Dump memory of a process
Solution 1
Nah! Call ptrace() with PTRACE_ATTACH. Then open /proc/<pid>/mem, seek to the region offset, and read the length of the region as given in /proc/<pid>/maps.
Here's a program I wrote that does it in C. Here's a module I wrote that does it in Python (and the ptrace binding). For the finish, a program that dumps all regions of a process to files.
Enjoy!
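The procedure from Solution 1, as an added example that is not the answerer's linked code: attach with PTRACE_ATTACH, parse /proc/<pid>/maps, then seek to and read each readable region from /proc/<pid>/mem. It assumes Linux and a caller permitted to ptrace the target (same user or CAP_SYS_PTRACE, subject to Yama's ptrace_scope); parse_maps and dump_regions are names chosen here.

```python
# Added example (not the answerer's code); function names are this example's own.
import ctypes, os, re, sys
PTRACE_ATTACH, PTRACE_DETACH = 16, 17  # request values from <sys/ptrace.h> on Linux
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) ([0-9a-f]+) (\S+) (\d+)\s*(.*)$")

def parse_maps(text):
    """Return (start, end, perms, path) for each line of /proc/<pid>/maps."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            regions.append((int(m[1], 16), int(m[2], 16), m[3], m[7]))
    return regions

def _ptrace(request, pid):
    libc = ctypes.CDLL(None, use_errno=True)
    libc.ptrace.argtypes = [ctypes.c_long, ctypes.c_long, ctypes.c_void_p, ctypes.c_void_p]
    libc.ptrace.restype = ctypes.c_long
    if libc.ptrace(request, pid, None, None) == -1:
        raise OSError(ctypes.get_errno(), "ptrace request %d failed" % request)

def dump_regions(pid, outdir, attach=True):
    """Write every readable region of pid to outdir/<start>-<end>.bin."""
    if attach:
        _ptrace(PTRACE_ATTACH, pid)
        os.waitpid(pid, 0)  # block until the tracee has actually stopped
    written = []
    try:
        with open(f"/proc/{pid}/maps") as f:
            regions = parse_maps(f.read())
        with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
            for start, end, perms, path in regions:
                if not perms.startswith("r"):
                    continue  # unreadable mapping, nothing to dump
                try:
                    mem.seek(start)
                    data = mem.read(end - start)  # length = end - start from maps
                except (OSError, OverflowError, ValueError):
                    continue  # some kernel-provided mappings cannot be read this way
                name = os.path.join(outdir, f"{start:x}-{end:x}.bin")
                with open(name, "wb") as out:
                    out.write(data)
                written.append(name)
    finally:
        if attach:
            _ptrace(PTRACE_DETACH, pid)  # let the target resume
    return written

if __name__ == "__main__":
    print("\n".join(dump_regions(int(sys.argv[1]), sys.argv[2])))
```

Run it as the script followed by the target PID and an existing output directory; the target stays stopped while attached and resumes on detach.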
Solution 2
You can attach gdb to the process then dump a memory region of length X words starting at location L with this: x/Xw L.
Attaching gdb when you start your process is simple: gdb ./executable then run. If you need to attach to a running process, start gdb then gdb attach pid where pid is the process ID you care about.
Solution 3
Using dd(1):
sudo dd if=/dev/mem bs=1 skip=$(( 16#0059e000 - 1 )) \
count=$(( 16#005b1000 - 16#0059e000 + 1)) | hexdump -C
Comments
-
mathk almost 2 years
When reading the /proc/$PID/maps you get the mapped memory regions. Is there a way to dump one of these regions?
$ cat /proc/18448/maps
...[snip]...
0059e000-005b1000 r-xp 00000000 08:11 40 /usr/local/lib/libgstlightning.so.0.0.0
005b1000-005b2000 r--p 00012000 08:11 40 /usr/local/lib/libgstlightning.so.0.0.0
005b2000-005b3000 rw-p 00013000 08:11 40 /usr/local/lib/libgstlightning.so.0.0.0
...[snip]...
Thanks
-
mathk almost 14 years
Thanks, :) I haven't thought about it
-
Matthew Slattery almost 14 years
You can use a command line argument to attach to a running process: gdb -p <pid>.
-
nmichaels almost 14 years
Good to know. I've only used gdb seriously for remote targets.