Using dd to search for strings in memory or devices
In a page on
# dd if=/dev/mem | hexdump -C | grep "string to search for"
The problem is that hexdump -C prints 16 ASCII characters between pipes and then a newline before the next 16. A string that crosses that 16-character boundary never appears on a single line, so grep can't match it. To find anything longer than 16 characters this way you have to strip the pipes and concatenate the lines back together first.
I found this works better:
# dd if=/dev/mem | hexdump -C | sed -e 's/.* |//' -e 's/|$//' | awk '{printf "%s", $0 }' | sed 's/\.\.\.\./\.\.\.\.\n/g'
The last sed is optional. If you don't use it, everything will be one long line. My memory contents contained tons of periods, so I break the stream after each run of four periods. You could break at a specific string if you wanted.
If you want to search more interactively, you can pipe it to ‘less’ so you can easily search over and over throughout the contents.
f....
....
t..$....
p.q.p....
....
f.KW3Sf... .$.."....
..Virtual Appliance boot failed....
Continuing with normal boot sequence...Error Code: .A configuration change was requested to ena ble VT, TxT, TPM, and VA... Press Y to accept or N to reject the change request....
.w..h@..h....
....
.=..t.j..f..|....
j..f....
.h...f..<....
....
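The sed/awk reassembly above is a text-level workaround, and its two limits are worth seeing: every non-printable byte becomes a "." (so a match can be a false positive), and once hexdump collapses a run of identical lines into a "*", positions in the joined text no longer equal memory offsets. The following is an added example, not code from the original post; it takes a constructed hexdump -C transcript (the hex lines are made up for the example, not a real dump), reproduces what the pipeline does to the ASCII column, and contrasts it with parsing the hex column back to bytes, which gives exact, offset-accurate matches. Nothing here reads /dev/mem.

```python
"""Added example (not code from the original post): reassemble the ASCII
column of `hexdump -C` output, as the post's sed/awk pipeline does, and
compare it with searching the raw bytes rebuilt from the hex column,
which gives exact offsets and is not fooled by the '.' that hexdump
prints for every non-printable byte. Input is a constructed transcript."""
import re

# Constructed sample of `hexdump -C` output (not a real memory dump).
# "Virtual Appliance boot failed" straddles two 16-byte lines, and the
# "*" line marks a run of identical lines that hexdump collapsed.
SAMPLE_HEXDUMP = """\
00000000  00 01 02 03 04 05 06 07  56 69 72 74 75 61 6c 20  |........Virtual |
00000010  41 70 70 6c 69 61 6e 63  65 20 62 6f 6f 74 20 66  |Appliance boot f|
00000020  61 69 6c 65 64 00 00 00  50 72 65 73 73 20 59 20  |ailed...Press Y |
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000050  38 38 38 38 00 00 00 00  00 00 00 00 00 00 00 00  |8888............|
00000060
"""

LINE_RE = re.compile(r"^([0-9a-f]{8})\s+((?:[0-9a-f]{2}\s+)+)\|(.*)\|$")
END_RE = re.compile(r"^([0-9a-f]{8})$")


def grep_lines(text: str, needle: str) -> list[str]:
    """Plain `grep needle` over the dump: line-by-line hits only, so a
    string split across the 16-byte boundary is never found."""
    return [line for line in text.splitlines() if needle in line]


def ascii_column(text: str) -> str:
    """Equivalent of the post's sed -e 's/.* |//' -e 's/|$//' | awk '{printf "%s", $0}'
    step: keep only the text between the pipes and concatenate it."""
    return "".join(m.group(3) for m in map(LINE_RE.match, text.splitlines()) if m)


def parse_hexdump_c(text: str) -> bytes:
    """Rebuild the raw bytes from the hex column, expanding "*" lines from
    the offsets so that positions in the result equal offsets in the dump."""
    out = bytearray()
    last_chunk = b""
    repeating = False
    for line in text.splitlines():
        if line == "*":
            repeating = True
            continue
        m = LINE_RE.match(line)
        if m:
            offset, chunk = int(m.group(1), 16), bytes.fromhex(m.group(2))
        elif (m := END_RE.match(line)):
            offset, chunk = int(m.group(1), 16), b""   # final length-only line
        else:
            raise ValueError(f"unrecognised hexdump line: {line!r}")
        if repeating:
            if not last_chunk:
                raise ValueError("'*' with no preceding data line")
            while len(out) < offset:          # replay the collapsed lines
                out += last_chunk
            repeating = False
        if len(out) != offset:
            raise ValueError(f"offset {offset:#x} does not follow {len(out):#x}")
        out += chunk
        last_chunk = chunk
    return bytes(out)


def find_all(haystack: bytes, needle: bytes) -> list[int]:
    """All (possibly overlapping) offsets of needle in haystack."""
    hits, start = [], 0
    while (pos := haystack.find(needle, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


if __name__ == "__main__":
    target = "Virtual Appliance boot failed"
    print("grep per line:", grep_lines(SAMPLE_HEXDUMP, target))        # []
    joined = ascii_column(SAMPLE_HEXDUMP)
    print("ascii column :", joined.find(target))                        # 8
    mem = parse_hexdump_c(SAMPLE_HEXDUMP)
    print("raw bytes    :", find_all(mem, target.encode()))             # [8]
    # After a collapsed "*" run the ASCII-column position drifts from the
    # real offset: "8888" is at text index 64 but at memory offset 0x50.
    print("8888 in text :", joined.find("8888"), "in memory:", find_all(mem, b"8888"))
```

The byte-level search is also what you want when the string you are looking for contains non-printable bytes (a NUL-separated pair of words, say): in the ASCII column those bytes are indistinguishable from any other ".", while the rebuilt bytes let you match them exactly.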
3 thoughts on “Using dd to search for strings in memory or devices”
on kernel 2.6.35.11-83.fc14.x86_64 this does not work:
$ export LANG=C ;sudo dd if=/dev/mem | hexdump -C | grep "8888"
dd: reading `/dev/mem': Operation not permitted
@Alex if your kernel was compiled with STRICT_DEVMEM=y (see e.g. /boot/config-KERNELVERSION) then only the first 1MB is read from /dev/mem. This isn't so much a kernel version issue, as a result of how your own machine's kernel was compiled; most distro kernels will have this restriction in place for good reason.
You can download and insmod the forensic kernel module fmem to work around this; at your own risk! rmmod it as soon as possible afterwards. The fmem module provides a /dev/fmem device without any security restrictions.
A quick way to check for something like STRICT_DEVMEM=y is to grep it from your kernel sources. Fedora’s package that includes the saved config is “kernel-devel”.
$ grep DEVMEM /usr/src/kernels/`uname -r`/include/config/auto.conf
CONFIG_STRICT_DEVMEM=y