This tool injects the following code into a Linux ELF file:
kill(getpid(), SIGSTOP);
goto entry_point;
When the ELF file is loaded, this will immediately pause execution until a SIGCONT signal is sent to the process, at which point execution resumes from the ELF's original entry point.
Why might this be useful?
- You wish to debug a process that is executed by another process (e.g., a CGI file executed by a Web server).
- You want to examine the memory layout (
/proc/pid/maps
) of a short-lived process without requiring a debugger. - You wish to debug a process, but starting the process from inside a debugger can modify process environment variables, stack offsets, etc.
These goals are not always easily realized via traditional methods, especially on embedded systems where you may have limited access to debugging tools / toolchains.
Simply provide the path to the ELF binary you wish to modify, and Botox will add the SIGSTOP code to it:
$ botox ./path/to/some/file.cgi
Botox currently supports x86, x86_64, ARM, and MIPS Linux ELF files (executable, non-relocatable).
Install the Botox
Python module and script using pip
:
$ sudo pip3 install .
Botox is written for Python3, and requires the keystone assembler library and Python module.
$ sudo pip3 install keystone-engine