@j3s or just open proc/pid/mem with r2 and search the text. No need for coredumps or ptrace :3
@Netux @j3s I use ^Z a lot. The problem with regexes is that they are supposed to run on a limited space in memory. That is, if you use strings it's fine, but when searching in memory, the regex expression can expand to read 4GB of memory to find a matching token, and this is not really optimal. Most forensic tools supporting regexes restrict the contents to search in or add limits to the regex engine.
@Netux @j3s the only way to use proc/pid/mem is via mmap, so cat won't work. And yes, it's possible and desirable to define boundaries when searching on raw memory. Actually the maps file describes the heap, etc., so you can use e search.in=io.maps.rw and that would reduce the search to the writable maps, which is where the user data is stored, and avoid scanning the code or read-only segments.
@pancake @j3s garbage collection is the enemy, catching and pausing with gdb may be faster than figuring out a good regex
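
The bounded search described in the thread (read the maps file, keep only the writable mappings, scan the mem file in fixed-size chunks), as an added Python example that is not code from any poster or from radare2. It matches a literal byte string rather than a regex, and the function names and the sample maps text are constructed for illustration.

```python
import re

# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]"
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")

# Constructed sample maps text (not taken from a real process).
SAMPLE_MAPS = """\
00001000-00002000 r-xp 00000000 08:01 131 /usr/bin/demo
00002000-00003000 r--p 00001000 08:01 131 /usr/bin/demo
00003000-00005000 rw-p 00000000 00:00 0 [heap]
00005000-00006000 rw-p 00000000 00:00 0 [stack]
"""

def writable_regions(maps_text):
    """Return (start, end, name) for every readable and writable mapping."""
    regions = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and m.group(3).startswith("rw"):
            regions.append((int(m.group(1), 16), int(m.group(2), 16), m.group(4)))
    return regions

def search_regions(mem, regions, needle, chunk=1 << 20):
    """Find needle in a seekable memory image, reading bounded chunks only."""
    if not needle:
        raise ValueError("needle must not be empty")
    hits, keep = [], len(needle) - 1   # keep: overlap carried across chunk edges
    for start, end, _name in regions:
        pos, tail = start, b""
        while pos < end:
            try:
                mem.seek(pos)
                data = mem.read(min(chunk, end - pos))
            except OSError:            # mapping not readable: skip the rest of it
                break
            if not data:
                break
            buf, base = tail + data, pos - len(tail)
            i = buf.find(needle)
            while i != -1:
                hits.append(base + i)
                i = buf.find(needle, i + 1)
            tail = buf[-keep:] if keep else b""
            pos += len(data)
    return hits

def search_pid(pid, needle):
    """Search the writable mappings of a process you are allowed to read."""
    with open(f"/proc/{pid}/maps") as f:
        regions = writable_regions(f.read())
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        return search_regions(mem, regions, needle)
```

Opening /proc/<pid>/mem is gated by the kernel's ptrace access checks (same user, Yama ptrace_scope) even though no ptrace attach is performed.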