当前位置：首页 > news >正文

用Python和C++实战解析/proc/pid/pagemap：手把手教你追踪Linux进程内存物理地址

news 2026/4/30 2:24:50

深入实战：用Python与C++解析Linux进程内存物理地址

在Linux系统调试和性能分析中，理解虚拟地址到物理地址的转换机制至关重要。无论是排查内存泄漏、分析恶意软件行为，还是优化程序性能，掌握如何通过编程方式获取物理地址都是系统开发者和安全研究员的必备技能。本文将带你深入/proc/pid/pagemap的底层实现，通过Python和C++两种语言的实际代码示例，演示如何构建自己的内存地址转换工具。

1. Linux内存管理基础与pagemap机制

现代Linux系统采用虚拟内存管理机制，每个进程运行在自己的虚拟地址空间中。当程序访问一个内存地址时，CPU通过内存管理单元(MMU)自动完成虚拟地址到物理地址的转换。/proc/pid/pagemap这个特殊文件正是暴露了这一转换过程的内部细节。

1.1 虚拟内存与物理内存的映射关系

Linux将虚拟内存和物理内存都划分为固定大小的页（通常为4KB）。关键数据结构包括：

页表(Page Table)：存储虚拟页号到物理页框号的映射关系
页表项(PTE)：每个64位，包含物理页框号和其他标志位
页框(Page Frame)：物理内存的最小管理单元

/proc/pid/pagemap文件中的每个64位条目对应进程虚拟地址空间中的一个页，其结构如下：

位范围	含义	说明
63	Present位	1表示页在物理内存中
62	Dirty位	1表示页已被修改
0-54	物理页框号(PFN)	实际物理内存位置
55-58	保留位	必须为0

1.2 访问pagemap的权限与限制

读取pagemap文件需要特别注意：

权限要求：通常需要root权限或CAP_SYS_ADMIN能力
性能影响：频繁读取可能影响系统性能
稳定性：结果仅代表瞬时状态，可能随时变化
内核版本差异：不同内核版本实现可能有细微差别

注意：生产环境中使用pagemap需谨慎，可能影响系统稳定性

2. Python实现：快速原型开发

Python适合快速验证想法和构建原型。下面我们实现一个完整的物理地址查询工具。

2.1 读取pagemap的基础实现

import os import struct def get_physical_address(pid, virtual_address): """通过pagemap获取虚拟地址对应的物理地址""" page_size = os.sysconf('SC_PAGESIZE') offset = (virtual_address // page_size) * 8 with open(f"/proc/{pid}/pagemap", "rb") as f: f.seek(offset) entry = struct.unpack('Q', f.read(8))[0] if not (entry & (1 << 63)): raise ValueError("Page not present in physical memory") pfn = entry & 0x7FFFFFFFFFFFFF return (pfn * page_size) + (virtual_address % page_size)

2.2 增强版实现：处理边界情况

def get_physical_address_enhanced(pid, virtual_address): page_size = os.sysconf('SC_PAGESIZE') offset = (virtual_address // page_size) * 8 try: with open(f"/proc/{pid}/pagemap", "rb") as f: f.seek(offset) entry_bytes = f.read(8) if len(entry_bytes) != 8: raise ValueError("Failed to read full pagemap entry") entry = struct.unpack('<Q', entry_bytes)[0] if not (entry & (1 << 63)): return None # 页不在物理内存中 pfn = entry & 0x7FFFFFFFFFFFFF if pfn == 0: return None # 零页特殊处理 return (pfn * page_size) + (virtual_address % page_size) except PermissionError: print("Error: Need root privileges to read pagemap") return None except FileNotFoundError: print(f"Error: Process {pid} doesn't exist") return None

2.3 实际应用示例：分析进程内存布局

def analyze_process_memory(pid): """分析进程内存区域及其物理映射情况""" page_size = os.sysconf('SC_PAGESIZE') with open(f"/proc/{pid}/maps", "r") as maps_file: for line in maps_file: parts = line.split() addr_range = parts[0] perms = parts[1] start, end = [int(x, 16) for x in addr_range.split('-')] print(f"Range: {addr_range} Perms: {perms}") # 采样检查每个区域的几个页 for vaddr in range(start, min(start + 4*page_size, end), page_size): phys_addr = get_physical_address_enhanced(pid, vaddr) status = "Mapped" if phys_addr else "Not in RAM" print(f" VA: {hex(vaddr)} -> PA: {hex(phys_addr) if phys_addr else status}")

3. C++实现：高性能系统级工具

对于需要高性能的场景，C++是更好的选择。下面我们实现一个更底层的工具。

3.1 基础C++实现

#include <iostream> #include <fstream> #include <unistd.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <cstdint> uint64_t virtual_to_physical(pid_t pid, uint64_t vaddr) { const long page_size = sysconf(_SC_PAGESIZE); const uint64_t page_offset = vaddr / page_size; const uint64_t pagemap_offset = page_offset * sizeof(uint64_t); char pagemap_path[256]; snprintf(pagemap_path, sizeof(pagemap_path), "/proc/%d/pagemap", pid); int fd = open(pagemap_path, O_RDONLY); if (fd == -1) { perror("open pagemap"); return 0; } if (lseek(fd, pagemap_offset, SEEK_SET) == -1) { perror("lseek"); close(fd); return 0; } uint64_t entry; if (read(fd, &entry, sizeof(entry)) != sizeof(entry)) { perror("read"); close(fd); return 0; } close(fd); if (!(entry & (1ULL << 63))) { return 0; // Page not present } uint64_t pfn = entry & ((1ULL << 55) - 1); return (pfn * page_size) + (vaddr % page_size); }

3.2 优化版C++实现

#include <sys/mman.h> #include <vector> class PagemapReader { public: explicit PagemapReader(pid_t pid) : pid_(pid) { char path[256]; snprintf(path, sizeof(path), "/proc/%d/pagemap", pid_); fd_ = open(path, O_RDONLY); if (fd_ == -1) { throw std::runtime_error("Failed to open pagemap"); } page_size_ = sysconf(_SC_PAGESIZE); buffer_.resize(1024 * sizeof(uint64_t)); // 8KB buffer } ~PagemapReader() { if (fd_ != -1) close(fd_); } uint64_t get_physical_address(uint64_t vaddr) { const uint64_t page_offset = vaddr / page_size_; const uint64_t pagemap_offset = page_offset * sizeof(uint64_t); if (lseek(fd_, pagemap_offset, SEEK_SET) == -1) { throw std::runtime_error("Seek failed"); } uint64_t entry; if (read(fd_, &entry, sizeof(entry)) != sizeof(entry)) { throw std::runtime_error("Read failed"); } if (!(entry & (1ULL << 63))) { return 0; // Page not present } uint64_t pfn = entry & ((1ULL << 55) - 1); return (pfn * page_size_) + (vaddr % page_size_); } std::vector<uint64_t> batch_get_physical(const std::vector<uint64_t>& vaddrs) { std::vector<uint64_t> results; results.reserve(vaddrs.size()); for (auto vaddr : vaddrs) { results.push_back(get_physical_address(vaddr)); } return results; } private: pid_t pid_; int fd_ = -1; long page_size_; std::vector<char> buffer_; };

3.3 使用示例：内存分析工具

#include <iostream> #include <iomanip> void analyze_process_memory(pid_t pid) { try { PagemapReader reader(pid); std::ifstream maps(std::string("/proc/") + std::to_string(pid) + "/maps"); std::string line; while (std::getline(maps, line)) { std::istringstream iss(line); std::string addr_range, perms, offset, dev, inode, pathname; iss >> addr_range >> perms >> offset >> dev >> inode >> pathname; size_t dash_pos = addr_range.find('-'); uint64_t start = std::stoull(addr_range.substr(0, dash_pos), nullptr, 16); uint64_t end = std::stoull(addr_range.substr(dash_pos+1), nullptr, 16); std::cout << "Range: " << addr_range << " Perms: " << perms << "\n"; // 检查每个区域的几个样本页 for (uint64_t vaddr = start; vaddr < start + 4096*4 && vaddr < end; vaddr += 4096) { uint64_t phys_addr = reader.get_physical_address(vaddr); std::cout << " VA: 0x" << std::hex << vaddr << " -> PA: 0x" << phys_addr << (phys_addr ? "" : " (not in RAM)") << "\n"; } } } catch (const std::exception& e) { std::cerr << "Error: " << e.what() << "\n"; } }

4. 高级应用与实战技巧

掌握了基础实现后，我们来看一些高级应用场景和优化技巧。

4.1 性能优化策略

处理大量地址转换时，性能至关重要：

批量读取：减少系统调用次数

def batch_read_pagemap(pid, vaddrs): page_size = os.sysconf('SC_PAGESIZE') offsets = [(va // page_size) * 8 for va in vaddrs] unique_offsets = sorted(set(offsets)) results = {} with open(f"/proc/{pid}/pagemap", "rb") as f: for offset in unique_offsets: f.seek(offset) entry = struct.unpack('Q', f.read(8))[0] results[offset] = entry return [results[offsets[i]] for i in range(len(vaddrs))]

内存映射：对于极高性能需求

class MappedPagemapReader { public: MappedPagemapReader(pid_t pid) { char path[256]; snprintf(path, sizeof(path), "/proc/%d/pagemap", pid); fd_ = open(path, O_RDONLY); if (fd_ == -1) throw std::runtime_error("open failed"); struct stat st; if (fstat(fd_, &st) == -1) throw std::runtime_error("fstat failed"); size_ = st.st_size; mapping_ = mmap(nullptr, size_, PROT_READ, MAP_PRIVATE, fd_, 0); if (mapping_ == MAP_FAILED) throw std::runtime_error("mmap failed"); } ~MappedPagemapReader() { if (mapping_ != MAP_FAILED) munmap(mapping_, size_); if (fd_ != -1) close(fd_); } uint64_t get_entry(uint64_t vaddr) const { const long page_size = sysconf(_SC_PAGESIZE); const uint64_t index = (vaddr / page_size) * sizeof(uint64_t); if (index >= size_) return 0; return *reinterpret_cast<uint64_t*>(static_cast<char*>(mapping_) + index); } private: int fd_ = -1; void* mapping_ = MAP_FAILED; size_t size_ = 0; };

4.2 实际调试案例：内存泄漏分析

假设我们有一个疑似内存泄漏的进程，可以这样分析：

定期采样进程的内存映射
记录物理页框号的变化
识别持续增长的物理内存区域

def track_memory_growth(pid, interval=5, samples=10): """跟踪进程物理内存增长情况""" page_size = os.sysconf('SC_PAGESIZE') snapshot = [] for _ in range(samples): current_pfns = set() with open(f"/proc/{pid}/maps", "r") as maps: for line in maps: if not line.strip(): continue parts = line.split() addr_range = parts[0] start, end = [int(x, 16) for x in addr_range.split('-')] # 采样每个区域的几个页 for vaddr in range(start, min(start + 4*page_size, end), page_size): phys = get_physical_address_enhanced(pid, vaddr) if phys: pfn = phys // page_size current_pfns.add(pfn) snapshot.append((time.time(), len(current_pfns))) time.sleep(interval) # 分析增长趋势 times, counts = zip(*snapshot) plt.plot(times, counts) plt.xlabel('Time (s)') plt.ylabel('Unique Physical Pages') plt.title(f'Process {pid} Physical Memory Growth') plt.show()

4.3 安全分析：检测可疑内存操作

安全研究人员可以通过pagemap检测：

未映射区域的可执行代码
可疑的内存共享模式
隐藏的代码注入

void detect_anomalies(pid_t pid) { MappedPagemapReader reader(pid); std::ifstream maps(std::string("/proc/") + std::to_string(pid) + "/maps"); std::unordered_map<uint64_t, int> pfn_counts; // 统计每个PFN被映射的次数 std::string line; while (std::getline(maps, line)) { std::istringstream iss(line); std::string addr_range, perms, offset, dev, inode, pathname; iss >> addr_range >> perms >> offset >> dev >> inode >> pathname; size_t dash_pos = addr_range.find('-'); uint64_t start = std::stoull(addr_range.substr(0, dash_pos), nullptr, 16); uint64_t end = std::stoull(addr_range.substr(dash_pos+1), nullptr, 16); // 检查可执行但非常规文件映射的区域 if ((perms.find('x') != std::string::npos) && (pathname.empty() || pathname.find("memfd:") != std::string::npos)) { std::cout << "Warning: Executable anonymous mapping: " << addr_range << "\n"; } // 统计PFN使用情况 for (uint64_t vaddr = start; vaddr < end; vaddr += 4096) { uint64_t entry = reader.get_entry(vaddr); if (entry & (1ULL << 63)) { // Present uint64_t pfn = entry & ((1ULL << 55) - 1); pfn_counts[pfn]++; } } } // 检测被多个虚拟地址映射的物理页(可能可疑) for (const auto& [pfn, count] : pfn_counts) { if (count > 1) { std::cout << "PFN " << pfn << " mapped " << count << " times\n"; } } }

查看全文

http://www.jsqmd.com/news/722482/