How to Dump Linux Memory

Written by contributing writer

A Linux computer's memory contents can be dumped to disk for examination for educational or forensic purposes. Historically Linux exposed two character devices for this: /dev/mem, which maps physical memory (the file offset is a physical address), and /dev/kmem, which maps the kernel's virtual address space (the file offset is a kernel virtual address). Neither includes swap; pages that have been swapped out live on the swap device, not in RAM. Many distributions restrict or disable both for security reasons: with CONFIG_STRICT_DEVMEM=y the kernel limits /dev/mem to non-RAM ranges such as PCI and BIOS space, and /dev/kmem was removed from the kernel altogether in Linux 5.13 (2021). Where they exist, both devices behave like regular files and can be read with dd or any other file manipulation tool.

Skill level:
Moderately Easy


Things you need

  • Computer running Linux


Instructions

    Dumping memory on Linux

  1.

    Check whether your kernel provides the devices, and rebuild it only if you must. Many modern distributions disable /dev/kmem (CONFIG_DEVKMEM=n) because rootkits have historically used it to patch the running kernel, and it has few legitimate uses besides kernel programming education and research; kernels from 5.13 onward no longer have the option at all. Where the option still exists, recompiling with CONFIG_DEVKMEM set to "y" enables /dev/kmem. /dev/mem is usually present, but with CONFIG_STRICT_DEVMEM=y reads of ordinary RAM are refused, so a full copy of it fails after the first megabyte. Look at the running kernel's configuration in /proc/config.gz or /boot/config-$(uname -r) before going further, and be sure you understand the security implications of relaxing these settings.

  2.

    Acquire root privileges. Log in as root, or use su or sudo to become root. Having access to the complete contents of system memory raises obvious security issues, since the contents include the state of every running program and all kernel data, so the device nodes are normally owned by root with group kmem and mode 0640, and opening /dev/mem additionally requires the CAP_SYS_RAWIO capability. On kernels booted with lockdown enabled (as many distributions do under Secure Boot) the devices cannot be opened at all, even by root.

  3.

    Dump the memory contents to disk using "dd"; other similar utilities can be used as well. For physical memory, a command like "dd if=/dev/mem of=/root/mem bs=1M" copies the contents to the regular file /root/mem, with each file offset equal to the physical address it came from. /dev/kmem is indexed differently: its file offset is a kernel virtual address, so "dd if=/dev/kmem of=/root/kmem" starting at offset 0 does not read kernel memory (offset 0 is not a valid kernel address and the read fails); you have to skip to an address taken from /proc/kallsyms or System.map. Make sure you have enough free disk space to hold the copy: for /dev/mem that is at least the installed RAM. Note that reading past the end of the physical address map makes dd fail rather than reach a clean end-of-file, and with conv=noerror it would not stop at all, so bound the copy with "count" or read only the System RAM ranges listed in /proc/iomem.
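As an added example (not part of the original article), the following POSIX shell script performs the checks from steps 1 to 3 and then acquires physical memory from /dev/mem. It goes one step beyond the single dd command above: rather than one unbounded copy, it reads only the "System RAM" ranges listed in /proc/iomem, so dd never touches MMIO space or runs off the end of the address map, and the image offsets still equal physical addresses. It assumes GNU coreutils dd (for skip_bytes, count_bytes and seek_bytes), a kernel configuration readable from /proc/config.gz or /boot/config-$(uname -r), and takes the output path as its second argument. The parsing functions take their input as strings so they can be tried on the constructed sample data at the bottom without root; the dump itself runs only when invoked with --dump.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight checks from steps
# 1-3, then acquisition of physical memory from /dev/mem. Instead of one
# unbounded dd, it copies only the "System RAM" ranges listed in /proc/iomem,
# so dd never reads MMIO space or runs past the end of the address map.
# Assumptions: GNU coreutils dd (skip_bytes/count_bytes/seek_bytes), kernel
# config in /proc/config.gz or /boot/config-$(uname -r), output path as $2.

# Is "<key>=y" present in the kernel config text $1?
config_has() {
    printf '%s\n' "$1" | grep -qxF "$2=y"
}

# Kernel config of the running kernel; empty if neither location is readable.
load_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
}

# Print "start length" in bytes for each top-level System RAM range in the
# /proc/iomem text $1 (indented child entries such as "Kernel code" are skipped).
system_ram_ranges() {
    printf '%s\n' "$1" |
        sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) : System RAM$/\1 \2/p' |
        while read -r start end; do
            s=$(printf '%d' "0x$start")
            e=$(printf '%d' "0x$end")
            echo "$s $((e - s + 1))"
        done
}

# Total bytes of System RAM, i.e. the space the image will occupy on disk.
total_ram_bytes() {
    total=0
    for len in $(system_ram_ranges "$1" | awk '{ print $2 }'); do
        total=$((total + len))
    done
    echo "$total"
}

# Acquire physical memory to file $1. File offset == physical address; gaps
# between RAM ranges are left as holes in a sparse file.
dump_physical_memory() {
    out=$1
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    [ -c /dev/mem ] || { echo "/dev/mem is not present" >&2; return 1; }
    cfg=$(load_kernel_config)
    if [ -n "$cfg" ] && config_has "$cfg" CONFIG_STRICT_DEVMEM; then
        echo "CONFIG_STRICT_DEVMEM=y: reads of RAM above 1 MiB return EPERM" >&2
        return 1
    fi
    iomem=$(cat /proc/iomem)          # unprivileged users only see zeroed addresses
    need_kib=$(( $(total_ram_bytes "$iomem") / 1024 ))
    free_kib=$(df -Pk "$(dirname "$out")" | awk 'NR == 2 { print $4 }')
    [ "$free_kib" -gt "$need_kib" ] || { echo "need ${need_kib} KiB free" >&2; return 1; }
    : > "$out"
    system_ram_ranges "$iomem" | while read -r start len; do
        dd if=/dev/mem of="$out" bs=1M conv=notrunc status=none \
           iflag=skip_bytes,count_bytes oflag=seek_bytes \
           skip="$start" seek="$start" count="$len" || exit 1
    done || return 1
    sha256sum "$out" > "$out.sha256"   # record the image hash for the evidence log
}

# Constructed /proc/iomem excerpt (not from a real machine) for trying the
# parsers without root: three RAM ranges, one with an indented child entry.
SAMPLE_IOMEM='00000000-00000fff : Reserved
00001000-0009fbff : System RAM
0009fc00-0009ffff : Reserved
000a0000-000bffff : PCI Bus 0000:00
00100000-bffdffff : System RAM
  01000000-01a00000 : Kernel code
c0000000-febfffff : PCI Bus 0000:00
100000000-13fffffff : System RAM'
SAMPLE_CONFIG='CONFIG_STRICT_DEVMEM=y
# CONFIG_DEVKMEM is not set'

# Only acquire when asked explicitly, so the file can be sourced for its checks.
case ${1:-} in
    --dump) dump_physical_memory "${2:-/root/mem.raw}" ;;
esac
```

Run it as root with "sh acquire.sh --dump /mnt/evidence/mem.raw" (the script name and path are assumptions). On the constructed sample, system_ram_ranges yields three ranges totalling 4294437888 bytes, which is what the free-space check compares against. The script refuses to run on a CONFIG_STRICT_DEVMEM kernel rather than producing an image that is zeros after the first megabyte.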

Tips and warnings

  • Consider using kgdb instead of dumping memory. kgdb is a debugging stub built into the Linux kernel that lets gdb, the GNU debugger, attach to the running kernel (typically over a serial console) and inspect it with symbols; it gives you many more options and much more flexibility than examining a raw dump file.
  • /proc/kcore (not /dev/kcore) presents the kernel's memory as an ELF core file, so "gdb vmlinux /proc/kcore", with a vmlinux carrying debug symbols for the running kernel, can read live kernel data structures without /dev/kmem.
  • Enabling /dev/kmem widens the kernel's attack surface; many rootkits have used /dev/kmem to patch the running kernel. Make sure your computer is adequately secured from the Internet before attempting this. Note also that a dump taken with dd from inside the running system is not forensically sound: memory changes while it is being copied, and a compromised kernel can return false contents. For evidence, prefer a dedicated acquisition tool such as the LiME kernel module and record a hash of the image.
  • Writing to /dev/mem or /dev/kmem overwrites arbitrary, and probably important, system memory, likely leading to a system crash and possibly corrupting data that has not yet been written to disk.

