% METHOD: FMEM and /DEV/MEM

% WHAT: Different ways of exploring your system memory (RAM). As in unix-based systems everything can be approached as a file, you can access your memory as if it were a file. 
% WHEN:
% WHO:
% URGENCY: Observing the operational level of software, getting closer to its workings. Examining the instruction-being of an executable/executing file, the way it is when it is loaded into memory rather than when it sits in the harddisk.

% PDFFIX: 1 \newpage

% REMEMBER: In Unix-like operating systems, a device file or special file is an interface for a device driver that appears in a file system as if it were an ordinary file. In the early days you could fully access your memory via the memory device (`/dev/mem`) but over time the access was more and more restricted in order to avoid malicious processes from directly accessing the kernel memory. The kernel option CONFIG_STRICT_DEVMEM was introduced  in kernel version 2.6 and upper (2.6.36–2.6.39, 3.0–3.8, 3.8+HEAD). So  you'll need to use the Linux kernel module fmem: this module creates `/dev/fmem` device, that can be used for accessing physical memory without the limits of /dev/mem (1MB/1GB, depending on the distribution).

% HOW:

`/dev/fmem`
tools to explore processes stored in the memory

% ------
   ps ax | grep process
   cd /proc/numberoftheprocess
   cat maps
% SRCCODE: bash

--> check what it is using

The proc filesystem is a pseudo-filesystem which provides an interface to kernel data structures.
It is commonly mounted at `/proc`. 
Most of it is read-only, but some files allow kernel variables to be changed.

dump to a file-->change something in the file-->dump new to a file-->diff oldfile newfile

"where am i?"

to find read/write memory addresses of a certain process    
% SRCCODE: bash awk -F "-| " '$3 ~ /rw/ { print $1 " " $2}' /proc/PID/maps

take the range and drop it to hexdump

% ----- 
sudo dd if=/dev/fmem bs=1 skip=$(( 16#b7526000 - 1 )) \
        count=$(( 16#b7528000 - 16#7b7526000 + 1)) | hexdump -C
% SRCCODE: bash

% SOURCE:  http://observatory.constantvzw.org/etherdump/files.md 511-535

Besides opening the memory dump with a hex editor you can also try to explore it with other tools or devices.
You can open it as a raw image, you can play it as a sound or perhaps send it directly to your frame-buffer device (`/dev/fb0`).

% WARNING: Although your memory may look like/sound like/read like gibberish, it may contain sensitive information about you and your computer! 
    
% EXAMPLE: - 
% ![Binary visualization example]( http://observatory.constantvzw.org/images/Screenshot_from_2017-06-07_164407.png )
% SHOW: tgsoimages.svg binvis
% BOX: Forensic and debugging tools can be used to explore and problematize the layers of abstraction of computing. 
    

% RELATESTO: http://pad.constantvzw.org/p/observatory.guide.monopsychism
% SOURCE: [Notes on how to observe files](http://observatory.constantvzw.org/etherdump/files.html)