Script to dump the process memory of a given process on a Linux system to a file
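#!/bin/sh
#
# Version dump_proc_mem 0.0.1
# Author Jan Gru
# Copyright Copyright (c) Jan Gru
# License GNU General Public License
#
# Dumps the writable private mappings (rw-p regions of /proc/<PID>/maps) of a
# running process to stdout via gdb, logging progress and the SHA512 of the
# result to stderr.
#
# Usage:    dump_proc_mem <PID> > <outfile>
# Requires: root (ptrace on an arbitrary process), gdb, GNU date/sed/sha512sum.
# Exit:     0 on success or when printing usage; 1 on any error.

set -u

# Timestamp prefix used on every log line.
now() {
  date --iso-8601=seconds
}

# Log a message to stderr with a timestamp.  printf is used instead of
# echo "\t": dash interprets the escape, bash prints it literally.
log() {
  printf '%s\t%s\n' "$(now)" "$*" >&2
}

# Print an error to stderr and exit 1.
die() {
  printf 'Error: %s\n' "$*" >&2
  exit 1
}

# Checks, if root permissions
[ "$(id -u)" -eq 0 ] || die "needing root permissions!"

# Shows help, if no PID is given
if [ -z "${1:-}" ]; then
  printf 'Usage:\n\tdump_proc_mem <PID>\n\nExample:\n\t./dump_proc_mem 1137 > 1337.dmp\n'
  exit 0
fi
PID=$1

# Accept only a plain decimal PID: the value is spliced into /proc paths and
# into a gdb command line below, so anything else must be rejected up front.
case "$PID" in
  ''|*[!0-9]*) die "PID must be a positive integer, got '${PID}'" ;;
esac
[ -r "/proc/${PID}/maps" ] || die "cannot read /proc/${PID}/maps (process gone or not accessible)"
command -v gdb >/dev/null 2>&1 || die "gdb not found in PATH"

# Temporary file to append memory to.  The dump may contain credentials and
# keys, so: restrictive umask, unpredictable name (no symlink race in /tmp),
# and removal on every exit path once it has been copied to stdout.
umask 077
TMP=$(mktemp "${TMPDIR:-/tmp}/dump_proc_mem_${PID}.XXXXXX") || die "mktemp failed"
cleanup() {
  rm -f -- "$TMP"
}
trap cleanup EXIT
trap 'cleanup; exit 1' INT TERM HUP

# Reads memory addresses from /proc/<PID>/maps, one "<start>\t<stop>" pair per
# line (hex, no 0x prefix), keeping only rw-p regions.
memory_addresses=$(grep rw-p "/proc/${PID}/maps" \
  | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1\t\2/p')
# Without this guard the loop below would run once with empty bounds and hand
# gdb "0x 0x".
[ -n "$memory_addresses" ] || die "no rw-p mappings found for process ${PID}"

# Inform user about acquisition.  cmdline is NUL-separated; render as spaces.
log "Starting acquisition of process ${PID}"
log "Proc cmdline: \"$(tr '\0' ' ' < "/proc/${PID}/cmdline")\""

# Loops over the retrieved memory areas and dumps their content to the
# temporary file.  gdb's own output is discarded, but its exit status is
# checked so a region that could not be read shows up in the log instead of
# silently producing a short dump.  (The loop runs in a subshell; nothing
# assigned inside it is visible afterwards.)
printf '%s\n' "$memory_addresses" | while read -r start stop; do
  if [ -z "$start" ] || [ -z "$stop" ]; then
    continue
  fi
  log "Dumping $start - $stop"
  if ! gdb --batch --pid "$PID" -ex "append memory ${TMP} 0x${start} 0x${stop}" >/dev/null 2>&1; then
    log "Warning: gdb failed to dump region $start - $stop"
  fi
done

# Calculates the hash of the retrieved contents; an empty file means every
# region failed, which is an error rather than a valid (empty) acquisition.
[ -s "$TMP" ] || die "dump is empty: gdb could not read any region of process ${PID}"
log "Resulting SHA512: $(sha512sum "$TMP" | cut -d' ' -f1)"

# Cat the dumped content to stdout (the EXIT trap removes the temp copy).
cat "$TMP"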