Exploring RAM contents

Question

I am using a redis Database and would like to explore the contents of the RAM the application is using.

I feel the explanation of why I want to do this will make more sense then the question I would ask.

Redis is a simple key value store that stores binary data. I think it would be a good place to explore things like encoding and it would be interesting to me to do things like skimming over the RAM looking for binary sets of data, doing things like looking for simple patterns; maybe explore the idea of writing a baby query language that searched in RAM.

I had gotten this idea after reading the chapter in SICP about query languages.

Any thoughts on where to start? Initially, I want to ask "Give me the address space this application is running in, please" to the system.

Answer 1

cat /proc/[pid]/maps according to the proc manpages.

Looks like what you want. If you need the pid, grab that from ps or whatever other tool.

That addresses finding the address space in use. One of the fellows at defcon last year implemented createremotethread on linux. So you could do that...then read arbitrary memory that way.

Credit to psusi for pointing out that pmap -x [pid] is easier to read.

Answer 2

You can use gdb to access the memory of a process.

Also, you should have a look at the "/proc" filesystem - it contains pseudo files for every process; some of them may contain interesting information

Answer 3

Use a debugger, that's what they're for.

If you want to roll your own, it all goes through ptrace.

You can see a process's memory map (the table of contents for the memory) in /proc/$pid/maps and read the whole memory contents from /proc/$pid/mem. You can't just open that latter file normally, see How do I read from /proc/$pid/mem under Linux?