Re: Can't update running process binary in Solaris?
Boltar wrote:
On 5 Jul, 22:14, Eric Sosman <Eric.Sos...@xxxxxxx> wrote:
Frank Cusack wrote on 07/05/07 16:41:
On Thu, 05 Jul 2007 13:34:23 -0700 Frank Cusack <fcus...@xxxxxxxxxxx> wrote:
On Thu, 05 Jul 2007 03:40:12 -0700 Boltar <boltar2...@xxxxxxxxxxx> wrote:
I'm trying to get a running process to update its own binary but for
some reason under Solaris it doesn't work, the binary remains
unchanged even though no errors are returned from any function. Does
anyone know why this might happen? My test code is below:
...
mptr = (char *)mmap(
NULL,fs.st_size,PROT_READ | PROT_WRITE,MAP_PRIVATE,fd,
^^^^^^^^^^^
Actually, even when you fix that I don't think you'll be able to
update in-place. You will probably get ETXTBUSY or whatever the
error is, if not at mmap() time, then maybe you'll get SEGV or
a bus error when you actually write to memory.
If a program's text is busy (I mean, if a program is running),
Solaris will not let you, e.g., do something like "echo > program".
Or do I have it backwards and it's Linux that doesn't allow this?
Solaris allows the update (I tried it).

How did you get it to work?

I'm not sure what Boltar's goal in self-modifying the
executable is, though. He mentioned this thread in another
having to do with license-enforcement schemes, but I don't
see any way to use self-modification for enforcement (it's
too easy to protect the file against being written, or to
restore an unmodified backup copy). Boltar, what are you
trying to accomplish? Maybe there's an easier way ...

Well I could just use a hidden file or shared memory but they're much
easier for users to fiddle with. Not many people are going to whip out
a disassembler and figure out what the binary does then hack the
assembly code.

You still didn't say what you're trying to do ...

However, here's an easy way to defeat an enforcement scheme
that relies on modifying the executable file: Make a backup
copy, and restore from backup whenever the executable stops
working. Or make the file owned by user1 with 755 permissions,
and run the program as user2. Or burn the file to a CD or
other WORM medium and run it from there. Or ...

You may also run afoul of a feature of present-day Solaris:
it can verify the digitally-signed checksum of an executable file
or library before permitting it to run. The verification is
optional, by default, but can be made mandatory for specific user
accounts if the sysadmin is security-conscious. Usage of this
feature does not seem to be widespread as yet, but as malware
continues to spread it would not surprise me to find verification
enabled at more and more sites. And since your self-modifying
executable cannot maintain a constant checksum, you will find
no customers, nor even any trial users, at those sites ...

--
Eric Sosman
esosman@xxxxxxxxxxxxxxxxxxxx
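Frank's point about the MAP_PRIVATE flag, shown on a throwaway temp file rather than a running binary (added example, not code from the thread): a write through a MAP_PRIVATE mapping lands in a copy-on-write page and never reaches the file, so the "update" silently vanishes, while MAP_SHARED writes do reach the file. The file path and payload are constructed for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Create a constructed sample file, map it with the given flags, overwrite
 * the first byte through the mapping, then re-read the file with pread(2)
 * and return the byte the file actually holds afterwards (-1 on failure). */
static int first_byte_after_mapped_write(int map_flags)
{
    char path[] = "/tmp/mmap-demo-XXXXXX";   /* constructed, not a real binary */
    const char original[] = "ABCDEFGH";
    char readback;
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                /* drop the name; the descriptor keeps the file */
    if (write(fd, original, sizeof original) != (ssize_t)sizeof original) {
        close(fd);
        return -1;
    }
    char *p = mmap(NULL, sizeof original, PROT_READ | PROT_WRITE, map_flags, fd, 0);
    if (p == MAP_FAILED) {
        close(fd);
        return -1;
    }
    p[0] = 'Z';                             /* the "update" through the mapping */
    msync(p, sizeof original, MS_SYNC);     /* flushes only for MAP_SHARED pages */
    munmap(p, sizeof original);
    if (pread(fd, &readback, 1, 0) != 1) {
        close(fd);
        return -1;
    }
    close(fd);
    return (unsigned char)readback;
}

int main(void)
{
    /* MAP_PRIVATE: file still starts with 'A'. MAP_SHARED: file now starts with 'Z'. */
    printf("MAP_PRIVATE -> file byte 0 = %c\n", first_byte_after_mapped_write(MAP_PRIVATE));
    printf("MAP_SHARED  -> file byte 0 = %c\n", first_byte_after_mapped_write(MAP_SHARED));
    return 0;
}
```

Whether a MAP_SHARED write to a file that is currently executing is even permitted is a separate, platform-specific question (the ETXTBSY behaviour discussed above), which is why the demo uses a scratch file.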