mem-dump

mem-dump loads an ELF binary into the memory, sets a breakpoint at the entrypoint of the ELF binary, and dumps all the registers and memory after reaching the entrypoint.

Note: This only works on x86_64 linux system.

Usage

./mem-dump [-o OUTPUT-FILENAME] PROG [ARGS...]

Dumps to file mem.dump by default.

Examples

./mem-dump ./mem-dump

./mem-dump echo nice

./mem-dump -o echo.dump echo nice

How it works

1. Parses command-line arguments to figure out output filename.
2. Checks to see if the binary needs to searched in PATH environment variable, if yes, then finds it.
3. Parses the ELF binary to figure out binary’s entrypoint.
4. Forks, and the child calls ptrace(PTRACE_TRACEME, ...).
5. Child then calls execve(PROC, ARGS...).
6. Parent parses the child’s /proc/<pid>/maps file, to find the entrypoint in the memory of the process.
7. Adds 0xCC software interupt at the found memory address.
8. Continues the child until 0xCC.
9. Corrects everythings back in the child.
10. Dumps registers, and memory.
11. Kills the child.

Inspirations

• Option parsing

  strace

• Resolving the binary pathname

  strace

• Parsing /proc/<pid>/maps

  libprocmaps

• Rest ptrace related usage

  strace and https://blog.tartanllama.xyz/writing-a-linux-debugger-setup/