#include "logging.c"
#include "parse-args.c"
#include "search-path.c"
#include "elf-parser.c"
#include "proc-maps-parser.c"
#include "debugger.c"
#include <signal.h>
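/*
 * Size of the buffer that receives the resolved path of the target binary.
 * Deliberately not named PATH_MAX: that name belongs to <limits.h>, where it
 * is far larger on Linux (commonly 4096). Reusing it for a 100-byte buffer is
 * misleading and causes a macro-redefinition diagnostic whenever one of the
 * included sources pulls in <limits.h>.
 */
#define PATHNAME_BUF_SIZE 100

/*
 * Entry point: run PROG under ptrace until its entry point is reached, then
 * write its registers and memory to a dump file.
 *
 * Flow:
 *   1. parse_args() consumes the tool's own options (it may replace the
 *      default output name "mem.dump") and returns the index of PROG.
 *   2. find_binary() resolves PROG into pathname, binary_entrypoint() reads
 *      the entry point from that file.
 *   3. The child asks to be traced and execs PROG with the remaining argv
 *      and the inherited environment.
 *   4. The parent adds loading_offset() of the child's map table to the
 *      entry point, continues the child until that address, dumps registers
 *      and memory, and kills the child.
 *
 * Returns 0 on success; every failure path goes through die(1, ...).
 */
int
main(int argc, char *argv[], char *envp[])
{
    char *outfname = "mem.dump";
    char pathname[PATHNAME_BUF_SIZE];
    int first_arg;   // was named optind, which shadows getopt's global
    uint64_t entrypoint;
    uint64_t newentrypoint;
    pid_t pid;
    FILE *outfile;
    procmaps_table *table;

    first_arg = parse_args(argc, argv, &outfname);
    argv += first_arg;
    argc -= first_arg;

    if (argc < 1)
        die(1, "must have PROG [ARGS]");

    // NOTE(review): whether find_binary() reports a failed lookup or a path
    // that does not fit in the buffer cannot be seen from here; confirm it
    // dies on its own, otherwise pathname may be unusable below.
    find_binary(argv[0], pathname, sizeof pathname);
    info("found binary: '%s'", pathname);

    entrypoint = binary_entrypoint(pathname);
    // uint64_t is not unsigned long on every ABI; cast to match the format.
    info("found entrypoint: 0x%016llx", (unsigned long long) entrypoint);

    pid = fork();
    if (pid < 0)
        die(1, "couldn't fork");

    if (pid == 0) {
        // child process
        if (debugger_trace_me())
            die(1, "unable to call ptrace(PTRACE_TRACEME, ...)");

        execve(pathname, argv, envp);

        // execve() only returns on failure. The original returned 0 here,
        // so a failed exec looked like a clean exit of the target.
        die(1, "unable to execve the target binary");
        return 1;   // never fall through into the parent path
    }

    // parent process
    info("child pid: %d", (int) pid);
    debugger_prepared(pid);

    // First look at the map table: only needed to turn the file-relative
    // entry point into a runtime address.
    table = parse_procmaps(pid);
    newentrypoint = loading_offset(table) + entrypoint;
    info("new entrypoint: 0x%016llx", (unsigned long long) newentrypoint);
    destroy_procmaps_table(table);

    debugger_continue_until(pid, newentrypoint);

    // Re-read the table: the mappings at the entry point are the ones that
    // get dumped.
    table = parse_procmaps(pid);

    // NOTE(review): the dump holds the full register state and memory of the
    // traced process, which may include keys or credentials. fopen() creates
    // the file with umask-default permissions and follows symlinks at
    // outfname; consider creating it owner-only in a directory the user
    // controls.
    outfile = fopen(outfname, "w");
    if (outfile == NULL) {
        // Do not leave the stopped child behind when we bail out.
        kill(pid, SIGKILL);
        destroy_procmaps_table(table);
        die(1, "unable to open the dump file for writing");
    }

    debugger_dump_registers(pid, outfile);
    debugger_dump_memory(pid, table, outfile);

    // fclose() flushes; a failure here means the dump on disk is incomplete.
    if (fclose(outfile) != 0) {
        kill(pid, SIGKILL);
        destroy_procmaps_table(table);
        die(1, "error while writing the dump file");
    }
    info("dumped to file: %s", outfname);

    kill(pid, SIGKILL);
    info("killed child");

    destroy_procmaps_table(table);
    info("bye..");
    return 0;
}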