devttys0 / botox

SIGSTOPing ELF binaries since 0x7E1

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Botox

This tool injects the following code into a Linux ELF file:

kill(getpid(), SIGSTOP);
goto entry_point;

When the ELF file is loaded, this will immediately pause execution until a SIGCONT signal is sent to the process, at which point execution resumes from the ELF's original entry point.

Why might this be useful?

  1. You wish to debug a process that is executed by another process (e.g., a CGI file executed by a Web server).
  2. You want to examine the memory layout (/proc/pid/maps) of a short-lived process without requiring a debugger.
  3. You wish to debug a process, but starting the process from inside a debugger can modify process environment variables, stack offsets, etc.

These goals are not always easily realized via traditional methods, especially on embedded systems where you may have limited access to debugging tools / toolchains.

Usage

Simply provide the path to the ELF binary you wish to modify, and Botox will add the SIGSTOP code to it:

$ botox ./path/to/some/file.cgi

Supported Architectures

Botox currently supports x86, x86_64, ARM, and MIPS Linux ELF files (executable, non-relocatable).

Installation

Install the Botox Python module and script using pip:

$ sudo pip3 install .

Dependencies

Botox is written for Python3, and requires the keystone assembler library and Python module.

$ sudo pip3 install keystone-engine

About

SIGSTOPing ELF binaries since 0x7E1


Languages

Language:Python 100.0%