
I am looking for a utility to dump the memory of a running process that I can then examine for strings.

In the past I have used pcat from The Coroner's Toolkit, but I am having a hard time finding a version that will work on RHEL 6.4 64bit. Given that TCT is in its twilight, is there a better utility to do this?

Edit: I am looking for a utility. I will use scripts to get what is needed if necessary, but I was hoping for a standalone tool that I could get from the standard repo that will allow an untrained user to grab the process's memory.

useSticks
    One of the answers in the duplicate mentions gcore, did you try that one? – terdon Jan 15 '14 at 16:37
  • gcore appears to have the memory in it that I am interested in. Add it as an answer and I will accept. Thanks! – useSticks Jan 15 '14 at 17:10
  • There's no reason to add it, your question has been closed as a duplicate of the other one and one of the answers there mentions gcore (I'd never heard of it). Glad you sorted it out. – terdon Jan 15 '14 at 17:12

1 Answer


With $p the pid of the process:

# Each maps line starts with "start-end" in hex; splitting on '-' and space
# gives the two addresses in a and b (the rest of the line lands in z).
# Dropping the last three hex digits (${a%???}) divides by 4096, so skip and
# count are expressed in 4 KiB pages, matching bs=4096.
while IFS='- ' read a b z; do
  dd bs=4096 skip="$((0x${a%???}))" count="$((0x${b%???}-0x${a%???}))" \
    if="/proc/$p/mem" 2> /dev/null > "$a-$b"
done < "/proc/$p/maps"

You may want to suspend the process first to get a consistent result.

That dumps every memory region in separate files which you can use strings on.

Some systems prevent processes from inspecting the memory of other processes (even from the same user) by default (see the kernel documentation for more info).

On those systems, you'll have to run the above as root or disable that restriction (not recommended on a permanent basis):

sysctl -w kernel.yama.ptrace_scope=0
  • Unfortunately, this does not work for me. I attempted to use this in a script on a Ubuntu box and it created lots of empty files.

    Debugging led to messages about "cannot skip to specified offset" and "No such process" re@ /proc/{pid}/mem.

    – useSticks Jan 15 '14 at 15:44
  • @useSticks, what about after issuing a sysctl -w kernel.yama.ptrace_scope=0 – Stéphane Chazelas Jan 15 '14 at 16:26
  • I received an error of kernel.yama.ptrace_scope is an unknown key on both the Ubuntu test and RHEL target machines. Thanks for your help though – useSticks Jan 15 '14 at 17:11
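The same maps-driven dump as the accepted answer, written as an added Python example (not code from the answer or the thread) so that non-readable regions are skipped and a failed read is reported per region instead of silently producing empty files. The maps text and file paths in SAMPLE_MAPS are constructed; region naming and the output directory layout are this example's own choices.

```python
import os
from pathlib import Path

# Constructed sample of /proc/<pid>/maps output (not captured from a real process).
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/example
00651000-00652000 rw-p 00051000 08:02 173521 /usr/bin/example
00e03000-00e24000 rw-p 00000000 00:00 0 [heap]
7ffc1a3fe000-7ffc1a400000 r--p 00000000 00:00 0 [vvar]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
"""

def parse_maps(text):
    """Parse maps lines into (start, end, perms, path) tuples; path may be ''."""
    regions = []
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue
        start, end = (int(x, 16) for x in fields[0].split('-'))
        path = fields[5].strip() if len(fields) == 6 else ''
        regions.append((start, end, fields[1], path))
    return regions

def readable_regions(regions):
    """Keep regions mapped readable; [vvar] and [vsyscall] are special mappings
    that cannot be read through /proc/<pid>/mem and would only give empty files."""
    return [r for r in regions
            if r[2][0] == 'r' and r[3] not in ('[vvar]', '[vsyscall]')]

def dump_process(pid, outdir):
    """Write each readable region of pid to outdir/<start>-<end>.
    Returns {region_name: bytes_written_or_errno}. Opening /proc/<pid>/mem
    fails with EPERM/EACCES when ptrace access is denied (e.g. yama
    ptrace_scope); a read of a region that vanished fails with EIO."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    maps = Path(f"/proc/{pid}/maps").read_text()
    results = {}
    fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        for start, end, _perms, _path in readable_regions(parse_maps(maps)):
            name = f"{start:x}-{end:x}"
            try:
                data = os.pread(fd, end - start, start)  # offset == virtual address
            except OSError as e:
                results[name] = e.errno
                continue
            (outdir / name).write_bytes(data)
            results[name] = len(data)
    finally:
        os.close(fd)
    return results
```

Run `dump_process(pid, "dump")` as a user allowed to ptrace the target (or as root), then run strings over the files in dump/; a region recorded with an errno rather than a byte count is one the kernel refused rather than one that was empty.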