landfill is a Python library for dumping a running Linux process from memory and rebuilding it into an ELF file that can then be run on any system. It is heavily based on the process dumper tool by ilo. The library works by attaching to a process using ptrace and then rebuilding the program using only the auxv vector found on the stack. It supports both 32-bit and 64-bit processes.
First the Python dependencies must be installed:

```
git clone git://github.com/cloudburst/pyptrace.git
git clone git://github.com/cloudburst/Elf.git
git clone git://github.com/cloudburst/landfill.git
```
Then:

```
>>> import landfill
>>> l = landfill.landfill(pid)
>>> l.rebuild_elf()
```

A sample utility is also included as `sample/dump_process_from_memory.py` that will fill in the pid at runtime.
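The rebuild described above starts from the auxv vector, which tells you where the program header table lives in the target's memory. The following is an added example, not landfill's own code: it parses a raw auxv blob (the same layout whether it is read from the stack or from `/proc/<pid>/auxv`) and derives the program header table location from AT_PHDR, AT_PHENT and AT_PHNUM. The sample addresses are constructed; the AT_* constants are the standard values from `<elf.h>`.

```python
import struct
import sys

# Standard auxv keys from <elf.h>; the first three are what a rebuild needs
AT_NULL, AT_PHDR, AT_PHENT, AT_PHNUM, AT_PAGESZ, AT_BASE, AT_ENTRY = 0, 3, 4, 5, 6, 7, 9
AT_NAMES = {AT_PHDR: "AT_PHDR", AT_PHENT: "AT_PHENT", AT_PHNUM: "AT_PHNUM"}

def parse_auxv(blob, bits=64):
    """Parse a raw auxv blob into {key: value}. Entries are (type, value) pairs of
    native words: two 8-byte words on 64-bit, two 4-byte words on 32-bit. Parsing
    stops at the AT_NULL terminator, so trailing garbage on the stack is ignored."""
    fmt = "<QQ" if bits == 64 else "<II"
    size = struct.calcsize(fmt)
    result = {}
    for off in range(0, len(blob) - size + 1, size):
        key, val = struct.unpack_from(fmt, blob, off)
        if key == AT_NULL:
            break
        result[key] = val
    return result

def phdr_table_location(auxv):
    """Return (address, entry_size, count, total_bytes) of the in-memory program
    header table. Each PT_LOAD entry in that table says which address ranges to
    copy out of the process and how to lay them back out in the rebuilt ELF."""
    for k in (AT_PHDR, AT_PHENT, AT_PHNUM):
        if k not in auxv:
            raise ValueError("auxv lacks %s; cannot locate program headers" % AT_NAMES[k])
    return auxv[AT_PHDR], auxv[AT_PHENT], auxv[AT_PHNUM], auxv[AT_PHENT] * auxv[AT_PHNUM]

def build_auxv(entries, bits=64):
    """Constructed helper for the sample below: serialise (key, value) pairs and
    terminate with AT_NULL, mirroring the kernel's layout."""
    fmt = "<QQ" if bits == 64 else "<II"
    return b"".join(struct.pack(fmt, k, v) for k, v in entries) + struct.pack(fmt, AT_NULL, 0)

# Constructed sample: a 64-bit PIE whose ELF header is mapped at 0x555555554000,
# so its program headers follow at offset 0x40 (11 entries of 56 bytes each)
SAMPLE_AUXV = build_auxv([(AT_PHDR, 0x555555554040), (AT_PHENT, 56), (AT_PHNUM, 11),
                          (AT_PAGESZ, 4096), (AT_BASE, 0x7ffff7fc3000), (AT_ENTRY, 0x555555555060)])

if __name__ == "__main__":
    # On Linux, read the real vector of this process or of a pid given on the command line
    path = "/proc/%s/auxv" % (sys.argv[1] if len(sys.argv) > 1 else "self")
    with open(path, "rb") as f:
        live = parse_auxv(f.read(), bits=64 if struct.calcsize("P") == 8 else 32)
    addr, ent, num, total = phdr_table_location(live)
    print("phdrs at 0x%x: %d entries x %d bytes = %d bytes" % (addr, num, ent, total))
```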
- ilo - Advances in remote-exec AntiForensics
- grugq & scut - Armouring the ELF: Binary encryption on the UNIX platform
- Chris Rohlf - No Section Header? No Problem
- Chris Rohlf - Resolving ELF Relocation Name / Symbols
- herm1t - INT 0x80? No, thank you!
- Add file launching
- Add stricter bounds checking
- Remove ptrace dependency with kernel module
- Add section rebuilding
- Add symbol rebuilding
- Add core file rebuilding