Dump memory of a process

Question

When reading the /proc/$PID/maps you get the mapped memory regions. Is ther a way to dump one of this regions?

$ cat /proc/18448/maps
...[snip]...
0059e000-         


        

Answer 1

You can attach gdb to the process then dump memory region of length X words starting at location L with this: x/Xw L.

Attaching gdb when you start your process is simple: gdb ./executable then run. If you need to attach to a running process, start gdb then gdb attach pid where pid is is the process ID you care about.

Answer 2

Nah! Call ptrace() with PTRACE ATTACH. Then open /proc/<pid>/mem, seek to the region offset, and read the length of the region as given in /proc</pid>/maps.

Here's a program I wrote that does it in C. Here's a module I wrote that does it in Python (and the ptrace binding). For the finish, a program that dumps all regions of a process to files.

Enjoy!

Answer 3

Using dd(1):

sudo dd if=/dev/mem bs=1 skip=$(( 16#0059e000 - 1 )) \
        count=$(( 16#005b1000 - 16#0059e000 + 1)) | hexdump -C