Dumping memory

The dump command prints byte for byte what's in memory.
Here's how you would create dump.bin, a file that contains the entire contents in memory of the program whose PID is 12345:

$ proctal dump --pid=12345 > dump.bin

The --region option lets you specify which memory regions to dump. It takes the following values:

  • stack: contents on the stack of every thread

  • heap: contents on the heap

  • program-code: instructions from the executable (does not include shared libraries)

These options let you specify whether the memory regions have to be readable, writeable or executable:

  • --read

  • --write

  • --execute

Here's how you would dump anything that is executable in memory to the file dump2.bin:

$ proctal dump --pid=12345 --execute > dump2.bin

The --address-start option specifies the address at which to start dumping the contents of memory, and the --address-stop option specifies the address at which to stop.
Here's how you would dump the contents starting from the address 7F7BE75E0714 up to the address 7F7BE75ED1A0 to the file dump3.bin:

$ proctal dump --pid=12345 --address-start=7F7BE75E0714 --address-stop=7F7BE75ED1A0 > dump3.bin

The --pause option prevents the program from executing code while the command is running, so that the dumped bytes reflect a single consistent moment rather than memory that changes while it is being read.
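The address options above are most useful when the start and stop addresses come from the process's own memory map. The following Python helper is an added example, not part of Proctal: it parses a constructed /proc/<pid>/maps listing, applies the same readable/writeable/executable filtering the --read/--write/--execute options describe, builds a `proctal dump` command line for one region using the option syntax shown on this page, and checks that a dump's length matches the region size (start and stop addresses are assumed to be accepted as uppercase hex without a 0x prefix, as in the examples above; the maps lines and paths are made up).

```python
"""Turn a /proc/<pid>/maps listing into per-region `proctal dump` commands.

Added example, not part of Proctal.  Assumptions: proctal accepts uppercase hex
addresses without a 0x prefix (as on the docs page), and --pause may be combined
with the address options.  SAMPLE_MAPS is a constructed listing, not a real process.
"""
import re
import shlex
from dataclasses import dataclass

# Constructed sample of /proc/<pid>/maps output (addresses, inodes and paths are invented).
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1048578 /usr/bin/demo
00651000-00652000 rw-p 00051000 08:01 1048578 /usr/bin/demo
01234000-01255000 rw-p 00000000 00:00 0 [heap]
7f7be75e0000-7f7be75ee000 r-xp 00000000 08:01 2097153 /usr/lib/libdemo.so
7f7be77ec000-7f7be77ed000 rw-p 0000c000 08:01 2097153 /usr/lib/libdemo.so
7ffd1c3e0000-7ffd1c401000 rw-p 00000000 00:00 0 [stack]
"""

# start-stop perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<stop>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})"
    r"\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Region:
    start: int
    stop: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        """Number of bytes a dump of this region is expected to contain."""
        return self.stop - self.start


def parse_maps(text: str) -> list[Region]:
    """Parse every non-empty line of a maps listing; reject lines that do not fit the format."""
    regions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised maps line: {line!r}")
        regions.append(Region(int(m["start"], 16), int(m["stop"], 16),
                              m["perms"], m["path"].strip()))
    return regions


def select_regions(regions, read=False, write=False, execute=False) -> list[Region]:
    """Keep regions that carry every requested permission, mirroring --read/--write/--execute."""
    want = "".join(flag for flag, on in (("r", read), ("w", write), ("x", execute)) if on)
    return [r for r in regions if all(flag in r.perms for flag in want)]


def dump_shell_line(pid: int, region: Region, out_path: str, pause: bool = True) -> str:
    """Shell command dumping exactly one region, in the option syntax used on the docs page."""
    argv = ["proctal", "dump", f"--pid={pid}",
            f"--address-start={region.start:X}", f"--address-stop={region.stop:X}"]
    if pause:
        argv.append("--pause")
    return " ".join(argv) + " > " + shlex.quote(out_path)


def dump_size_matches(region: Region, dumped: bytes) -> bool:
    """A partial or truncated dump is the first thing to check before analysing it."""
    return len(dumped) == region.size


if __name__ == "__main__":
    for idx, region in enumerate(select_regions(parse_maps(SAMPLE_MAPS), execute=True)):
        print(dump_shell_line(12345, region, f"dump_exec_{idx}.bin"))
```

Running the block prints one command per executable region of the constructed map; each command writes a separate file whose size should equal `Region.size`, which `dump_size_matches` checks once the file has been read back.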