Dumping entire process memory to a file

Status
Not open for further replies.

778778

Technical User
Aug 29, 2002
20
GB

People,

How to dump a process' memory (code, data - everything connected to a process) to a binary file?

What utility shall I use and from where to get it?

I've read that pcat is something that can be useful, but I do not have it installed.

Regards
 
Are you familiar with the /proc file system?

Is the information you're looking for in there?

eg:
ps -ef | grep send
root 799 1 0 Jul24 ? 00:00:00 sendmail: accepting connections

ls /proc/799
cmdline cwd environ exe fd maps mem root stat statm status

more /proc/799/*
<SNIP>
::::::::::::::
cmdline
::::::::::::::
sendmail: accepting connections

*** cwd: directory ***

::::::::::::::
environ
::::::::::::::
ons


******** exe: Not a text file ********


*** fd: directory ***

::::::::::::::
maps
::::::::::::::
08048000-080b4000 r-xp 00000000 03:01 102940 /usr/sbin/sendmail
080b4000-080b8000 rw-p 0006b000 03:01 102940 /usr/sbin/sendmail
080b8000-08102000 rwxp 00000000 00:00 0
40000000-40016000 r-xp 00000000 03:01 128361 /lib/ld-135099 /lib/libnss_nisplus-2.2.4.so
40383000-40385000 r-xp 00000000 03:01 97152 /usr/lib/sasl/liblogin.so.0.0.5
40385000-40386000 rw-p 00001000 03:01 97152 /usr/lib/sasl/liblogin.so.0.0.5
40386000-40388000 r-xp 00000000 03:01 97153 /usr/lib/sasl/libplain.so.1.0.14
40388000-40389000 rw-p 00001000 03:01 97153 /usr/lib/sasl/libplain.so.1.0.14
bffd0000-c0000000 rwxp fffd1000 00:00 0
::::::::::::::
mem
::::::::::::::

*** root: directory ***

::::::::::::::
stat
::::::::::::::
799 (sendmail) S 1 799 799 0 -1 320 121444 9543 7 1493 0 1 0 0 9 0 0 360000 7141 4665344 417 4294967295 134512640 134951737 3221224792 3221216688 1075977022 0 0 4102 90625 3222546150 0 0 17 0
::::::::::::::
statm
::::::::::::::
422 417 298 41 0 376 119
::::::::::::::
status
::::::::::::::
Name: sendmail
State: S (sleeping)
Pid: 799
PPid: 1
TracerPid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
FDSize: 32
Groups: 0
VmSize: 4556 kB
VmLck: 0 kB
VmRSS: 1668 kB
VmData: 512 kB
VmStk: 192 kB
VmExe: 432 kB
VmLib: 3244 kB
SigPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 8000000000001006
SigCgt: 0000000000016201
CapInh: 0000000000000000
CapPrm: 00000000fffffeff
CapEff: 00000000fffffeff
<END SNIP>

Good Luck,
Laurie.
 

Laurie,

Thank you for your answer. I did find the /proc/<pid>/maps file, and I did gather the memory map from there.
I used gdb to attach to process, and "dump binary memory" command to dump it to file.

The memory was in 3 areas: 0x08048000 -- 0x08??????
0x40000000 -- 0x???????? and 0xBFFED000 -- 0xC0000000

I did successfully dump the first and the third memory, but the second one showed only zeros on the hex editor. Never mind, I finished what I needed.
Maybe there was an easier way for dumping the memory, but, I am a bit novice to Linux ;)))))

Regards.
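
The procedure worked out in this thread (take the region list from /proc/<pid>/maps, then dump each region to a file) can be scripted. The following Python is an added example, not part of any poster's message: it reads the regions through /proc/<pid>/mem rather than gdb, and the function names and the output layout (regions concatenated, with an index of file offsets) are assumptions of this example.

```python
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) ([r-][w-][x-][ps]) "
                     r"[0-9a-f]+ \S+ \d+\s*(.*)$")

# Constructed sample: 3 lines from the thread's maps output + 1 made-up no-read region.
SAMPLE_MAPS = """\
08048000-080b4000 r-xp 00000000 03:01 102940 /usr/sbin/sendmail
080b8000-08102000 rwxp 00000000 00:00 0
bffd0000-c0000000 rwxp fffd1000 00:00 0
40389000-4038a000 ---p 00000000 00:00 0
"""

def parse_maps(text):
    """Return (start, end, perms, path) for every well-formed maps line."""
    hits = (MAPS_RE.match(line.strip()) for line in text.splitlines())
    return [(int(m[1], 16), int(m[2], 16), m[3], m[4]) for m in hits if m]

def readable(regions):
    """Keep regions with the 'r' flag (guard/no-access regions are left out)."""
    return [r for r in regions if r[2].startswith("r")]

def dump_process(pid, out_path, chunk=1 << 20):
    """Concatenate readable regions into out_path; return (index, skipped)."""
    # Needs ptrace-level access to the target (same user or root). The target
    # keeps running, so stop it first if a consistent snapshot matters.
    with open(f"/proc/{pid}/maps") as f:
        regions = readable(parse_maps(f.read()))
    index, skipped = [], []
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem, \
            open(out_path, "wb") as out:
        for start, end, perms, path in regions:
            mark = out.tell()  # file offset where this region begins
            try:
                mem.seek(start)
                pos = start
                while pos < end:
                    data = mem.read(min(chunk, end - pos))
                    if not data:
                        raise OSError("short read")
                    out.write(data)
                    pos += len(data)
                index.append((mark, start, end, perms, path))
            except (OSError, OverflowError, ValueError):
                out.seek(mark)
                out.truncate()  # drop the partial region, keep offsets exact
                skipped.append((start, end, perms, path))
    return index, skipped
```

Call `dump_process(pid, path)` as the target's owner or root; each entry of the returned index maps a file offset back to the virtual address range it came from, and regions the kernel refused to read are listed in `skipped` instead of appearing as gaps.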
 