LinuxQuestions.org


waltinator 07-19-2010 11:14 PM

Use /proc/[0-9]*/maps to see what's mapped, what's shared in memory
 
I just thought up an interesting shell-command phrase, in answer to
"What files are mapped into memory? Do I have
/.evil/.overlord/.control/.program hidden somewhere?":

$ sudo cat /proc/[0-9]*/maps | cut -c82- | sort | uniq -c | sort -n

which tells me which files are mapped into memory by every existing
task, and how many tasks have them mapped. Both the top and bottom of
the list are worth a look - files mapped into memory only once, and
files mapped into memory lots of times. On my system the output ends
with:

512 /lib/libpthread-2.10.1.so
664 /lib/libc-2.10.1.so
1927 /dev/dri/card0
2956

I interpret the last number as the number of non-file-mapped memory
segments owned by tasks, that is, memory allocated by mapping /dev/zero
with copy-on-write, then writing.

This won't show files mapped by the kernel (e.g. loaded kernel modules),
and I don't understand /proc/[0-9]*/maps entries that look like this

7ffa46651000-7ffa46653000 r-xp 00000000 00:00 0

or this

7f9d4229a000-7f9d4250a000 rwxp 00000000 00:00 0
7f9d4250a000-7f9d4529a000 rwxp 00000000 00:00 0


Why are these blocks of memory marked Executable? Where did the code
that's executable come from?

Walt
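
A field-based version of the survey above, as an added example that is not part of the original post: it takes the pathname from the sixth field of each maps line, so it does not depend on the column where the path starts, and it lists anonymous executable regions like the two quoted above. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. /proc/<pid>/maps fields are:
#   address perms offset dev inode [pathname]

# Constructed sample input (not captured from a real system).
sample_maps() {
cat <<'EOF'
00400000-0040b000 r-xp 00000000 08:01 1311 /bin/cat
7f1c2a000000-7f1c2a1b0000 r-xp 00000000 08:01 2622 /lib/libc-2.10.1.so
7f1c2a1b0000-7f1c2a3b0000 ---p 001b0000 08:01 2622 /lib/libc-2.10.1.so
7f9d4229a000-7f9d4250a000 rwxp 00000000 00:00 0
7ffa46651000-7ffa46653000 r-xp 00000000 00:00 0
7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]
7f1c2b000000-7f1c2b001000 r-xp 00000000 08:01 4000 /tmp/my lib.so (deleted)
EOF
}

# Read maps lines on stdin; print "count path", least-mapped first.
count_mapped_files() {
  awk '{
    path = ""
    if (NF >= 6) {
      # The pathname is everything after the fifth field and may contain
      # spaces or a trailing " (deleted)" marker.
      path = $0
      sub(/^[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +/, "", path)
    }
    if (path == "") path = "<anonymous>"
    n[path]++
  } END { for (p in n) print n[p], p }' | sort -n
}

# Read maps lines on stdin; print address range and permissions of
# executable mappings that have no backing file (inode 0, no pathname).
anon_exec_regions() {
  awk 'NF == 5 && $5 == 0 && $2 ~ /x/ { print $1, $2 }'
}

# Live use, with the same input as the one-liner above:
#   sudo cat /proc/[0-9]*/maps | count_mapped_files
#   sudo cat /proc/[0-9]*/maps | anon_exec_regions
```
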

harry edwards 07-21-2010 09:12 AM

I'm not sure your command's doing what you say it is. The files mapped into memory can be obtained from the lsof command. Any file with 'mem' in the file-descriptor column is a memory-mapped file. Running the command
Code:

lsof /dev/dri/card0
consistently returns a different result from running your command.

