# Quickly finding strings in process memory space

phillips321.co.uk, 23 January 2015
https://www.phillips321.co.uk/2015/01/23/quickly-finding-strings-in-process-memory-space/

So I was on a locked down Linux system this week with no way to import any tools, and I had to prove that strings could be identified in the memory of certain processes.

Fortunately CentOS was installed, which came with gdb, so I took to writing a script to automate this work for me. (I had to test the processes in a number of different scenarios.)

Basically the process memory map is stored at /proc/${pid}/maps; you then take each address range from it and use gdb in batch mode to dump that region of memory to a file.

You then grep the binary dump files for the string and keep your fingers crossed.

I couldn't take the script off site, so I have had to rewrite it; here it is:

```bash
#!/bin/bash
# phillips321.co.uk
# Version=0.1

# Make the for loops below iterate over whole lines rather than words
OLDIFS=${IFS}
IFS='
'

if [[ $# != 2 ]] ; then
    echo "[+] usage: $0 processname string"
    echo "[+] example: $0 gedit \"Hello World\""
    exit 1
fi

# Find process id for process (assumes pgrep matches exactly one process)
if pid=$(pgrep "$1") ; then
    echo "[+] Process ${1} identified as pid ${pid}"
else
    echo "[+] Process not found, try pgrep ${1} yourself"
    exit 1
fi

# create folder and go inside it
mkdir -p "${1}-${pid}"
cd "${1}-${pid}" || exit 1

# copy process maps in order to identify memory addresses
cp "/proc/${pid}/maps" .

# loop through memory locations using gdb and dump memory to file
for line in $(cat maps)
do
    echo "[+] Now working on ${line}"
    range=${line%% *}   # first field of the maps line, e.g. b938a000-b9669000
    start=${range%-*}   # mem start location
    stop=${range#*-}    # mem end location
    gdb -q -silent -batch -pid "${pid}" -ex "dump memory ${pid}-${start}-${stop}.dump 0x${start} 0x${stop}"
done


# look for string in dumps
if [[ ${2} != "" ]] ; then
    string=${2}
    echo "[+] Looking for ${string} in dump files"
    # -l prints only the names of the matching dump files, one per line
    if result=$(grep -l "${string}" *.dump) ; then
        for filename in ${result}
        do
            echo "[+] Found in ${filename} - Creating ${filename}.txt"
            # replace non-printable bytes with '.' so the match is readable in the report
            tr '\000-\011\013-\037\177-\377' '.' < "${filename}" | grep -E -n --color "${2}" > "${filename}.txt"
        done
    else
        echo "[+] String not found :-("
    fi
fi

cd ..
IFS=${OLDIFS}
```

And here's what the code looks like when you run it.

```
root@kali:~/testing# ./dumpmem.sh leafpad "Hello World"
[+] Looking for Hello World in dump files
[+] Found in 11683-b938a000-b9669000.dump - Creating 11683-b938a000-b9669000.dump.txt
```

Then it's a simple case of using the *.txt file in your report 🙂