Quote:
Originally Posted by Gayle29uk
Running on Linux. /proc was enough of a hint for me to find this on kerneltrap.org which appears as if it may do the trick.
Thanks queball, now to find out if what I want to do is even possible (I don't think so but hey, it's worth a shot).
If it helps, /proc/<pid>/mem is process memory, and /proc/<pid>/maps gives a clue as to what's interesting. You need to have ptrace'd that pid to access mem (plus you can always access your own process memory (/proc/self/mem)).
The following perl script will dump a process's memory to files in the current directory. Embarrassingly, I wouldn't know how to search a large file using perl, but by dumping each memory-mapped region you can use, for example, grep and hexdump.
Code:
#!/usr/bin/perl
use strict;
use warnings;
require 'syscall.ph';          # provides &SYS_ptrace (generated by h2ph)
use Fcntl 'SEEK_SET';

use constant PTRACE_ATTACH => 16;
use constant PTRACE_DETACH => 17;

sub attach($) {
    my ($pid) = @_;
    print "Attaching to process $pid.\n";
    my $result = syscall(&SYS_ptrace, PTRACE_ATTACH, $pid, 0, 0);
    die "ptrace(PTRACE_ATTACH): $!" if $result == -1;
    print "Attached. Waiting for process to stop.\n";
    $result = waitpid($pid, 0);
    die "waitpid returned $result." if $result != $pid;
    print "Process stopped.\n";
}

sub detach($) {
    my ($pid) = @_;
    syscall(&SYS_ptrace, PTRACE_DETACH, $pid, 0, 0) == -1
        and warn "ptrace(PTRACE_DETACH): $!";
}

my $pid = int($ARGV[0] // 0) or die "usage: dumpmem.pl pid\n";
attach $pid;

print "Accessing /proc.\n";
open my $MAPS, '<', "/proc/$pid/maps" or die "open maps: $!";
open my $MEM,  '<', "/proc/$pid/mem"  or die "open mem: $!";
binmode $MEM;

# Copy the region [$start, $end) into a file in the current directory
# named after the region's start address.
sub dumpmem($$) {
    my ($start, $end) = @_;
    unless (sysseek($MEM, $start, SEEK_SET)) {
        warn sprintf("sysseek to %x failed: %s\n", $start, $!);
        return;
    }
    open my $DUMP, '>', sprintf("%08x", $start) or die "open dump: $!";
    binmode $DUMP;
    my $data;
    while ($start < $end) {
        my $want = $end - $start < 4096 ? $end - $start : 4096;
        my $got = sysread($MEM, $data, $want);
        if (!defined $got) {    # e.g. [vsyscall], which cannot be read this way
            warn sprintf("read at %x failed: %s\n", $start, $!);
            last;
        }
        last if $got == 0;      # nothing more readable in this region
        defined syswrite($DUMP, $data, $got) or die "syswrite: $!";
        $start += $got;
    }
    close $DUMP;
}

print "Dumping memory.\n";
while (<$MAPS>) {
    # Address width differs between 32- and 64-bit kernels (8 vs up to 16
    # hex digits), so match any run of hex digits rather than exactly 8.
    /^([0-9a-f]+)-([0-9a-f]+)/i or die "Malformed map: $_";
    dumpmem(hex $1, hex $2);
}
detach $pid;
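As an added example (not part of the post above), here is the missing piece for the "search a large file in perl" question: a maps-line parser that copes with both 8- and 16-digit addresses, and a chunked search over a dump file that still finds a byte string straddling two reads. The maps line and the dump file are constructed here, not taken from a real process, and the 64 KiB chunk size is an arbitrary choice.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Parse one /proc/<pid>/maps line.  Address widths vary (8 hex digits on
# 32-bit, up to 16 on 64-bit), so match any run of hex digits.
sub parse_map_line {
    my ($line) = @_;
    $line =~ m{^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$}i
        or return;
    return { start => hex $1, end => hex $2, perms => $3, path => $4 };
}

# Find every occurrence of a literal byte string in a large dump file,
# reading 64 KiB at a time and carrying the last length($needle)-1 bytes
# forward so a match that straddles two reads is still found.
sub search_file {
    my ($file, $needle) = @_;
    open my $fh, '<:raw', $file or die "open $file: $!";
    my ($buf, $base, @hits) = ('', 0);   # $base = file offset of $buf[0]
    my $keep = length($needle) - 1;
    for (;;) {
        my $got = read($fh, $buf, 65536, length $buf);
        die "read $file: $!" unless defined $got;
        last unless $got;
        my $pos = 0;
        while (($pos = index($buf, $needle, $pos)) >= 0) {
            push @hits, $base + $pos++;
        }
        my $drop = length($buf) - $keep;          # keep only the tail
        if ($drop > 0) { substr($buf, 0, $drop, ''); $base += $drop; }
    }
    close $fh;
    return @hits;
}

# Constructed maps line (64-bit layout, not from a real process):
my $m = parse_map_line("7ffff7fc0000-7ffff7fc4000 rw-p 00000000 00:00 0 [stack]")
    or die "unparsed maps line";
printf "%x-%x %s %s\n", $m->{start}, $m->{end}, $m->{perms}, $m->{path};

# Constructed dump: 70000 zero bytes with the string "secret" at offset 100
# and again at 65533, i.e. across the 64 KiB read boundary.
my ($fh, $file) = tempfile(UNLINK => 1);
binmode $fh;
my $blob = "\0" x 70000;
substr($blob, $_, 6, 'secret') for 100, 65533;
print $fh $blob; close $fh;
printf "found at offsets: %s\n", join ', ', search_file($file, 'secret');
```

The same search_file can be pointed at each per-region file the dump script writes, with the region's start address added to each offset to recover the virtual address.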