After starting VirtualBox, the computer became sluggish and then hung completely due to OOM. Usually, OOM should start killing processes in order to free up some space, but this did not happen (this was the second time that I experienced this).
I had some unsaved important work in a text editor, so I was hoping to find it back in the system RAM after killing all processes in the current console using SysRq + K. The machine in question is a laptop with 8 GiB RAM running Linux x86_64 3.7.5 with an SSD as target disk.
My first attempt was `dd if=/dev/mem of=memory`, but this failed after reading 1 MiB of data. Next, I tried `dd if=/dev/fmem of=memory bs=1M`, but this stopped after reading 3010461696 bytes (exactly 2871 MiB). After looking at `/proc/mtrr` (shown below), I decided to try adding `skip=4096`. This ultimately slowed down, reading at a speed of only 3 MiB/sec, so I interrupted it (yielding a file of 5.8 GiB). (At least the last 100 MiB of the file contains `FF`s.)
reg01: base=0x000000000 ( 0MB), size= 2048MB, count=1: write-back
reg02: base=0x080000000 ( 2048MB), size= 1024MB, count=1: write-back
reg03: base=0x100000000 ( 4096MB), size= 4096MB, count=1: write-back
reg04: base=0x200000000 ( 8192MB), size= 1024MB, count=1: write-back
reg05: base=0x23c000000 ( 9152MB), size= 64MB, count=1: uncachable
reg06: base=0x0b4000000 ( 2880MB), size= 64MB, count=1: uncachable
reg07: base=0x0b8000000 ( 2944MB), size= 128MB, count=1: uncachable
I could not find the data I had open for some hours in the text editor, so I believe I have skipped some memory while doing a dump. So, given my goal (recovery of data from userspace programs), what is the most efficient method to dump the system memory to a file? What are some points that must be considered while doing such a dump?
Best Answer
Check this project: foriana
There is a kernel module fmem:
I have used it; it compiles pretty easily.
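
An added example (not part of the question or the answer, and not foriana's own code): it parses the `/proc/mtrr` lines quoted in the question, subtracts the uncachable regions from the write-back ones, and builds one `dd` invocation per remaining range so that holes are skipped and file offsets match physical addresses. It assumes the cacheable MTRR ranges approximate RAM; the "System RAM" entries in `/proc/iomem` are the authoritative map, and the function names are hypothetical.

```python
import re

# /proc/mtrr lines as quoted in the question (spacing normalised).
MTRR = """\
reg01: base=0x000000000 ( 0MB), size= 2048MB, count=1: write-back
reg02: base=0x080000000 ( 2048MB), size= 1024MB, count=1: write-back
reg03: base=0x100000000 ( 4096MB), size= 4096MB, count=1: write-back
reg04: base=0x200000000 ( 8192MB), size= 1024MB, count=1: write-back
reg05: base=0x23c000000 ( 9152MB), size= 64MB, count=1: uncachable
reg06: base=0x0b4000000 ( 2880MB), size= 64MB, count=1: uncachable
reg07: base=0x0b8000000 ( 2944MB), size= 128MB, count=1: uncachable
"""
LINE = re.compile(r"base=0x([0-9a-f]+)\s*\(\s*\d+MB\),\s*size=\s*(\d+)MB,"
                  r"\s*count=\d+:\s*(\S+)")

def parse_mtrr(text):
    """Return (start_mib, end_mib, type) for every register line."""
    regs = []
    for m in LINE.finditer(text):
        start = int(m.group(1), 16) >> 20          # bytes -> MiB
        regs.append((start, start + int(m.group(2)), m.group(3)))
    return regs

def cacheable_ranges(regs):
    """Merge write-back ranges, then cut out uncachable ones (UC wins on overlap)."""
    merged = []
    for s, e in sorted((s, e) for s, e, t in regs if t == "write-back"):
        if merged and s <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], e)
        else:
            merged.append([s, e])
    for us, ue, _ in (r for r in regs if r[2] == "uncachable"):
        kept = []
        for s, e in merged:
            if ue <= s or us >= e:                 # no overlap, keep whole range
                kept.append([s, e])
                continue
            if s < us:
                kept.append([s, us])               # part below the hole
            if ue < e:
                kept.append([ue, e])               # part above the hole
        merged = kept
    return [tuple(r) for r in sorted(merged)]

def dd_commands(ranges, dev="/dev/fmem", out="memory"):
    """skip= and seek= are equal, so offset N in the file is physical MiB N."""
    return [f"dd if={dev} of={out} bs=1M skip={s} seek={s} count={e - s} conv=notrunc"
            for s, e in ranges]

if __name__ == "__main__":
    print("\n".join(dd_commands(cacheable_ranges(parse_mtrr(MTRR)))))
```

For the posted table this yields two ranges, 0 to 2880 MiB and 4096 to 9152 MiB (7936 MiB in total), which lines up with the first `dd` stopping at 2871 MiB and with `skip=4096` being needed to reach the rest.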