Linux снять дамп памяти

How do I dump physical memory in Linux?

How would one create a dump of the physical memory (RAM) in Linux? What software if any is available for this purpose? I have read that one should not write to a local disk but rather send the data over the network. Anyone know the peculiarities here? Would Ethernet work for this purpose, or are there any commands which minimize the amount of caching before sending to disk? WinHex on Windows has such functionality: I am looking for something similar on Linux.

4 Answers 4

Linux provides two virtual devices for this purpose, ‘ /dev/mem ‘ and ‘ /dev/kmem ‘, though many distributions disable them by default for security reasons. ‘ /dev/mem ‘ is linked to the physical system memory, whereas ‘ /dev/kmem ‘ maps to the entire virtual memory space, including any swap. Both devices work as regular files, and can be used with dd or any other file manipulation tool.

That leads to the ForensicsWiki page on Memory Imaging Tools with the Linux/Unix section,

1. dd On Unix systems, the program dd can be used to capture the contents of physical memory using a device file (e.g. /dev/mem and /dev/kmem). In recent Linux kernels, /dev/kmem is no longer available. In even more recent kernels, /dev/mem has additional restrictions. And in the most recent, /dev/mem is no longer available by default, either. Throughout the 2.6 kernel series the trend has been to reduce direct access to memory via pseudo-device files. See, for example, the message accompanying this patch: http://lwn.net/Articles/267427/. On Red Hat systems (and derived distros such as CentOS), the crash driver can be loaded to create a pseudo-device for memory access («modprobe crash»).
2. Second Look This commercial memory analysis product has the ability to acquire memory from Linux systems, either locally or from a remote target via DMA or over the network. It comes with pre-compiled Physical Memory Access Driver (PMAD) modules for hundreds of kernels from the most commonly used Linux distributions.
3. Idetect (Linux)
4. fmem (Linux)
   fmem is kernel module, that creates device /dev/fmem, similar to /dev/mem but without limitations. This device (physical RAM) can be copied using dd or other tool. Works on 2.6 Linux kernels. Under GNU GPL.
5. Goldfish
   Goldfish is a Mac OS X live forensic tool for use only by law enforcement. Its main purpose is to provide an easy to use interface to dump the system RAM of a target machine via a Firewire connection. It then automatically extracts the current user login password and any open AOL Instant Messenger conversation fragments that may be available. Law Enforcement may contact goldfish.ae for download information.

See Also: Linux Memory Analysis.
There is also GDB commonly available on most Linuxes.
And, you are always advised to avoid writing over unknown memory — it can lead to system corruption.

Volatility seems to be working well and is Windows and Linux compatible.

Volatility supports memory dumps from all major 32- and 64-bit Windows versions and service packs including XP, 2003 Server, Vista, Server 2008, Server 2008 R2, and Seven. Whether your memory dump is in raw format, a Microsoft crash dump, hibernation file, or virtual machine snapshot, Volatility is able to work with it. We also now support Linux memory dumps in raw or LiME format and include 35+ plugins for analyzing 32- and 64-bit Linux kernels from 2.6.11 — 3.5.x and distributions such as Debian, Ubuntu, OpenSuSE, Fedora, CentOS, and Mandrake. We support 38 versions of Mac OSX memory dumps from 10.5 to 10.8.3 Mountain Lion, both 32- and 64-bit. Android phones with ARM processors are also supported.

They do not support capturing though. From the GitHub README: Volatility does not provide memory sample acquisition capabilities. For acquisition, there are both free and commercial solutions available.

Second Look is a good, easy way to dump memory in Linux: http://secondlookforensics.com/.

There also is a recently released kernel module you could try called LiME: http://code.google.com/p/lime-forensics/

As confirmation I was able to dump my CentOS 7.x VM’s memory using this method:

$ head /dev/mem | hexdump -C 00000000 53 ff 00 f0 53 ff 00 f0 53 ff 00 f0 53 ff 00 f0 |S. S. S. S. | 00000010 53 ff 00 f0 53 ff 00 f0 cc e9 00 f0 53 ff 00 f0 |S. S. S. | 00000020 a5 fe 00 f0 87 e9 00 f0 53 ff 00 f0 46 e7 00 f0 |. S. F. | 00000030 46 e7 00 f0 46 e7 00 f0 57 ef 00 f0 53 ff 00 f0 |F. F. W. S. | 00000040 22 00 00 c0 4d f8 00 f0 41 f8 00 f0 fe e3 00 f0 |". M. A. | 00000050 39 e7 00 f0 59 f8 00 f0 2e e8 00 f0 d4 ef 00 f0 |9. Y. | 00000060 a4 f0 00 f0 f2 e6 00 f0 6e fe 00 f0 53 ff 00 f0 |. n. S. | 00000070 ed ef 00 f0 53 ff 00 f0 c7 ef 00 f0 ed 57 00 c0 |. S. W..| 00000080 53 ff 00 f0 53 ff 00 f0 53 ff 00 f0 53 ff 00 f0 |S. S. S. S. | * 00000100 59 ec 00 f0 3d 00 c0 9f 53 ff 00 f0 ed 69 00 c0 |Y. =. S. i..| 00000110 53 ff 00 f0 53 ff 00 f0 53 ff 00 f0 53 ff 00 f0 |S. S. S. S. | * 00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |. | 000afea0 00 00 00 00 00 00 00 00 aa aa aa 00 aa aa aa 00 |. | 000afeb0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |. | . . 000b0000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |. | * 000c0000 55 aa 40 e9 62 0a 00 00 00 00 00 00 00 00 00 00 |U.@.b. | 000c0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 49 42 |. IB| 000c0020 4d 00 9c 80 fc 0f 75 06 e8 4f 01 e9 bc 00 80 fc |M. u..O. | 

Given this 55aah occurring in the c0000h-effffh range it’s likely the PNP Expansion Header:

3.3 Devices with PnP Expansion Headers

All IPL devices with option ROMs must contain a valid option ROM header that resides between system memory addresses C0000h and EFFFFh on a 2k boundary and begins with 55AAh. A Device’s booting can only be controlled if it has a PnP Expansion Header. The Expansion Header, whose address resides within the standard option ROM header at offset +1Ah, contains important information used to configure the device. It also contains pointers to code in the device’s option ROM (BCV or BEV) that the BIOS will call to boot from the device. See Appendix A for the structure of the PnP Expansion Header. There are two ways an IPL device with a PnP Expansion Header can be booted. It must contain a BCV or a BEV.

References

Источник

How to dump memory image from linux system?

I know to dump memory images in Windows. (eg-dumpit) But I don’t know how to dump memory images in Linux. I want to get memory images in Linux and from Linux to Linux with ssh connection or something. How can I get in Linux?

Are you trying to get memory from a running process, kernel memory or raw physical memory? All are available but methods for access differ. See /dev/kmem, /dev/mem, /proc/kcore, /proc/$pid/maps and /proc/$pid/mem .

3 Answers 3

Linux

/dev/mem

On older Linux systems, the program dd can be used to read the contents of physical memory from the device file /dev/mem. On recent Linux systems, however, /dev/mem provides access only to a restricted range of addresses, rather than the full physical memory of a system. On other systems it may not be available at all. Throughout the 2.6 series of the Linux kernel, the trend was to reduce direct access to memory via pseudo-device files. See, for example, the message accompanying this patch: http://lwn.net/Articles/267427/.

/dev/crash

On Red Hat systems (and those running related distros such as Fedora or CentOS), the crash driver can be loaded to create pseudo-device /dev/crash for raw physical memory access (via command «modprobe crash»). This module can also be compiled for other Linux distributions with minor effort (see, for example, http://gleeda.blogspot.com/2009/08/devcrash-driver.html). When the crash driver is modified, compiled, and loaded on other systems, the resulting memory access device is not safe to image in its entirety. Care must be taken to avoid addresses that are not RAM-backed. On Linux, /proc/iomem exposes the correct address ranges to image, marked with «System RAM».

Second Look: Linux Memory Forensics

This commercial memory forensics product ships with a modified version of the crash driver and a script for safely dumping memory using the original or modified driver on any given Linux system.

fmem fmem — github repo

fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. This device (physical RAM) can be copied using dd or other tool. Works on 2.6 Linux kernels. Under GNU GPL.

LiME — Linux Memory Extractor

Linux Memory Extractor (LiME) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports dumping memory either to the file system of the device or over the network.

I found this example of fmem in use, which seems to be the easiest way to dump memory for analysis purposes, you can no longer use /dev/mem after the 2.6.x kernels, as I understand it.

fmem Example

$ ./run.sh . ----Memory areas: ----- reg00: base=0x000000000 ( 0MB), size= 1024MB, count=1: write-back reg01: base=0x0c8800000 ( 3208MB), size= 2MB, count=1: write-combining ----------------------- . Don't forget add "count https://askubuntu.com/questions/147978/how-can-i-dump-all-physical-memory-to-a-file">How can I dump all physical memory to a file?
LiME Example
For analyzing volatile memory there's also this page, titled: Linux Memory Analysis. There's a thorough example in this video tutorial that shows the use of LiME and Volatility to collect a memory dump and then analyze it, extracting the user's Bash history from the memory dump.

  
Using LiME & Volatility to analyze Linux memory

What else?
There's also this U&L Q&A titled: How can I dump the full system memory? which has additional examples and information.