Skip to content



LiME on Ubuntu Linux, live memory capture.

sources and learning material:

LiME step by step

My adaptation for manually testing LiME in a step-by-step method.


## check if LiME is installed

if [[ `lsmod|grep lime|wc -l` -gt 0 ]] ; then
    sudo rmmod lime.ko

kernel_release=$(uname -r)
kernel_name=$(uname -s)

echo "
kernel_release : ${kernel_release}
kernel_name    : ${kernel_name}

## function - I executed one line at a time
installLimeApt() {
    sudo apt-get -y update
    sudo apt-get -y install git

    sudo apt-get install -y linux-headers-$1
    #sudo apt-get install -y linux-headers-${kernel_release}

    sudo apt-get install -y build-essential

    cd /tmp && sudo rm -rf LiME

    git clone
    # >> could not clone, so I copyed 1 file at a time <<

    cd LiME/src


    echo "lime_path : ${lime_path}"

# I run the commands one by one
#installLimeApt $kernel_release

# loading the kernel module
sudo insmod $lime_path path=tcp:4444 format=lime localhostonly=1 &

# confirm the LiME kernel module is "listening" on port 4444
netstat -patnl | grep 4444

#sleep 120

if [[ `lsmod|grep lime|wc -l` -gt 0 ]] ; then
    echo "LiME has been loaded"

MEMSIZE=`awk '/MemTotal/ {print $2/1024/1024}' /proc/meminfo`

METADATA_FLAG="--metadata uncompressed-size=$MEMSIZE,kernel-name=$kernel_name,kernel-release=$kernel_release"
# sample output >>> `METADATA_FLAG : --metadata uncompressed-size=31.0748,kernel-name=Linux,kernel-release=4.4.0-184-generic`

# copying memory dump into S3
#s3cp() {
# aws s3 cp - {{s3ArtifactLocation}}/linux_memcapture$1 $2 $3 $4

# original command
# cat < /dev/tcp/ | tee >(gzip | s3cp \".lime.gz\" \"$EXPECTED_SIZE_FLAG\" \"$METADATA_FLAG\" \"$ACL_FLAG\") | sha256sum | s3cp \"_sha256.txt\" \"$ACL_FLAG\"",

# compressed memory
#cat < /dev/tcp/ | tee >(gzip > ./linux_memcapture.lime.gz)

# raw memory dump

cat < /dev/tcp/ > ./linux_memcapture.lime
sha256sum linux_memcapture.lime >> _sha256.txt

# remove the kernel module
# most of the time I tested, the kernel module `lime.ko` "removed" itself.

sudo rmmod lime.ko

Happy learning,

Antonio Feijao UK

aws sts decode-authorization-message

Decoding the aws sts decode-authorization-message

I included jq and tr commands to "clean up" and make the decoded message easier to read.

Note: - One of the command is jq, from jquery, which usually doesn't come installed by default in some OS, keep that in mind in case you might need to install it. - You need to have the sts permission to run the decode message - sts:DecodeAuthorizationMessage

  • TIP - I added the message to a variable, which makes it easier to read the command aws sts decode-authorization-message
enc_message="akjhkajshdkjahsdkjhakjshdais8duas8d7a98sd7a9s87da....example...." #replace with your encoded message

aws sts decode-authorization-message --encoded-message ${enc_message} | jq '.DecodedMessage' | tr -d '\\' | tr ',' '\n'

further reading from AWS documentation:

Happy learning,

Antonio Feijao UK