fetchmem 0.01b

[Michal Zalewski <lcamtuf () ghettot org>]

Fetchmem is a trivial Linux application, the kind of a command-line tool I
was missing for a while - so maybe some readers will also find it useful.
It's there not because it's advanced, simply because I had to code this in
C for some specific tasks one time too many.

In short, it can be used to dump entire process memory on demand without
disrupting its execution - either immediately or at a nearest fault
condition such as SIGSEGV - so the data can be examined directly using
tools like diff, strings, grep, your favorite viewer, etc. This way,
you're not forced to stick with inferior data examination and comparison
capabilities of your debugger - debuggers are generally designed to
simplify manual viewing of small portions of data at a time - and you can
automate many audit tasks. It can be used to verify a binary is what it
claims to be, can be used to detect runtime infections, spoofed
/proc/pid/exe and so on. Curious ones can use it to look what an
application, such as a daemon, retains in memory between sessions. Since
memory dumps are considerably more complete than core files, it is
possible to detect some fairly obscure tricks such as modifying read-only
shared maps, for example libc, using ptrace.

It is also possible to defer process dumps until SIGSEGV or a similar
condition is encountered, so the tool is also useful for certain debugging
tasks when the process won't dump core (rlimits, higher privileges used,
cwd writability issues, custom signal handlers).

Enough said. The tool can be downloaded from
http://lcamtuf.coredump.cx/memfetch.tgz . Have a good weekend.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2002-11-29 22:47 --



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html