Why is replacing a running executable file forbidden, but overwriting a memory-mapped shared object allowed?

Jeffrey Walton noloader at gmail.com
Fri Nov 10 12:49:23 EST 2017


On Fri, Nov 10, 2017 at 8:30 AM, Lev Olshvang <levonshe at yandex.com> wrote:
> ...
> Besides being a security hole, I do not see any legitimate use except for live patching of a shared object.
> I do not know whether a production or mission-critical system may take the risk of live patching, but a development system
> would do a library update by stopping the dependent application first.

Somewhat off-topic, but it may give some perspective...

Microsoft offers hot patching to avoid reboots and downtime. If I
recall correctly, some function calls are padded with no-ops so a jump
can be written in its place.

I think the Microsoft technology to do it is called the Detours
library. It's a neat library even when detached from the hot patching
use case. I used it several years ago to test DLL injections and
spinning up malicious threads to egress data. Also see
https://www.microsoft.com/en-us/research/project/detours/.

Jeff
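As an added example (not from the post above and not code from the Detours project): an integrity check, run over a constructed byte image, that tells an untouched hot-patch slot from one that has been live-patched. It assumes the x86 hotpatch layout Jeff alludes to: five padding bytes immediately before the function and a two-byte `mov edi, edi` no-op at its entry, which a patch rewrites into a long jump plus a short backward jump.

```python
import struct

# Assumed x86 hotpatch layout: 5 padding bytes (0xCC or 0x90) sit just
# BEFORE the function, and the function starts with the 2-byte no-op
# "mov edi, edi" (8B FF). A live patch writes "jmp rel32" (E9 xx xx xx xx)
# into the padding and "jmp -5" (EB F9) over the entry no-op, so control
# lands in the padding and is redirected to the replacement code.
PAD_LEN = 5
MOV_EDI_EDI = b"\x8b\xff"
SHORT_JMP_BACK = b"\xeb\xf9"


def inspect_hotpatch_slot(image, func_rva):
    """Classify the hot-patch slot of the function at func_rva inside a
    flat byte image. Returns {'state': ..., 'target': rva-or-None}."""
    pad = image[func_rva - PAD_LEN:func_rva]
    entry = image[func_rva:func_rva + 2]
    if entry == MOV_EDI_EDI and all(b in (0xCC, 0x90) for b in pad):
        return {"state": "unpatched", "target": None}
    if entry == SHORT_JMP_BACK and pad[0] == 0xE9:
        rel32 = struct.unpack("<i", pad[1:5])[0]
        # jmp rel32 is relative to the next instruction, which here is
        # the end of the padding, i.e. func_rva itself.
        return {"state": "patched", "target": func_rva + rel32}
    return {"state": "unexpected", "target": None}


def find_patched(image, func_rvas):
    """Return the RVAs of every function whose slot carries a live patch."""
    return [rva for rva in func_rvas
            if inspect_hotpatch_slot(image, rva)["state"] == "patched"]


def build_sample_image():
    """Constructed 64-byte sample: function at 0x10 is untouched,
    function at 0x20 has been redirected to RVA 0x100."""
    image = bytearray(0x40)
    image[0x0B:0x10] = b"\xcc" * PAD_LEN          # int3 padding
    image[0x10:0x12] = MOV_EDI_EDI                 # intact entry no-op
    image[0x1B:0x1C] = b"\xe9"                     # jmp rel32 ...
    image[0x1C:0x20] = struct.pack("<i", 0x100 - 0x20)  # ... to 0x100
    image[0x20:0x22] = SHORT_JMP_BACK              # entry now jumps back
    return bytes(image)


SAMPLE_IMAGE = build_sample_image()
```

Running `find_patched(SAMPLE_IMAGE, [0x10, 0x20])` on the constructed image reports only the second function.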