Module bash 

Linux bash command history recovery.

Scans bash process heap memory for HIST_ENTRY structures to recover command history. Works by finding bash processes, walking their VMAs to locate anonymous RW regions (the heap), then pattern-matching for valid HIST_ENTRY structs (24 bytes: line ptr, timestamp ptr, data ptr).

Functions

walk_bash_history

Walk all bash processes and recover command history from their heaps.