• Home
  • History
  • Annotate
Name Date Size #Lines LOC

..03-May-2022-

COPYINGH A D04-May-200017.6 KiB341281

MakefileH A D20-Oct-2003671 3015

READMEH A D20-Oct-20033.3 KiB6952

memfetch.cH A D03-May-20228.9 KiB327234

mffind.plH A D03-May-20221,021 3719

README

1
2memfetch - Linux on-demand process image dump
3---------------------------------------------
4
5Copyright (C) 2002, 2003 by Michal Zalewski <lcamtuf@coredump.cx>
6Distributed under terms and conditions of GNU Public License version 2.
7
8=============================================================================
9
10Memfetch is a very simple utility that can be used to dump process memory of
11any userspace process running on the system without affecting its execution.
12Why bother? Well, quite often it is desirable to see what code and what data
13actually resides in memory under some pid (/proc entries are not always
14accurate). Debuggers like gdb are pretty good for examining small sections
15of code or memory, but are pretty much useless for massive comparison,
16sophisticated searches and such. It's good to be able to retrieve full
17memory image to run it thru grep, strings, your favorite viewer or any other
18tool. Quite obviously, I developed this code not because it's extremely
19difficult to do it on your own, but because it is a valuable shell utility
20for all kinds of deep hacking activities that simply saves you time.
21
22Memfetch is a convenient screenshot grabber for ssh or screen sessions, by
23the way ;-)
24
25The tool can be also used to retrieve memory dump on fault conditions -
26such as segmentation fault - even if core file won't be generated on
27kernel level (rlimit settings, custom signal handlers, setuid or otherwise
28privileged code, cwd permissions, etc). With its extra option, -s, the
29program will wait until SIGSEGV, SIGPIPE, SIGILL, SIGFPE or SIGBUS is
30delivered to a monitored process before taking a snapshot.
31
32Memory is dumped in a set of files - mfetch.lst describes all files,
33including their mapping addresses and source. map*.bin files are a copy of all
34non-anonymous maps (shared libraries, mostly). This is a useful piece
35of information you won't find in a core dump - while this data is generally
36not supposed to be different from file contents (with exceptions), it's also
37an interesting attack vector... Finally, mem*.bin files are anonymous memory
38blocks, most likely code, stack and heap segments. I think it's much easier
39to parse and more complete this way.
40
41Limitations, bugs and requirements:
42
43  1) Only Linux supported; 2.2 or later is strongly recommended, as
44     map detection won't work properly on 2.0. Thanks to Linus, it is
45     no longer possible to mmap /proc/pid/mem on 2.4, so expect things
46     to work slower. Well done.
47
48  2) /proc filesystem has to be mounted.
49
50  3) You cannot generate a dump of a process that is already traced with
51     a ptrace-based debugger like strace, ltrace or gdb.
52
53  4) Do not use -s option on a hostile code; -s is intended for debugging
54     fault conditions in casual code, and can be easily detected by any
55     baseline anti-debugging routine.
56
57  5) There's a dumb kernel 2.2 and 2.4 bug - literal \n is not
58     escaped in any way in /proc/pid/maps. Not a big deal, but it's there
59     and may be used to trick this program into "seeing things".
60
61  6) Because ptrace() interface stinks, you cannot use -s in conjunction
62     with threads.
63
64  7) On Linux 2.2, dumping threds using mmap() can cause wonderful system
65     hanging in some cases. Use -m option (slower) to avoid this.
66
67Please send your comments, bug-reports, enhancements and, as always,
68chocolate, to lcamtuf@coredump.cx
69