Linux/Unix: Reading plain text strings from /dev/mem
OneThingWell.dev wiki page | Last updated: Dec 5, 2022
/dev/mem is a virtual device file that contains a direct representation of physical memory. In the past, it was possible to access and read the whole contents of physical memory directly by doing something like this:
dd if=/dev/mem of=mem_dump
Nowadays, if you try that on any modern Linux distribution, you'll see an output similar to this:
dd: error reading '/dev/mem': Operation not permitted
2048+0 records in
2048+0 records out
1048576 bytes (1.0 MB, 1.0 MiB) copied, 0.0947453 s, 11.1 MB/s
So, we're limited to the first megabyte, which contains things like the System and Video ROM. You can find out more about this exact layout by running cat /proc/iomem, but let's return to the main topic: extracting plain text strings.
To extract plain text strings from any file, we can use the conveniently named tool strings. People often use cat to pipe the contents of device files (like /dev/mem) into strings, but since device files are also files, there's no need for that: strings can read /dev/mem directly.
And, of course, we can combine this with less to scroll through the contents:
strings /dev/mem | less
or with grep to find keywords:
strings /dev/mem | grep BIOS
00IBM VGA Compatible BIOS.
2126Intel(R) Sandybridge/Ivybridge PCI Accelerated SVGA BIOS
Intel(R) Sandybridge/Ivybridge Graphics Chipset Accelerated VGA BIOS
AMIBIOS(C)2010 American Megatrends, Inc.
BIOS Date: 04/27/12 17:24:37 Ver: 04.06.05
Accessing the whole physical memory
As I mentioned before, access to /dev/mem on modern Linux distributions is restricted (for security reasons) to the first megabyte. The main kernel configuration option controlling this behavior is CONFIG_STRICT_DEVMEM.
You can check its current status in the config file of your active kernel in the /boot directory:
grep CONFIG_STRICT_DEVMEM /boot/config-$(uname -r)
Most likely, you'll see that the kernel has been compiled with this option enabled (CONFIG_STRICT_DEVMEM=y).
So, to remove this restriction, you can either recompile the kernel with CONFIG_STRICT_DEVMEM=n or, more easily, append this to your kernel cmdline:
This should give you full access to your physical memory, but as always, be careful, and make sure that you understand the security implications.
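A host-side check of what this section describes, added here as an example and not part of the original wiki page: it reads the CONFIG_STRICT_DEVMEM line from the kernel config and, when run as root, measures how far dd can read /dev/mem before the kernel refuses. The function names and the devmem_audit.sh filename are my own choices.

```shell
#!/bin/sh
# Added audit helper (not from the original page): report whether the running
# kernel restricts /dev/mem, using only what the page shows: the kernel config
# under /boot/config-$(uname -r) and the CONFIG_STRICT_DEVMEM line in it.

# devmem_policy CONFIG_FILE
# Prints "strict" (CONFIG_STRICT_DEVMEM=y), "relaxed" (=n or "is not set")
# or "unknown" (file unreadable or option absent); returns 1 for unknown.
devmem_policy() {
    cfg="$1"
    [ -r "$cfg" ] || { echo unknown; return 1; }
    if grep -q '^CONFIG_STRICT_DEVMEM=y$' "$cfg"; then
        echo strict
    elif grep -Eq '^(CONFIG_STRICT_DEVMEM=n|# CONFIG_STRICT_DEVMEM is not set)$' "$cfg"; then
        echo relaxed
    else
        echo unknown
        return 1
    fi
}

# devmem_readable_bytes [DEVICE]
# Measures how many bytes dd can copy from /dev/mem before the kernel refuses
# with "Operation not permitted" (typically 1048576 on a strict kernel, as in
# the dd run shown on the page). Needs root; prints 0 if the device is unreadable.
devmem_readable_bytes() {
    dev="${1:-/dev/mem}"
    [ -r "$dev" ] || { echo 0; return; }
    # dd exits non-zero once it hits EPERM; the bytes already copied still reach wc.
    dd if="$dev" bs=512 2>/dev/null | wc -c | tr -d ' '
}

# devmem_report [CONFIG_FILE]: short summary suitable for a host audit.
devmem_report() {
    cfg="${1:-/boot/config-$(uname -r)}"
    policy=$(devmem_policy "$cfg") || true
    echo "CONFIG_STRICT_DEVMEM in $cfg: $policy"
    [ "$policy" = strict ] || echo "WARNING: /dev/mem access is not restricted to the first megabyte"
    if [ "$(id -u)" -eq 0 ]; then
        echo "bytes readable from /dev/mem: $(devmem_readable_bytes)"
    fi
}

# Run the report only when this file is executed directly as devmem_audit.sh.
case "$0" in */devmem_audit.sh|devmem_audit.sh) devmem_report "$@" ;; esac
```

On a fleet, a "relaxed" or "unknown" result is the finding to chase, since it means any root process can read all physical memory through /dev/mem.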
In case you're interested in memory forensics or other workarounds, here are some alternatives that may be worth considering: