Tool for grepping the memory of processes
eras/memgrep
memgrep is a grep for /proc/pid/mem. It's licensed under the MIT license.

The binaries are also bound by the Hyperscan license due to static linking. Well, they would be if the static linking worked. For the time being you need to `sudo apt install libhyperscan5`.

Why won't regular grep do? You can try it, but it will just immediately fail with an I/O error. This is because you can only read certain parts of the file, and the parts you can read are listed in the file /proc/pid/maps.

So, basically, this tool combines parsing the maps file and grepping those readable regions for the given process ids, or for all processes, doing it in parallel across the CPUs you have.

Note that the kernel parameter kernel.yama.ptrace_scope can affect memgrep's abilities, even among your own processes. So for best results you should either set that value to 0 or use sudo to run the binary as root.
```
% memgrep --help
memgrep 1.2.2
Erkki Seppälä <erkki.seppala@vincit.fi>
Process address space grepping tool

USAGE:
    memgrep [FLAGS] [OPTIONS] [--] [regex]

FLAGS:
    -a, --all             Grep all processes
    -c, --count           Show only the number of non-zero matches
        --include-self    Include also this process in the results (implied by --pids)
    -l, --list            Show list the processes, not the matches
    -o, --show-content    Show the contents of the match (useful when using wildcards in regex)
    -h, --help            Prints help information
    -V, --version         Prints version information

OPTIONS:
    -p, --pid <pid>...    Process id to grep
```

You need to provide either `-p pid` or `-a`; you must provide exactly one pcre regex. For case-insensitive matching you can prefix your regex with `(?i)` (using one of the supported option modifiers).
Note that due to the command line parser used it is currently impossible to provide non-UTF-8 parameters, as there is no way to provide patterns from a file or as e.g. hex data. This means your searches will try to match the UTF-8 byte representation of your patterns. The searches themselves are implemented without regard for UTF-8; as the tool is scanning memory directly, I decided it makes no sense to support any particular encoding.
Why not?
While this application might have few "real" use cases, it can be fun for discovering if some processes contain e.g. the string "hello world" with

```
memgrep -a -r 'hello world'
```
Similarly you can use it to discover how many processes are aware of your password. Preferably avoid trying that on a multi-user system (as the password would be visible in ps) and avoid putting that command in your command history; with e.g. zsh you can achieve this with `setopt histignorespace` and then prefixing the command with a space.

Perhaps you can also use it for recovering deleted regions from your text editor; chances are the previously removed content is still recoverable from memory. The tool will output the byte ranges you can use with e.g. gdb:

```
% gdb -p 1438910 -batch-silent -ex 'dump memory contents.txt 0x7f262c6a5c6d 0x7f262c6a5c72'
```

Note that the kernel parameter kernel.yama.ptrace_scope can also affect your ability to run that command.

Fun stuff to try: `sudo memgrep -a -o '.{20}backdoor.{20}'`.
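To make the mechanism described above concrete (parse /proc/pid/maps, read only the readable regions of /proc/pid/mem, regex-scan each region, and report byte ranges in the form the gdb `dump memory` command above takes), here is an added Python example. It is not memgrep's own code and uses Python's `re` rather than Hyperscan; the maps lines and memory image in it are constructed samples, and the `scan_process` helper that opens a live process is an illustration that, as the text notes, depends on kernel.yama.ptrace_scope and will raise PermissionError when access is denied.

```python
import io
import re
import sys
from dataclasses import dataclass
from typing import BinaryIO, List, Tuple

# Constructed sample of /proc/<pid>/maps lines (not captured from a real process).
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/example
00651000-00652000 rw-p 00051000 08:02 173521 /usr/bin/example
00652000-00673000 rw-p 00000000 00:00 0 [heap]
7ffc8e000000-7ffc8e021000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
"""


@dataclass
class Region:
    start: int   # first address of the mapping
    end: int     # one past the last address
    perms: str   # e.g. "rw-p"
    path: str    # backing file or pseudo-name like [heap]; "" for anonymous


def parse_maps(text: str) -> List[Region]:
    """Parse the text of /proc/<pid>/maps into Region records."""
    regions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(None, 5)  # address perms offset dev inode [path]
        start, end = (int(x, 16) for x in fields[0].split("-"))
        path = fields[5].strip() if len(fields) > 5 else ""
        regions.append(Region(start, end, fields[1], path))
    return regions


def readable(regions: List[Region]) -> List[Region]:
    """Keep only mappings the process itself may read; the rest give EIO."""
    return [r for r in regions if r.perms.startswith("r")]


def read_region(mem: BinaryIO, r: Region) -> bytes:
    """Read one mapping from a seekable memory image, tolerating short reads."""
    mem.seek(r.start)
    chunks, remaining = [], r.end - r.start
    while remaining > 0:
        chunk = mem.read(remaining)
        if not chunk:
            break
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def scan_regions(mem: BinaryIO, regions: List[Region],
                 pattern: bytes) -> List[Tuple[int, int, bytes]]:
    """Regex-scan each region; return (start_addr, end_addr, match) triples."""
    rx = re.compile(pattern, re.DOTALL)
    hits = []
    for r in regions:
        try:
            data = read_region(mem, r)
        except OSError:
            # Some readable-looking mappings (e.g. [vvar]) still fail with EIO;
            # skip them instead of aborting the whole scan.
            continue
        for m in rx.finditer(data):
            hits.append((r.start + m.start(), r.start + m.end(), m.group(0)))
    return hits


def gdb_dump_command(pid: int, start: int, end: int,
                     out: str = "contents.txt") -> str:
    """Format a hit as the gdb one-liner used in the text above."""
    return (f"gdb -p {pid} -batch-silent "
            f"-ex 'dump memory {out} {start:#x} {end:#x}'")


def scan_process(pid: int, pattern: bytes) -> List[Tuple[int, int, bytes]]:
    """Scan a live process (requires ptrace permission on that pid)."""
    with open(f"/proc/{pid}/maps") as f:
        regions = readable(parse_maps(f.read()))
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        return scan_regions(mem, regions, pattern)


if __name__ == "__main__":
    # usage: python memscan.py <pid> <regex>
    pid, pattern = int(sys.argv[1]), sys.argv[2].encode()
    for s, e, m in scan_process(pid, pattern):
        print(f"{s:#x}-{e:#x} {m!r}")
        print("  ", gdb_dump_command(pid, s, e))
```

Filtering on the `r` permission bit before reading is what turns the immediate I/O error of plain grep into a usable scan; the addresses reported are absolute, so they can be pasted straight into the gdb command.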
```
sudo apt-get install libhyperscan-dev
cargo +nightly build
```

You can also download a binary for Linux/x86_64 from the GitHub releases page. With the scanning work implemented in the Hyperscan library, the speed of operation is similar between release and debug builds.

...or you can just install it directly with cargo:

```
cargo install --locked --git https://github.com/eras/memgrep
```