linux memory dump

Linux provides two virtual devices for this purpose, ‘/dev/mem‘ and ‘/dev/kmem‘, though many distributions disable them by default for security reasons. ‘/dev/mem‘ is linked to the physical system memory, whereas ‘/dev/kmem‘ maps to the entire virtual memory space, including any swap. Both devices work as regular files, and can be used with dd or any other file manipulation too

  1. dd On Unix systems, the program dd can be used to capture the contents of physical memory using a device file (e.g. /dev/mem and /dev/kmem). In recent Linux kernels, /dev/kmem is no longer available. In even more recent kernels, /dev/mem has additional restrictions. And in the most recent, /dev/mem is no longer available by default, either. Throughout the 2.6 kernel series the trend has been to reduce direct access to memory via pseudo-device files. See, for example, the message accompanying this patch:http://lwn.net/Articles/267427/. On Red Hat systems (and derived distros such as CentOS), the crash driver can be loaded to create a pseudo-device for memory access ("modprobe crash").

l.

    1. Second Look This commercial memory analysis product has the ability to acquire memory from Linux systems, either locally or from a remote target via DMA or over the network. It comes with pre-compiled Physical Memory Access Driver (PMAD) modules for hundreds of kernels from the most commonly used Linux distributions.
    2. Idetect (Linux)
    3. fmem (Linux)
      fmem is kernel module, that creates device /dev/fmem, similar to /dev/mem but without limitations. This device (physical RAM) can be copied using dd or other tool. Works on 2.6 Linux kernels. Under GNU GPL.
    4. Goldfish
      Goldfish is a Mac OS X live forensic tool for use only by law enforcement. Its main purpose is to provide an easy to use interface to dump the system RAM of a target machine via a Firewire connection. It then automatically extracts the current user login password and any open AOL Instant Messenger conversation fragments that may be available. Law Enforcement may contact goldfish.ae for download information.
      1. There is also GDB commonly available on most Linuxes.
        And, you are always advised to avoid writing over unknown memory -- it can lead to system corruption.
时间: 2024-08-08 09:36:38

linux memory dump的相关文章

Linux core dump file详解

Linux core dump file详解 http://www.cnblogs.com/langqi250/archive/2013/03/05/2944931.html

linux memory addressing

Memory address: logical address segment + offset linear address physical address linux memory addressing is to get physical address from linear address from logical address. a picture from <Understanding the Linux Kernel>: To understand logical/line

How do I find what queries were executing in a SQL memory dump?-----stack

https://blogs.msdn.microsoft.com/askjay/2010/10/03/how-do-i-find-what-queries-were-executing-in-a-sql-memory-dump/ jamesaskOctober 3, 20108 NOTE:  This post has been updated in a new post due to an issue found with the steps in this post.  The proced

Segment fault及LINUX core dump详解

源自:http://andyniu.iteye.com/blog/1965571 core dump的概念: A core dump is the recorded state of the working memory of a computer program at a specific time, generally when the program has terminated abnormally (crashed). In practice, other key pieces of

linux memory release commands内存清理/释放命令

linux 内存清理/释放命令 You could find reference from here: http://jingyan.baidu.com/article/597a06436a687f312b5243f3.html Basically it looks like this: ---------------------------------- 清理前内存使用情况 free –m 或者 free 清理内存 echo 1 > /proc/sys/vm/drop_caches 清理后内存

Linux core dump 分析及相关调试

core是core dump文件,是linux服务器的一种机制.core是个程序的严重问题,会致使程序直接挂掉,需要恢复. 需要注意的东西 在程序挂掉的过程中,会纪录程序的内存信息和cpu调用堆栈信息,当程序占用大量内存的时候,比如40G,那core文件可能会达到60G多,那写文件会持续数十分钟,这么长时间流量都会损失,并且写大文件对wio的占用特别大,严重影响本台服务器的其他服务,对于在线服务,会用很多超时,或者严重的是一段时间无法提供服务.所以,core文件监控,大小控制也很重要. 产生的原

Segment fault及LINUX core dump详解 (zz)

C 程序在进行中发生segment fault(core dump)错误,通常与内存操作不当有关,主要有以下几种情况: (1)数组越界. (2)修改了只读内存. (3)scanf("%d",n),n不是指针. …… 1. 前言: 有的程序可以通过编译, 但在运行时会出现Segment fault(段错误). 这通常都是指针错误引起的. 但这不像编译错误一样会提示到文件->行, 而是没有任何信息, 使得我们的调试变得困难起来. 2. gdb: 有一种办法是, 我们用gdb的step

LINUX core dump详解(转)

转自:http://blog.163.com/[email protected]/blog/static/8442751200710255441327/ 1. 前言: 有的程序可以通过编译, 但在运行时会出现Segment fault(段错误). 这通常都是指针错误引起的. 但这不像编译错误一样会提示到文件->行, 而是没有任何信息, 使得我们的调试变得困难起来.2. gdb: 有一种办法是, 我们用gdb的step, 一步一步寻找. 这放在短小的代码中是可行的, 但要让你step一个上万行的代

如何展开Linux Memory Management学习?

Linux的进程和内存是两座大山,没有翻过这两座大山对于内核的理解始终是不完整的. 关于Linux内存管理,在开始之前做些准备工作. 首先bing到了Quora的<How can one really learn Linux Kernel Memory Management?>,这也是大部分初学者,或者说大部分Linux内核开发人员的疑问? 正如Vaishali Thakkar所说,最好的方法是读代码,但是面对这么庞杂的代码,往往是无从下手.Vaishali Thakkar推荐从LSF/MM论