Linux/Unix: Reading plain text strings from /dev/mem

📄 BetterWays.dev wiki page | 🕑 Last updated: Dec 5, 2022

/dev/mem is a virtual device file that contains a direct representation of physical memory. In the past, it was possible to access and read the whole contents of physical memory directly by doing something like this:

dd if=/dev/mem of=mem_dump

Nowadays, if you try that on any modern Linux distribution, you'll see an output similar to this:

dd: error reading '/dev/mem': Operation not permitted
2048+0 records in
2048+0 records out
1048576 bytes (1.0 MB, 1.0 MiB) copied, 0.0947453 s, 11.1 MB/s

So, we're limited to the first megabyte, which contains things like the System and Video ROM. You can see the exact layout with cat /proc/iomem, but let's return to the main topic - extracting plain text strings.

To extract plain text strings from any file, we can use the conveniently named tool strings. People often use dd or cat to pipe the contents of device files (like /dev/mem) into strings, but since device files are also files, there's no need for that:

strings /dev/mem

And, of course, we can combine this with less to scroll through the contents:

strings /dev/mem | less

Or use grep to find keywords:

strings /dev/mem | grep BIOS

Example output:

00IBM VGA Compatible BIOS. 
BIOS_DATA_BLOCK 
2126Intel(R) Sandybridge/Ivybridge PCI Accelerated SVGA BIOS
    Intel(R) Sandybridge/Ivybridge Graphics Chipset Accelerated VGA BIOS
AMIBIOS 080010
AMIBIOS(C)2010 American Megatrends, Inc.                                      
BIOS Date: 04/27/12 17:24:37 Ver: 04.06.05

Accessing the whole physical memory

As I mentioned before, accessing /dev/mem on modern Linux distributions is restricted (for security reasons) to the first megabyte. The main kernel configuration option for controlling this behavior is called CONFIG_STRICT_DEVMEM.

You can check the current status in the config file of your active kernel in the /boot directory:

grep CONFIG_STRICT_DEVMEM /boot/config-$(uname -r)

Most likely, you'll see that the kernel has been compiled with this option:

CONFIG_STRICT_DEVMEM=y

So, to remove this restriction, you can either recompile the kernel with CONFIG_STRICT_DEVMEM=n or, more easily, append this to your kernel cmdline:

strict-devmem=0

This should give you full access to your physical memory, but as always, be careful, and make sure that you understand the security implications.
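A small audit helper, added here and not part of the BetterWays.dev page, that combines the two checks above (the CONFIG_STRICT_DEVMEM line in the kernel config and strict-devmem=0 on the boot command line) and reports which state a host is in, so a weakened machine can be spotted. The file paths are parameters, so it runs against the constructed sample files below as well as the real /boot/config-$(uname -r) and /proc/cmdline; the function name and output labels are my own.

```shell
#!/bin/sh
# Added example, not code from the original page.
# devmem_policy CONFIG_FILE CMDLINE_FILE
# Prints one of: restricted | unrestricted-config | unrestricted-cmdline | unknown
devmem_policy() {
    config="$1"
    cmdline="$2"

    if [ ! -r "$config" ] || [ ! -r "$cmdline" ]; then
        echo unknown
        return 1
    fi

    # A kernel built without CONFIG_STRICT_DEVMEM=y does not restrict /dev/mem.
    if ! grep -q '^CONFIG_STRICT_DEVMEM=y' "$config"; then
        echo unrestricted-config
        return 0
    fi

    # strict-devmem=0 on the command line turns the restriction off at boot.
    # Compare whole words so that e.g. strict-devmem=01 is not accepted.
    for word in $(cat "$cmdline"); do
        case "$word" in
            strict-devmem=0) echo unrestricted-cmdline; return 0 ;;
        esac
    done

    echo restricted
}

# Constructed sample inputs standing in for the real config and cmdline files.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'CONFIG_DEVMEM=y\nCONFIG_STRICT_DEVMEM=y\n' > "$tmp/config-strict"
printf 'CONFIG_DEVMEM=y\n# CONFIG_STRICT_DEVMEM is not set\n' > "$tmp/config-loose"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet\n' > "$tmp/cmdline-default"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro strict-devmem=0 quiet\n' > "$tmp/cmdline-relaxed"

devmem_policy "$tmp/config-strict" "$tmp/cmdline-default"   # restricted
devmem_policy "$tmp/config-strict" "$tmp/cmdline-relaxed"   # unrestricted-cmdline
devmem_policy "$tmp/config-loose"  "$tmp/cmdline-default"   # unrestricted-config
```

On a live system, call it as devmem_policy /boot/config-$(uname -r) /proc/cmdline.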

Alternatives

In case you're interested in memory forensics or other workarounds, here are some alternatives that may be worth considering:

