So I was on a locked down Linux system this week with the inability to import any tools and I had to prove that strings could be identified in memory of certain processes.

Fortunately CentOS was installed which had gdb along with it so I took to writing a script to automate this work for me. (I had to test the processes in a number of different scenarios)

Basically the process memory map is stored at /proc/${pid}/maps, then you use the address and gdb in batch mode to dump the memory to a file.

You then grep the binary files for the string and keep your fingers crossed.

I couldn’t take the script off site due so have had to rewrite it so here it is:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
#!/bin/bash
# phillips321.co.uk
# Version=0.1

# Fix for loop using whole line
OLDIFS=${IFS}
IFS='
'

if [[ $# != 2 ]] ; then
    echo '[+] usage: $0 processname string'
    echo "[+] example: $0 gedit "Hello World""
    exit 1
fi

# Find process id for process
if pid=`pgrep $1` ; then
    echo "[+] Process ${1} identified as pid ${pid}"
else
    echo "[+] Process not found, try pgrep ${1} yourself"
    exit 1
fi

# create folder and go inside it
mkdir -p "${1}-${pid}"
cd ${1}-${pid}

# copy process maps in order to identify memory addresses
cp /proc/${pid}/maps .

# loop through memory locations using gdb and dump memory to file
for line in `cat maps`
do
    echo "[+] Now working on ${line}"
    start=`echo -n ${line} | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' | cut -d" " -f1` #mem start location
    stop=`echo -n ${line} | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' | cut -d" " -f2` #mem end location
    gdb -q -silent -batch -pid ${pid} -ex "dump memory ${pid}-${start}-${stop}.dump 0x${start} 0x${stop}"
done


# look for string in dumps
if [[ ${2} != "" ]] ; then
    string=${2}
    echo "[+] Looking for ${string} in dump files"
    if result=`grep ${string} *.dump` ; then
        for line in ${result}
        do
            filename=`echo -n ${line} | cut -d' ' -f3`
            echo "[+] Found in ${filename} - Creating ${filename}.txt"
            cat ${filename} | tr '[\000-\011\013-\037\177-\377]' '.' | egrep -n --color ${2} > ${filename}.txt
        done
    else
        echo "[+] String not found :-("
    fi
fi

cd ..
IFS=${OLDIFS}

And here’s what the code looks like when you run it.

1
2
3
root@kali:~/testing# ./dumpmem.sh leafpad "Hello World"
[+] Looking for Hello World in dump files
[+] Found in 11683-b938a000-b9669000.dump - Creating 11683-b938a000-b9669000.dump.txt"

Then it’s a simple case of using the *.txt file in your report 🙂

Leave a Reply