB plus 4 kb. The "open not permitted" error will occur when you read the following content.
The solution is to use MMAP (). Routine is as follows:
F = open ("/dev/mem", o_rdonly );
My_mem = MMAP (0, 0x1000, prot_read, map_shared, F, 0x34f000 );
If (my_mem = map_failed)
Printf ("map failed % s \ n", strerror (errno ));
Use my_mem to get the memory content after 0x101000.