memdump
Utility to dump memory contents to standard output, skipping over holes in memory maps. By default, dumps physical memory contents.
Description
memdump is a program which dumps system memory to the standard output stream. It skips over holes in memory maps and is useful in security tests and forensics investigations.
This tool will not work if CONFIG_STRICT_DEVMEM is enabled in the kernel; several kernels have enabled it by default since version 2.6. memdump provides options to control buffer size, target kernel or physical memory, memory mapping, page size, dump size, and verbose output for debugging.
memdump supports dumping either physical memory (default) or kernel memory, with customizable parameters for size and buffering.
How It Works
memdump reads system memory contents, skipping holes in memory maps, and outputs to standard output. It uses system page size by default for reading and dumping but allows specification of read buffer size, memory page size, and total dump size. The -k option switches from physical memory to kernel memory. The -m option prints the memory map without dumping contents. Verbose mode aids debugging.
Installation
sudo apt install memdump
Examples
memdump
memdump -k
memdump -m map_file
memdump -v
memdump -s 1048576
memdump -b 4096 -p 4096
memdump -k -v
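Because memdump will not work when CONFIG_STRICT_DEVMEM is enabled, it is worth checking the kernel configuration before starting an acquisition. The script below is an added example, not part of memdump or of the original page; the helper names are hypothetical, and it assumes the kernel config is available at /boot/config-<release> or /proc/config.gz.

```shell
#!/bin/sh
# Added example: pre-flight check for CONFIG_STRICT_DEVMEM before running memdump.
# strict_devmem_state and running_kernel_state are hypothetical helper names.

# Print "enabled", "disabled" or "unknown" for one kernel config file.
strict_devmem_state() {
    cfg=$1
    if [ ! -r "$cfg" ]; then echo unknown; return 0; fi
    # /proc/config.gz is gzip-compressed; /boot/config-* is plain text.
    case $cfg in
        *.gz) reader='gzip -dc' ;;
        *)    reader='cat' ;;
    esac
    # -x matches whole lines, so CONFIG_IO_STRICT_DEVMEM is not mistaken for it.
    if $reader "$cfg" | grep -qx 'CONFIG_STRICT_DEVMEM=y'; then
        echo enabled
    elif $reader "$cfg" | grep -qx '# CONFIG_STRICT_DEVMEM is not set'; then
        echo disabled
    else
        echo unknown
    fi
}

# Check the usual config locations for the running kernel (assumed paths).
running_kernel_state() {
    for cfg in "/boot/config-$(uname -r)" /proc/config.gz; do
        state=$(strict_devmem_state "$cfg")
        if [ "$state" != unknown ]; then echo "$state"; return 0; fi
    done
    echo unknown
}

# Constructed sample config, so the check can be exercised offline.
sample=$(mktemp)
printf '%s\n' 'CONFIG_DEVMEM=y' 'CONFIG_STRICT_DEVMEM=y' \
    '# CONFIG_IO_STRICT_DEVMEM is not set' > "$sample"
echo "sample config:  $(strict_devmem_state "$sample")"
echo "running kernel: $(running_kernel_state)"
rm -f "$sample"
```

A result of "unknown" means no readable config was found or the option does not appear in it, so it says nothing either way about whether memdump will run.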