Writing to the image of an executing process on Linux

What if process B writes (with the usual write() syscall) some data to the image of process A while the latter is executing? Won't this damage process A?

I am new to Linux. As far as I understand, Unix historically does not impose mandatory file locks (as, for example, Windows does). So the write is quite possible.

I searched the Internet without any results. When I ask my experienced Linux staff this question, they all reply that process A has its image completely in memory.

However, from what I read, the kernel can easily swap some pages of the image file out of memory, say, under low memory conditions. Thus some pages on the disk may be damaged by another writing process, and subsequently they can be paged back into RAM and executed.

+7
3 answers

Are you thinking about a process writing to /proc/1234/mem of some other process with pid_t 1234?

Or are you thinking of a process writing to the ELF executable of another process?

Both scenarios are very unusual and specific to Linux (other POSIX systems do not have them), so I don’t know what might happen in this case. But at least the permission mechanism should give some protection.

See also the ETXTBSY error.

In practice (as shown by strace -f /usr/bin/gcc hello.c -o hello), the compiler and linker remove the executable before opening it for writing, so most compilations never write to the old executable:

    870 stat("hello", {st_mode=S_IFREG|0755, st_size=6096, ...}) = 0
    870 unlink("hello") = 0
    870 open("hello", O_RDWR|O_CREAT|O_TRUNC|O_CLOEXEC, 0777) = 17
    870 fstat(17, {st_mode=S_IFREG|0755, st_size=0, ...}) = 0

So you have to make an effort to write to an executable. Of course, when you do this, nasty accidents can occur.

+2
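The two behaviours this answer mentions, a write-open on a running executable and the unlink-then-create sequence from the strace output, can be observed with the following added example (not part of the original answer). It assumes a Linux host where /bin/sleep exists and the temporary directory allows execution; the replacement bytes are constructed, and the function reports whatever the running kernel returns for the write-open.

```python
import errno, os, shutil, subprocess, tempfile

def try_write_open(path):
    """Open path for writing without modifying it; return 0 or the errno."""
    try:
        os.close(os.open(path, os.O_WRONLY))
        return 0
    except OSError as e:
        return e.errno

def replace_like_linker(path, data):
    """unlink() then open(O_CREAT|O_TRUNC), as in the strace output above."""
    os.unlink(path)
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_TRUNC | os.O_CLOEXEC, 0o777)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def demo():
    workdir = tempfile.mkdtemp()
    exe = os.path.join(workdir, "sleep")
    shutil.copy("/bin/sleep", exe)          # assumption: /bin/sleep exists
    proc = subprocess.Popen([exe, "30"])    # process A, executing the copy
    try:
        old_ino = os.stat(exe).st_ino
        write_errno = try_write_open(exe)   # process B's attempt
        replace_like_linker(exe, b"constructed replacement bytes\n")
        new_ino = os.stat(exe).st_ino
        try:  # inode process A is really executing (needs /proc)
            running_ino = os.stat(f"/proc/{proc.pid}/exe").st_ino
        except OSError:
            running_ino = None
        return {"write_errno": write_errno, "old_ino": old_ino, "new_ino": new_ino,
                "running_ino": running_ino, "alive": proc.poll() is None}
    finally:
        proc.kill()
        proc.wait()
        shutil.rmtree(workdir, ignore_errors=True)

if __name__ == "__main__":
    r = demo()
    name = errno.errorcode.get(r["write_errno"], "success")
    print(f"open(O_WRONLY) on running executable: {name}")
    print(f"inode before/after replace: {r['old_ino']} -> {r['new_ino']}")
    print(f"inode process A still runs: {r['running_ino']}, alive={r['alive']}")
```

A kernel that enforces ETXTBSY reports it for the write-open; in either case the replacement gets a new inode while process A keeps running from the old, now unlinked one.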

What did you read suggesting that pages can be swapped "to the image file"?

If the system is low on memory, the pages will be swapped to a swap partition on the disk, which is different from the executable file. Writing to the executable file will have no effect until the next time the file is started.

If you were somehow able to write to the exact page in the swap file (which would be difficult, because you would have to know exactly where and when the data was written to disk), you could modify the object code. Are you suggesting executable file corruption or some smart way to modify a program while it is running?

+1

In fact, it is not necessary to have a “low memory condition” for pages to be swapped. Linux loads executable files “on demand” anyway, so a page is only loaded when it is needed.

But see my answer to the previous question: What happens when you overwrite a memory-mapped executable?

+1
