How to see the content of RAM memory?

windows linux memory
34,085

Solution 1

You could use a kernel debugger, which would allow for "raw" memory access, like SoftICE for Windows. You can also configure GDB to act as a debugger for the Linux kernel. If a virtual machine is an option, some virtualization software supports saving the machine's state (including RAM) to disk, which can then be further analyzed. It should be noted, however, that most "modern" operating systems use address space layout randomization (ASLR). The true physical memory map of the system is purposely fragmented to help mitigate various security issues and exploits (i.e. stack/heap buffer overflows).

For a given program running in a modern operating system, however, you could obtain a logical memory map for a given process/thread - so long as you have the appropriate debugging symbols and debugger. If you want an overall view, if the software/hardware uses virtual memory, the situation becomes drastically more complex. Again though, if you literally want what's just on the RAM, see the first paragraph.

Solution 2

On Windows, the contents of physical memory can be accessed through the \Device\PhysicalMemory object in the Object Manager. This requires kernel-level access to the system, which means you would need to install a program, most likely a kernel-mode driver, to access this object.

On Linux, the contents of physical memory can be directly accessed as binary data by reading /dev/mem as root. See What is /dev/mem? and the mem(4) man page for more details.

I'm not sure why you need to determine where the operating system and processes are located in physical memory, though...

Share:
34,085

Related videos on Youtube

osta
Author by

osta

Updated on September 18, 2022

Comments

  • osta
    osta over 1 year

    Is there any way to see the content of the RAM memory? From the first byte until the last one. I'd like to see where the OS and all the processes running on it are located in the RAM. Is this possible?

  • user1686
    user1686 over 11 years
    On Windows, you can, in fact, open \Device\PhysicalMemory (equivalent to /dev/kmem), as RAMMap and PhysMem utilities do.
  • Jamie Hanrahan
    Jamie Hanrahan about 9 years
    Not any more. As of Server 2003 and in all later versions, the \DevicePhysicalMemory object cannot be opened from user mode. RAMmap and most of the other sysinternals tools include a kernel mode driver to do that part of their work.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

malloc returns memory or virtual address space
How to check SD Card Class and other specs on Windows/Linux?
Why does my 32bit ubuntu see 8GB of RAM?
Flutter Desktop: how to hide a window (and keep the process alive)?
Flutter release to linux
Is it possible to write Windows/Linux/MacOS-specific code in Flutter?
Less RAM Available than installed on Centos 7
How can I find the amount of memory consumed by a process?
How to copy file from linux to windows server using c
How to limit memory usage within a python process