Is it possible to read a .sh that was deleted from file system but is being executed?

Question

I've received a project that some dude did and it's on production stage. But that guy had some issues with project managers and other team members (bad attitude, being an ass.. etc). Intentionally he documented wrong apps, wrong paths, hidden folders, among others. And then left the company.

While researching I've found that there's a .sh executing on process list. But that .sh doesn't exist anymore in the specified path (or even another path in the filesystem).

Looking at .bash_history I've found that he executed the .sh and then removed the file (intentionally)...

To keep the project going I need to know the content of that file. And as far as I understand, this shell still exists on the RAM because it is being executed.

Is there any chance to read that file from RAM? or write its content on a new file?

Kind regards.

EDIT: @Artem S. Tashkinov and @Gilles. Thank you for your answers. but this only dumps the output of the process. What I need is the code that the .sh contained ando produced that output.

You can recover the content of deleted files that are still open. But avoid writing to the disk because there may also be deleted files that are no longer open, but still recoverable and useful. Don't get your hopes too much though: recovering fully deleted (no longer open) files that is difficult at the best of times and only worth the trouble if you're really desperate. — Gilles 'SO- stop being evil', Jul 14 '20 at 18:43
If it only dumps the output, you're accessing the wrong file descriptor. — muru, Jul 15 '20 at 02:43

score 0 · Answer 1 · answered Jul 14 '20 at 18:32

First, please try to find the script via

sudo lsof -n | grep deleted

if you find it this way you can trivially dump it from /proc

In case it doesn't help refer to these answers how to dump the shell process memory to disk:

Is it possible to read a .sh that was deleted from file system but is being executed?

1 Answers1