Full Disclosure mailing list archives
Re: fetchmem 0.01b
From: es () hush com
Date: Sat, 30 Nov 2002 06:34:55 -0800
-----BEGIN PGP SIGNED MESSAGE----- Please come to #!electronicsouls, we believe you may be skilled enough to fill in for dvorak while he is on holiday. The Electronic Souls Crew [ElectronicSouls] (c) 2002 "Suckers make me lick." On Fri, 29 Nov 2002 23:05:20 -0800 Michal Zalewski <lcamtuf () ghettot org> wrote:
Fetchmem is a trivial Linux application, the kind of a command-line tool I was missing for a while - so maybe some readers will also find it useful. It's there not because it's advanced, simply because I had to code this in C for some specific tasks one time too many. In short, it can be used to dump entire process memory on demand without disrupting its execution - either immediately or at a nearest fault condition such as SIGSEGV - so the data can be examined directly using tools like diff, strings, grep, your favorite viewer, etc. This way, you're not forced to stick with inferior data examination and comparison capabilities of your debugger - debuggers are generally designed to simplify manual viewing of small portions of data at a time - and you can automate many audit tasks. It can be used to verify a binary is what it claims to be, can be used to detect runtime infections, spoofed /proc/pid/exe and so on. Curious ones can use it to look what an application, such as a daemon, retains in memory between sessions. Since memory dumps are considerably more complete than core files, it is possible to detect some fairly obscure tricks such as modifying read-only shared maps, for example libc, using ptrace. It is also possible to defer process dumps until SIGSEGV or a similar condition is encountered, so the tool is also useful for certain debugging tasks when the process won't dump core (rlimits, higher privileges used, cwd writability issues, custom signal handlers). Enough said. The tool can be downloaded from http://lcamtuf.coredump.cx/memfetch.tgz . Have a good weekend. -- ------------------------- bash$ :(){ :|:&};: -- Michal Zalewski * [http://lcamtuf.coredump.cx] Did you know that clones never use mirrors? --------------------------- 2002-11-29 22:47 -- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
-----BEGIN PGP SIGNATURE----- Version: Hush 2.2 (Java) Note: This signature can be verified at https://www.hushtools.com/verify wlMEARECABMFAj3ozTAMHGVzQGh1c2guY29tAAoJEN5nGqhGcjltX8IAn2VqFarK1FlV QoIdyZB1vHWy6AXZAKCe7++mJFf78t+OYhNPGyae9oYPhw== =1CIE -----END PGP SIGNATURE----- Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- fetchmem 0.01b Michal Zalewski (Nov 29)
- <Possible follow-ups>
- Re: fetchmem 0.01b es (Nov 30)