Dumping Modules Associated with a Process in Linux Systems
Linux command used to list the modules (mapped files, including shared objects) of a process:
- pmap -d <PID>
Command used to dump the memory of a process to a core file:
- gcore -o <dest> <pid>
In this demonstration, we’ll use the Linux tool “gcore” (shipped with gdb) to dump an example process named bash with the process ID 5885.
Scenario: We are instructed to examine this process on a live system under the assumption that bash:5885 is connecting to a known malicious domain.
First, run “ps aux | grep <target_process>” to list the running processes and confirm the PID of the target.
Next, run “sudo gcore -o <dir/filename> <PID>”. In this instance, the PID is 5885.
Now, run “strings <dumped process> | grep '\.so'” to list the shared objects referenced in the dump.
#Tip: A .so (shared object) on Linux is the equivalent of a .dll on Windows.
#Tip: Keep an eye out for unusual uses of common objects and search for anomalies (for instance, a bash process that has loaded a networking shared object it should not need in order to reach the internet).
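The following is an added example (not part of the original write-up) that automates the two checks above: listing the shared objects mapped by a process from a /proc/<PID>/maps listing (the same data pmap reads) and extracting .so references from a gcore dump, then reporting objects named in the dump that are not currently mapped, which is the kind of anomaly worth a closer look. The maps listing and the dump contents are constructed sample data; on a live system you would pass /proc/5885/maps and the file gcore produced.

```shell
#!/bin/sh
# Added example for the gcore/pmap triage workflow; sample data below is constructed.
export LC_ALL=C   # stable sort order for comm

# Unique shared objects from a /proc/<PID>/maps listing (6th column is the path).
# Live use: mapped_objects /proc/5885/maps
mapped_objects() {
    awk '$6 ~ /\.so(\.[0-9]+)*$/ { print $6 }' "$1" | sort -u
}

# Shared-object names referenced anywhere in a memory dump (gcore output).
# Splits the raw bytes into path-like tokens and keeps only whole tokens that
# end in .so or .so.N, so "foo.socket" is not reported; this mirrors
# `strings <dump> | grep '\.so'` without depending on binutils.
dump_objects() {
    tr -c 'A-Za-z0-9_./-' '\n' < "$1" \
        | grep -xE '[A-Za-z0-9_./-]+\.so(\.[0-9]+)*' \
        | sort -u
}

# Objects named in the dump but not currently mapped (compared by basename):
# unloaded libraries, injected strings, or a library the process should not need.
unexpected_objects() {
    m=$(mktemp); d=$(mktemp)
    mapped_objects "$1" | awk -F/ '{ print $NF }' | sort -u > "$m"
    dump_objects "$2"   | awk -F/ '{ print $NF }' | sort -u > "$d"
    comm -13 "$m" "$d"
    rm -f "$m" "$d"
}

# --- constructed sample input standing in for /proc/5885/maps and the gcore dump ---
MAPS=$(mktemp); DUMP=$(mktemp)
cat > "$MAPS" <<'EOF'
7f0a00000000-7f0a00001000 r--p 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6
7f0a00002000-7f0a00003000 r-xp 00001000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6
7f0a00010000-7f0a00011000 r--p 00000000 08:01 1235 /usr/lib/x86_64-linux-gnu/libtinfo.so.6
7f0a00020000-7f0a00021000 r--p 00000000 08:01 1236 /usr/lib64/ld-linux-x86-64.so.2
7f0a00030000-7f0a00040000 rw-p 00000000 00:00 0
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]
EOF
# Binary-looking dump: strings separated by non-printable bytes.
printf 'junk\001\002libc.so.6\001\003/usr/lib/libcurl.so.4\001nothing.socket\001libtinfo.so.6\001' > "$DUMP"

echo "== mapped objects ==";     mapped_objects "$MAPS"
echo "== objects in dump ==";    dump_objects "$DUMP"
echo "== in dump, not mapped =="; unexpected_objects "$MAPS" "$DUMP"
```

In the constructed data, libcurl.so.4 appears in the dump but not in the mapped list, which is exactly the "shell talking to the internet" pattern the tip above describes; on a real dump the same report is a starting point for inspection, not proof of compromise, since strings can also come from the shell's history, environment or heap.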
#Tip: Before doing live forensics, capture a copy of the system’s volatile memory image.
Note: When a Linux system is vital and cannot be shut down for dead-box forensics, live forensics is the only alternative.