Dump memory of running process
#!/bin/bash
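pmemdump() {
  # Dump selected memory regions of a running process into a new directory.
  #
  # Adapted from:
  # https://serverfault.com/questions/173999/dump-a-linux-processs-memory-to-file
  #
  # Arguments: $1 - numeric PID of the process to dump
  # Outputs:   creates ./<pid>-dump-<timestamp>/ containing
  #              map                     copy of /proc/<pid>/maps
  #              mem_<start>-<stop>.bin  one file per dumped region
  # Returns:   2 if $1 is not a number, 1 if /proc/<pid> does not exist,
  #            the failing command's status if setup fails, otherwise the
  #            status of the last dd invocation.
  #
  # The dump is the process's raw memory and can contain credentials, keys
  # and other secrets, so the directory is created with mode 0700.
  # Reading /proc/<pid>/mem needs ptrace-level access to the target
  # (typically root, or the same user where the system's ptrace policy
  # allows it).
  #
  # Example output for /proc/xxx/maps:
  # d7d90000-d7ed0000 rwxp 00000000 00:00 0
  # d8ab0000-d8bf0000 rwxp 00000000 00:00 0
  # f4111000-f43b9000 rw-s 00000000 00:05 429195289 /SYSV00000000 (deleted)
  # f4585000-f46f5000 rw-s 00000000 00:05 428310640 /SYSV00000000 (deleted)
  # f4858000-f4b00000 rw-s 00000000 00:05 429293717 /SYSV00000000 (deleted)
  # f4b00000-f4b21000 rw-p 00000000 00:00 0
  # f4b21000-f4c00000 ---p 00000000 00:00 0
  # f4c90000-f4e00000 rw-s 00000000 00:05 428015716 /SYSV00000000 (deleted)
  # f4e00000-f4e21000 rw-p 00000000 00:00 0
  # f4e21000-f4f00000 ---p 00000000 00:00 0
  # f4f19000-f4f1a000 r--p 00000000 08:21 2622450 /lib/i386-linux-gnu/libnss_dns-2.28.so
  # f4f1a000-f4f1e000 r-xp 00001000 08:21 2622450 /lib/i386-linux-gnu/libnss_dns-2.28.so
  # f4f1e000-f4f1f000 r--p 00005000 08:21 2622450 /lib/i386-linux-gnu/libnss_dns-2.28.so
  local pid=${1-}
  local folder page_size start stop

  # Reject anything that is not a plain number before it is spliced into
  # /proc paths and into the name of the output directory.
  if [[ ! $pid =~ ^[0-9]+$ ]]; then
    printf 'usage: pmemdump <pid>\n' >&2
    return 2
  fi
  if [[ ! -d /proc/$pid ]]; then
    printf 'pmemdump: no such process: %s\n' "$pid" >&2
    return 1
  fi

  folder="$pid-dump-$(date +%Y-%m-%dT%H-%M-%S.%N)"
  # 0700: keep the dumped memory unreadable to other local users.
  mkdir -m 0700 -- "$folder" || return
  cat "/proc/$pid/maps" > "$folder/map" || return
  # Hoisted out of the loop: the page size does not change between regions.
  page_size=$(getconf PAGESIZE) || return

  # The idea behind the cleaner dump is to skip file-backed mappings: the sed
  # filter keeps only lines that contain a standalone " 0 " field after the
  # address range and prints just the two addresses. In the example above
  # that field is the inode column, which is 0 for mappings that are not
  # backed by a file (the original note described it as a size).
  # A region dd cannot read only produces a dd error; the loop continues.
  sed -n -r 's|([0-9a-f]+)-([0-9a-f]+) .* 0 .*|0x\1 0x\2|p' "$folder/map" |
    while read -r start stop; do
      # skip_bytes/count_bytes (GNU dd) make skip= and count= byte values,
      # so the region is addressed directly while bs stays one page.
      dd if="/proc/$pid/mem" bs="$page_size" \
        skip=$(( start )) count=$(( stop - start )) \
        iflag=skip_bytes,count_bytes of="$folder/mem_$start-$stop.bin"
    done
}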
# Entry point: pass the script's command-line arguments (the target PID)
# straight through to pmemdump.
pmemdump "$@"