Attempting to access RAM /dev/mem... says "Operation not permitted"
Problem description
I am using Ubuntu 12.04
I read the following tutorial on how to access the contents of RAM in Linux....
http://www.rootninja.com/using-dd-to-search-for-strings-in-memory-or-devices/
dd if=/dev/mem | hexdump -C | grep "string to search for"
So, I run the code...
sudo dd if=/dev/mem | hexdump -C > NAMEOFOUTPUTFILEHERE.txt
And... it starts pumping out HEX code, until a few seconds later, where it says:
dd: reading `/dev/mem': Operation not permitted
2056+0 records in
2056+0 records out
1052672 bytes (1.1 MB) copied, 0.44834 s, 2.3 MB/s
So basically.. I am able to get about 3.3 MB of RAM dump contents -- until the program stops, saying "Operation not permitted"
.... And so... I am wondering... why am I not able to dump the entire contents of RAM? Is this a deliberate limitation in Ubuntu, to stop malicious hackers..? Or, is it something else..? Does anybody know..? Thanks
OK... forget it... turns out Ubuntu has a 1 MB limit on RAM extraction, as defined in the kernel.. and obviously, that's good security, because then a hacker can't extract your passwords from RAM etc...
And so... yeah.... this thread is now SOLVED
Here is the full info, for anyone interested....
Quote: if your kernel was compiled with STRICT_DEVMEM=y (see e.g. /boot/config-KERNELVERSION) then only the first 1MB is read from /dev/mem. This isn't so much a kernel version issue, as a result of how your own machine's kernel was compiled; most distro kernels will have this restriction in place for good reason.
You can download and insmod the forensic kernel module fmem to work around this; at your own risk! rmmod it as soon as possible afterwards. The fmem module provides a /dev/fmem device without any security restrictions.
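The quoted advice says to check /boot/config-KERNELVERSION for STRICT_DEVMEM; the script below is an added example (not from the thread or any project) that does that check for a given config file, so an administrator can confirm whether the 1 MB /dev/mem limit is in force before a tool such as dd fails the way it did above. The two sample config files it writes are constructed, not real kernel configs.

```shell
#!/bin/sh
# Added example: report whether a kernel config enables CONFIG_STRICT_DEVMEM,
# the option that limits /dev/mem reads to the first 1 MB of physical memory.
# Argument: path to a kernel config; defaults to the running kernel's file.
devmem_policy() {
    cfg="${1:-/boot/config-$(uname -r)}"
    if [ ! -r "$cfg" ]; then
        echo "unknown"          # no readable config to inspect
    elif grep -q '^CONFIG_STRICT_DEVMEM=y' "$cfg"; then
        echo "restricted"       # dd stops with EPERM after the first 1 MB
    elif grep -q '^# CONFIG_STRICT_DEVMEM is not set' "$cfg"; then
        echo "unrestricted"     # root can read all physical memory via /dev/mem
    else
        echo "unknown"          # option absent (e.g. CONFIG_DEVMEM itself off)
    fi
}

# Constructed sample configs so the check can be exercised on any machine.
tmpdir="${TMPDIR:-/tmp}/devmem_check.$$"
mkdir -p "$tmpdir"
printf 'CONFIG_DEVMEM=y\nCONFIG_STRICT_DEVMEM=y\n' > "$tmpdir/config-strict"
printf 'CONFIG_DEVMEM=y\n# CONFIG_STRICT_DEVMEM is not set\n' > "$tmpdir/config-loose"

# Report on the samples, then on the running kernel if its config is readable.
for f in "$tmpdir/config-strict" "$tmpdir/config-loose" "/boot/config-$(uname -r)"; do
    printf '%s -> %s\n' "$f" "$(devmem_policy "$f")"
done
rm -rf "$tmpdir"
```

On a distro kernel built as the quote describes, the last line of output should read "restricted"; "unrestricted" means /dev/mem is not limited and deserves a closer look at how that kernel was built.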