Message-ID: <Pine.LNX.4.42.0211292247280.616-100000@nimue.bos.bindview.com>
From: lcamtuf at ghettot.org (Michal Zalewski)
Subject: fetchmem 0.01b

Fetchmem is a trivial Linux application, the kind of command-line tool I
was missing for a while - so maybe some readers will also find it useful.
It's there not because it's advanced, but simply because I had to code this
in C for some specific tasks one time too many.

In short, it can be used to dump entire process memory on demand without
disrupting its execution - either immediately or at the nearest fault
condition such as SIGSEGV - so the data can be examined directly using
tools like diff, strings, grep, your favorite viewer, etc. This way,
you're not forced to stick with the inferior data examination and
comparison capabilities of your debugger - debuggers are generally designed
to simplify manual viewing of small portions of data at a time - and you
can automate many audit tasks. It can be used to verify that a binary is
what it claims to be, to detect runtime infections, spoofed /proc/pid/exe
and so on. Curious readers can use it to look at what an application, such
as a daemon, retains in memory between sessions. Since memory dumps are
considerably more complete than core files, it is possible to detect some
fairly obscure tricks, such as modifying read-only shared maps (for example
libc) using ptrace.
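The audit use described above (comparing what a process actually has mapped against the binaries on disk, and spotting executable memory that no file accounts for) can be automated with a few lines of Python. The following is an added example, not code from the post or from memfetch itself: it parses /proc/<pid>/maps, selects the private executable file mappings that should still match their on-disk file, and reports differing byte runs; an optional live check reads /proc/<pid>/mem directly instead of a memfetch dump. The sample maps text is constructed, and the paths and addresses in it are placeholders.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"\s*(?P<path>.*)$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    offset: int
    inode: int
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def file_backed(self) -> bool:
        # inode 0 means anonymous memory or a pseudo-mapping such as [vdso]
        return self.inode != 0 and self.path.startswith("/")


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of /proc/<pid>/maps into Mapping records."""
    maps = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m is None:
            continue
        maps.append(Mapping(
            start=int(m["start"], 16), end=int(m["end"], 16),
            perms=m["perms"], offset=int(m["offset"], 16),
            inode=int(m["inode"]), path=m["path"].strip(),
        ))
    return maps


def comparable_mappings(maps: List[Mapping]) -> List[Mapping]:
    """Private executable mappings of a file: these should still match the
    bytes on disk unless the process has been patched in memory."""
    return [m for m in maps if m.file_backed and "x" in m.perms and "p" in m.perms]


def suspicious_mappings(maps: List[Mapping]) -> List[Mapping]:
    """Executable memory that cannot be checked against any file: anonymous
    r-x regions (JIT code, but also injected code) and any region that is
    both writable and executable. Kernel pseudo-mappings like [vdso] are skipped."""
    out = []
    for m in maps:
        if "x" not in m.perms or m.path.startswith("["):
            continue
        if not m.file_backed or "w" in m.perms:
            out.append(m)
    return out


def compare_region(dump: bytes, disk: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) runs where the dumped bytes differ from the file
    bytes. Only the common prefix is compared: a mapping's last page is
    zero-filled past the end of the file, so extra dump bytes are not errors."""
    runs = []
    n = min(len(dump), len(disk))
    i = 0
    while i < n:
        if dump[i] == disk[i]:
            i += 1
            continue
        j = i
        while j < n and dump[j] != disk[j]:
            j += 1
        runs.append((i, j - i))
        i = j
    return runs


def audit_live_process(pid: int) -> Dict[Tuple[str, int], List[Tuple[int, int]]]:
    """Compare every comparable mapping of a live process against its file.
    Needs Linux and permission to read /proc/<pid>/mem (your own pid always works)."""
    with open(f"/proc/{pid}/maps") as fh:
        maps = parse_maps(fh.read())
    results = {}
    with open(f"/proc/{pid}/mem", "rb") as mem:
        for m in comparable_mappings(maps):
            try:
                with open(m.path, "rb") as fh:
                    fh.seek(m.offset)
                    disk = fh.read(m.size)
                mem.seek(m.start)
                live = mem.read(len(disk))
            except OSError:
                continue  # file deleted or replaced since exec, or not readable
            results[(m.path, m.start)] = compare_region(live, disk)
    return results


# Constructed sample maps text; paths, inodes and addresses are placeholders.
SAMPLE_MAPS = """\
55d0c3a00000-55d0c3a01000 r--p 00000000 fd:01 1234 /usr/bin/daemon
55d0c3a01000-55d0c3a05000 r-xp 00001000 fd:01 1234 /usr/bin/daemon
7f1e3c000000-7f1e3c022000 rw-p 00000000 00:00 0
7f1e3c100000-7f1e3c101000 rwxp 00000000 00:00 0
7f1e3c200000-7f1e3c3c0000 r-xp 00026000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd12345000-7ffd12347000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for m in suspicious_mappings(parse_maps(SAMPLE_MAPS)):
        print(f"unverifiable executable memory: {m.start:x}-{m.end:x} {m.perms}")
    if os.path.exists("/proc/self/maps"):
        for (path, start), diffs in audit_live_process(os.getpid()).items():
            print(f"{path} @ {start:x}: {len(diffs)} differing run(s)")
```

Two caveats when reading the results: a differing run in a r-x file mapping means only that the memory no longer matches the file, which covers an in-memory patch just as well as a binary that was upgraded on disk after the process started, so check the file's mtime before drawing conclusions; and platforms or toolchains that apply text relocations at load time will show legitimate differences that this byte-level comparison cannot distinguish from tampering.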

It is also possible to defer process dumps until SIGSEGV or a similar
condition is encountered, so the tool is also useful for certain debugging
tasks when the process won't dump core (rlimits, higher privileges used,
cwd writability issues, custom signal handlers).

Enough said. The tool can be downloaded from
http://lcamtuf.coredump.cx/memfetch.tgz. Have a good weekend.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2002-11-29 22:47 --