encrypted executables

Dag-Erling Smørgrav des at des.no
Thu Feb 21 16:41:18 UTC 2008


ari edelkind <edelkind-freebsd-hackers at episec.com> writes:
> Keep in mind that ptrace(PT_ATTACH,...) will fail if a process is
> already being traced.  As for core files, a process can use
> setrlimit(RLIMIT_CORE,...) to disable core dumps, and individual memory
> pages may be encrypted or unloaded, to be decrypted or loaded on
> demand.

The person running the application can trivially replace ktrace(),
ptrace() and setrlimit() with non-functional stubs using LD_PRELOAD.

Ensuring that LD_PRELOAD is invisible to the application is left as an
exercise to the reader.

DES
-- 
Dag-Erling Smørgrav - des at des.no
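
The setrlimit() self-protection from the quoted message, written out as an added example (not code from either poster; the struct and function names are hypothetical). It reads the limit back and records whether LD_PRELOAD is set, but every call here resolves through the dynamic linker, so the results are only as trustworthy as the libraries the user chose to load, which is the point of the reply above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>

/* Outcome of one hardening attempt (hypothetical struct for this example). */
struct harden_result {
    int set_ok;        /* setrlimit() returned success */
    int verified;      /* getrlimit() reports 0 for both soft and hard limit */
    int preload_seen;  /* LD_PRELOAD is present and non-empty in our environment */
};

/* A preload is requested when the variable exists and is not empty. */
int env_requests_preload(const char *value)
{
    return value != NULL && *value != '\0';
}

/*
 * Disable core dumps, then read the limit back instead of trusting the
 * return value alone. Lowering the hard limit to 0 is irreversible for an
 * unprivileged process. setrlimit(), getrlimit() and getenv() are all
 * ordinary libc symbols, so a preloaded library can replace any of them
 * and make every field below report whatever it likes.
 */
struct harden_result disable_core_dumps(void)
{
    struct harden_result r = { 0, 0, 0 };
    struct rlimit want, got;

    want.rlim_cur = 0;
    want.rlim_max = 0;
    r.set_ok = (setrlimit(RLIMIT_CORE, &want) == 0);

    if (getrlimit(RLIMIT_CORE, &got) == 0)
        r.verified = (got.rlim_cur == 0 && got.rlim_max == 0);

    r.preload_seen = env_requests_preload(getenv("LD_PRELOAD"));
    return r;
}

int main(void)
{
    struct harden_result r = disable_core_dumps();
    printf("set_ok=%d verified=%d preload_seen=%d\n",
           r.set_ok, r.verified, r.preload_seen);
    /* A clean result is advisory only: it cannot rule out interposition. */
    return (r.set_ok && r.verified) ? 0 : 1;
}
```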


More information about the freebsd-hackers mailing list