官术网_书友最值得收藏!

Chapter 3. Linux Process Tracing

In the last chapter, we covered the internals of the ELF format and explained its internal workings. In Linux and other Unix-flavored OSes that use ELF, the ptrace system call goes hand in glove with analyzing, debugging, reverse engineering, and modifying programs that use the ELF format. The ptrace system call is used to attach to a process and access the entire range of code, data, stack, heap, and registers.

Since an ELF program is completely mapped in a process address space, you can attach to the process and parse or modify the ELF image very similarly to how you would do this with the actual ELF file on disk. The primary difference is that we use ptrace to access the program instead of using the open/mmap/read/write calls that would be used for the ELF file.

With ptrace, we can have full control over a program's execution flow, which means that we can do some very interesting things, ranging from memory virus infection and virus analysis/detection to userland memory rootkits, advanced debugging tasks, hotpatching, and reverse engineering. Since we have entire chapters in this book dedicated to some of these tasks, we will not cover each of these in depth just yet. Instead, I will provide a primer for you to learn about some of the basic functionality of ptrace and how it is used by hackers.

主站蜘蛛池模板: 芒康县| 甘洛县| 昌都县| 沙河市| 大石桥市| 呼伦贝尔市| 文登市| 沾化县| 辽阳市| 轮台县| 库尔勒市| 吉木乃县| 武冈市| 邹平县| 乌鲁木齐县| 遂平县| 丰镇市| 岑巩县| 赤壁市| 竹山县| 伽师县| 宾阳县| 平潭县| 金阳县| 高陵县| 长宁区| 泸西县| 抚松县| 屯昌县| 天水市| 门源| 万载县| 武宣县| 丹巴县| 桐乡市| 黄平县| 大渡口区| 岑巩县| 岳池县| 汉中市| 仁化县|