http://priv.efnet.pe/~builder/memgrep-0.8.1b.tar.gz
Skape describes his program like this on the original site, http://hick.org/code/skape/memgrep/, which also has all the documentation and older packages:
"A dynamic memory analysis utility for Linux and FreeBSD."
* UPDATED by builder #priv@efnet. where you at skape?
* couple of minor adjustments to make this compile on newer linux.
* an #include to
* line 101. Added a NULL check on fgets() at line 652 to eliminate a warning. Also simple.c needs #include
* another minor warning. Anyway, I really love this code and I hope skape will make it compatible with amd64 arch soon!
I take no credit for developing this code, but I really love it and skape hasn't updated it in forever, so I made some minor changes to make it compile neatly on newer 32-bit Linux systems. I have only tried on Ubuntu and Gentoo, so if anything, this post will hopefully get some feedback and we can work together to make this tool popular again. My ultimate dream is to have this work on 64-bit architectures.
Here is the usage, enjoy!

memgrep -- Run-time/core-time memory searching, dumping and modifying utility.

Usage: ./memgrep [-p pid] [-o core] [-T] [-d] [-r] [-s] [-e] [-a addr1,addr2,bss,addr3] [-l length]
                 [-f fmt,search data] [-t fmt,replace data] [-b pad] [-m minimum size]
                 [-F fmt] [-L] [-v] [-h]

  -p [pid]     The process id to operate on.
  -o [core]    The core file to operate on.
  -T           Build a referential tree for the given address(es).
  -d           Dump memory from the specified address(es) for the given length (-l).
  -r           Replace memory at the specified address(es). If -s is also specified.
               only memory that matches the search criteria will be replaced.
  -s           Search memory at the specified address(es).
  -e           Enumerate the heap.
  -a [addr]    The address(es) to operate on seperated by commas. Addresses can be
               in the following format:
                 0x821c4ac
                 821c4ac
               Also, the following keywords can be used:
                 bss    -> Uses the VMA associated with the .bss section (uninit global vars, heap data).
                 rodata -> Uses the VMA associated with the .rodata section (read-only data, ie, static text).
                 data   -> Uses the VMA associated with the .data section (data, ie, global variables).
                 text   -> Uses the VMA associated with the .text section (text, ie, executable code).
                 stack  -> Dynamically determines the current stack pointer.
                 all    -> Uses bss, stack, rodata, data, text. This is the only keyword that can be used
                           when operating on core files.
  -l [len]     The length to use when searching or dumping. A length of 0 means search
               till end-of-memory.
  -f [data]    This specifies the search criteria. Multiple formats are accepted for ease
               of use. Below are accepted formats and their examples:
                 s -> String format (Ex: 's,Testing')
                 x -> Hex format (Ex: 'x,00414100AB')
                 i -> Integer format (Ex: 'i,4724')
  -t [data]    This specifies the replace data. The same formats used with the -f parameter
               are valid for the -t parameter.
  -m [minsz]   The minimum size of a heap allocation for use when enumerating.
  -b [pad]     Number of bytes of padding to use around dump addresses (default is 0).
  -F [fmt]     The format to use when dumping memory, can be one of the following:
                 hexint    -> Four byte hexi-decimal integers.
                 hexshort  -> Two byte hexi-decimal shorts.
                 hexbyte   -> One byte hexi-decimal characters.
                 decint    -> Four byte decimal integers.
                 decshort  -> Two byte decimal shorts.
                 decbyte   -> One byte decimal characters.
                 printable -> Printable characters.
  -L           List memory segments of a process or core file.
  -v           Version information.
  -h           Help.

Example search (search for 'Jane' in .bss):
    ./memgrep -p 1335 -s -a bss -f s,Jane

Example replace (replace memory at 0x8423143 and 0x8443147 with 0x00ff0041):
    ./memgrep -p 1335 -r -a 0x8423143,0x8443147 -t x,00ff0041

Example search/replace (Replace 'Test' with 'Rest' in .bss and .rodata):
    ./memgrep -p 1335 -s -r -a bss,rodata -f s,Test -t s,Rest

Example dump (Dump memory starting at 0x8422113 for 16 bytes):
    ./memgrep -p 1335 -d -a 0x8422113 -l 16
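
The -f/-t criteria syntax and the -l search length from the usage text, sketched in Python as an added example (not code from memgrep or from this post). The function names, the sample region and its base address are constructed for illustration, and the 4-byte little-endian encoding of the i format is an assumption based on 32-bit x86.

```python
import struct

def parse_criteria(spec):
    """Turn a 'fmt,data' string (the -f / -t syntax) into the raw bytes to match."""
    fmt, sep, data = spec.partition(",")   # only the first comma separates fmt from data
    if not sep or not data:
        raise ValueError("expected 'fmt,data', got %r" % spec)
    if fmt == "s":
        return data.encode("latin-1")
    if fmt == "x":
        return bytes.fromhex(data)          # raises ValueError on odd length or non-hex
    if fmt == "i":
        # Assumption: 4-byte little-endian integer, as on 32-bit x86.
        return struct.pack("<I", int(data) & 0xFFFFFFFF)
    raise ValueError("unknown format %r" % fmt)

def search(region, base, pattern, length=0):
    """Return the addresses inside region where pattern occurs (length 0 = to the end)."""
    end = len(region) if length == 0 else min(length, len(region))
    hits = []
    pos = region.find(pattern, 0, end)
    while pos != -1:
        hits.append(base + pos)
        pos = region.find(pattern, pos + 1, end)  # step by 1 so overlapping hits count
    return hits

# Constructed sample: a fake .bss region and load address, not real process memory.
BASE = 0x0804A000
REGION = (b"\x00" * 16 + b"Jane\x00" + b"\x00" * 11 + struct.pack("<I", 4724)
          + bytes.fromhex("00414100AB") + b"Test\x00Test\x00")

if __name__ == "__main__":
    for spec in ("s,Jane", "i,4724", "x,00414100AB", "s,Test"):
        for addr in search(REGION, BASE, parse_criteria(spec)):
            print("%-14s found at 0x%08x" % (spec, addr))
```

A match only counts if it lies entirely inside the searched length, which is why a pattern straddling the end of the range is not reported.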