Why?
You want to inspect process memory to enable further pivots within an environment.
When?
You have root access to a Linux host, and no Linux Security Modules block access to /proc.
How?
A statically linked binary is especially convenient here - as is learning from how others have solved the problem (e.g. from Sliver's Dump Process Memory command).
This Nim code reads the mapping metadata from /proc/pid/maps and dumps to stdout the ranges of /proc/pid/mem that are readable, non-executable and not file-backed. My experience mirrored the Sliver developer's in that [vvar] and [vdso] errored out when attempting to read them:
```nim
import std/os
import std/strutils
import std/strformat

if paramCount() != 1:
  echo &"Usage: {paramStr(0)} <pid>"
  quit(1)

let pid = paramStr(1)
let f = open(&"/proc/{pid}/mem")

for line in lines(&"/proc/{pid}/maps"):
  # fields: address perms offset dev inode [pathname]
  let parts = line.split(" ")
  # readable memory but not executable code
  if parts[1][0] == 'r' and not parts[1].contains('x'):
    # skip files mapped into memory (anonymous mappings have device 00:00)
    if parts[3] == "00:00":
      # skip memory we will error out accessing
      if not (line.endsWith("[vvar]") or line.endsWith("[vdso]")):
        let addresses = parts[0].split("-")
        let offset_start = addresses[0].parseHexInt()
        let offset_end = addresses[1].parseHexInt()
        f.setFilePos(offset_start)
        var buffer: array[1024, int8]
        var remaining = offset_end - offset_start
        while remaining > 0:
          let n = f.readBytes(buffer, 0, min(remaining, 1024))
          if n <= 0:
            # short read: the rest of this region is unreadable, move on
            # (without this check a read error would loop forever)
            break
          remaining -= n
          discard stdout.writeBytes(buffer, 0, n)

f.close()
```
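To make the region-selection rule above explicit without touching /proc/pid/mem at all, here is an added example (my own code, not part of the original post or of Sliver) that parses /proc/pid/maps lines and reports which regions the rule would select. The input lines are constructed for the example, not captured from a real host; the `Mapping` type and function names are my own.

```python
from dataclasses import dataclass

# Constructed /proc/<pid>/maps lines (not captured from a real process).
# Format: address perms offset dev inode [pathname]
SAMPLE_MAPS = """\
55d3c0a00000-55d3c0a01000 r--p 00000000 08:01 1310722 /usr/bin/sleep
55d3c0a01000-55d3c0a05000 r-xp 00001000 08:01 1310722 /usr/bin/sleep
55d3c2c1d000-55d3c2c3e000 rw-p 00000000 00:00 0 [heap]
7f1a8c000000-7f1a8c021000 rw-p 00000000 00:00 0
7ffd4f3ea000-7ffd4f40b000 rw-p 00000000 00:00 0 [stack]
7ffd4f3fe000-7ffd4f402000 r--p 00000000 00:00 0 [vvar]
7ffd4f402000-7ffd4f404000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
"""

# Pseudo-files the post reports as unreadable through /proc/<pid>/mem.
SKIP_NAMES = {"[vvar]", "[vdso]"}


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    offset: int
    dev: str
    inode: int
    path: str  # "" for anonymous mappings without a name


def parse_maps_line(line: str) -> Mapping:
    """Parse one maps line; the pathname is optional and may contain spaces."""
    fields = line.split(None, 5)
    addr, perms, offset, dev, inode = fields[:5]
    path = fields[5].strip() if len(fields) == 6 else ""
    start, end = (int(x, 16) for x in addr.split("-"))
    return Mapping(start, end, perms, int(offset, 16), dev, int(inode), path)


def parse_maps(text: str) -> list[Mapping]:
    return [parse_maps_line(line) for line in text.splitlines() if line.strip()]


def is_dump_candidate(m: Mapping) -> bool:
    """Same rule as the Nim loop: readable, not executable, anonymous, not vvar/vdso."""
    return (
        m.perms[0] == "r"
        and "x" not in m.perms
        and m.dev == "00:00"  # device 00:00 means not backed by a file
        and m.path not in SKIP_NAMES
    )


def select_regions(text: str) -> list[tuple[int, int, str]]:
    """Return (start, end, name) for every region the rule would read."""
    return [(m.start, m.end, m.path) for m in parse_maps(text) if is_dump_candidate(m)]


def selected_bytes(text: str) -> int:
    """Total size of the selected regions, i.e. the size of the resulting dump."""
    return sum(end - start for start, end, _ in select_regions(text))


if __name__ == "__main__":
    for start, end, name in select_regions(SAMPLE_MAPS):
        print(f"{start:016x}-{end:016x} {end - start:>8} {name or '(anonymous)'}")
    print("total:", selected_bytes(SAMPLE_MAPS))
```

Two points worth keeping in mind when reading the output: the file-backed text segments of the binary and the executable [vdso] page are dropped by the permission and device checks, and the named-but-unreadable [vvar] page is dropped only because of the explicit skip list. Access to /proc/pid/mem is also subject to the kernel's ptrace access check, so on hosts where Yama's ptrace_scope (or another LSM) restricts attaching, the open or the reads will fail even as root in the stricter scopes; that is the control a defender looks at first.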