/proc filesystem — maps — mem

I always asked myself how a machine’s internal communications worked and how were processes organized, and well, I found out that it’s pretty complex but if you know where are things located it won’t be that hard to understand.

I thought every process was a static type of process, but to my amazement, some folders are created at booting and destroyed once the machine is turned off. This article will give you a closer look at how processes are presented in a GNU/Linux-based Operating System (OS) and will describe how does the /procfilesystem works. In the end, I’ll leave you a link where you will find a repository’s code where you can try this at home without breaking your machine.

The /proc filesystem acts as an interface to the internal data structure. The /proc folder it’s an “illusionary” filesystem that actually does not exist in the disk memory until the machine is turned on. The kernel creates the folder and provides information about the system’s processes.

A process refers to a program in execution, in other words, it’s a running instance of a program. Programs are made up of instructions, data, other programs, or input from a system user, so this is what we call an instance.

In GNU/Linux systems there two types of processes:

  • Foreground processes: These are also known as interactive processes, this means they are initialized and controlled through a terminal session. Users usually are who initialize them by typing in the terminal
  • Background processes: These are known as non-interactive or automatic processes. These processes don’t expect any input from a user and are usually “hidden” from the user.

An example of a foreground process is when you open a program in your system. This creates a process for the specific program in your system and the /proc filesystem will create a folder with the newly created process.

An example of a background process is your WiFi internet connection. When you turn your computer on you don’t give the instruction to the machine to connect to your WiFi network, this is done automatically by the machine every time you turn it on.

When you take a look at the /proc folder you will see it has files and directories. Go open up your terminal and type the following command:

$ cd /proc

You will prompt your terminal to take you to the /proc directory. If you are following correctly, when you type in your terminal cd, you’re giving it a command, in other words, initializing a foreground process.

Once you’re located in the /proc folder type the following:

:/proc$ ls

This will list all the directories and files located in the /proc directory. You will see a lot of numbers (those are usually process’s directories) and files. Some important files/directories are:

1 : Directory with the information of process number 1.

cpuinfo : This file contains information on the processor, type, model, and performance.

devices : List of device drivers configured in the kernel.

dma : stands for direct memory access, refers to the ability of devices or other entities in a computing system to modify main memory contents without going through the CPU.

meminfo : Information about memory usage, physical and swap.

So now you can see how important is the /proc filesystem. The /proc directory not only gives you information but you can also change certain parameters at runtime (sysctl/system control).

Every process has specific entries in the /proc . These entries give specific data about the process. If you want to know about the status of a process you can read the file by typing:

:/proc/PID$ cat status

*PID = Process ID

That way you can check all the information that a process runs while is running in the system.

If you want to know about the mapped memory regions and permissions of a process type:

:/proc/PID$ cat maps

maps describes a region of contiguous virtual memory in a process and it has the following fields:

address perms offset dev inode pathname

0x557fa..-0x5573e.. r-p 00000000 103:02 3284664 /usr/libexec/colord

This shows us the memory space that a process is occupying in memory. With this information, we know the exact location of the process.

address : is the space in memory that it occupies ( 0x557fa..-0x5573e ).

perms : are the permissions that the file has, r= read, w = write, x = execute, s = shared, p = private ( r-p ).

offset : is the offset into the mapping ( 00000000 ).

dev : is the device ( 103:02 ).

inode : is the inode of the device ( 3284664 ).

pathname : shows the name associated with the mapping of the file.

If the mapping is not associated with the file:

[HEAP] = the heap of the program.

[STACK]= the stack of the main process.

[vdso] = the “virtual dynamic shared object”, this is the kernel system call handler.

If we want to access a process and modify the entire virtual memory of a process we can access it through/proc/PID/mem. This file gives us access to the pages of a process’s memory through open(2) , read(2) , and lseek(2) .

If we ever want to change the virtual memory of a process what we have to do first is access the PID of a process by checking the information provided by the maps file. Read what’s inside the memory address, split the fields, check if it has permissions to read or write, open the mem filename, find the address, read what’s inside the address, compare the string to what you’re going to modify is located in theaddress , write the file with the new line, and close the file.

If you later go and search in the address location of that virtual memory process, you’ll find yourself with a modified file.

Here is a code example you can use to modify the virtual memory of a running process in the system using the information provided by the /proc filesystem (before you attempt anything read the README.md file):



Life just keeps on happening in the eternal present. Keep building your present.