
skpd: A tool to dump processes to executable ELF files

From:  Albert Sellarès <whats-AT-wekk.net>
To:  bugtraq-AT-securityfocus.com
Subject:  skpd: A tool to dump processes to executable ELF files
Date:  Wed, 15 Apr 2009 22:35:55 +0200
Message-ID:  <1239827755.5916.16.camel@x61s>

Hello,

I just developed a tool to dump a running process to an executable ELF
file. This tool works on GNU/Linux, and has been tested on systems like
Ubuntu 8.10, Gentoo, Debian lenny, Debian etch, etc.

Feel free to send me bugs, comments, and patches.

It can be downloaded from here:
http://www.wekk.net/skpd/
https://www.wekk.net/skpd/skpd.tar.gz

Regards.

-- 
  Albert Sellarès        GPG id: 0x13053FFE
  http://www.wekk.net    whats@jabber.org
  Linux User: 324456




skpd: A tool to dump processes to executable ELF files

Posted Apr 23, 2009 14:27 UTC (Thu) by nix (subscriber, #2304)

Portable unexec(): party like it's 1985!

(I'm sure this is useful, but I'm not sure how.)

skpd: A tool to dump processes to executable ELF files

Posted Apr 23, 2009 19:00 UTC (Thu) by jimparis (subscriber, #38647)

From the README:
 * It supports:
    - static binaries.
    - dynamic binaries.
    - compressed files (at least upx)
    - elfuck encrypted.
 * 32 and 64 bits support.
 * Generates an ELF file from a running process.
 * If the original file was encrypted, the new one will not.
So, at the very least, it sounds useful for generating uncompressed/unencrypted versions of obfuscated executables. I can also imagine uses where an unknown process is found running on the system, but the original binary can't be located. This could be a very useful tool for forensics.
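As an added illustration of the forensic case described above (example code, not skpd's code or anything posted in this thread), the following Python reads the two things a Linux process dumper starts from: the main binary's mappings in /proc/<pid>/maps and the ELF header resident in memory, then reports whether the on-disk file is gone and what ELF class and type are actually running. The maps text and header bytes are constructed samples; the "lowest file-backed mapping is the main binary" heuristic and the 64-byte header read are assumptions, and none of skpd's relocation or fixup work is done here.

```python
import struct
# Constructed sample of /proc/<pid>/maps (not captured from a real system).
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1234567 /tmp/unknown (deleted)
00600000-00601000 rw-p 00000000 08:01 1234567 /tmp/unknown (deleted)
7f0000000000-7f0000020000 r-xp 00000000 08:01 393345 /lib/ld-2.7.so
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
"""
# Constructed ELF64 header: x86-64 ET_EXEC, entry 0x400100, two program headers at offset 64.
SAMPLE_EHDR = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
               + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400100, 64, 0, 0, 64, 56, 2, 64, 0, 0))

def parse_maps(text):
    """Return (start, end, perms, file_offset, path) for each line of a maps file."""
    entries = []
    for line in text.splitlines():
        f = line.split(None, 5)
        start, end = (int(x, 16) for x in f[0].split("-"))
        entries.append((start, end, f[1], int(f[2], 16), f[5].strip() if len(f) > 5 else ""))
    return entries

def main_executable(entries):
    """Heuristic (assumption): the lowest-addressed file-backed mapping belongs to the main ELF."""
    backed = [e for e in entries if e[4] and not e[4].startswith("[")]
    path = min(backed, key=lambda e: e[0])[4]
    return path, [e for e in backed if e[4] == path]

def parse_elf_header(buf):
    """Decode the ELF identification plus the fields that locate the program headers."""
    if buf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    bits = 64 if buf[4] == 2 else 32   # EI_CLASS
    e = "<" if buf[5] == 1 else ">"    # EI_DATA: 1 = little-endian, 2 = big-endian
    if bits == 64:
        e_type, e_machine, _, e_entry, e_phoff = struct.unpack_from(e + "HHIQQ", buf, 16)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", buf, 54)
    else:
        e_type, e_machine, _, e_entry, e_phoff = struct.unpack_from(e + "HHIII", buf, 16)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", buf, 42)
    return {"bits": bits, "type": e_type, "machine": e_machine, "entry": e_entry,
            "phoff": e_phoff, "phentsize": e_phentsize, "phnum": e_phnum}

def triage(maps_text, header_bytes):
    """Where the main binary is loaded, whether its file is gone, and what ELF is resident."""
    path, mappings = main_executable(parse_maps(maps_text))
    info = parse_elf_header(header_bytes)
    info.update(path=path.replace(" (deleted)", ""), deleted=path.endswith("(deleted)"),
                load_base=mappings[0][0], mapped_bytes=sum(e[1] - e[0] for e in mappings))
    return info

def triage_pid(pid):
    """Live variant: header bytes come from /proc/<pid>/mem (needs ptrace access, usually root)."""
    with open(f"/proc/{pid}/maps") as f:
        maps_text = f.read()
    with open(f"/proc/{pid}/mem", "rb") as mem:
        mem.seek(main_executable(parse_maps(maps_text))[1][0][0])
        return triage(maps_text, mem.read(64))
```

On the sample data `triage(SAMPLE_MAPS, SAMPLE_EHDR)` reports a deleted /tmp/unknown loaded at 0x400000 with a 64-bit x86-64 ET_EXEC header; a packed binary shows up the same way, with the in-memory header describing what the unpacker left behind rather than what is on disk.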

How's it useful? Ask any Lisper.

Posted Apr 24, 2009 1:06 UTC (Fri) by flewellyn (subscriber, #5047)

It's common practice in Common Lisp programming to dump the state of the current Lisp process to an executable image, which can be reloaded later. In fact, that's how many Lisp systems are distributed: a loader and a memory image. The default image has just the standard libraries loaded, but you can easily load other libraries, write other code, set variables and create state, and then dump the image and reload it later with everything still there. (Obviously, externalities like opened files, network connections, and such won't be preserved, and you have to handle their restoration.)

Giving this capability to any program in any language would be very powerful.

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds