Recovering application data from core files
Post date: Jan 26, 2011 5:24:48 AM
So, I was writing an email today in Outlook Web Access, and after hitting send, the "Sending" box popped up... and stayed there.
I noticed my SSL VPN had disconnected. I frantically tried to reconnect, hoping the email would go through... but no dice. Then I think, no worries, I'll just copy the email to my clipboard and paste it into a new email. If only it were that easy. The designers thought that little sending box should stop all controls from being highlighted, so I couldn't copy and paste. Now what!? I'm lazy so F&(*& typing that email again. There were a lot of statistics and stuff in it. I had to think. That was a lot of effort!
I know! I can just pull the email out of memory by taking a core dump of the running Firefox process! Luckily I am running Linux.
Actually, you can apply this same concept on FreeBSD, Windows, a Mac, and pretty much every operating system - except there you're on your own.
First, look up the process ID of the running Firefox:
jayme@Jayme2:~$ ps auwwx|grep firefox-bin
jayme 2067 0.0 0.0 4148 96 ? S Jan24 0:00 /bin/sh /usr/lib/firefox-3.6.13/run-mozilla.sh /usr/lib/firefox-3.6.13/firefox-bin
jayme 2071 4.3 22.8 1085160 469216 ? Sl Jan24 111:51 /usr/lib/firefox-3.6.13/firefox-bin
jayme 14681 0.0 0.0 8956 876 pts/1 S+ 10:00 0:00 grep firefox-bin
Second, core the process:
jayme@Jayme2:~$ sudo gcore -o firefox2 2071
[Thread debugging using libthread_db enabled]
[New Thread 0x7f0733bff700 (LWP 12285)]
[New Thread 0x7f07380ff700 (LWP 11904)]
[New Thread 0x7f07736f1700 (LWP 10897)]
[New Thread 0x7f073dcfe700 (LWP 10791)]
[New Thread 0x7f07705ca700 (LWP 2155)]
[New Thread 0x7f07614b4700 (LWP 2086)]
[New Thread 0x7f0761cb5700 (LWP 2085)]
[New Thread 0x7f07624b6700 (LWP 2084)]
[New Thread 0x7f076e8ff700 (LWP 2082)]
[New Thread 0x7f076f239700 (LWP 2081)]
[New Thread 0x7f07715ff700 (LWP 2077)]
[New Thread 0x7f07724e5700 (LWP 2076)]
[New Thread 0x7f0772ce6700 (LWP 2075)]
[New Thread 0x7f07742fa700 (LWP 2073)]
[New Thread 0x7f0774cff700 (LWP 2072)]
0x00007f077ece4203 in poll () from /lib/libc.so.6
Saved corefile firefox2.2071
Third, investigate the contents of the dump file for the email contents:
jayme@Jayme2:~$ cat -t firefox2.2071|sed 's/\^.//g'|less
/contents of email
I found the contents, all intact, copied them to a new email and, as they say here in Dubai, khalas.
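The cat -t | sed pipeline works on UTF-16 text as well as ASCII because cat -t prints each NUL byte as ^@ and sed then strips it. As an added example (not part of the original post), the Python sketch below does the same search explicitly: it memory-maps the core file, looks for a keyword in both ASCII and UTF-16LE, and returns the whole printable run around each hit. The function names and the sample bytes are constructed for illustration, and the keyword is assumed to be plain ASCII.

```python
import mmap
import sys

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# Constructed sample standing in for a core file: one ASCII and one UTF-16LE copy.
SAMPLE = (b"\x00\x01\xff" + b"Subject: Q4 stats\nTotal: 42" + b"\x00\xfe"
          + "Draft: Q4 stats attached".encode("utf-16-le") + b"\x01\x02")


def _expand(buf, pos, length, step):
    """Grow [pos, pos+length) over printable text; step is 1 (ASCII) or 2 (UTF-16LE)."""
    def ok(i):
        if i < 0 or i + step > len(buf):
            return False
        return buf[i] in PRINTABLE and (step == 1 or buf[i + 1] == 0)

    start, end = pos, pos + length
    while ok(start - step):
        start -= step
    while ok(end):
        end += step
    return start, end


def recover_text(buf, keyword):
    """Return each distinct printable run in buf that contains keyword."""
    found = []
    for codec, step in (("ascii", 1), ("utf-16-le", 2)):
        needle = keyword.encode(codec)
        pos = buf.find(needle)
        while pos != -1:
            start, end = _expand(buf, pos, len(needle), step)
            text = bytes(buf[start:end]).decode(codec)
            if text not in found:
                found.append(text)
            pos = buf.find(needle, end)  # resume after this run
    return found


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py COREFILE KEYWORD
        with open(sys.argv[1], "rb") as f:
            dump = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
            hits = recover_text(dump, sys.argv[2])
    else:
        hits = recover_text(SAMPLE, "Q4 stats")
    for hit in hits:
        print(hit + "\n" + "-" * 40)
```

The core file holds everything the browser had in memory at the time, so remove it once the text has been recovered.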
Actually, looking at memory dumps can give you a lot of useful information, like recovering stored encrypted passwords/keys, recovering deleted files still in memory, etc.
It was easy; try it. It may save you in the future.