From: utzoo!decvax!cca!ima!johnl
Newsgroups: net.unix-wizards
Title: Re: kernel memory tomfoolery - (nf)
Article-I.D.: ima.274
Posted: Mon Jan  3 03:25:32 1983
Received: Tue Jan  4 01:38:52 1983

#R:houxq:-23200:ima:9200001:000:1248
ima!johnl    Jan  2 19:03:00 1983

If you really want to look at kmem (and your system allows you to do so)
then the usual procedure is:

     -- use nlist() to extract symbols from /unix, to find out where
	in memory stuff is.  Note that this can fail if the system was
	booted from somewhere else.
     -- The system data structures are mostly defined by include files
	in /usr/include/sys.  There is no substitute for reading kernel
	code to find out what stuff actually means.  If you have no
	sources, sorry, you lose.
     -- Open /dev/kmem, seek to the right place, and copy stuff in.
     -- Do what you will.

Look at the source code for the "ps" command for an extended example of
this sort of thing.  The convoluted and ugly code you find there is
typical of what happens when you deal with kmem.  The Berklix "renice"
command is an example of patching kmem; it lowers a process' priority.

The most legitimate uses of kmem reading appear to be programs like "ps"
and "iostat."  Kmem patching seems useful only for hacks like renice and
somewhat for debugging kernel code.  It is my strong impression that
system managers that allow significant use of kmem patching usually live
to regret it.

John Levine, decvax!yale-co!jrl, ucbvax!cbosgd!ima!johnl, Levine@YALE (arpa).
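
The read side of the procedure above, as an added example that is not part of the original post or of any "ps" source: resolve a symbol, open the memory device read-only, seek, copy in, and refuse to continue when the namelist does not describe the running kernel (the "booted from somewhere else" case). Assumptions: struct sym and sample_tab are hypothetical stand-ins for what nlist() returns, a constructed file stands in for /dev/kmem, and the _version symbol, the sample version string and all function names are illustrative.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical stand-in for the struct nlist array that nlist() fills in; as
 * with nlist(), value 0 means "not found". sample_tab is constructed. */
struct sym { const char *name; long value; };
const struct sym sample_tab[] = { {"_version", 0x40}, {"_proc", 0}, {NULL, 0} };

/* Address of a symbol, or -1 if the namelist did not resolve it. */
long sym_addr(const struct sym *tab, const char *name) {
    for (; tab->name != NULL; tab++)
        if (strcmp(tab->name, name) == 0 && tab->value != 0) return tab->value;
    return -1;
}

/* Open read-only, seek, copy in. A short read is an error, so a partly
 * filled structure is never interpreted. Returns 0 or -1. */
int kread(const char *mem, long addr, void *buf, size_t len) {
    int fd, ok;
    if (addr < 0 || (fd = open(mem, O_RDONLY)) < 0) return -1;
    ok = lseek(fd, (off_t)addr, SEEK_SET) == (off_t)addr &&
         read(fd, buf, len) == (ssize_t)len;
    close(fd);
    return ok ? 0 : -1;
}

/* Guard for a namelist from the wrong kernel: the version string in memory
 * must equal the one from the symbol file. 1 match, 0 mismatch, -1 error. */
int namelist_matches(const char *mem, const struct sym *tab, const char *want) {
    char got[64] = {0};
    size_t len = strlen(want) + 1;
    if (len > sizeof got || kread(mem, sym_addr(tab, "_version"), got, len) != 0)
        return -1;
    return memcmp(got, want, len) == 0;
}

/* Constructed sample: a 256-byte file standing in for /dev/kmem. */
int make_sample_image(const char *path) {
    char img[256] = {0};
    size_t n;
    FILE *f = fopen(path, "wb");
    if (f == NULL) return -1;
    strcpy(img + 0x40, "sample kernel #1");
    n = fwrite(img, 1, sizeof img, f);
    return (fclose(f) == 0 && n == sizeof img) ? 0 : -1;
}
```

A caller would run namelist_matches() once after the symbol lookup and stop on anything other than 1, since every later address depends on the same table.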