linux process dump memory

linux process dump memory

Dump a linux process's memory to file

cat /proc/[pid]/maps
This will be in the format (example):
00400000-00421000 r-xp 00000000 08:01 592398 /usr/libexec/dovecot/pop3-login 00621000-00622000 rw-p 00021000 08:01 592398 /usr/libexec/dovecot/pop3-login 00622000-0066a000 rw-p 00622000 00:00 0 [heap] 3e73200000-3e7321c000 r-xp 00000000 08:01 229378 /lib64/ld-2.5.so 3e7341b000-3e7341c000 r--p 0001b000 08:01 229378 /lib64/ld-2.5.so

Pick one batch of memory (so for example 00621000-00622000) then use gdb to attach to the process and dump that memory:
gdb --pid [pid]
(gdb) dump memory /root/output 0x00621000 0x00622000
Then analyse /root/output with the strings command, less you want the PuTTY all over your screen :)

http://joshua14.homelinux.org/blog/?p=827
http://www.linuxjournal.com/article/4681?page=0,0