Wednesday, February 2, 2011

ELF process dumping trickery

I made a small tool available here which allows dumping
ELF binaries from memory to disk in cases
where the original image has been altered/deleted/crypted.
There is no way to make it 100% reliable as the state
of the program might not be the same as when just loaded
and therefore you can have dangling pointers etc.
in .data. However it works surprisingly well for a lot
of programs.
Some info is lost during loading anyway and has to be
restored heuristically. For example, we rely on the PLT
jump-slots being laid out in linear ascending order.

I only tested it on x86-64 but it has basic support
for x86 as well. The de-relocation of the image has
to be checked though. All other architectures like
PPC64 etc. can easily be added by adding appropriate
R_ types to the switch() clause.
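
A sketch of the jump-slot heuristic mentioned above, as an added example that is not code from the tool itself: it walks the DT_JMPREL relocations with a switch() on the R_ type and resets each resolved GOT slot of a dumped image to its lazy-binding value. It assumes the classic x86-64 PLT layout (PLT0 followed by 16-byte stubs, each lazy slot pointing 6 bytes into its stub); the function names, addresses and sample table are constructed for illustration.

```c
#include <elf.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PLT_ENTRY_SIZE 16 /* assumption: classic x86-64 PLT, 16-byte stubs */
#define PLT_PUSH_OFF    6 /* lazy slot points past the 6-byte jmp *GOT(%rip) */

/*
 * image/image_vaddr: dumped bytes and the link-time address of image[0].
 * jmprel/n: DT_JMPREL table and its entry count.
 * plt_vaddr: link-time address of PLT0.
 * Returns the number of slots rewritten, or -1 if a slot is outside the image.
 */
int restore_jump_slots(uint8_t *image, size_t image_len, uint64_t image_vaddr,
                       const Elf64_Rela *jmprel, size_t n, uint64_t plt_vaddr)
{
    int fixed = 0;
    for (size_t i = 0; i < n; i++) {
        switch (ELF64_R_TYPE(jmprel[i].r_info)) {
        case R_X86_64_JUMP_SLOT: {
            uint64_t va = jmprel[i].r_offset;
            if (va < image_vaddr || image_len < 8 || va - image_vaddr > image_len - 8)
                return -1;
            /* Heuristic: relocation i belongs to the i-th stub after PLT0. */
            uint64_t lazy = plt_vaddr + (i + 1) * PLT_ENTRY_SIZE + PLT_PUSH_OFF;
            memcpy(image + (va - image_vaddr), &lazy, sizeof lazy);
            fixed++;
            break;
        }
        default: /* R_ types of other architectures would get their case here */
            break;
        }
    }
    return fixed;
}

/* Constructed sample: a 5-entry .got.plt whose two slots hold resolved addresses. */
uint64_t demo_slot(int idx)
{
    uint64_t got[5] = { 0x600e00, 0x7ffff7ffe190, 0x7ffff7dea0e0,
                        0x7ffff7a62e80, 0x7ffff7a7c5a0 };
    Elf64_Rela rel[2] = {
        { 0x601018, ELF64_R_INFO(1, R_X86_64_JUMP_SLOT), 0 },
        { 0x601020, ELF64_R_INFO(2, R_X86_64_JUMP_SLOT), 0 },
    };
    if (restore_jump_slots((uint8_t *)got, sizeof got, 0x601000, rel, 2, 0x400400) != 2)
        return 0;
    return got[3 + idx];
}
```

Binaries linked with immediate binding or a different PLT layout do not match this assumption, so the result needs the same manual check as the de-relocation.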

1 comment:

Anonymous said...

Hero, please help the guys from unrevoked with an exploit for Wildfire 2.2. The people are waiting for it. Thanks in advance!