Why is replacing a running executable file forbidden, but overwriting a memory-mapped shared object allowed?
Jeffrey Walton
noloader at gmail.com
Fri Nov 10 12:49:23 EST 2017
On Fri, Nov 10, 2017 at 8:30 AM, Lev Olshvang <levonshe at yandex.com> wrote:
> ...
> Besides being a security hole, I do not see any legitimate use except for live patching of shared objects.
> I do not know whether a production or mission-critical system may take the risk of live patching, but a development system
> would do a library update by stopping the dependent application first.
Somewhat off-topic, but it may give some perspective...
Microsoft offers hot patching to avoid reboots and downtime. If I
recall correctly, some function calls are padded with no-ops so a jump
can be written in its place.
I think the Microsoft technology to do it is called the Detours
library. It's a neat library even when detached from the hot patching
use case. I used it several years ago to test DLL injections and
spinning up malicious threads to egress data. Also see
https://www.microsoft.com/en-us/research/project/detours/.
Jeff
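The entry-overwrite technique Jeff describes, as an added example that is not part of the thread and is not Microsoft's Detours code: a small Linux program (x86-64 or aarch64) that hooks a function already running in its own process by making the text page under it writable with mprotect(2), writing an unconditional jump to a replacement, and later restoring the displaced bytes. The names original(), replacement(), install_detour(), detour_demo() and the encoded result 121 are this example's own inventions, and it assumes the process is allowed to map its own code writable and executable.

```c
/* Added example (not from the thread, not Microsoft's Detours): hook a running
 * function in-process by overwriting its entry with an unconditional jump.
 * Linux only; x86-64 and aarch64 encodings are provided. Names are invented. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if defined(__x86_64__)
#  define PATCH_LEN 5              /* jmp rel32 */
#elif defined(__aarch64__)
#  define PATCH_LEN 4              /* b imm26 */
#else
#  error "this example encodes jumps for x86-64 and aarch64 only"
#endif

/* The victim that is already running in this process. */
__attribute__((noinline)) int original(void)    { return 1; }
/* Where calls to original() land once the detour is installed. */
__attribute__((noinline)) int replacement(void) { return 2; }

/* Encode an unconditional jump from `from` to `to`. Returns -1 if out of range. */
static int encode_jump(uintptr_t from, uintptr_t to, unsigned char *buf)
{
#if defined(__x86_64__)
    int64_t rel = (int64_t)to - (int64_t)(from + PATCH_LEN);  /* relative to next insn */
    if (rel > INT32_MAX || rel < INT32_MIN)
        return -1;
    int32_t rel32 = (int32_t)rel;
    buf[0] = 0xE9;                                            /* JMP rel32 */
    memcpy(buf + 1, &rel32, 4);
#else
    int64_t rel = (int64_t)to - (int64_t)from;                /* relative to this insn */
    if (rel >= (1 << 27) || rel < -(1 << 27) || (rel & 3))    /* +/-128 MiB, word aligned */
        return -1;
    uint32_t insn = 0x14000000u | ((uint32_t)(rel >> 2) & 0x03FFFFFFu); /* B imm26 */
    memcpy(buf, &insn, 4);
#endif
    return 0;
}

/* Flip the page(s) under the patch to RWX, write, then drop write again.
 * That mprotect() succeeds at all is the whole story: a process may make
 * its own mapped code writable. */
static int write_code(void *addr, const void *src, size_t len)
{
    uintptr_t page  = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(page - 1);
    uintptr_t end   = ((uintptr_t)addr + len + page - 1) & ~(page - 1);

    if (mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    memcpy(addr, src, len);
    /* Keep the instruction cache coherent; a no-op on x86, required on arm64. */
    __builtin___clear_cache((char *)addr, (char *)addr + len);
    return mprotect((void *)start, end - start, PROT_READ | PROT_EXEC);
}

/* Redirect `target` to `hook`; the displaced entry bytes are kept in `saved`.
 * This is a plain, non-atomic overwrite: a thread executing the entry at the
 * same moment could crash. Reserved entry padding (the Microsoft hotpatch
 * layout, or GCC's -fpatchable-function-entry) exists to avoid that race. */
static int install_detour(void *target, void *hook, unsigned char saved[PATCH_LEN])
{
    unsigned char jmp[PATCH_LEN];
    if (encode_jump((uintptr_t)target, (uintptr_t)hook, jmp) != 0)
        return -1;
    memcpy(saved, target, PATCH_LEN);
    return write_code(target, jmp, PATCH_LEN);
}

static int remove_detour(void *target, const unsigned char saved[PATCH_LEN])
{
    return write_code(target, saved, PATCH_LEN);
}

/* Call through a volatile pointer so the compiler must emit a real call
 * instead of inlining or constant-folding original(). */
static int call_original(void)
{
    int (*volatile fp)(void) = original;
    return fp();
}

/* Returns before*100 + during*10 + after (121 on success) or a negative code. */
int detour_demo(void)
{
    unsigned char saved[PATCH_LEN];
    int before = call_original();
    if (install_detour((void *)original, (void *)replacement, saved) != 0)
        return -1;
    int during = call_original();
    if (remove_detour((void *)original, saved) != 0)
        return -2;
    int after = call_original();
    return before * 100 + during * 10 + after;
}

int main(void)
{
    int r = detour_demo();
    printf("detour_demo() = %d (expected 121: 1 before, 2 while hooked, 1 after)\n", r);
    return r == 121 ? 0 : 1;
}
```

Build with `cc -O2 detour.c -o detour` and run it. The point that ties back to the thread: the process does not need any file-level permission to do this, only mprotect(2) on a private mapping, so the same capability that makes live patching possible is what makes overwriting mapped code a security concern. Microsoft's hotpatch layout (a 2-byte `mov edi, edi` at the entry preceded by padding bytes) lets the long jump be placed in the padding first and the entry switched with a single atomic 2-byte write; the example above has no padding, so its multi-byte overwrite is only safe when no other thread can be entering the function.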
More information about the Kernelnewbies mailing list