@mxmlnkn mxmlnkn/pmemdump.sh
Last active Aug 4, 2019

Dump memory of running process
```bash
#!/bin/bash
function pmemdump()
{
    # Adapted from:
    #   https://serverfault.com/questions/173999/dump-a-linux-processs-memory-to-file
    # Example output for /proc/xxx/maps:
    #   d7d90000-d7ed0000 rwxp 00000000 00:00 0
    #   d8ab0000-d8bf0000 rwxp 00000000 00:00 0
    #   f4111000-f43b9000 rw-s 00000000 00:05 429195289 /SYSV00000000 (deleted)
    #   f4585000-f46f5000 rw-s 00000000 00:05 428310640 /SYSV00000000 (deleted)
    #   f4858000-f4b00000 rw-s 00000000 00:05 429293717 /SYSV00000000 (deleted)
    #   f4b00000-f4b21000 rw-p 00000000 00:00 0
    #   f4b21000-f4c00000 ---p 00000000 00:00 0
    #   f4c90000-f4e00000 rw-s 00000000 00:05 428015716 /SYSV00000000 (deleted)
    #   f4e00000-f4e21000 rw-p 00000000 00:00 0
    #   f4e21000-f4f00000 ---p 00000000 00:00 0
    #   f4f19000-f4f1a000 r--p 00000000 08:21 2622450 /lib/i386-linux-gnu/libnss_dns-2.28.so
    #   f4f1a000-f4f1e000 r-xp 00001000 08:21 2622450 /lib/i386-linux-gnu/libnss_dns-2.28.so
    #   f4f1e000-f4f1f000 r--p 00005000 08:21 2622450 /lib/i386-linux-gnu/libnss_dns-2.28.so
    local pid=$1
    # Refuse to run without a PID instead of creating a folder named "-dump-..."
    [ -n "$pid" ] || { echo "Usage: pmemdump <pid>" >&2; return 1; }
    local folder
    folder=$pid-dump-$( date +%Y-%m-%dT%H-%M-%S.%N )
    mkdir -- "$folder" || return 1
    # The idea behind the cleaner dump is that only mappings backed by a file or
    # shared-memory segment have a non-zero value in the inode column (the number
    # before the path), whereas the application's own anonymous memory has 0 there.
    # Keep a copy of the map so the dumped ranges can be matched to it later.
    cat "/proc/$pid/maps" > "$folder/map"
    # Print only the first column (the address range) as 0x-prefixed start and stop.
    sed -n -r 's|([0-9a-f]+)-([0-9a-f]+) .* 0 .*|0x\1 0x\2|p' "$folder/map" |
    while read -r start stop; do
        # skip_bytes/count_bytes make dd treat skip= and count= as byte values;
        # $(( ... )) converts the hexadecimal addresses to decimal.
        dd if="/proc/$pid/mem" bs="$( getconf PAGESIZE )" skip=$(( start )) count=$(( stop - start )) \
           iflag=skip_bytes,count_bytes of="$folder/mem_$start-$stop.bin"
    done
}
pmemdump "$@"
```
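The region selection can also be done field by field instead of with a regular expression. The following is an added example, not part of the original gist: `select_regions` and `sample_maps` are hypothetical names, the sample lines are copied from the example output in the script's comment, and skipping mappings without read permission (`---p`) is a filtering choice of this example that goes beyond what the gist does.

```shell
#!/bin/bash
# Added example: choose the regions to dump from /proc/<pid>/maps text.
# Reads maps lines on stdin and prints "0xSTART 0xSTOP SIZE_BYTES" for each
# mapping whose inode column is 0 and whose permissions include read.
select_regions()
{
    while read -r range perms offset dev inode path; do
        case $range in
            *[!0-9a-f-]* | *-*-* | -* | *- ) continue ;;  # not a hex range
            *-*) ;;                                       # looks like START-STOP
            *) continue ;;                                # blank or malformed
        esac
        # Non-zero inode: file-backed or SysV shared memory, not dumped.
        [ "$inode" = 0 ] || continue
        # Example's own choice: leave out mappings without read permission.
        case $perms in r*) ;; *) continue ;; esac
        start=0x${range%-*}
        stop=0x${range#*-}
        # Shell arithmetic accepts the 0x prefix, so the size comes out in bytes.
        echo "$start $stop $(( $stop - $start ))"
    done
}

# Sample input: five lines taken from the example output quoted in the script.
sample_maps()
{
    cat <<'EOF'
d7d90000-d7ed0000 rwxp 00000000 00:00 0
f4111000-f43b9000 rw-s 00000000 00:05 429195289 /SYSV00000000 (deleted)
f4b00000-f4b21000 rw-p 00000000 00:00 0
f4b21000-f4c00000 ---p 00000000 00:00 0
f4f19000-f4f1a000 r--p 00000000 08:21 2622450 /lib/i386-linux-gnu/libnss_dns-2.28.so
EOF
}

# Show which of the sample regions would be dumped, with their sizes.
sample_maps | select_regions
```

The third output column gives the number of bytes each dump file should contain, which can be compared against the size of the matching `mem_*.bin` file.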