Dumping Executable's Image
- 01-24-2010 #1 (Just Joined!; Join Date: Jan 2010; Posts: 9)
hey everyone,
I am trying to develop a simple raw file system driver (which will read from the given sectors of hdd) but having a little problems.
Let's say I have a single application like ;
#include <stdio.h>

int main(void) {
    printf("yea!!\n");
    return 0;
}
Once I execute it, it will take its place in memory and exit after a short while. What I would like to do is take a snapshot of it while it is in memory so that I can later save that image, load the specified sector from my raw driver into memory and execute the code. Is there such a tool for dumping an executable's image from memory?
I hope I could express what I wanted to.
I couldn't find anything related to this, so I would appreciate suggestions!
Cheers!
- 01-24-2010 #2
I do not know of an existing utility to do this, but I think I know how you could do it.
Every currently-running process has a space in the proc filesystem, located under /proc. So if you launch your process, you can find it under /proc/PID, where PID is that process's PID, obviously.
The /proc/PID/mem file allows you to read the memory of a running process. It works just like a file: open() it, lseek() to the position you want, and read().
Using this, you should be able to write a program to dump a process's memory.
DISTRO=Arch
Registered Linux User #388732
- 01-25-2010 #3 (Just Joined!; Join Date: Jan 2010; Posts: 9)
On Ubuntu I try to cat /proc/PID/mem, but cat returns 'No such process'; trying to copy it to a different location doesn't work either.
On the other hand, I want to dump the whole executable image to a file (note that I will load the executable into memory from direct disk access). Isn't /proc/PID about the memory map (variables, etc.) of the executable?
- 01-25-2010 #4
You need to replace "PID" with the process ID of the process that you want to dump.
And dumping /proc/PID/mem will dump all of memory, which includes the executable. It will also include the stack, which includes most variables.
If you only want the executable itself, why are you getting it from memory? When you compile an application, you will obtain an executable file: this is the executable. There may be formatting in it that you don't need (ELF headers, etc.), but by playing with gcc and ld options, you can change the output to a format that you need.
DISTRO=Arch
Registered Linux User #388732
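A dumper along the lines described in #2 and #4, added here as an example and not code from anyone in the thread: it walks /proc/PID/maps for the address ranges, pread()s each readable one from /proc/PID/mem into a file, and then searches the dump for a marker string to confirm the copy worked. The function names and the marker are my own, and it assumes a target the reader is allowed to access (its own pid, or a same-uid process it may ptrace).

```c
#define _GNU_SOURCE                       /* for memmem() */
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <inttypes.h>
static char chunk[1 << 16];                      /* shared I/O buffer */
char dump_marker[] = "DUMP-MARKER-0123456789";   /* constructed marker in .data; a self-dump must contain it */
/* Copy every readable mapping of `pid` into `out_path`: walk /proc/PID/maps for the address
 * ranges and pread() each one from /proc/PID/mem. Returns bytes written, or -1 on failure.
 * Assumption: the reader may access the target. Before Linux 2.6.39 the reader also had to be
 * PTRACE_ATTACHed to a stopped target; otherwise read() failed with ESRCH ("No such process"). */
long dump_process_memory(pid_t pid, const char *out_path)
{
    char path[64], line[512]; long total = 0;
    snprintf(path, sizeof path, "/proc/%d/maps", (int)pid);
    FILE *maps = fopen(path, "r"); if (!maps) return -1;
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int mem = open(path, O_RDONLY);
    int out = open(out_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (mem < 0 || out < 0) { total = -1; goto done; }
    while (fgets(line, sizeof line, maps)) {
        uintptr_t lo, hi; char perms[5];
        if (sscanf(line, "%" SCNxPTR "-%" SCNxPTR " %4s", &lo, &hi, perms) != 3) continue;
        if (perms[0] != 'r') continue;             /* guard pages and PROT_NONE reservations */
        for (uintptr_t off = lo; off < hi; ) {
            ssize_t n = pread(mem, chunk, hi - off < sizeof chunk ? hi - off : sizeof chunk, (off_t)off);
            if (n <= 0) break;                     /* [vvar]/[vsyscall], or a region that vanished */
            if (write(out, chunk, (size_t)n) != n) { total = -1; goto done; }
            total += n; off += (uintptr_t)n;
        }
    }
done:
    if (mem >= 0) close(mem); if (out >= 0) close(out);
    fclose(maps); return total;
}
/* Search a dump for `needle`, even when it straddles two chunks: 1 found, 0 not, -1 error. */
int dump_contains(const char *dump_path, const char *needle)
{
    FILE *f = fopen(dump_path, "rb"); if (!f) return -1;
    size_t nlen = strlen(needle), keep = 0, got; int found = 0;
    while (!found && (got = fread(chunk + keep, 1, sizeof chunk - keep, f)) > 0) {
        size_t have = keep + got;
        found = memmem(chunk, have, needle, nlen) != NULL;
        keep = have >= nlen ? nlen - 1 : have;     /* carry the tail across the chunk boundary */
        memmove(chunk, chunk + have - keep, keep);
    }
    fclose(f); return found;
}
```

The dump is the whole address space (code, data, heap, stack and shared libraries), not just the program's own image; to recover only the executable's sections you would need to keep the offsets from /proc/PID/maps alongside the bytes.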