dereenigne.org

reverse engineered

/dev/mem grep

Often it is useful to be able to search the contents of system memory, for example to check if a program you are running stores your password unencrypted in memory.

The following command combines dd, strings and grep: dd reads system memory, strings extracts the printable character strings from it, and grep -i filters those for case-insensitive matches of SearchString. Because /dev/mem does not have public read permissions, you must run the command from a root terminal.

dd if=/dev/mem | strings | grep -i SearchString

Bear in mind that, depending on your kernel version, you might actually only be searching the non-kernel portion of memory using /dev/mem. Generally this isn’t an issue, but it is something to be aware of.
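The same search as a script, added here as an example that is not part of the original post: it goes beyond the pipeline by also matching the string stored as UTF-16LE (which strings skips by default) and by reporting the offset of each hit. The names scan_memory and SAMPLE_IMAGE and the search string "hunter2" are assumptions made for the illustration.

```python
import io
import re
import sys

# Constructed sample "memory image": one ASCII copy and one UTF-16LE copy.
SAMPLE_IMAGE = (b"\x00" * 37 + b"user=bob pass=Hunter2\x00" + b"\xff" * 10
                + "hunter2".encode("utf-16-le") + b"\x00" * 5)


def scan_memory(stream, needle, chunk_size=1 << 20):
    """Yield (offset, encoding, matched_text) for each case-insensitive
    occurrence of needle stored as ASCII or UTF-16LE in a binary stream."""
    if not needle:
        raise ValueError("empty search string")
    # Lookahead groups so that overlapping occurrences are all reported.
    patterns = {
        enc: re.compile(b"(?=(" + re.escape(needle.encode(enc)) + b"))",
                        re.IGNORECASE)
        for enc in ("ascii", "utf-16-le")
    }
    keep = len(needle.encode("utf-16-le")) - 1  # bytes carried between chunks
    tail, base = b"", 0                         # base = stream offset of buf[0]
    while True:
        try:
            chunk = stream.read(chunk_size)
        except OSError:
            break  # unreadable region: stop, as dd does without conv=noerror
        if not chunk:
            break
        buf = tail + chunk
        for enc, pattern in patterns.items():
            for m in pattern.finditer(buf):
                hit = m.group(1)
                # Hits lying wholly inside the carried tail were already reported.
                if m.start() + len(hit) > len(tail):
                    yield base + m.start(), enc, hit.decode(enc)
        tail = buf[-keep:]
        base += len(buf) - len(tail)


if __name__ == "__main__":
    # No arguments: scan the constructed sample.
    # As root: python3 memscan.py SearchString /dev/mem
    needle = sys.argv[1] if len(sys.argv) > 1 else "hunter2"
    source = (open(sys.argv[2], "rb", buffering=0) if len(sys.argv) > 2
              else io.BytesIO(SAMPLE_IMAGE))
    for offset, enc, text in scan_memory(source, needle):
        print(f"{offset:#x}\t{enc}\t{text}")
```

When run against /dev/mem, the search string also sits in the scanner's own memory, so a single hit can be the scanner's own copy rather than the program under test.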

