Proctal

Documentation

Searching values

There are two ways to search memory: matching values with the search command, or matching byte patterns with the pattern command.

Value search

The search command matches values in memory.
Type options specify what type of values to search for.
The following options specify filters that are compared against the value currently in memory:

  • --eq matches values equal to the given value.

  • --ne matches values not equal to the given value.

  • --gt matches values greater than the given value.

  • --gte matches values greater than or equal to the given value.

  • --lt matches values less than the given value.

  • --lte matches values less than or equal to the given value.

The --region option lets you specify which memory regions to search. It takes the following values:

  • stack: contents of the stack of every thread

  • heap: contents of the heap

  • program-code: instructions from the executable (does not include shared libraries)

These options let you specify whether the memory regions must be readable, writable or executable:

  • --read

  • --write

  • --execute

The --review option makes the command read the output of a previous run from standard input and allows you to use filters that compare against the previous values. Both runs must use the same type options.
The following options specify filters that compare the current value against the value from the previous run:

  • --inc matches values that were incremented by exactly the given value.

  • --inc-up-to matches values that were incremented by up to the given value.

  • --dec matches values that were decremented by exactly the given value.

  • --dec-up-to matches values that were decremented by up to the given value.

  • --changed matches values that have changed.

  • --unchanged matches values that have not changed.

  • --increased matches values that have increased.

  • --decreased matches values that have decreased.

The --address-start option specifies the address at which to start searching for values in memory and the --address-stop option specifies the address at which to stop.
Here's how you would find all 32-bit integers greater than 0 and less than or equal to 100 in the readable and writable memory regions of a program whose PID is 12345:

$ proctal search --pid=12345 --type=integer --integer-bits=32 --read --write --gt=0 --lte=100

And here's how you would narrow the results of a previous search down to the values that have increased since, by saving the first run's output and feeding it back with --review:

$ proctal search --pid=12345 --type=integer --integer-bits=32 --read --write --gt=0 --lte=100 > results1
$ proctal search --pid=12345 --type=integer --integer-bits=32 --increased --review < results1

The --pause option prevents the program from executing code while the command is running.

Pattern matching

The pattern command allows you to search for sequences of bytes that match a given pattern. Bytes are written in hexadecimal and ?? matches any byte.
Here's how you would search for potential function calls in x86 code:

$ proctal pattern --pid=12345 --region=program-code 'E8 ?? ?? ?? ??'
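To show what a pattern like the one above actually does, here is an added example (not Proctal's own code) that implements the same byte-pattern matching in Python over a constructed x86 code buffer. It also decodes each hit as a CALL rel32 (opcode E8 followed by a signed 32-bit displacement) and checks whether the target lands inside the scanned region, which separates real calls from stray E8 bytes in data. The load address 0x401000 and the code bytes are assumptions.

```python
import re
import struct

# Constructed x86 code buffer (not captured from a real process). Two genuine
# CALL rel32 instructions (opcode E8) plus a MOV whose immediate contains an E8
# byte, which the byte pattern will also match: a false positive to filter out.
CODE_BASE = 0x401000          # assumed load address of the region
CODE = bytes.fromhex(
    "90 90"                    # 0x00: nop; nop
    "E8 0A 00 00 00"           # 0x02: call +0x0A  -> 0x401011 (the ret below)
    "B8 E8 00 00 00"           # 0x07: mov eax, 0xE8 (E8 here is data, not an opcode)
    "E8 F6 FF FF FF"           # 0x0C: call -0x0A  -> 0x401007 (the mov above)
    "C3"                       # 0x11: ret
)

def compile_pattern(pattern: str) -> re.Pattern:
    """Turn a proctal-style pattern such as 'E8 ?? ?? ?? ??' into a bytes regex.
    A token is either a two-digit hex byte or '??' for any single byte. The
    pattern is wrapped in a lookahead so overlapping matches are all reported."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"bad pattern token: {tok!r}")
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)

def find_pattern(buf: bytes, pattern: str, base: int = 0) -> list[int]:
    """Return the address (base + offset) of every position where the pattern matches."""
    return [base + m.start() for m in compile_pattern(pattern).finditer(buf)]

def call_candidates(buf: bytes, base: int) -> list[tuple[int, int, bool]]:
    """For each 'E8 ?? ?? ?? ??' hit, decode the rel32 operand into the call
    target (address of the next instruction plus displacement) and report
    whether that target lies inside the scanned region."""
    out = []
    for addr in find_pattern(buf, "E8 ?? ?? ?? ??", base):
        rel = struct.unpack_from("<i", buf, addr - base + 1)[0]
        target = addr + 5 + rel
        out.append((addr, target, base <= target < base + len(buf)))
    return out

if __name__ == "__main__":
    for addr, target, plausible in call_candidates(CODE, CODE_BASE):
        print(f"{addr:#x}: call {target:#x}  {'ok' if plausible else 'implausible target'}")
```

The hit at 0x401008 comes from the immediate of the MOV, not from a CALL, which is why its decoded target falls outside the region.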

The --region option lets you specify which memory regions to search. It takes the following values:

  • stack: contents of the stack of every thread

  • heap: contents of the heap

  • program-code: instructions from the executable (does not include shared libraries)

These options let you specify whether the memory regions must be readable, writable or executable:

  • --read

  • --write

  • --execute

The --address-start option specifies the address at which to start searching for patterns in memory and the --address-stop option specifies the address at which to stop.
The --pause option prevents the program from executing code while the command is running.