Process image reconstruction – from the memory to the executable
One neat exercise for testing our abilities with both the ELF format and ptrace is to design software that can reconstruct a process image back into a working executable. This is especially useful in the kind of forensic work where we find a suspicious program running on the system and want a copy of what is actually executing, rather than whatever file happens to remain on disk. Extended core file snapshot (ECFS) technology is capable of this and extends the functionality into an innovative forensics and debugging format that is backward compatible with the traditional Linux core file format. It is available at https://github.com/elfmaster/ecfs and is documented further in Chapter 8, ECFS – Extended Core File Snapshot Technology, of this book. Quenya also has this feature and is available for download at http://www.bitlackeys.org/projects/quenya_32bit.tgz.
Challenges for process-executable reconstruction
In order to reconstruct a process back into an executable we must first consider the challenges involved, as there are...