Last active
June 14, 2020 16:58
A small script to dump the memory of a process
#!/bin/bash
# Name: mem_dump.sh
# Description: A small script to dump the memory of a process
# Author: Thomas Cope
# ---
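# Require exactly two arguments (PID and dry-run flag); otherwise print the
# usage text and stop with status 1.
if [[ $# -ne 2 ]]; then
  # Usage is a diagnostic, so it goes to stderr and never mixes with output
  # a caller may be capturing. The quoted delimiter keeps the text literal.
  cat >&2 << 'EOF'
./mem_dump.sh pid dryrun
PID = PID you want to dump
dryrun = "yes" to just print the GDB commands or "no" to run gdb to dump the memory
Example:
./mem_dump.sh 1234 no
EOF
  exit 1
fi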
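# Print an error message and abort the script.
# Arguments: $1 - message text
# Outputs:   "./mem_dump.sh : error : <message>" on stderr
# Returns:   never returns; exits with status 2
crit() {
  printf '%s\n' "./mem_dump.sh : error : $1" >&2
  # Exit unconditionally: chaining the exit behind the write with && would
  # let the script carry on whenever the message could not be written.
  exit 2
}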
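# Preflight checks: gdb available, PID well-formed and alive, dry-run flag valid.
command -v gdb > /dev/null 2>&1 || crit "GDB is required and was not found"
[[ -z $1 ]] && crit 'Please specify the PID of the process as $1'
# The PID is later placed into /proc paths, the dump file name and the gdb
# command line, so accept decimal digits only.
[[ $1 =~ ^[0-9]+$ ]] || crit "Pid must be a number"
[[ ! -d /proc/$1 ]] && crit "Pid $1 not found"
# Fail closed: without this check any value other than "yes" (a typo
# included) would attach gdb to the target instead of doing a dry run.
case $2 in
  yes | no) ;;
  *) crit 'Please specify dryrun as "yes" or "no"' ;;
esac
# dumpit reads this flag to decide between printing and running gdb.
export dryrun=$2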
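# Dump one mapped region of a process to a file under /tmp.
# Globals:   dryrun (read) - "yes" prints the gdb command instead of running it
# Arguments: $1 - PID of the target process
#            $2 - one line of /proc/<pid>/maps ("start-end perms ...")
# Outputs:   the gdb command (dry run) or a success message on stdout;
#            a "skipped" notice on stderr when $2 has no address range
# Returns:   1 when $2 has no usable address range; exits through crit when
#            gdb leaves no dump file behind
dumpit() {
  local hex_range='^([0-9a-fA-F]+)-([0-9a-fA-F]+)$'
  # The range is the first space-separated field of the maps line. An empty
  # line (e.g. the process has no [heap] mapping) is skipped instead of
  # handing gdb the malformed addresses "0x 0x".
  if [[ ! ${2%% *} =~ $hex_range ]]; then
    printf '%s\n' "./mem_dump.sh : skipped : no address range for pid $1" >&2
    return 1
  fi
  local startAddr=${BASH_REMATCH[1]}
  local endAddr=${BASH_REMATCH[2]}
  local dumpFile="/tmp/mem_dump_pid_${1}_${startAddr}-${endAddr}.mem"

  if [[ $dryrun == "yes" ]]; then
    echo "dump memory $dumpFile 0x$startAddr 0x$endAddr"
    return
  fi

  # Remove whatever already sits at this path (rm unlinks a symlink itself,
  # not its target). This also stops a stale dump from an earlier run from
  # passing the success check below when gdb fails.
  rm -f -- "$dumpFile"
  # NOTE(review): the name under /tmp is predictable and the dump holds the
  # target's memory contents. umask 077 keeps the file private to the
  # invoking user, but a window remains between rm and gdb creating the
  # file; writing into a directory made with mktemp -d would close it.
  (
    umask 077
    # The original "2&>1 >/dev/null" passed a stray "2" argument to gdb and
    # created a file named "1"; this is the intended silencing of both streams.
    gdb --batch -pid "$1" \
      -ex "dump memory $dumpFile 0x$startAddr 0x$endAddr" > /dev/null 2>&1
  )
  if [[ -f $dumpFile && ! -L $dumpFile ]]; then
    echo "Memory dump pid:$1 data:${startAddr}-${endAddr} OK! Please see: $dumpFile"
  else
    crit "Failed to dump $1"
  fi
}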
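# Dump the stack, the heap and every mapping backed by the executable.
maps_file="/proc/$1/maps"

echo "Dumping Stack..."
dumpit "$1" "$(grep '\[stack\]' "$maps_file")"
echo "Dumping Heap..."
dumpit "$1" "$(grep '\[heap\]' "$maps_file")"
echo "Dumping Program..."
exe_path=$(readlink -f "/proc/$1/exe")
# An empty path would make grep -F match every line of the maps file, so
# stop here rather than dump regions that were never asked for.
[[ -n $exe_path ]] || crit "Unable to resolve the executable of pid $1"
# -F matches the path literally (dots and brackets in it are not regex
# syntax) and -- protects a path that starts with a dash; read -r keeps
# backslashes in the maps line intact.
while IFS= read -r p; do
  dumpit "$1" "$p"
done < <(grep -F -- "$exe_path" "$maps_file")
echo Done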