Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Dump memory of a process

Tags:

c

linux

bash

memory-dump

When reading the /proc/$PID/maps you get the mapped memory regions. Is ther a way to dump one of this regions?

$ cat /proc/18448/maps
...[snip]...
0059e000-005b1000 r-xp 00000000 08:11 40         /usr/local/lib/libgstlightning.so.0.0.0
005b1000-005b2000 r--p 00012000 08:11 40         /usr/local/lib/libgstlightning.so.0.0.0
005b2000-005b3000 rw-p 00013000 08:11 40         /usr/local/lib/libgstlightning.so.0.0.0
...[snip]...

Thanks

like image 559
mathk Avatar asked Jul 27 '10 09:07

mathk

People also ask

How do I dump all memory in a process?

Pick one batch of memory (so for example 00621000-00622000) then use gdb as root to attach to the process and dump that memory: $ gdb --pid [pid] (gdb) dump memory /root/output 0x00621000 0x00622000 Then analyse /root/output with the strings command, less you want the PuTTY all over your screen.

How do I get a dump of all processes running?

Launch Process Explorer using "Run as Administrator" so that it will have permission to see all processes. 3. Find the hung process (es) and right-click to select "Create Dump -> Create Full Dump". Note Process Explorer creates a 32-bit dump of 32-bit processes, even when the 64-bit version of Process Explorer is running.

How to create a rule for dump collection of memory?

And a pop-up will come, to create a rule for dump collection. Select Memory and Handle Leak, then Next. You should see the list of processes now: please select the worker process from the list which you’re having the memory problem. Press Next.

What is the size of a process dump file?

Each process dump will take space in the disk approximately the same size the process uses in memory (column Commit Size in Task Manager). For example, if the w3wp.exe process memory usage is ~2 GB, then the size of each dump file will be around 2 GB.

3 Answers

Nah! Call ptrace() with PTRACE ATTACH. Then open /proc/<pid>/mem, seek to the region offset, and read the length of the region as given in /proc</pid>/maps.

Here's a program I wrote that does it in C. Here's a module I wrote that does it in Python (and the ptrace binding). For the finish, a program that dumps all regions of a process to files.

Enjoy!

like image 166
Matt Joiner Avatar answered Sep 25 '22 20:09

Matt Joiner

You can attach gdb to the process then dump memory region of length X words starting at location L with this: x/Xw L.

Attaching gdb when you start your process is simple: gdb ./executable then run. If you need to attach to a running process, start gdb then gdb attach pid where pid is is the process ID you care about.

like image 20
nmichaels Avatar answered Sep 25 '22 20:09

nmichaels

Using dd(1):

sudo dd if=/dev/mem bs=1 skip=$(( 16#0059e000 - 1 )) \
        count=$(( 16#005b1000 - 16#0059e000 + 1)) | hexdump -C
like image 30
jackIT Avatar answered Sep 25 '22 20:09

jackIT
Sign in to Comment

Related questions

referencing struct fields in c with square brackets and an index instead of . and ->?
Do sleep functions sleep all threads or just the one who call it?
Setting break via cmd line on running GDB
Using logical operators with macros
Showing GTK debug log messages
When defining a variable in C for example, where is the memory address for that variable stored?
How do I detect unused macro definitions & typedefs?
Implementing min() and max() in Clang without double evaluation
What is the best way to communicate a kernel module with a user space program?
system("cd <path>") in a C program
HTTP Request using Sockets in C
How do I create a sparse file programmatically, in C, on Mac OS X?
Tool to explain C code [closed]
Very simple map implemention in C (for caching purpose)?
Best Way to Store a va_list for Later Use in C/C++
Can C's fgets be coaxed to work with a string *not* from a file?
How to round floating point numbers to the nearest integer in C?
OpenCL user defined inline functions
Given a pointer to member a within a struct, write a routine that returns a pointer to the struct
Why am I able to change the contents of const char *ptr?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!