9
1
I am using Ubuntu 12.04
I read the following tutorial on how to access the contents of RAM in Linux....
http://www.rootninja.com/using-dd-to-search-for-strings-in-memory-or-devices/
Code:
dd if=/dev/mem | hexdump -C | grep “string to search for”
So, I run the code...
Code:
sudo dd if=/dev/mem | hexdump -C > NAMEOFOUTPUTFILEHERE.txt
And... it starts pumping out HEX code, until a few seconds later, where it says:
dd: reading `/dev/mem': Operation not permitted
2056+0 records in
2056+0 records out
1052672 bytes (1.1 MB) copied, 0.44834 s, 2.3 MB/s
So basically.. I am able to get about 3.3 MB of RAM dump contents-- until the program stops, saying "Operation not permitted"
And so I am wondering why am I not able to dump the entire contents of RAM? Is this a deliberate limitation in Ubuntu, to stop malicious hackers? Or, is it something else? Does anybody know? Thanks
1" am able to get about 3.3 MB of RAM dump contents-". Uhm, you are? All I see is
1052672 bytes (1.1 MB) copied
. Not 3.3MB (nor 2.3MB/sec which was a speed). – Hennes – 2015-08-08T10:01:23.2273OK... forget it... turns out Ubuntu has 1 MB limit on RAM extraction, as defined in the kernel.. and obviously, that's good security, because then a hacker can't extract your passwords from RAM etc...
And so... yeah.... this thread is now SOLVED
Here is the full info, for anyone interested.... – None – 2013-03-07T13:19:31.137
1if your kernel was compiled with STRICT_DEVMEM=y (see e.g. /boot/config-KERNELVERSION) then only the first 1MB is read from /dev/mem . This isn’t so much a kernel version issue, as a result of how your own machine’s kernel was compiled; most distro kernels will have this restriction in place for good reason.
You can download and insmod the forensic kernel module fmem to work around this; at your own risk! rmmod it as soon as possible afterwards. The fmem module provides a /dev/fmem device without any security restrictions. – None – 2013-03-07T13:20:16.800