Re: fetchmem 0.01b

[es () hush com]

-----BEGIN PGP SIGNED MESSAGE-----

Please come to #!electronicsouls, we believe you may be skilled enough
to fill in for dvorak while he is on holiday.

The Electronic Souls Crew
[ElectronicSouls] (c) 2002

"Suckers make me lick."

On Fri, 29 Nov 2002 23:05:20 -0800 Michal Zalewski <lcamtuf () ghettot org> wrote:
> Fetchmem is a trivial Linux application, the kind of a command-line
> tool I
> was missing for a while - so maybe some readers will also find it
> useful.
> It's there not because it's advanced, simply because I had to code
> this in
> C for some specific tasks one time too many.
>
> In short, it can be used to dump entire process memory on demand
> without
> disrupting its execution - either immediately or at a nearest fault
> condition such as SIGSEGV - so the data can be examined directly
> using
> tools like diff, strings, grep, your favorite viewer, etc. This
> way,
> you're not forced to stick with inferior data examination and comparison
> capabilities of your debugger - debuggers are generally designed
> to
> simplify manual viewing of small portions of data at a time - and
> you can
> automate many audit tasks. It can be used to verify a binary is
> what it
> claims to be, can be used to detect runtime infections, spoofed
> /proc/pid/exe and so on. Curious ones can use it to look what an
> application, such as a daemon, retains in memory between sessions.
> Since
> memory dumps are considerably more complete than core files, it
> is
> possible to detect some fairly obscure tricks such as modifying
> read-only
> shared maps, for example libc, using ptrace.
>
> It is also possible to defer process dumps until SIGSEGV or a similar
> condition is encountered, so the tool is also useful for certain
> debugging
> tasks when the process won't dump core (rlimits, higher privileges
> used,
> cwd writability issues, custom signal handlers).
>
> Enough said. The tool can be downloaded from
> http://lcamtuf.coredump.cx/memfetch.tgz . Have a good weekend.
>
> --
> ------------------------- bash$ :(){ :|:&};: --
> Michal Zalewski * [http://lcamtuf.coredump.cx]
>    Did you know that clones never use mirrors?
> --------------------------- 2002-11-29 22:47 --
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlMEARECABMFAj3ozTAMHGVzQGh1c2guY29tAAoJEN5nGqhGcjltX8IAn2VqFarK1FlV
QoIdyZB1vHWy6AXZAKCe7++mJFf78t+OYhNPGyae9oYPhw==
=1CIE
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2 

Big $$$ to be made with the HushMail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html