vmadump - Dump the shared VMA of a process
DOWNLOAD
The tool can be downloaded here.
SYNOPSIS
vmadump [ -h ] [ -d level ] [ -o offset ] [ -s size ] [ -p pattern ] [ -P pid ] [ -F ]
DESCRIPTION
vmadump(1) maps shared virtual memory areas of a source process (-P option) as a set of contiguous memory regions and dumps a given part (-o and -s) of the resulting whole area to the standard output. The areas to map from the source process are identified by patterns (one or more -p options).
OPTIONS
vmadump(1) accepts the following options:
- -h, --help
Display the help of the command.
- -d, --debug = level
Sets the debug mode to level. The higher the value, the more traces you get on standard error.
- -p, --pattern = pattern
Specify the pattern of the memory region names to map from the source process. This option can appear multiple times if several patterns are required. The pattern accepts the following wildcards:
- * : Match 0 or n characters
- + : Match 1 or n characters
- ? : Match 0 or 1 character
- . : Match 1 character
- $ : Match 0 or n digits
- ! : Match 1 or n digits
- % : Match 0 or 1 digit
- : : Match 1 digit
- \ : Escape the following character (it is matched literally)
- -F, --force
The tool tries to map the memory areas at the same virtual address as the source process. This option triggers an error if the mapping address can't be the same. This option is quite useless (available for fun)...
- -P, --pid = pid
Process identifier of the source process from which the memory areas are mapped.
- -o, --offset = offset
Offset in bytes of the area to dump.
- -s, --size = size
Size in bytes of the area to dump.
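The wildcard table of the -p option, written out as a small recursive matcher. This is an added example, not vmadump's own source: the function names vma_match and repeat are hypothetical, and the semantics are assumed to be exactly what the table states, with the pattern required to match the whole region name.

```c
#include <ctype.h>
#include <stdio.h>

int vma_match(const char *p, const char *s);

/* Consume between min and max characters (max < 0: no upper bound),
 * restricted to digits when digits_only is set, then match the rest. */
static int repeat(const char *rest, const char *s, int min, int max, int digits_only)
{
    for (int n = 0; ; n++) {
        if (n >= min && vma_match(rest, s + n))
            return 1;
        if (max >= 0 && n >= max)
            return 0;
        if (s[n] == '\0' || (digits_only && !isdigit((unsigned char)s[n])))
            return 0;
    }
}

/* Return 1 when the whole name s matches pattern p, 0 otherwise. */
int vma_match(const char *p, const char *s)
{
    switch (*p) {
    case '\0': return *s == '\0';
    case '*':  return repeat(p + 1, s, 0, -1, 0);  /* 0 or n characters */
    case '+':  return repeat(p + 1, s, 1, -1, 0);  /* 1 or n characters */
    case '?':  return repeat(p + 1, s, 0, 1, 0);   /* 0 or 1 character  */
    case '.':  return repeat(p + 1, s, 1, 1, 0);   /* 1 character       */
    case '$':  return repeat(p + 1, s, 0, -1, 1);  /* 0 or n digits     */
    case '!':  return repeat(p + 1, s, 1, -1, 1);  /* 1 or n digits     */
    case '%':  return repeat(p + 1, s, 0, 1, 1);   /* 0 or 1 digit      */
    case ':':  return repeat(p + 1, s, 1, 1, 1);   /* 1 digit           */
    case '\\': if (p[1] != '\0') p++;              /* next char is literal */
               /* fall through */
    default:   return *s == *p && vma_match(p + 1, s + 1);
    }
}

int main(void)
{
    const char *pat = "/tmp/hpfs/ccsrt_0x1231map_!";
    printf("%d\n", vma_match(pat, "/tmp/hpfs/ccsrt_0x1231map_5"));
    printf("%d\n", vma_match(pat, "/usr/lib/x86_64-linux-gnu/libc-2.31.so"));
    return 0;
}
```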
EXIT CODE
The exit code of vmadump(1) is 0 on success and 1 upon error.
EXAMPLE
Let's consider a process (pid 3101) mapping several shared memory areas tagged with '/tmp/hpfs/ccsrt_0x1231map_digits'. Their permission field contains 's':
# cat /proc/3101/maps
[...]
5598ce37f000-5598ce3a0000 rw-p 00000000 00:00 0 [heap]
7fa963400000-7fa963800000 rw-s 00000000 00:3b 51560 /tmp/hpfs/ccsrt_0x1231map_5
7fa963800000-7fa963a00000 rw-s 00000000 00:3b 51559 /tmp/hpfs/ccsrt_0x1231map_4
7fa963a00000-7fa964000000 rw-s 00000000 00:3b 51558 /tmp/hpfs/ccsrt_0x1231map_3
7fa964000000-7fa964400000 rw-s 00000000 00:3b 51557 /tmp/hpfs/ccsrt_0x1231map_2
7fa964400000-7fa964600000 rw-s 00000000 00:3b 51556 /tmp/hpfs/ccsrt_0x1231map_1
7fa96463b000-7fa964660000 r--p 00000000 08:01 28314672 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7fa964660000-7fa9647d8000 r-xp 00025000 08:01 28314672 /usr/lib/x86_64-linux-gnu/libc-2.31.so
[...]
To dump 5400000 bytes from offset 4194302 of the areas tagged with the pattern '/tmp/hpfs/ccsrt_0x1231map_!' ('!' is the wildcard for 1 or more digits) into the output file named 'foo', vmadump(1) is called as follows:
# vmadump -P 3101 -p /tmp/hpfs/ccsrt_0x1231map_! -o 4194302 -s 5400000 > foo
# ls -l foo
-rw-rw-r-- 1 rachid rachid 5400000 sept. 6 06:33 foo
The same command with the debug level set to 5:
# vmadump -P 3101 -p /tmp/hpfs/ccsrt_0x1231map_! -o 4194302 -s 5400000 -d 5 > foo
DBG_4 (mm_map_pid#481): File name '/tmp/hpfs/ccsrt_0x1231map_5' matched pattern '/tmp/hpfs/ccsrt_0x1231map_!'
DBG_4 (mm_map_pid#542): New VMA: '/tmp/hpfs/ccsrt_0x1231map_5', 0x7fa963400000-0x7fa963800000 (4194304 bytes)
DBG_4 (mm_map_pid#481): File name '/tmp/hpfs/ccsrt_0x1231map_4' matched pattern '/tmp/hpfs/ccsrt_0x1231map_!'
DBG_4 (mm_map_pid#542): New VMA: '/tmp/hpfs/ccsrt_0x1231map_4', 0x7fa963800000-0x7fa963a00000 (2097152 bytes)
DBG_4 (mm_map_pid#481): File name '/tmp/hpfs/ccsrt_0x1231map_3' matched pattern '/tmp/hpfs/ccsrt_0x1231map_!'
DBG_4 (mm_map_pid#542): New VMA: '/tmp/hpfs/ccsrt_0x1231map_3', 0x7fa963a00000-0x7fa964000000 (6291456 bytes)
DBG_4 (mm_map_pid#481): File name '/tmp/hpfs/ccsrt_0x1231map_2' matched pattern '/tmp/hpfs/ccsrt_0x1231map_!'
DBG_4 (mm_map_pid#542): New VMA: '/tmp/hpfs/ccsrt_0x1231map_2', 0x7fa964000000-0x7fa964400000 (4194304 bytes)
DBG_4 (mm_map_pid#481): File name '/tmp/hpfs/ccsrt_0x1231map_1' matched pattern '/tmp/hpfs/ccsrt_0x1231map_!'
DBG_4 (mm_map_pid#542): New VMA: '/tmp/hpfs/ccsrt_0x1231map_1', 0x7fa964400000-0x7fa964600000 (2097152 bytes)
DBG_1 (main#852): Mmapped '/tmp/hpfs/ccsrt_0x1231map_5' (fd=3, size=4194304) @ 0x7fa963400000 (Same as source process)
DBG_1 (main#852): Mmapped '/tmp/hpfs/ccsrt_0x1231map_4' (fd=4, size=2097152) @ 0x7fa963800000 (Same as source process)
DBG_1 (main#852): Mmapped '/tmp/hpfs/ccsrt_0x1231map_3' (fd=5, size=6291456) @ 0x7fa963a00000 (Same as source process)
DBG_1 (main#852): Mmapped '/tmp/hpfs/ccsrt_0x1231map_2' (fd=6, size=4194304) @ 0x7fa964000000 (Same as source process)
DBG_1 (main#852): Mmapped '/tmp/hpfs/ccsrt_0x1231map_1' (fd=7, size=2097152) @ 0x7fa964400000 (Same as source process)
DBG_1 (main#877): Dumping 5400000 bytes from offset 4194302
DBG_2 (main#896): Dumping 2 bytes from offset 4194302 in '/tmp/hpfs/ccsrt_0x1231map_5'
DBG_2 (main#896): Dumping 2097152 bytes from offset 0 in '/tmp/hpfs/ccsrt_0x1231map_4'
DBG_2 (main#896): Dumping 3302846 bytes from offset 0 in '/tmp/hpfs/ccsrt_0x1231map_3'
# ls -l foo
-rw-rw-r-- 1 rachid rachid 5400000 sept. 6 06:34 foo
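The DBG_2 lines above show how a single offset/size request is split across the concatenated areas. The following added example (not vmadump's own source) reproduces that arithmetic. The names split_dump and struct chunk are hypothetical, and rejecting a request that runs past the end of the last area is an assumption, since the page does not say how the tool handles that case.

```c
#include <stddef.h>
#include <stdio.h>

struct chunk { size_t vma; size_t off; size_t len; };

/* Split the request [offset, offset + size) of the concatenated area into
 * per-VMA chunks. sizes[] holds the VMA sizes in mapping order.
 * Returns the number of chunks written to out[], or -1 when the request
 * does not fit in the concatenated area or out[] is too small. */
int split_dump(const size_t *sizes, size_t n, size_t offset, size_t size,
               struct chunk *out, size_t max_out)
{
    size_t total = 0, count = 0;
    for (size_t i = 0; i < n; i++)
        total += sizes[i];
    /* Compared this way so that offset + size cannot overflow. */
    if (offset > total || size > total - offset)
        return -1;

    for (size_t i = 0; i < n && size > 0; i++) {
        if (offset >= sizes[i]) {        /* request starts after this VMA */
            offset -= sizes[i];
            continue;
        }
        size_t len = sizes[i] - offset;  /* bytes left in this VMA */
        if (len > size)
            len = size;
        if (count == max_out)
            return -1;
        out[count++] = (struct chunk){ i, offset, len };
        size -= len;
        offset = 0;                      /* later VMAs are read from their start */
    }
    return (int)count;
}

int main(void)
{
    /* VMA sizes taken from the debug trace, in mapping order (map_5 ... map_1). */
    const size_t sizes[] = { 4194304, 2097152, 6291456, 4194304, 2097152 };
    struct chunk c[5];
    int k = split_dump(sizes, 5, 4194302, 5400000, c, 5);
    for (int i = 0; i < k; i++)
        printf("VMA %zu: %zu bytes from offset %zu\n", c[i].vma, c[i].len, c[i].off);
    return 0;
}
```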