Fetchmem is a trivial Linux application, the kind of a command-line tool I was missing for a while - so maybe some readers will also find it useful. It's there not because it's advanced, simply because I had to code this in C for some specific tasks one time too many. In short, it can be used to dump entire process memory on demand without disrupting its execution - either immediately or at a nearest fault condition such as SIGSEGV - so the data can be examined directly using tools like diff, strings, grep, your favorite viewer, etc. This way, you're not forced to stick with inferior data examination and comparison capabilities of your debugger - debuggers are generally designed to simplify manual viewing of small portions of data at a time - and you can automate many audit tasks. It can be used to verify a binary is what it claims to be, can be used to detect runtime infections, spoofed /proc/pid/exe and so on. Curious ones can use it to look what an application, such as a daemon, retains in memory between sessions. Since memory dumps are considerably more complete than core files, it is possible to detect some fairly obscure tricks such as modifying read-only shared maps, for example libc, using ptrace. It is also possible to defer process dumps until SIGSEGV or a similar condition is encountered, so the tool is also useful for certain debugging tasks when the process won't dump core (rlimits, higher privileges used, cwd writability issues, custom signal handlers). Enough said. The tool can be downloaded from http://lcamtuf.coredump.cx/memfetch.tgz . Have a good weekend. -- ------------------------- bash$ :(){ :|:&};: -- Michal Zalewski * [http://lcamtuf.coredump.cx] Did you know that clones never use mirrors? --------------------------- 2002-11-29 22:47 -- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Fri Nov 29 2002 - 23:43:22 PST