Dump memory of a process

mathk picture mathk · Jul 27, 2010 · Viewed 11.9k times · Source

When reading the /proc/$PID/maps you get the mapped memory regions. Is ther a way to dump one of this regions?

$ cat /proc/18448/maps
...[snip]...
0059e000-005b1000 r-xp 00000000 08:11 40         /usr/local/lib/libgstlightning.so.0.0.0
005b1000-005b2000 r--p 00012000 08:11 40         /usr/local/lib/libgstlightning.so.0.0.0
005b2000-005b3000 rw-p 00013000 08:11 40         /usr/local/lib/libgstlightning.so.0.0.0
...[snip]...

Thanks

Answer

Matt Joiner picture Matt Joiner · Jul 27, 2010

Nah! Call ptrace() with PTRACE ATTACH. Then open /proc/<pid>/mem, seek to the region offset, and read the length of the region as given in /proc</pid>/maps.

Here's a program I wrote that does it in C. Here's a module I wrote that does it in Python (and the ptrace binding). For the finish, a program that dumps all regions of a process to files.

Enjoy!