Capturing process memory from /proc/pid/mem


You want to inspect process memory to enable further pivots within an environment.


You have root access to a Linux host, and no Linux Security Modules block access to /proc.


A statically linked binary is especially convenient here - as is learning from how others have solved the problem (e.g. from Sliver's Dump Process Memory command).

This Nim code reads the region metadata from /proc/pid/maps and writes to stdout the bytes of every /proc/pid/mem range that is readable, non-executable, and not file-backed. My experience mirrored the Sliver developer's in that [vvar] and [vdso] errored out when attempting to read them:

import std/os
import std/strutils
import std/strformat

if paramCount() != 1:
  echo &"Usage: {paramStr(0)} <pid>"
  quit(1)

let pid = paramStr(1)
let f = open(&"/proc/{pid}/mem")

for line in lines(&"/proc/{pid}/maps"):
  # fields: address-range perms offset dev inode [pathname]
  let parts = line.split(" ")
  # readable memory but not executable code
  if parts[1][0] == 'r' and not parts[1].contains('x'):
    # skip files mapped into memory (anonymous mappings report device 00:00)
    if parts[3] == "00:00":
      # skip memory we will error out accessing
      if not(line.endsWith("[vvar]") or line.endsWith("[vdso]")):
        let addresses = parts[0].split("-")
        let offset_start = addresses[0].parseHexInt()
        let offset_end = addresses[1].parseHexInt()
        # offsets into /proc/pid/mem are the process's virtual addresses,
        # so seek to the start of the region before reading it
        f.setFilePos(offset_start)
        var buffer: array[1024, int8]
        var remaining = offset_end-offset_start
        while remaining > 0:
          let n = f.readBytes(buffer, 0, min(remaining, 1024))
          if n == 0: break   # short read: stop instead of looping forever
          remaining -= n
          discard stdout.writeBytes(buffer, 0, n)

f.close()
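The same selection rule, written as a stand-alone parser for /proc/pid/maps so the field layout the Nim loop relies on (address range, permissions, file offset, device, inode, optional pathname) is explicit. This is an added example and not code from the original post; the maps lines it runs over are constructed to look like a typical process and do not come from a real host. It goes slightly beyond the Nim code in one respect: it splits on runs of whitespace and keeps the pathname whole, so entries like "/dev/zero (deleted)" parse correctly.

```python
"""Classify /proc/<pid>/maps entries the way the Nim tool above filters them."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (not from a real host): address-range perms offset dev inode [pathname]
SAMPLE_MAPS = """\
55d3c0a00000-55d3c0a01000 r--p 00000000 08:01 1311014                    /usr/bin/sleep
55d3c0a01000-55d3c0a05000 r-xp 00001000 08:01 1311014                    /usr/bin/sleep
55d3c1e7a000-55d3c1e9b000 rw-p 00000000 00:00 0                          [heap]
7f2a1c000000-7f2a1c021000 rw-p 00000000 00:00 0
7f2a1c021000-7f2a20000000 ---p 00000000 00:00 0
7f2a20ab3000-7f2a20ab7000 r--p 00000000 00:00 0                          [vvar]
7f2a20ab7000-7f2a20ab9000 r-xp 00000000 00:00 0                          [vdso]
7ffd3b2c0000-7ffd3b2e1000 rw-p 00000000 00:00 0                          [stack]
7ffd3b2f0000-7ffd3b2f2000 rw-s 00000000 00:05 1234                       /dev/zero (deleted)
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0                  [vsyscall]
"""


@dataclass
class Region:
    start: int
    end: int
    perms: str      # four characters: r/w/x plus p (private) or s (shared)
    offset: int     # offset into the backing file, hex in the maps file
    dev: str        # major:minor of the backing device; 00:00 for anonymous memory
    inode: int      # inode of the backing file; 0 for anonymous memory
    path: Optional[str]

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> List[Region]:
    """Parse the text of a /proc/<pid>/maps file into Region records."""
    regions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The first five fields never contain spaces; the pathname may, so
        # split at most five times and keep the remainder intact.
        fields = line.split(None, 5)
        addr, perms, offset, dev, inode = fields[:5]
        path = fields[5] if len(fields) > 5 else None
        start, end = (int(x, 16) for x in addr.split("-"))
        regions.append(Region(start, end, perms, int(offset, 16), dev, int(inode), path))
    return regions


def is_dumpable(r: Region) -> bool:
    """The post's filter: readable, not executable, anonymous, and not [vvar]/[vdso]."""
    if r.perms[0] != "r" or "x" in r.perms:
        return False
    if r.dev != "00:00":
        return False
    if r.path in ("[vvar]", "[vdso]"):
        return False
    return True


def dumpable_regions(text: str) -> List[Region]:
    return [r for r in parse_maps(text) if is_dumpable(r)]


def total_dumpable_bytes(text: str) -> int:
    return sum(r.size for r in dumpable_regions(text))


if __name__ == "__main__":
    for r in parse_maps(SAMPLE_MAPS):
        verdict = "dump" if is_dumpable(r) else "skip"
        print(f"{verdict} {r.start:016x}-{r.end:016x} {r.perms} {r.path or '<anon>'}")
    print("total bytes selected:", total_dumpable_bytes(SAMPLE_MAPS))
```

Against the constructed sample, only [heap], the unnamed anonymous rw-p mapping and [stack] pass the filter; the guard page (---p), the shared /dev/zero mapping (device 00:05), [vsyscall] (executable) and the two special vDSO regions are all skipped, which matches what the Nim loop does with its positional checks on parts[1] and parts[3].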
