[Gllug] Memory scanning
Nix
nix at esperi.org.uk
Wed Sep 8 23:47:45 UTC 2010
On 6 Sep 2010, Richard Jones told this:
> On Mon, Sep 06, 2010 at 08:02:16AM +0100, Nix wrote:
>> Sure! You'll need to (in effect) reimplement most of ld.so in reverse,
>> since relocation is its only significant job. Note that the relocations
>> in question disappear once they are applied by ld.so; for text
>> relocations, the appropriate bit of the binary text is overwritten, and
>> for PLT relocations you'd have to cater for their being lazily relocated
>> (and thus lazily overwritten with a direct call to the function) the
>> first time each function is called. (You could dictate that everyone
>> runs with LD_BIND_NOW=1 to ameliorate this, but this has performance
>> implications and doesn't make your horrible job much simpler.)
>
> Just read the originals out the disk image. Even works if the binary
> has been deleted because you can scrabble around in the inode table.
The scrabbling in the inode table is seriously ew. Possibly less 'ew'
than writing a de-relocator though.
> Simples!
Ew.
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
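One way to sidestep the "de-relocator" the thread describes, as an added example that is not from this thread: instead of reversing relocations, parse the binary's Elf64_Rela entries, mask the byte ranges ld.so will overwrite, and only flag differences outside those ranges when comparing a mapped segment against its on-disk bytes. It assumes x86-64 little-endian ELF64, treats lazily bound PLT slots as always masked (so it does not depend on LD_BIND_NOW=1), and runs on a constructed sample segment rather than a live process.

```python
import struct

# Elf64_Rela on disk: r_offset (u64), r_info (u64), r_addend (s64), little-endian.
RELA_FMT = "<QQq"
RELA_SIZE = struct.calcsize(RELA_FMT)  # 24 bytes per entry

# x86-64 relocation types ld.so applies, with the width of the patched field.
RELOC_WIDTH = {
    1: 8,  # R_X86_64_64
    2: 4,  # R_X86_64_PC32
    6: 8,  # R_X86_64_GLOB_DAT
    7: 8,  # R_X86_64_JUMP_SLOT (PLT slot; bound lazily unless LD_BIND_NOW=1)
    8: 8,  # R_X86_64_RELATIVE
}

def parse_rela(blob):
    """Return (r_offset, r_type, r_sym, r_addend) for each Elf64_Rela entry."""
    entries = []
    for off in range(0, len(blob) - len(blob) % RELA_SIZE, RELA_SIZE):
        r_offset, r_info, r_addend = struct.unpack_from(RELA_FMT, blob, off)
        entries.append((r_offset, r_info & 0xFFFFFFFF, r_info >> 32, r_addend))
    return entries

def patched_ranges(entries):
    """Virtual-address ranges [start, end) that ld.so overwrites when relocating."""
    ranges = []
    for r_offset, r_type, _sym, _addend in entries:
        width = RELOC_WIDTH.get(r_type)
        if width is None:
            raise ValueError(f"unsupported relocation type {r_type}")
        ranges.append((r_offset, r_offset + width))
    return ranges

def compare_masked(disk, mem, base, ranges):
    """Offsets where the mapped segment (at virtual address `base`) differs
    from its on-disk bytes, ignoring relocation targets. Anything returned
    was changed by something other than ld.so's relocation processing."""
    masked = bytearray(len(disk))
    for start, end in ranges:
        for i in range(max(start - base, 0), min(end - base, len(disk))):
            masked[i] = 1
    return [i for i in range(min(len(disk), len(mem)))
            if not masked[i] and disk[i] != mem[i]]

# Constructed sample: a 32-byte segment at 0x1000 with one R_X86_64_RELATIVE
# reloc at 0x1008 and one R_X86_64_JUMP_SLOT (symbol index 3) at 0x1018.
SEGMENT_BASE = 0x1000
DISK = bytes(range(32))
RELA_BLOB = (struct.pack(RELA_FMT, 0x1008, (0 << 32) | 8, 0x2000)
             + struct.pack(RELA_FMT, 0x1018, (3 << 32) | 7, 0))

def demo():
    """Simulate ld.so filling both slots plus one unexplained byte change."""
    mem = bytearray(DISK)
    mem[8:16] = (0x7F0000002000).to_bytes(8, "little")   # applied RELATIVE reloc
    mem[24:32] = (0x7F0000401234).to_bytes(8, "little")  # lazily bound PLT slot
    mem[3] ^= 0xFF                                       # not explained by relocs
    return compare_masked(DISK, bytes(mem), SEGMENT_BASE,
                          patched_ranges(parse_rela(RELA_BLOB)))
```

On a real process the same functions would take the segment bytes from /proc/PID/mem, the base from /proc/PID/maps, and the relocation blob from the file's .rela.dyn and .rela.plt sections.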