Changes


CR tools

421 bytes added, 21:55, 14 October 2011
no edit summary
#* Seizes a task via the relatively new ptrace interface. Seizing a task means putting it into a special state in which the task has no idea that it is being operated on by ptrace.
#* Core parameters of a task (such as registers and friends) are dumped via the ptrace interface and by parsing the '''/proc/$pid/stat''' entry.
#* The dumper injects parasite code into a task via the ptrace interface. This allows us to dump the pages of a task right from within the task's address space. The injection procedure is pretty simple: the dumper scans the executable VMA areas of the task (which were collected previously) and tests whether there is room for a <code>syscall</code> call, then (by ptrace as well) it substitutes the original code with <code>syscall</code> instructions and creates a new VMA area inside the process address space. Finally the parasite code gets copied into the new VMA, and the former code which was modified during the parasite bootstrap procedure gets restored.
#* Then (by using the parasite code) the dumper flushes the contents of the task's pages to the file and pulls out the parasite code block completely, since we don't need it anymore.
#* Once the parasite is removed, the task gets restored (unseized) via a ptrace call, but it still remains stopped.
#* The dumper writes out file and pipe parameters and data.
# The procedure continues for every '''$pid'''.
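The second step above reads core task parameters out of '''/proc/$pid/stat'''. The following is an added example (not CRIU's own code) of parsing that entry correctly: the comm field may itself contain spaces and parentheses, so the parser locates the end of comm with the last ')' rather than the first, and it refuses lines that end before the field it needs. The sample line and the struct field subset are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Subset of the /proc/$pid/stat fields a dumper needs; numbering per proc(5). */
struct task_stat {
    int pid;                       /* field 1 */
    char comm[64];                 /* field 2, without the parentheses */
    char state;                    /* field 3 */
    int ppid;                      /* field 4 */
    unsigned long long startstack; /* field 28, bottom of the main stack */
};
/* Constructed sample line (not a real capture); comm contains a space and ')'. */
static const char sample_stat[] = "1234 (my prog (x)) S 1 1234 1234 0 -1 4194560 100 0 0 0 1 2 0 0 20 0 1 0 5000 2000000 300 18446744073709551615 4194304 4198400 140737488346112 0 0 0 0 0 0 0 0 0 17 0 0 0 0 0 0\n";
/* Advance p past n space-separated fields and the spaces that follow them. */
static const char *skip_fields(const char *p, int n)
{
    while (n-- > 0) {
        while (*p == ' ') p++;
        while (*p && *p != ' ') p++;
    }
    while (*p == ' ') p++;
    return p;
}

/* Parse one stat line into *ts. Returns 0 on success, -1 if malformed.
 * The end of comm is located with strrchr(')') because comm itself may
 * contain spaces and parentheses, which breaks a naive sscanf("%d (%s)"). */
int parse_proc_stat(const char *line, struct task_stat *ts)
{
    const char *open = strchr(line, '(');
    const char *close = strrchr(line, ')');
    const char *p;
    size_t len;

    if (!open || !close || close < open) return -1;
    ts->pid = atoi(line);
    len = (size_t)(close - open - 1);
    if (len >= sizeof(ts->comm)) len = sizeof(ts->comm) - 1;
    memcpy(ts->comm, open + 1, len);
    ts->comm[len] = '\0';
    p = skip_fields(close + 1, 0);   /* field 3: state */
    ts->state = *p;
    p = skip_fields(p, 1);           /* field 4: ppid */
    ts->ppid = atoi(p);
    p = skip_fields(p, 24);          /* field 28: startstack */
    if (!*p) return -1;              /* line ended before field 28 */
    ts->startstack = strtoull(p, NULL, 10);
    return 0;
}
```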