how dump a program which is running in memory

Wojtek Walczak gminick at bzt.bzt
Thu Sep 11 14:43:20 CEST 2008


On Thu, 11 Sep 2008 02:31:23 -0700 (PDT), ruqiang826 wrote:

> I have written a service running backgroud to do something in linux.
> unfortunately,I deleted the source code by mistake, and I can still
> see the process running background using "ps aux" :
>
> username   13820  0.0  0.0 60368 2964 ?        S    Aug20   0:33
> python ./UpdateJobStatus.py
>
>
> I wonder if there is some way to dump the programme
> "UpdateJobStatus.py" and get the source code back?

The best way to do it would be to undelete the file,
just as Gerhard suggested.

If you remember any line (or piece) of code from the UpdateJobStatus.py
file you can try to dump the /dev/mem to the hard disk, and then grep
through it (remember that you need root priviledges to access /dev/mem).

I tried it with this code:

http://www.mail-archive.com/linuxbios@listman.lanl.gov/msg03696.html

with a small modification of this line:
nvram = (strtol(argv[1], 0, 0)) << 16;
changed to:
nvram = (strtol(argv[1], 0, 0));

After compilation I just did:
./a.out 0x0 0xffffffff > memdump
to get the memory dump.

I am not a memory expert, but 0xffffffff should be enough
for <= 4GB of RAM. If you got more, increase it.

And to make it clear: I do not recommend this way of sorting
things out :)

-- 
Regards,
Wojtek Walczak,
http://tosh.pl/gminick/



More information about the Python-list mailing list