mxmlnkn · December 20, 2021 09:18
diff --git a/pmemdump.sh b/pmemdump.sh
 #!/bin/bash

 function pmemdump()
 {
    # Adapted from:
    #   https://serverfault.com/questions/173999/dump-a-linux-processs-memory-to-file
    # Example output for /proc/xxx/maps:
    #     d7d90000-d7ed0000 rwxp 00000000 00:00 0
    #     d8ab0000-d8bf0000 rwxp 00000000 00:00 0
    #     f4111000-f43b9000 rw-s 00000000 00:05 429195289                          /SYSV00000000 (deleted)
    #     f4585000-f46f5000 rw-s 00000000 00:05 428310640                          /SYSV00000000 (deleted)
    #     f4858000-f4b00000 rw-s 00000000 00:05 429293717                          /SYSV00000000 (deleted)
    #     f4b00000-f4b21000 rw-p 00000000 00:00 0
    #     f4b21000-f4c00000 ---p 00000000 00:00 0
    #     f4c90000-f4e00000 rw-s 00000000 00:05 428015716                          /SYSV00000000 (deleted)
    #     f4e00000-f4e21000 rw-p 00000000 00:00 0
    #     f4e21000-f4f00000 ---p 00000000 00:00 0
    #     f4f19000-f4f1a000 r--p 00000000 08:21 2622450                            /lib/i386-linux-gnu/libnss_dns-2.28.so
    #     f4f1a000-f4f1e000 r-xp 00001000 08:21 2622450                            /lib/i386-linux-gnu/libnss_dns-2.28.so
    #     f4f1e000-f4f1f000 r--p 00005000 08:21 2622450                            /lib/i386-linux-gnu/libnss_dns-2.28.so

    local pid=$1

    local folder=$pid-dump-$( date +%Y-%m-%dT%H-%M-%S.%N )
    mkdir -- "$folder"

    # The idea behind the cleaner dump is that only in-memory files have a size attached to the memory region
    # in contrast to actual application memory, which has size 0 (as the size actually used size is unknown by the OS).
    # Also print only the first row with address ranges
    cat /proc/$pid/maps > "$folder/map"
    sed -n -r 's|([0-9a-f]+)-([0-9a-f]+) .* 0 .*|0x\1 0x\2|p' "$folder/map" |
    while read start stop; do
        dd if=/proc/$pid/mem bs=$( getconf PAGESIZE ) skip=$(( start )) count=$(( stop - start )) \
           iflag=skip_bytes,count_bytes of="$folder/mem_$start-$stop.bin"
    done
 }

 pmemdump "$@"
	#!/bin/bash

	function pmemdump()
	{
	# Adapted from:
	# https://serverfault.com/questions/173999/dump-a-linux-processs-memory-to-file
	# Example output for /proc/xxx/maps:
	# d7d90000-d7ed0000 rwxp 00000000 00:00 0
	# d8ab0000-d8bf0000 rwxp 00000000 00:00 0
	# f4111000-f43b9000 rw-s 00000000 00:05 429195289 /SYSV00000000 (deleted)
	# f4585000-f46f5000 rw-s 00000000 00:05 428310640 /SYSV00000000 (deleted)
	# f4858000-f4b00000 rw-s 00000000 00:05 429293717 /SYSV00000000 (deleted)
	# f4b00000-f4b21000 rw-p 00000000 00:00 0
	# f4b21000-f4c00000 ---p 00000000 00:00 0
	# f4c90000-f4e00000 rw-s 00000000 00:05 428015716 /SYSV00000000 (deleted)
	# f4e00000-f4e21000 rw-p 00000000 00:00 0
	# f4e21000-f4f00000 ---p 00000000 00:00 0
	# f4f19000-f4f1a000 r--p 00000000 08:21 2622450 /lib/i386-linux-gnu/libnss_dns-2.28.so
	# f4f1a000-f4f1e000 r-xp 00001000 08:21 2622450 /lib/i386-linux-gnu/libnss_dns-2.28.so
	# f4f1e000-f4f1f000 r--p 00005000 08:21 2622450 /lib/i386-linux-gnu/libnss_dns-2.28.so

	local pid=$1

	local folder=$pid-dump-$( date +%Y-%m-%dT%H-%M-%S.%N )
	mkdir -- "$folder"

	# The idea behind the cleaner dump is that only in-memory files have a size attached to the memory region
	# in contrast to actual application memory, which has size 0 (as the size actually used size is unknown by the OS).
	# Also print only the first row with address ranges
	cat /proc/$pid/maps > "$folder/map"
	sed -n -r 's\|([0-9a-f]+)-([0-9a-f]+) .* 0 .*\|0x\1 0x\2\|p' "$folder/map" \|
	while read start stop; do
	dd if=/proc/$pid/mem bs=$( getconf PAGESIZE ) skip=$(( start )) count=$(( stop - start )) \
	iflag=skip_bytes,count_bytes of="$folder/mem_$start-$stop.bin"
	done
	}

	pmemdump "$@"