How to dump memory of any running processes in Android (rooted)

First download and untar the Android NDK (in my case it is r7 version).

Next untar the “dump_android_memory.tgz” (which can be downloaded from http://groups.google.com/group/embeddednewbies/attach/03ee7f77fae48976/dump_android_memory.tgz?part=2) and copy the entire directory “dump_android_memory” under the “samples” subdirectory.

“cd” to that directory, and execute “export NDK_PROJECT_PATH=`pwd`”.

Then execute “../../ndk-build” as follows (ie, just execute the “ndk-build” that comes with the NDK download):

After compilation look for the file:

./libs/armeabi/dump_android_memory

And then “file” to view the binary file type:

file libs/armeabi/dump_android_memory
libs/armeabi/dump_android_memory: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), stripped

Now this is a ELF file successfully compiled and created by NDK.

Copy the dump_android_memory binary to your Android devices via “adb push”. (details not shown). Assuming “adb” is in your $PATH, connect into your android device:

adb push dump_android_memory /data

adb shell

(“su” will be necessary to escalate to root if it is a real Android device)

Inside the Android device, run as root (“su”) to execute the command “chmod 4755 dump_android_memory” to setuid the executeable.

# chmod 4755 /data/dump_android_memory

# /data/dump_android_memory
/data/dump_android_memory <pid> <start_address> <total_words>
where <start_address> is in hexadecimal (remember the “0x” in front is
needed – by sscanf()

Finding where is the starting address to dump (for efficiency), using pid=37 as an example:

# cat /proc/37/maps
00008000-00028000 r-xp 00000000 00:01 24 /sbin/adbd
00028000-00029000 rwxp 00020000 00:01 24 /sbin/adbd
00029000-00034000 rwxp 00029000 00:00 0 [heap]
10000000-10001000 ---p 10000000 00:00 0
10001000-10100000 rwxp 10001000 00:00 0
40000000-40008000 r-xs 00000000 00:07 188
/dev/ashmem/system_properties (deleted)
40008000-40009000 r-xp 40008000 00:00 0
40009000-4000a000 ---p 40009000 00:00 0
4000a000-40109000 rwxp 4000a000 00:00 0
40109000-4010a000 ---p 40109000 00:00 0
4010a000-40209000 rwxp 4010a000 00:00 0
bed45000-bed5a000 rwxp befeb000 00:00 0 [stack]


Now you can dump the memory of any live process using the command “dump_android_memory <pid> <start_address> <total_words_to_dump>” where words are measure in counts of 4 bytes, and start_address must be entered in hexadecimal format as “0x12345678”.

Dumping 10 words:

# /data/dump_android_memory 37 0x00008000 10

464c457f 10101 0 0
280002 1 80a0 34

Dumping 100 words:

# /data/dump_android_memory 37 0x00008000 100

464c457f 10101 0 0
280002 1 80a0 34
20998 5000002 200034 280003
e000f 70000001 1e198 26198
26198 1460 1460 4
4 1 0 8000
8000 1f5f8 1f5f8 5
1000 1 20000 28000
28000 8e4 787c 6
1000 0 0 0
e1a0000d e3a01000 e28f2004 e28f3004
ea006730 ea006737 28000 28008
28014 2801c e1a00000 e1a00000
f005b510 bd10ffa1 f013b510 bd10ff51
6803b510 2b001c04 6840d005 68626058
60136064 1c206024 f0013008 6a60fa35
d0012800 ff3cf013 28006aa0 f013d001
6ae0ff37 d0032800 31301c21 fb64f001
f0131c20 bd10ff2d f7ffb510 bd10ffd9
4657b5f8 b4c04646 4e154d14 447d1c07
468859ab 681c4692 d014429c 1c386a61
f92af00f d10a2800 46406aa1 f924f00f
d1042800 2b006ae3 4553d001 6824d009
429c59ab 2001d1ea bc0c4240 469a4690
1c20bdf8 ffacf7ff e7f62000 2043a #


Hope it helps.

Advertisement