mem-dump

mem-dump loads an ELF binary into the memory, sets a breakpoint at the entrypoint of the ELF binary, and dumps all the registers and memory after reaching the entrypoint.

Note: This only works on x86_64 linux system.

Usage

./mem-dump [-o OUTPUT-FILENAME] PROG [ARGS...]

Dumps to file mem.dump by default.

Examples

./mem-dump ./mem-dump

./mem-dump echo nice

./mem-dump -o echo.dump echo nice

How it works

Parses command-line arguments to figure out output filename.
Checks to see if the binary needs to searched in PATH environment variable, if yes, then finds it.
Parses the ELF binary to figure out binary’s entrypoint.
Forks, and the child calls ptrace(PTRACE_TRACEME, ...).
Child then calls execve(PROC, ARGS...).
Parent parses the child’s /proc/<pid>/maps file, to find the entrypoint in the memory of the process.
Adds 0xCC software interupt at the found memory address.
Continues the child until 0xCC.
Corrects everythings back in the child.
Dumps registers, and memory.
Kills the child.

Inspirations

Option parsing
strace
Resolving the binary pathname
strace
Parsing /proc/<pid>/maps
libprocmaps
Rest ptrace related usage
strace and https://blog.tartanllama.xyz/writing-a-linux-debugger-setup/

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

mem-dump

Usage

Examples

How it works

Inspirations

FilesExpand file tree

README.org

Latest commit

History

README.org

File metadata and controls

mem-dump

Usage

Examples

How it works

Inspirations