Re: Imaging a "live" system

From: Seth Arnold (sarnoldat_private)
Date: Sat Jun 22 2002 - 17:26:30 PDT


    On Fri, Jun 21, 2002 at 11:54:48AM -0700, Kohlenberg, Toby wrote:
    > The problem I have yet to hear a decent solution for is how to get a
    > dump of what is in memory off a running system when you don't
    > necessarily have root control over the system. 
    
    Yikes; this is a difficult situation. /dev/kmem and /dev/mem on the
    machines I've seen are always restricted to root-only access. Any user
    process that tries to access memory will fail.
    
    So, I think you are stuck either getting the root password, or cracking
    root through a vulnerability.
    
    One other possibility that comes to mind is the sleep state or software
    suspend state available in some operating systems. If you can throw the
    machine into this state somehow, it will save much or all of its state
    to hard drive where analysis is going to be easier.
    
    Some machines have interactive debugging turned on for their kernels.
    You could hit some magic key sequence, depending upon the debugger, and
    gain quick and easy access to the kernel. I don't know if Solaris has
    one, but if the free software versions are any indication of
    availability, it won't be available by default -- someone has to take an
    explicit action to get this kernel installed, and if you are asking to
    make an image of the system without root password, I'd wager you don't
    have access to a kernel debugger either. :(
    
    One final possibility is hardware-level access. If you could insert
    probes into the memory lines, you could read keys that way. I seem to
    recall reading about an MIT student who did something similar to unlock
    the X-Box. It might be more than you care to deal with. :)
    
    Good luck, Toby
    
    -- 
    http://www.wirex.com/
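The post's first point, that /dev/mem and /dev/kmem are root-only and any user process that tries to open them fails, is easy to confirm on the target before wasting time on it. The following script is an added example written for this archive page; it is not from Seth's post or from any project the post mentions. It does two things for each device node: it predicts readability from the mode bits (plain Unix DAC with the root override) and then actually attempts an O_RDONLY open and reports the outcome. The `/proc/kcore` entry in the list is an assumption added here (the post only names /dev/mem and /dev/kmem); it is a Linux-specific ELF view of kernel memory and is also root-only on every system I know of.

```python
"""Probe whether the current user can read raw-memory device nodes.

Added example for the "Imaging a live system" thread; not code from the post.
"""
import errno
import os
import stat

# /dev/mem and /dev/kmem are the nodes named in the post.
# /proc/kcore is an added assumption (Linux-only, not mentioned in the post).
MEMORY_SOURCES = ["/dev/mem", "/dev/kmem", "/proc/kcore"]


def can_read_by_bits(mode, file_uid, file_gid, uid, gids):
    """Pure Unix discretionary-access check for read.

    root (uid 0) bypasses the mode bits entirely; otherwise exactly one of
    the owner / group / other triplets applies, in that order of precedence.
    `mode` is the permission bits only (stat.S_IMODE), `gids` is the set of
    groups the calling user belongs to.
    """
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def probe(path, uid=None, gids=None):
    """Return (predicted, actual) for one path.

    predicted: what the mode bits say for the given uid/gids
               ('readable' / 'denied' / 'absent')
    actual:    what a real open(2) returned ('readable' / 'denied' /
               'absent' / 'error:<ERRNO>')
    uid/gids default to the calling process's effective identity.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ("absent", "absent")

    if uid is None:
        uid = os.geteuid()
    if gids is None:
        gids = set(os.getgroups()) | {os.getegid()}

    readable = can_read_by_bits(stat.S_IMODE(st.st_mode), st.st_uid,
                                st.st_gid, uid, set(gids))
    predicted = "readable" if readable else "denied"

    try:
        fd = os.open(path, os.O_RDONLY)
    except PermissionError:
        actual = "denied"                      # EACCES / EPERM
    except OSError as exc:
        # e.g. ENXIO when the node exists but the driver is absent
        actual = "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    else:
        os.close(fd)
        actual = "readable"
    return (predicted, actual)


def probe_all(paths=MEMORY_SOURCES):
    """Probe every path and return {path: (predicted, actual)}."""
    return {p: probe(p) for p in paths}


if __name__ == "__main__":
    for path, (predicted, actual) in probe_all().items():
        print(f"{path:<12} mode-bits say: {predicted:<9} open(2) says: {actual}")
```

A mismatch between the two columns is itself informative: an open that succeeds where the bits say "denied" means something other than plain DAC is in play (you are already root, or an ACL or capability grants it); an open that fails where the bits say "readable" points at a kernel-side restriction rather than the file permissions. Note that on current Linux kernels even a successful root open of /dev/mem does not mean the whole of RAM is readable, since CONFIG_STRICT_DEVMEM limits reads to non-kernel ranges.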
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jun 25 2002 - 09:54:57 PDT