man pcat (Commands) - pcat - copy process memory
NAME
pcat - copy process memory
SYNOPSIS
pcat [-hHv] [-m mapfile] process_id
DESCRIPTION
pcat hooks onto the process specified with process_id and copies the contents of its memory to standard output. By default, pcat skips over holes in the process address space. Consequently, absolute location information is lost.
Options:
- -h (default)
- Skip over holes in the process address space, so that absolute location information is lost.
- -H
- Preserve holes in the process address space, so that absolute location information is preserved. This option writes holes to the output file, and requires that stdout is redirected to a file. This option does not work on some Solaris versions.
- -m mapfile
- Print the process memory map to mapfile, one entry per line. Each map entry consists of a region start address and the first address beyond that region. Addresses are separated by space, and are printed as hexadecimal numbers (0xhhhh).
- -v
- Enable verbose mode, for debugging purposes.
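Added example (not part of the original manual page or of the toolkit's code): when a dump was taken in the default hole-skipping mode, the mapfile written with -m can be used to translate a byte offset in the dump back to a virtual address. The sketch assumes the dump is the listed regions concatenated in mapfile order with every region copied in full; the function names and the sample map are constructed for illustration.

```python
import bisect

# Constructed sample of a `pcat -m mapfile` listing (not from a real process).
SAMPLE_MAP = """\
0x8048000 0x804a000
0x804b000 0x804c000
0x40000000 0x40003000
"""

def parse_mapfile(text):
    """Return [(start, end)] from 'start end' hex lines; end is exclusive."""
    regions = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected two addresses")
        start, end = int(fields[0], 16), int(fields[1], 16)
        if end <= start:
            raise ValueError(f"line {lineno}: empty or inverted region")
        regions.append((start, end))
    return regions

def dump_offsets(regions):
    """Offset of each region in a hole-less dump, plus the total dump size."""
    offsets, pos = [], 0
    for start, end in regions:
        offsets.append(pos)
        pos += end - start
    return offsets, pos

def offset_to_address(regions, offset):
    """Map a byte offset in the default (-h) dump back to a virtual address."""
    offsets, total = dump_offsets(regions)
    if not 0 <= offset < total:
        raise ValueError("offset outside dump")
    i = bisect.bisect_right(offsets, offset) - 1
    return regions[i][0] + (offset - offsets[i])

def address_to_offset(regions, addr):
    """Map a virtual address to its dump offset, or None if it lies in a hole."""
    offsets, _ = dump_offsets(regions)
    for (start, end), off in zip(regions, offsets):
        if start <= addr < end:
            return off + (addr - start)
    return None
```

Compare the total returned by dump_offsets() with the size of the dump file before trusting any translation; a mismatch means the concatenation assumption does not hold for that capture.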
BUGS
On systems with a usable /proc file system, pcat does not stop the target process before accessing its memory. This can result in a loss of accuracy.
pcat uses ptrace(2) when the system lacks a usable /proc file system. This can be very, very slow.
The use of ptrace(2) causes the target process to be stopped while its memory is being copied. This can be undesirable.
On some systems, the ptrace(2) detach operation resumes a process that was stopped prior to the ptrace(2) attach operation. pcat attempts to compensate by sending SIGSTOP signals when it detaches from the process.
On some systems, the ptrace(2) detach operation leaves a process stopped that was not stopped prior to the ptrace(2) attach operation. pcat attempts to compensate by sending a SIGCONT signal when it detaches from the process.
On most non-/proc systems, pcat accesses kernel data structures and therefore 1) needs super-user privilege and 2) must be compiled specifically for the machine that it runs on.
pcat will not copy its own memory.
pcat will not copy system processes (i.e. processes that live entirely inside the kernel).
HISTORY
This pcat command was written for the coroner's toolkit. However, a command with the same name exists on some versions of System V UNIX. That command, a file decompression utility, should not be confused with the command described in this manual page.
LICENSE
This software is distributed under the IBM Public License.
AUTHOR(S)
Wietse Venema, IBM T.J. Watson Research, P.O. Box 704, Yorktown Heights, NY 10598, USA