Chapter 3. Linux Process Tracing
In the last chapter, we covered the internals of the ELF
format and explained its internal workings. In Linux and other Unix-flavored OSes that use ELF
, the ptrace
system call goes hand in glove with analyzing, debugging, reverse engineering, and modifying programs that use the ELF
format. The ptrace
system call is used to attach to a process and access the entire range of code, data, stack, heap, and registers.
Since an ELF
program is completely mapped in a process address space, you can attach to the process and parse or modify the ELF
image very similarly to how you would do this with the actual ELF
file on disk. The primary difference is that we use ptrace
to access the program instead of using the open/mmap/read/write
calls that would be used for the ELF
file.
With ptrace
, we can have full control over a program's execution flow, which means that we can do some very interesting things, ranging from memory virus infection and virus analysis...