[Gllug] Memory scanning

Richard Jones rich at annexia.org
Mon Sep 6 10:43:55 UTC 2010


On Mon, Sep 06, 2010 at 08:02:16AM +0100, Nix wrote:
> Sure! You'll need to (in effect) reimplement most of ld.so in reverse,
> since relocation is its only significant job. Note that the relocations
> in question disappear once they are applied by ld.so; for text
> relocations, the appropriate bit of the binary text is overwritten, and
> for PLT relocations you'd have to cater for their being lazily relocated
> (and thus lazily overwritten with a direct call to the function) the
> first time each function is called. (You could dictate that everyone
> runs with LD_BIND_NOW=1 to ameliorate this, but this has performance
> implications and doesn't make your horrible job much simpler.)

Just read the originals out of the disk image.  Even works if the binary
has been deleted because you can scrabble around in the inode table.
Simples!

Rich.

-- 
Richard Jones
Red Hat
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
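A scanner in the spirit of this exchange, added here as an example (not code from the thread or from either poster): it walks /proc/<pid>/maps, reads each executable file-backed mapping from /proc/<pid>/mem and the same offsets from the file on disk, and reports the runs that differ. It assumes Linux and ptrace access to the pid; a binary that is gone from disk is only flagged, the inode-table recovery Rich mentions is not attempted.

```python
import re
import sys

# A /proc/<pid>/maps line: start-end perms offset dev inode path
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) ([0-9a-f]+) \S+ \d+\s+(/.*)$")

def parse_maps(text):
    """Yield (start, end, file_offset, path) for executable, file-backed mappings."""
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m and "x" in m[3]:
            yield int(m[1], 16), int(m[2], 16), int(m[4], 16), m[5]

def diff_ranges(disk, mem, base):
    """Return [(address, length)] runs where mem differs from disk."""
    # The tail of a mapping beyond the file's end is zero-filled by the kernel.
    disk = disk.ljust(len(mem), b"\0")
    runs, start = [], None
    for i, (d, m) in enumerate(zip(disk, mem)):
        if d != m and start is None:
            start = i
        elif d == m and start is not None:
            runs.append((base + start, i - start))
            start = None
    if start is not None:
        runs.append((base + start, len(mem) - start))
    return runs

def scan(pid):
    """Compare each executable mapping of `pid` with the same file offsets on disk.
    A reported run is a relocation ld.so applied in place, or something to look at."""
    report = {}
    with open(f"/proc/{pid}/maps") as f:
        maps = list(parse_maps(f.read()))
    with open(f"/proc/{pid}/mem", "rb") as mem:
        for start, end, off, path in maps:
            try:  # fails for "... (deleted)": that is where the inode table comes in
                with open(path, "rb") as disk_f:
                    disk_f.seek(off)
                    disk = disk_f.read(end - start)
            except OSError:
                report[(path, start)] = None
                continue
            mem.seek(start)
            report[(path, start)] = diff_ranges(disk, mem.read(end - start), start)
    return report

if __name__ == "__main__":  # usage: python3 memscan.py <pid>  (needs ptrace access)
    print(scan(int(sys.argv[1])))
```

On a modern PIC build the text mappings should come back clean, so any run that is not a known text relocation or lazily patched stub deserves a closer look.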