So I was on a locked-down Linux system this week with no way to bring in any tools, and I had to prove that strings could be identified in the memory of certain processes.
Fortunately CentOS was installed, which came with gdb, so I took to writing a script to automate this work for me (I had to test the processes in a number of different scenarios).
Basically the process memory map is stored at /proc/${pid}/maps; you then take each address range from it and use gdb in batch mode to dump that region of memory to a file.
You then grep the binary dump files for the string and keep your fingers crossed.
I couldn't take the script off site, so I have had to rewrite it; here it is:
```bash
#!/bin/bash
# phillips321.co.uk
# Version=0.1

# Fix for loop using whole line: split only on newlines, not on spaces
OLDIFS=${IFS}
IFS=$'\n'

if [[ $# != 2 ]] ; then
    echo "[+] usage: $0 processname string"
    echo "[+] example: $0 gedit \"Hello World\""
    exit 1
fi

# Find process id for process (pgrep may return several pids; this script expects one match)
if pid=$(pgrep "$1") ; then
    echo "[+] Process ${1} identified as pid ${pid}"
else
    echo "[+] Process not found, try pgrep ${1} yourself"
    exit 1
fi

# create folder and go inside it
mkdir -p "${1}-${pid}"
cd "${1}-${pid}" || exit 1

# copy process maps in order to identify memory addresses
cp /proc/${pid}/maps .

# loop through memory locations using gdb and dump memory to file
for line in $(cat maps)
do
    echo "[+] Now working on ${line}"
    start=$(echo -n "${line}" | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' | cut -d" " -f1) # mem start location
    stop=$(echo -n "${line}" | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' | cut -d" " -f2)  # mem end location
    # attach in batch mode, write the range to <pid>-<start>-<stop>.dump, then detach
    gdb -q -silent -batch -pid ${pid} -ex "dump memory ${pid}-${start}-${stop}.dump 0x${start} 0x${stop}"
done

# look for string in dumps
if [[ ${2} != "" ]] ; then
    string=${2}
    echo "[+] Looking for ${string} in dump files"
    # -l prints only the names of matching dump files (older greps printed "Binary file X matches")
    if result=$(grep -l "${string}" *.dump) ; then
        for filename in ${result}
        do
            echo "[+] Found in ${filename} - Creating ${filename}.txt"
            # replace non-printable bytes with '.' so egrep can show the hit with a line number
            cat "${filename}" | tr '\000-\011\013-\037\177-\377' '.' | egrep -n --color "${2}" > "${filename}.txt"
        done
    else
        echo "[+] String not found :-("
    fi
fi

cd ..
IFS=${OLDIFS}
```
And here's what the code looks like when you run it.
```
root@kali:~/testing# ./dumpmem.sh leafpad "Hello World"
[+] Looking for Hello World in dump files
[+] Found in 11683-b938a000-b9669000.dump - Creating 11683-b938a000-b9669000.dump.txt"
```
Then it’s a simple case of using the *.txt file in your report 🙂
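The same approach, as an added example that is not the post's own script: parse /proc/<pid>/maps, read each readable region straight from /proc/<pid>/mem instead of spawning gdb per region, and report the address, permissions and mapping of every hit. It assumes the same ptrace permission gdb needs (root, or the process owner with ptrace_scope permitting), and the maps excerpt at the bottom is constructed for offline use.

```python
import re
import sys
# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]"
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")

def parse_maps(text):
    """Return (start, end, perms, path) for each mapping worth reading."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        perms, path = m.group(3), m.group(4)
        if perms[0] != "r" or path == "[vvar]":  # unreadable via /proc/<pid>/mem
            continue
        regions.append((start, end, perms, path))
    return regions

def find_in_region(data, needle, base):
    """Return the absolute address of every occurrence of needle in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(base + pos)
        pos = data.find(needle, pos + 1)
    return hits

def scan_process(pid, needle):
    """Read each region from /proc/<pid>/mem (needs ptrace rights) and report hits."""
    with open(f"/proc/{pid}/maps") as f:
        regions = parse_maps(f.read())
    results = []
    with open(f"/proc/{pid}/mem", "rb", 0) as mem:
        for start, end, perms, path in regions:
            try:
                mem.seek(start)
                data = mem.read(end - start)
            except (OSError, OverflowError):
                continue  # region vanished or is not readable after all
            results += [(hex(a), perms, path) for a in find_in_region(data, needle, start)]
    return results

# Constructed maps excerpt (not from a real system) so parse_maps can be tried offline
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/leafpad
7ffd1c2e3000-7ffd1c2e7000 r--p 00000000 00:00 0 [vvar]
7ffd1c2e7000-7ffd1c2e9000 r-xp 00000000 00:00 0 [vdso]
"""
if __name__ == "__main__":  # usage: script.py <pid> "<string>"
    print(scan_process(int(sys.argv[1]), sys.argv[2].encode()))
```

Because nothing is written to disk, this is also a lighter touch on the host than leaving a directory of full memory dumps behind.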