Reading Solaris Memory


In the Solaris Operating System the /dev/mem pseudo-device provides access to the physical memory on a server (its sibling /dev/kmem exposes kernel virtual memory; see mem(7D)). This pseudo-device can be immensely valuable for determining the contents of memory after an intrusion, for locating the contents of a file you accidentally deleted (this assumes the file's pages were read into memory and are still resident), or for testing memory for errors (I believe the memory test utilities use /dev/mem). Two things to keep in mind: on a stock install /dev/mem is readable only by root, so anyone who can read it can read every process's secrets, and live memory changes while you browse it, so for intrusion analysis copy the range you care about to a file with dd first and work on the copy. To view the contents of /dev/mem, you can use the less utility (the -f flag is required, since less refuses to open a non-regular file without it):

$ less -f /dev/mem /dev/memory_bandwidth

[ ... ]
^@ (try again later)^@^@^@^@^@^@SUNW_OST_OSLIB^@^@socket:
All ports in use
^@^@^@SUNW_OST_OSLIB^@^@connect to address %s:
^@SUNW_OST_OSLIB^@^@Trying %s...
^@^@^@SUNW_OST_OSLIB^@^@write: setting up
stderr^@^@^@^@SUNW_OST_OSLIB^@^@socket: protocol failure in
circuit setup.
^@SUNW_OST_OSLIB^@^@socket: protocol failure in circuit setup.
^@SUNW_OST_OSLIB^@^@socket: protocol failure in circuit setup.
^@SUNW_OST_OSLIB^@^@Protocol error, %s closed connection
^@^@^@SUNW_OST_OSLIB^@^@Protocol error, %s sent %d bytes
^@^@^@SUNW_OST_OSLIB^@^@%d: Address family not supported
^@^@^@SUNW_OST_OSLIB^@^@%s: unknown host

This page of memory holds the rcmd(3SOCKET) error strings from libc (SUNW_OST_OSLIB is the text domain libc uses for its message catalog), so a process that used the BSD r-command calls (rsh, rlogin, rcp) had that part of the library resident. Viva la less!
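less is fine for a quick look, but it renders every NUL as ^@ and gives no idea where in physical memory a string actually lives. The small tool below is an added example, not code from the original post: it carves printable runs out of a raw memory device such as /dev/mem (or a dd image of it) and prints each run with its byte offset, which on /dev/mem is the physical address. It assumes POSIX pread(2) and that you run it as root when the device is /dev/mem; a read that fails on an unmapped physical range is skipped a chunk at a time instead of aborting the scan. The function and type names (carve_strings, carve_file, str_hits, collect_cb) are my own, and the sample bytes used to exercise it are constructed for illustration.

```c
/* memstrings.c: carve printable strings, with offsets, out of a raw memory
 * device or an image of one. Added example; names are this example's own. */
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CHUNK  65536   /* read granularity, also the skip size after a failed read */
#define MAXSTR 4096    /* longer runs are truncated, not dropped */

/* Called for every printable run; off is the byte offset into the device
 * (the physical address when the device is /dev/mem). */
typedef void (*str_cb)(unsigned long long off, const char *s, void *ctx);

static void flush_run(char *cur, size_t *curlen, unsigned long long curoff,
                      int minlen, str_cb cb, void *ctx, long *found)
{
    if (*curlen >= (size_t)minlen) {
        cur[*curlen] = '\0';
        cb(curoff, cur, ctx);
        (*found)++;
    }
    *curlen = 0;
}

/* Scan [start, start+len) of fd and report every run of at least minlen
 * printable bytes. If pread() fails (an unmapped physical range), the
 * pending run is flushed and the chunk is stepped over. Returns the number
 * of runs reported. */
long carve_strings(int fd, off_t start, off_t len, int minlen,
                   str_cb cb, void *ctx)
{
    static unsigned char buf[CHUNK];
    static char cur[MAXSTR + 1];
    size_t curlen = 0;
    unsigned long long curoff = 0;
    long found = 0;
    off_t pos = start, end = start + len;

    while (pos < end) {
        size_t want = (end - pos < (off_t)CHUNK) ? (size_t)(end - pos) : CHUNK;
        ssize_t n = pread(fd, buf, want, pos);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            flush_run(cur, &curlen, curoff, minlen, cb, ctx, &found);
            pos += want;                 /* unreadable range: step over it */
            continue;
        }
        if (n == 0)                      /* EOF on a file image */
            break;
        for (ssize_t i = 0; i < n; i++) {
            unsigned char c = buf[i];
            if (isprint(c) || c == '\t') {
                if (curlen == 0)
                    curoff = (unsigned long long)pos + (unsigned long long)i;
                if (curlen < MAXSTR)
                    cur[curlen++] = (char)c;
            } else {
                flush_run(cur, &curlen, curoff, minlen, cb, ctx, &found);
            }
        }
        pos += n;
    }
    flush_run(cur, &curlen, curoff, minlen, cb, ctx, &found);
    return found;
}

/* Open path read-only, scan, close. Returns -1 if the open fails
 * (for /dev/mem that usually means you are not root). */
long carve_file(const char *path, off_t start, off_t len, int minlen,
                str_cb cb, void *ctx)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    long found = carve_strings(fd, start, len, minlen, cb, ctx);
    close(fd);
    return found;
}

/* Collector callback: keeps offsets and the first 127 bytes of each run. */
#define MAXHITS 64
struct str_hits {
    int n;
    unsigned long long off[MAXHITS];
    char s[MAXHITS][128];
};

void collect_cb(unsigned long long off, const char *s, void *ctx)
{
    struct str_hits *h = ctx;
    if (h->n < MAXHITS) {
        h->off[h->n] = off;
        snprintf(h->s[h->n], sizeof h->s[h->n], "%s", s);
        h->n++;
    }
}

static void print_cb(unsigned long long off, const char *s, void *ctx)
{
    (void)ctx;
    printf("0x%llx: %s\n", off, s);
}

/* Usage: memstrings DEVICE START LENGTH [MINLEN]
 * e.g. as root:  ./memstrings /dev/mem 0 0x4000000 8 */
int main(int argc, char **argv)
{
    if (argc < 4) {
        fprintf(stderr, "usage: %s device start length [minlen]\n", argv[0]);
        return 2;
    }
    int minlen = argc > 4 ? atoi(argv[4]) : 8;
    long n = carve_file(argv[1], strtoll(argv[2], NULL, 0),
                        strtoll(argv[3], NULL, 0), minlen, print_cb, NULL);
    if (n < 0) {
        perror(argv[1]);
        return 1;
    }
    fprintf(stderr, "%ld strings\n", n);
    return 0;
}
```

Run it over a dd image of the interesting range rather than the live device when you are doing incident analysis, and raise MINLEN to cut down on the noise that short printable runs in binary data produce. The offsets it prints let you go back with dd (skip=OFFSET bs=1) and pull the surrounding bytes once a string like the rcmd messages above catches your eye.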

This article was posted by Matty on 2005-09-04 20:29:00 -0400 EDT