3

What is the difference between /dev/mem, /dev/kmem and /proc/kcore?

Can I disassemble its contents using tools like objdump and gdb?

Patryk
  • 22,602
  • 44
  • 128
  • 244
user567879
  • 5,139
  • 20
  • 71
  • 105

1 Answers1

7

/dev/kmem gives access to the kernel's virtual memory space, and /dev/mem gives access to physical memory.

/proc/kcore is a pseudofile in ELF core format, of the kernel's virtual memory space. You should be able to examine it with standard ELF utilities, like objdump and gdb - although you will likely better off to make a regular file copy of it and work on that.

caf
  • 233,326
  • 40
  • 323
  • 462
  • In laymans terms what is the difference between this virtual memory space and physical memory – user567879 Feb 03 '11 at 07:37
  • @user567879: The virtual memory address space corresponds to the addresses as seen by the program in question (in this case, the kernel). The physical memory address space corresponds to the actual memory addresses that are placed on the system bus. The MMU within the CPU translates virtual addresses into physical addresses. – caf Feb 03 '11 at 08:43
  • @caf _Kernel virtual memory_ does not really make sense. Virtual memory is relative to a process, and the kernel is not a process. In fact, every process' virtual memory contain the same kernel part on top (higher addresses), which is only accessible after a switch in kernel context. `/proc/kcore` is the physical memory. – lledr Jun 28 '14 at 09:28
  • @ysomane: I would argue that it *does* make sense - as you point out the 'kernel' part of every process's page tables is the same, and is only accessible in kernel mode. Those are the addresses "seen" by the kernel - the addresses of kernel objects are virtual addresses in that constant kernel part of the address space. `/proc/kcore` covers the kernel virtual address space region, not physical memory - though depending on kernel configuration this might well include a mapping of all physical memory. – caf Jun 28 '14 at 22:42
  • @caf You're right on this, my point was in reply to your first comment, which sounds like you considered the kernel as some process. The _kernel virtual memory_ may be considered as the kernel part of the current process's virtual space. What would be odd may be to talk about the _kernel_ **'s** _virtual memory_. For the other point, every documentation I saw talk about physical memory for `/proc/kcore`... – lledr Jun 29 '14 at 10:43