Nifty RAM Dump/Sort script

24 04 2009

Hello again! Second post in one day! Whooo! Just a quick one though because I want to go home! It’s 5 o’clock!

I’ve been charged recently with helping to track down somebody else’s (grr!) memory leak in a piece of software. The program was eating about 30% of our server’s 2Gb of RAM. It seemed to make sense to do some kind of RAM dump.

As with most things linux oriented, as soon as you know how to access the relevant doohickies, the entire thing’s a piece of cake, so I wrote a little script so I could do the entire process again. It really is simple, but it’s such a useful little doobrie that I had to post it.

WARNING: I have not written any error checking into this, so you may want to write some break points or something into it before running.

Stage 1: The script frees any unused memory by synchronising any loose data then passing a number to /proc/sys/vm/drop_caches.

Stage 2: It then uses dd as root to take a byte-for-byte copy of the current contents of the RAM from /dev/mem.

Stage 3: It then parses any ascii characters from it and passes it through various sorting procedures to come up with a list of strings found in the RAM sorted from least found to most commonly found.

Anyway… Here’s the script (special thanks to WordPress for utterly destroying any semblance of formatting):

#!/bin/bash
IMGFILE="ramdump-`date +%d%m%y`.img"
TXTFILE="ramdump-`date +%d%m%y`.txt"
echo "************************************************"
echo "* n00bsys0p's RAM dumper and sorter *"
echo "* written 04/2009 *"
echo "* Use it for whatever the hell you want *"
echo "* and don't blame me if you ruin your *"
echo "* computer by being a retard *"
echo "************************************************"
echo "Stage 1 (Freeing unused RAM). Requires root privileges."
if [ $UID == 0 ]; then
echo "Already root, continuing"
fi
su -c "sync; echo 3 > /proc/sys/vm/drop_caches"
echo "Stage 2 (RAM dump). Also requires root privileges..."
if [ $UID == 0 ]; then
echo "Already root, continuing"
fi
su -c "dd if=/dev/mem of=$IMGFILE && chmod a+rw $IMGFILE"
echo -e "\n\
RAM Dumped to $IMGFILE.\n\
Stage 3 (Sort $IMGFILE). This may take a very long time..."
strings $IMGFILE | sort -fd | uniq -c | sort -n > $TXTFILE
echo -e "\n\
RAM dump sorted in $TXTFILE.\n\
Items are listed and numbered by order of occurrence."

Hope it’s useful to someone.

n00b

Advertisements

Actions

Information

8 responses

12 05 2009
Cameron

This is awesome, can you come up with something like this for a Windows system? (I know, *boo-hiss*)

12 05 2009
n00bsys0p

Hi Cameron,

Thanks for the comment, it’s nice to be appreciated 😀

To be perfectly honest, I wouldn’t know where to start doing this in Windows. I have a strong feeling it would require knowing not only Windows back to front, but a low level programming language quite well in order to achieve this. The simple fact is that Windows doesn’t let even an administrative user have access to such a thing as the contents of the RAM. There have been studies done which have used msramdump to good effect. The boffins at Princeton pioneered this here.

Here’s the video embedded:

If anybody can prove me wrong – feel free to do so – it would be interesting to see how one would go about it. If you find a way of doing it without any proprietary software leave me a comment here!

28 05 2009
foldericon

Hi there!
Do you think it could work on cygwin?
Will try tomorrow, but don’t know anything about ram-privileges in cygwin.
if it will not work, I will be wiser 😉

29 05 2009
n00bsys0p

Hi, Foldericon
I’m afraid I haven’t got a clue! I’ve not used Cygwin at all! Let me know what your findings are.

Thanks!

20 07 2009
ov3rcl0ck

I always used to use cat like so
sudo cat /dev/mem > dump.txt
but dd is probably a better choice in this situation.

5 08 2009
n00bsys0p

Y’know, cat didn’t even cross my mind! Haha! Thanks, it’s always nice to learn something new.

28 07 2009
Brian Bepristis

Awesome Script thank you very much.

5 08 2009
n00bsys0p

No problem. Glad to be of help!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: