Usage: rpm [OPTIONS] <PID> [ADDR]
Arguments:
<PID> the PID of the process to dump from
[ADDR] the virtual address of the target pagemap entry
Options:
-a, --all dump the entire memory region(s)
-h, --help Print help
-V, --version Print version
-
Currently only tested on the x86-64/amd64 system.
-
May need
sudo
to run (required by reading/proc/<pid>/pagemap
).- If you are using a Docker container, add
--privileged
atdocker run
. - Seeing zeroed PFNs / cannot open pagemap?
Since Linux 4.0, only users with the CAP_SYS_ADMIN capability can get PFNs.
In 4.0 and 4.1 opens by unprivileged fail with -EPERM.
Starting from 4.2 the PFN field is zeroed if the user does not have CAP_SYS_ADMIN.
- If you are using a Docker container, add
The following example uses a Docker container (
ubuntu:latest
) on macOS.
Start with a privileged container:
docker run --rm -it -v PATH_TO_RPM:/home \
--privileged \
--platform linux/amd64 \
ubuntu bin/bash
Go to /home
, and set up a target process using /bin/sleep
:
root@021488b1d7d7:/> cd home
root@021488b1d7d7:/home> sleep 1000 &
[1] 14
rpm
defaults to dumping the /proc/<pid>/maps
file when providing only the PID:
root@021488b1d7d7:/home> ./rpm 14
Memory Region (size) Perm Offset Device Inode Path
0x0000000000200000-0x00000000002b5000 ( 724K) r--p 0 7:0 78570 /usr/bin/qemu-x86_64
0x00000000002c4000-0x0000000000461000 ( 1652K) r-xp 737280 7:0 78570 /usr/bin/qemu-x86_64
0x0000000000470000-0x00000000004ab000 ( 236K) rw-p 2424832 7:0 78570 /usr/bin/qemu-x86_64
0x00000000004ba000-0x00000000004cf000 ( 84K) rw-p 2662400 7:0 78570 /usr/bin/qemu-x86_64
0x00000000004cf000-0x00000000004ef000 ( 128K) rw-p 0 0:0 0
0x0000000034506000-0x0000000034507000 ( 4K) ---p 0 0:0 0 [heap]
0x0000000034507000-0x000000003450b000 ( 16K) rw-p 0 0:0 0 [heap]
0x0000004000000000-0x0000004000002000 ( 8K) r--p 0 254:1 1868853 /usr/bin/sleep
0x0000004000002000-0x0000004000006000 ( 16K) r--p 8192 254:1 1868853 /usr/bin/sleep
0x0000004000006000-0x0000004000007000 ( 4K) r--p 24576 254:1 1868853 /usr/bin/sleep
0x0000004000007000-0x0000004000008000 ( 4K) ---p 0 0:0 0
0x0000004000008000-0x0000004000009000 ( 4K) r--p 28672 254:1 1868853 /usr/bin/sleep
0x0000004000009000-0x000000400000a000 ( 4K) rw-p 32768 254:1 1868853 /usr/bin/sleep
0x000000400000a000-0x000000400002b000 ( 132K) rw-p 0 0:0 0
0x000000400100a000-0x000000400100b000 ( 4K) ---p 0 0:0 0
0x000000400100b000-0x000000400180b000 ( 8192K) rw-p 0 0:0 0
0x000000400180b000-0x000000400180d000 ( 8K) r--p 0 254:1 1869368 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x000000400180d000-0x0000004001837000 ( 168K) r--p 8192 254:1 1869368 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x0000004001837000-0x0000004001842000 ( 44K) r--p 180224 254:1 1869368 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x0000004001842000-0x0000004001843000 ( 4K) ---p 0 0:0 0
0x0000004001843000-0x0000004001845000 ( 8K) r--p 225280 254:1 1869368 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x0000004001845000-0x0000004001847000 ( 8K) rw-p 233472 254:1 1869368 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x0000004001847000-0x0000004001849000 ( 8K) rw-p 0 0:0 0
0x000000400184b000-0x0000004001873000 ( 160K) r--p 0 254:1 1869386 /usr/lib/x86_64-linux-gnu/libc.so.6
0x0000004001873000-0x0000004001a08000 ( 1620K) r--p 163840 254:1 1869386 /usr/lib/x86_64-linux-gnu/libc.so.6
0x0000004001a08000-0x0000004001a60000 ( 352K) r--p 1822720 254:1 1869386 /usr/lib/x86_64-linux-gnu/libc.so.6
0x0000004001a60000-0x0000004001a64000 ( 16K) r--p 2179072 254:1 1869386 /usr/lib/x86_64-linux-gnu/libc.so.6
0x0000004001a64000-0x0000004001a66000 ( 8K) rw-p 2195456 254:1 1869386 /usr/lib/x86_64-linux-gnu/libc.so.6
0x0000004001a66000-0x0000004001a75000 ( 60K) rw-p 0 0:0 0
0x0000ffff7b6f0000-0x0000ffff7b7a1000 ( 708K) rw-p 0 0:0 0
0x0000ffff7b7a1000-0x0000ffff837a0000 (131068K) rwxp 0 0:0 0
0x0000ffff837a0000-0x0000ffff837a1000 ( 4K) ---p 0 0:0 0
0x0000ffff837a1000-0x0000ffff837a5000 ( 16K) rw-p 0 0:0 0
0x0000ffff837a8000-0x0000ffff838ce000 ( 1176K) rw-p 0 0:0 0
0x0000ffff838ce000-0x0000ffff838d0000 ( 8K) ---p 0 0:0 0
0x0000ffff838d0000-0x0000ffff838f3000 ( 140K) rw-p 0 0:0 0
0x0000ffff838f3000-0x0000ffff838f5000 ( 8K) r--p 0 0:0 0 [vvar]
0x0000ffff838f5000-0x0000ffff838f6000 ( 4K) r-xp 0 0:0 0 [vdso]
0x0000ffffe6faf000-0x0000ffffe6fd0000 ( 132K) rw-p 0 0:0 0 [stack]
From which one can pick the virtual page that is of interest, such as:
root@021488b1d7d7:/home> ./rpm 14 0x00000000004ba000
VirtAddr PFN Present Swapped FileMap Shared Dirty
0x00000000004ba000 0x1719d8 [*] [ ] [ ] [ ] [ ]
Or use -a
to examine the entire region:
root@021488b1d7d7:/home> ./rpm 14 0x00000000004ba000 -a
VirtAddr PFN Present Swapped FileMap Shared Dirty
0x00000000004ba000 0x1719d8 [*] [ ] [ ] [ ] [ ]
0x00000000004bb000 0x13b69d [*] [ ] [*] [*] [ ]
0x00000000004bc000 0x13b69e [*] [ ] [*] [*] [ ]
0x00000000004bd000 0x13b69f [*] [ ] [*] [*] [ ]
0x00000000004be000 0x1399a3 [*] [ ] [*] [*] [ ]
0x00000000004bf000 0x1399a9 [*] [ ] [*] [*] [ ]
0x00000000004c0000 0x17183a [*] [ ] [ ] [ ] [ ]
0x00000000004c1000 0x1399f7 [*] [ ] [*] [*] [ ]
0x00000000004c2000 0x139a06 [*] [ ] [*] [*] [ ]
0x00000000004c3000 0x1718bc [*] [ ] [ ] [ ] [ ]
0x00000000004c4000 0x170ba8 [*] [ ] [ ] [ ] [ ]
0x00000000004c5000 0x1399ff [*] [ ] [*] [*] [ ]
0x00000000004c6000 0x170714 [*] [ ] [ ] [ ] [ ]
0x00000000004c7000 0x16d924 [*] [ ] [ ] [ ] [ ]
0x00000000004c8000 0x17269c [*] [ ] [ ] [ ] [ ]
0x00000000004c9000 0x139a23 [*] [ ] [*] [*] [ ]
0x00000000004ca000 0x17210f [*] [ ] [ ] [ ] [ ]
0x00000000004cb000 0x16e2eb [*] [ ] [ ] [ ] [ ]
0x00000000004cc000 0x171d06 [*] [ ] [ ] [ ] [ ]
0x00000000004cd000 0x1729d2 [*] [ ] [ ] [ ] [ ]
0x00000000004ce000 0x16fc1b [*] [ ] [ ] [ ] [ ]