How to see the content of RAM memory?

14

8

Is there any way to see the content of the RAM memory? From the first byte until the last one. I'd like to see where the OS and all the processes running on it are located in the RAM. Is this possible?

osta

Posted 2012-09-09T00:37:35.840

Reputation: 143

Question was closed 2012-09-09T16:59:05.077

I would add that on a virtual memory OS this will be a fairly frustrating exercise, because the content will be constantly changing due to paging. – Jamie Hanrahan – 2015-03-02T05:28:18.780

1

As a user process in a protected memory environment, you only have access to the user's copy of its virtual memory space. Kernel memory space, other users' virtual memory space, and unused physical memory are all protected from your prying eyes. On the other hand, a random in time snapshot of physical SDRAM will not mean much unless you know the virtual memory mappings. – sawdust – 2012-09-09T00:47:30.513

Random access memory memory? So the page allocation table? – ta.speot.is – 2012-09-09T00:48:42.713

What exactly are you trying to accomplish? http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem – bwDraco – 2012-09-09T00:57:20.780

You'd probably be much happier with some tool that shows how memory is allocated, vs actually looking at the 1s and 0s. – Daniel R Hicks – 2012-09-09T01:31:11.320

1

It was just out of curiosity – osta – 2012-09-09T03:24:04.807

Answers

8

You could use a kernel debugger, which would allow for "raw" memory access, like SoftICE for Windows. You can also configure GDB to act as a debugger for the Linux kernel. If a virtual machine is an option, some virtualization software supports saving the machine's state (including RAM) to disk, which can then be further analyzed. It should be noted, however, that most "modern" operating systems use address space layout randomization (ASLR). The true physical memory map of the system is purposely fragmented to help mitigate various security issues and exploits (i.e. stack/heap buffer overflows).

For a given program running in a modern operating system, however, you could obtain a logical memory map for a given process/thread - so long as you have the appropriate debugging symbols and debugger. If you want an overall view, if the software/hardware uses virtual memory, the situation becomes drastically more complex. Again though, if you literally want what's just on the RAM, see the first paragraph.

Breakthrough

Posted 2012-09-09T00:37:35.840

Reputation: 32 927

9

On Windows, the contents of physical memory can be accessed through the \Device\PhysicalMemory object in the Object Manager. This requires kernel-level access to the system, which means you would need to install a program, most likely a kernel-mode driver, to access this object.

On Linux, the contents of physical memory can be directly accessed as binary data by reading /dev/mem as root. See "What is /dev/mem?" and the mem(4) man page for more details.

I'm not sure why you need to determine where the operating system and processes are located in physical memory, though...

bwDraco

Posted 2012-09-09T00:37:35.840

Reputation: 41 701

1

Not any more. As of Server 2003 and in all later versions, the \Device\PhysicalMemory object cannot be opened from user mode. RAMMap and most of the other Sysinternals tools include a kernel mode driver to do that part of their work. – Jamie Hanrahan – 2015-03-02T05:21:45.493

3

On Windows, you can, in fact, open \Device\PhysicalMemory (equivalent to /dev/kmem), as RAMMap and PhysMem utilities do. – user1686 – 2012-09-09T09:01:19.743
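An added example, not part of any answer above: on Linux, /proc/iomem lists the physical address ranges behind /dev/mem, including where the kernel image sits, so it shows the layout the question asks about without reading raw memory. The sample text and the function names are constructed for illustration; a reader without root sees every address as zero, which the code reports.

```python
import re

# Constructed sample in /proc/iomem format (not captured from a real machine).
SAMPLE_IOMEM = """\
00000000-00000fff : Reserved
00001000-0009fbff : System RAM
000a0000-000bffff : PCI Bus 0000:00
00100000-bffdffff : System RAM
  01000000-01e00fff : Kernel code
  02000000-0289dfff : Kernel rodata
  02a00000-02d3ffff : Kernel data
  03100000-035fffff : Kernel bss
100000000-13fffffff : System RAM
"""

LINE = re.compile(r"^(\s*)([0-9a-f]+)-([0-9a-f]+) : (.*)$")

def parse_iomem(text):
    """Return (depth, start, end, name) tuples; end addresses are inclusive."""
    regions = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip blank or unexpected lines
        indent, start, end, name = m.groups()
        # /proc/iomem indents nested resources by two spaces per level
        regions.append((len(indent) // 2, int(start, 16), int(end, 16), name.strip()))
    return regions

def summarize(regions):
    """Total bytes of top-level System RAM, plus the kernel image's nested ranges."""
    ram = sum(e - s + 1 for d, s, e, n in regions if d == 0 and n == "System RAM")
    kernel = {n: (s, e) for d, s, e, n in regions if d > 0 and n.startswith("Kernel ")}
    return ram, kernel

def addresses_hidden(regions):
    """True when every range reads as zero (what an unprivileged reader gets)."""
    return bool(regions) and all(s == 0 and e == 0 for _, s, e, _ in regions)

if __name__ == "__main__":
    try:
        with open("/proc/iomem") as f:
            text = f.read()
    except OSError:
        text = SAMPLE_IOMEM  # not on Linux: fall back to the constructed sample
    regions = parse_iomem(text)
    if addresses_hidden(regions):
        print("addresses are masked; re-run as root to see the real ranges")
    ram, kernel = summarize(regions)
    print(f"System RAM: {ram / 2**20:.1f} MiB")
    for name, (start, end) in kernel.items():
        print(f"{name:14s} {start:#014x}-{end:#014x}")
```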