11

I am using Ubuntu 12.04

I read the following tutorial on how to access the contents of RAM in Linux....

http://www.rootninja.com/using-dd-to-search-for-strings-in-memory-or-devices/

Code:

dd if=/dev/mem | hexdump -C | grep “string to search for”

So, I run the code...

Code:

sudo dd if=/dev/mem | hexdump -C > NAMEOFOUTPUTFILEHERE.txt

And... it starts pumping out HEX code, until a few seconds later, where it says:

dd: reading `/dev/mem': Operation not permitted
2056+0 records in 
2056+0 records out
1052672 bytes (1.1 MB) copied, 0.44834 s, 2.3 MB/s

So basically.. I am able to get about 3.3 MB of RAM dump contents-- until the program stops, saying "Operation not permitted"

And so I am wondering why am I not able to dump the entire contents of RAM? Is this a deliberate limitation in Ubuntu, to stop malicious hackers? Or, is it something else? Does anybody know? Thanks

  • 3
    OK... forget it... turns out Ubuntu has 1 MB limit on RAM extraction, as defined in the kernel.. and obviously, that's good security, because then a hacker can't extract your passwords from RAM etc... And so... yeah.... this thread is now SOLVED Here is the full info, for anyone interested.... –  Mar 07 '13 at 13:19
  • 2
    if your kernel was compiled with STRICT_DEVMEM=y (see e.g. /boot/config-KERNELVERSION) then only the first 1MB is read from /dev/mem . This isn’t so much a kernel version issue, as a result of how your own machine’s kernel was compiled; most distro kernels will have this restriction in place for good reason. You can download and insmod the forensic kernel module fmem to work around this; at your own risk! rmmod it as soon as possible afterwards. The fmem module provides a /dev/fmem device without any security restrictions. –  Mar 07 '13 at 13:20
  • 1
    " am able to get about 3.3 MB of RAM dump contents-". Uhm, you are? All I see is `1052672 bytes (1.1 MB) copied`. Not 3.3MB (nor 2.3MB/sec which was a speed). – Hennes Aug 08 '15 at 10:01

1 Answers1

6

The linux kernel on your Ubuntu installation ships with has a setting* which limits RAM extraction to has 1 MB.

If you do not wish that you can either recompile the kernel without it (obvious caveeat: you are lowering security!) or you can download and insmod the forensic kernel module fmem to work around this. That provides a /dev/fmem device without any security.

As mentioned by Opello: you can also use strict-devmem=0 in the kernel cmdline.

*: STRICT_DEVMEM=y (see e.g. /boot/config-KERNELVERSION)

Hennes
  • 64,768
  • 7
  • 111
  • 168