Thursday, July 16, 2015

Using MemFetch


memfetch dumps the memory of a program without disrupting its operation, either immediately or on the nearest fault condition (such as SIGSEGV). It can be used to examine suspicious or misbehaving processes on your system, verify that processes are what they claim to be, and examine faulty applications using your favorite data viewer so that you are not tied to the inferior data inspection capabilities in your debugger.


I'm trying to use memfetch to dump the memory of a particular process from my Samsung Galaxy Nexus.

I downloaded memfetch from

Extracted out its contents using the following command:

tar -xvf memfetch.tgz

Ran an ls on my memfetch directory:


COPYING Makefile memfetch.c README

At this stage i'm supposed to run the make command to get my memfetch executable.
Editing the memfetch.c file, i removed the include page.h line

So first i downloaded the Android ARM Architecture it with the following command. This was for static cross-compilation for the memfetch:

apt-get install gcc-arm0-linux-gnueabi

Then i edited Makefile at the following areas:

FILE = memfetch
CFLAGS = -Wall -09 -static
CC = arm-linux-gnueabi-gcc

So success, i had my memfetch executable:


arm-linux-gnueabi-gcc -Wall -09 -static    memfetch.c    -o memfetch


COPYING Makefile memfetch memfetch.c README

Then i pushed the memfetch executable into my Android phone: 
adb push memfetch /sdcard/memfetch

Now from here i worked things from my phone. 
I ran executed a adb shell command and created a directory to store the memfetch exectable, ideally to run it from there:

adb shell


cd /sdcard

mkdir tmp

mount -t tmpfs tmpfs tmp

cp memfetch tmp

cd tmp

chmod 6755 memfetch

Now here's where the problem comes. When i executed the memfetch, i was getting the following error:

./memfetch 1197

memfetch 0.05b by Michal Zalewski <>

Usage ./memfetch [ -sawn ] [ -S xxx ] PID

 -s     - wait for fault signal before generating a dump

 -a     - skip non-anonymous maps (libraries etc)

 -w     - write index file to stdout instead of mfetch.lst

 -m     - avoid mmap(), helps to prevent hanging on some 2.2 boxes

 -S xxx - dump segment containing address xxx (hex) only

No matter what PID i tried to dump, i always got the same error. I even tried with various flag combinations but none of them worked :(

The solution is, if you don't use other inputs "samwS" comment this lines,

while ((opt=getopt(argc,(void*)argv, "+samwS:h"))!=EOF)
    switch(opt) {
      case 's': waitsig=1; break;
      case 'a': skipmap=1; break;
      case 'w': textout=1; break;
      case 'm': avoid_mmap=1; break;
      case 'S': if (sscanf(optarg,"%x",&onlyseg)!=1)
                  fatal("Incorrect -S syntax (hex address expected).\n");
      default:  usage(argv[0]);
it you use them just comment default:  usage(argv[0]);