With Proctal you can read the contents in memory straight from your
terminal. The read command is able to read text,
integers, IEEE754 floating point numbers, CPU instructions and more.
The command accepts type options. You can find out all about them here.
Here's how you would read a 32-bit integer that is located at memory address 7FFE79DEA90C of a program whose PID is 12345.
$ proctal read --pid=12345 --address=7FFE79DEA90C --type=integer --integer-bits=32
128
This will output the integer value in ASCII.
You can pass the --pause option to keep the program paused while reading.
But what if you had an array of 32-bit integers in memory? One
way to read all the elements would be to execute the
read command at the corresponding address of
each element. But a better way is to take advantage of the
--array option. It takes the number of
elements as its value.
Here's how you would read an array of 5 32-bit integers.
$ proctal read --pid=12345 --address=7FFE79DEA90C --type=integer --integer-bits=32 --array=5
128
214
-2
100000
-1996472313
The command also accepts the --show-address
option. This makes it print the address of the value. But
you might be wondering how that could be useful when you
already have to specify the address in the command. This can be
useful when you're printing an array of instructions and you're
interested in seeing their addresses.
Here's what that would look like:
$ proctal read --pid=12345 --address=400570 --type=x86 --array=5 --show-address
400570 sub rsp, 0x18
400574 mov dword ptr [rsp + 0xc], 0
40057C call 0x400530
400581 mov edi, 0x400764
400586 mov esi, eax
Showing bytes in memory
The --show-bytes option will additionally print
a sequence of numbers in hexadecimal that represent the bytes
of the value in memory, from the smallest address to the
The following example builds upon the example with --show-address to additionally show the machine-code bytes of the instructions.
$ proctal read --pid=12345 --address=400570 --type=x86 --array=5 --show-address --show-bytes
400570   sub rsp, 0x18                   48 83 EC 18
400574   mov dword ptr [rsp + 0xc], 0    C7 44 24 0C 00 00 00 00
40057C   call 0x400530                   E8 AF FF FF FF
400581   mov edi, 0x400764               BF 64 07 40 00
400586   mov esi, eax                    89 C6
This example lets you see what integers look like in memory:
$ proctal read --pid=12345 --address=98F213B6 --type=integer --integer-bits=32 --array=4 --show-bytes
12            0C 00 00 00
-81           AF FF FF FF
-96           A0 FF FF FF
2147483647    FF FF FF 7F
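The Python below is an added example, not part of Proctal or its documentation. It decodes the byte columns from the two --show-bytes outputs above, showing how the integer bytes map to their values and why the bytes E8 AF FF FF FF at 40057C resolve to call 0x400530. The function names are made up for this example, and it assumes a little-endian x86-64 target.

```python
"""Decode the byte columns printed by `proctal read --show-bytes` (added example)."""

# Constructed from the page's sample output; assumes a little-endian x86-64 target.
PAGE_INT_BYTES = "0C 00 00 00 AF FF FF FF A0 FF FF FF FF FF FF 7F"
PAGE_CALL = (0x40057C, "E8 AF FF FF FF")  # address and bytes of `call 0x400530`


def parse_hex_bytes(text):
    """Turn a space-separated hex dump such as 'AF FF FF FF' into bytes."""
    tokens = text.split()
    if any(len(t) != 2 for t in tokens):
        raise ValueError("each byte must be exactly two hex digits")
    return bytes(int(t, 16) for t in tokens)


def decode_integers(raw, bits=32, signed=True, byteorder="little"):
    """Split raw memory into consecutive fixed-width integers, lowest address first."""
    if bits <= 0 or bits % 8:
        raise ValueError("bits must be a positive multiple of 8")
    width = bits // 8
    if len(raw) % width:
        raise ValueError("byte count is not a multiple of the element width")
    return [int.from_bytes(raw[i:i + width], byteorder, signed=signed)
            for i in range(0, len(raw), width)]


def call_rel32_target(address, raw):
    """Resolve an x86 near call (opcode E8 + signed 32-bit displacement).

    The displacement is relative to the address of the next instruction.
    """
    if len(raw) != 5 or raw[0] != 0xE8:
        raise ValueError("not an E8 rel32 call")
    (displacement,) = decode_integers(raw[1:], bits=32, signed=True)
    return (address + len(raw) + displacement) % (1 << 64)


if __name__ == "__main__":
    print(decode_integers(parse_hex_bytes(PAGE_INT_BYTES)))
    addr, dump = PAGE_CALL
    print(hex(call_rel32_target(addr, parse_hex_bytes(dump))))
```

The same AF FF FF FF that reads as -81 in the integer example is the call's displacement: 40057C + 5 - 81 = 400530.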
Printing in binary
The --binary option makes the command print the
values in binary.
When using this option, the --show-address and --show-bytes options have no effect.