-----BEGIN PGP SIGNED MESSAGE-----

Please come to #!electronicsouls, we believe you may be skilled enough to fill in for dvorak while he is on holiday.

The Electronic Souls Crew [ElectronicSouls] (c) 2002
"Suckers make me lick."

On Fri, 29 Nov 2002 23:05:20 -0800 Michal Zalewski <lcamtufat_private> wrote:
>
> Fetchmem is a trivial Linux application, the kind of a command-line tool I
> was missing for a while - so maybe some readers will also find it useful.
> It's there not because it's advanced, simply because I had to code this in
> C for some specific tasks one time too many.
>
> In short, it can be used to dump entire process memory on demand without
> disrupting its execution - either immediately or at a nearest fault
> condition such as SIGSEGV - so the data can be examined directly using
> tools like diff, strings, grep, your favorite viewer, etc. This way,
> you're not forced to stick with inferior data examination and comparison
> capabilities of your debugger - debuggers are generally designed to
> simplify manual viewing of small portions of data at a time - and you can
> automate many audit tasks. It can be used to verify a binary is what it
> claims to be, can be used to detect runtime infections, spoofed
> /proc/pid/exe and so on. Curious ones can use it to look what an
> application, such as a daemon, retains in memory between sessions. Since
> memory dumps are considerably more complete than core files, it is
> possible to detect some fairly obscure tricks such as modifying read-only
> shared maps, for example libc, using ptrace.
>
> It is also possible to defer process dumps until SIGSEGV or a similar
> condition is encountered, so the tool is also useful for certain debugging
> tasks when the process won't dump core (rlimits, higher privileges used,
> cwd writability issues, custom signal handlers).
>
> Enough said. The tool can be downloaded from
> http://lcamtuf.coredump.cx/memfetch.tgz . Have a good weekend.
>
> --
> ------------------------- bash$ :(){ :|:&};: --
>  Michal Zalewski * [http://lcamtuf.coredump.cx]
>     Did you know that clones never use mirrors?
> --------------------------- 2002-11-29 22:47 --
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlMEARECABMFAj3ozTAMHGVzQGh1c2guY29tAAoJEN5nGqhGcjltX8IAn2VqFarK1FlV
QoIdyZB1vHWy6AXZAKCe7++mJFf78t+OYhNPGyae9oYPhw==
=1CIE
-----END PGP SIGNATURE-----
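As an added illustration of what a dumper like the one announced in the quoted post does, here is a small C program written for this archive page (it is not memfetch's source and not code from either poster). It walks /proc/PID/maps, copies every readable mapping out through /proc/PID/mem into one file per region so the result can be fed to strings, grep or diff, and separately re-reads each file-backed r-x mapping (the executable, libc, ld.so) from disk to flag the "patch a read-only shared map" trick mentioned above, which a core file would not reveal. Assumptions: Linux with /proc mounted; reading /proc/PID/mem for a process other than your own is subject to the kernel's ptrace access check (same uid and a permissive ptrace_scope, CAP_SYS_PTRACE, or a prior PTRACE_ATTACH), and unlike a real dumper this program never attaches to or stops the target, so a live target can be caught mid-change. The function names parse_maps_line, dump_process and verify_text_segments are mine.

```c
/* memdump_check.c: dump a process's readable mappings through /proc and check that its
 * executable file-backed mappings still match the files on disk.  Example for this page, not memfetch. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct mapping { uint64_t start, end, offset; char perms[5]; char path[4096]; };
static unsigned char mbuf[1 << 16], fbuf[1 << 16];
/* Parse one "start-end perms offset dev inode [path]" line; 1 on success, 0 if malformed. */
int parse_maps_line(const char *line, struct mapping *m)
{
    unsigned long long s, e, off; int n = 0;    /* %n records where the optional path starts */
    m->path[0] = '\0';
    if (sscanf(line, "%llx-%llx %4s %llx %*s %*s%n", &s, &e, m->perms, &off, &n) < 4 || n == 0)
        return 0;
    m->start = s; m->end = e; m->offset = off;
    const char *p = line + n;
    while (*p == ' ' || *p == '\t') p++;
    size_t len = strcspn(p, "\n");
    if (len >= sizeof m->path) len = sizeof m->path - 1;
    memcpy(m->path, p, len);
    m->path[len] = '\0';
    return 1;
}

/* Open /proc/PID/{maps,mem}; for a foreign pid the kernel applies the ptrace access check. */
static int open_proc(pid_t pid, FILE **maps, int *mem)
{
    char p[64];
    snprintf(p, sizeof p, "/proc/%d/maps", (int)pid);
    *maps = fopen(p, "r");
    snprintf(p, sizeof p, "/proc/%d/mem", (int)pid);
    *mem = open(p, O_RDONLY);
    if (*maps && *mem >= 0) return 1;
    if (*maps) fclose(*maps); if (*mem >= 0) close(*mem);
    return 0;
}

/* Write every readable mapping to dir/<start>-<end>.bin; returns regions written, -1 on /proc error. */
long dump_process(pid_t pid, const char *dir)
{
    FILE *maps; int mem; long count = 0; char line[4096 + 128], out[4096 + 64]; struct mapping m;
    if (!open_proc(pid, &maps, &mem)) return -1;
    while (fgets(line, sizeof line, maps)) {
        /* skip [vsyscall] (above INT64_MAX, outside pread()'s offset range) and huge untouched
         * reservations such as sanitizer shadow memory; a real tool would make the cap a flag */
        if (!parse_maps_line(line, &m) || m.perms[0] != 'r' || m.start > (uint64_t)INT64_MAX ||
            m.end - m.start > (1ULL << 30)) continue;
        snprintf(out, sizeof out, "%s/%016llx-%016llx.bin", dir,
                 (unsigned long long)m.start, (unsigned long long)m.end);
        FILE *f = fopen(out, "wb");
        if (!f) continue;
        for (uint64_t done = 0; done < m.end - m.start; ) {
            size_t want = m.end - m.start - done;
            if (want > sizeof mbuf) want = sizeof mbuf;
            ssize_t got = pread(mem, mbuf, want, (off_t)(m.start + done));
            if (got <= 0) break;   /* EIO on pages the kernel refuses ([vvar]): keep the partial region */
            fwrite(mbuf, 1, (size_t)got, f);
            done += (uint64_t)got;
        }
        fclose(f); count++;
    }
    fclose(maps); close(mem);
    return count;
}

/* Compare each file-backed r-x mapping with the file bytes at the same offset; returns how many differ. */
long verify_text_segments(pid_t pid)
{
    FILE *maps; int mem; long bad = 0; char line[4096 + 128]; struct mapping m;
    if (!open_proc(pid, &maps, &mem)) return -1;
    while (fgets(line, sizeof line, maps)) {
        if (!parse_maps_line(line, &m) || m.perms[0] != 'r' || m.perms[2] != 'x' || m.path[0] != '/')
            continue;
        int fd = open(m.path, O_RDONLY);
        if (fd < 0) continue;   /* "(deleted)" or unreadable file: nothing to compare against */
        for (uint64_t done = 0; done < m.end - m.start; ) {
            size_t want = m.end - m.start - done;
            if (want > sizeof mbuf) want = sizeof mbuf;
            ssize_t a = pread(mem, mbuf, want, (off_t)(m.start + done));
            ssize_t b = pread(fd, fbuf, want, (off_t)(m.offset + done));
            if (a <= 0 || b <= 0) break;   /* past EOF the mapping is zero-fill, not file content */
            size_t n = (size_t)(a < b ? a : b);
            if (memcmp(mbuf, fbuf, n) != 0) { bad++; break; }
            done += n;
        }
        close(fd);
    }
    fclose(maps); close(mem);
    return bad;
}

int main(int argc, char **argv)
{
    pid_t pid = argc > 1 ? (pid_t)atoi(argv[1]) : getpid();
    long bad = verify_text_segments(pid), n = dump_process(pid, argc > 2 ? argv[2] : ".");
    printf("pid %d: %ld region(s) dumped, %ld modified text mapping(s)\n", (int)pid, n, bad);
    return bad != 0;
}
```

Run it with no arguments to dump and check itself, or as ./memdump_check <pid> <dir> for another process you are allowed to trace; then strings, grep or diff the per-region files between two runs of the same daemon. A non-zero count from verify_text_segments means a code page in memory no longer matches the file it was mapped from. Rule out the boring explanation first: a library that was overwritten in place on disk after the process started will show up as a mismatch with no tampering involved (a library that was replaced rather than overwritten shows as "(deleted)" in maps and is skipped here because the old file can no longer be opened).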
This archive was generated by hypermail 2b30 : Sat Nov 30 2002 - 08:19:10 PST