From 1c4e47d4670f37d72f51d30735cad5b71db568f9 Mon Sep 17 00:00:00 2001
From: Vladan Sekulic
Date: Tue, 6 Jan 2026 12:50:04 +0100
Subject: [PATCH] Update T1003.007 dump_heap.py: refactor FreeBSD heap memory dumping logic (#3231)
Co-authored-by: Bhavin Patel
---
atomics/T1003.007/src/dump_heap.py | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/atomics/T1003.007/src/dump_heap.py b/atomics/T1003.007/src/dump_heap.py
index 9908be65..b6659603 100644
--- a/atomics/T1003.007/src/dump_heap.py
+++ b/atomics/T1003.007/src/dump_heap.py
@@ -1,21 +1,16 @@
 #!/usr/bin/env python '''Dump a process's heap space to disk - Usage: python dump_proc.py ''' import argparse import platform - - parser = argparse.ArgumentParser(description='Dump a process\'s heap space to disk') parser.add_argument('pid', type=int, help='ID of process to dump') parser.add_argument('filepath', help='A filepath to save output to') args = parser.parse_args() - process_id = args.pid output_file = args.filepath - if platform.system() == "Linux": with open("/proc/{}/maps".format(process_id), "r") as maps_file: # example: 5566db1a6000-5566db4f0000 rw-p 00000000 00:00 0 [heap]
@@ -25,16 +20,24 @@ if platform.system() == "Linux":
 mem_stop = int(heap_range.split('-')[1], 16)
 mem_size = mem_stop - mem_start
 elif platform.system() == "FreeBSD":
- import linecache
- mem_line = linecache.getline("/proc/"+str(process_id)+"/map",4)
- mem_start = int(mem_line.split(' ')[0], 16)
- mem_stop = int(mem_line.split(' ')[1], 16)
+ import subprocess
+ procstat_output = subprocess.check_output(["procstat", "-v", str(process_id)], universal_newlines=True)
+ heap_line = None
+ for line in procstat_output.splitlines():
+ if "rw-" in line and "sw" in line:
+ heap_line = line
+ break
+ if not heap_line:
+ for line in procstat_output.splitlines():
+ if "rw-" in line and not (".so" in line or "/lib/" in line):
+ heap_line = line
+ break
+ columns = heap_line.split()
+ mem_start = int(columns[1], 16)
+ mem_stop = int(columns[2], 16)
 mem_size = mem_stop - mem_start
- mem_start = mem_stop
-
 with open("/proc/{}/mem".format(process_id), "rb") as mem_file:
 mem_file.seek(mem_start, 0)
 heap_mem = mem_file.read(mem_size)
-
 with open(output_file, "wb") as ofile:
 ofile.write(heap_mem)
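Review bot: `columns = heap_line.split()` is reached with `heap_line` still `None` whenever neither scan matches (a pid that has exited, an empty `procstat` listing, a process with no anonymous `sw` mapping), so the script dies with an AttributeError instead of a message; a guard such as `if heap_line is None: raise SystemExit("no heap-like mapping found for pid {}".format(process_id))` belongs before that line. Both scans also test substrings of the whole line, so a mapping whose path happens to contain "sw" or "rw-" can be picked as the heap; matching the PRT and TP columns of `procstat -v` output (PID START END PRT RES PRES REF SHD FLAG TP PATH, if I have the layout right) is more reliable, as sketched below. `subprocess.check_output` will likewise surface a CalledProcessError traceback when `procstat` fails, which the same guard path could report. Note too that the `/proc/{}/mem` read that follows still depends on procfs being mounted on FreeBSD (not the default) even though `procstat` itself does not — worth a comment next to `import subprocess`. The `elif` branch is fully inside the hunk, but the script's Linux branch begins before it.
```python
    heap_line = None
    for line in procstat_output.splitlines():
        cols = line.split()
        # procstat -v columns: PID START END PRT RES PRES REF SHD FLAG TP PATH
        if len(cols) >= 10 and cols[3].startswith("rw") and cols[9] == "sw":
            heap_line = line
            break
    # … unchanged: fallback scan for a writable non-library mapping …
    if heap_line is None:
        raise SystemExit("no heap-like mapping found in procstat -v output for pid {}".format(process_id))
    columns = heap_line.split()
```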