RPD is a utility to recover 32- and 64-bit ELF executables from a process dump. It supports:

- Statically linked executables without glibc
- Dynamically linked executables
- PIE executables

This project is based on ilo pd and skpd.
To build rpd just use:

```
make
```

Example of use, with telnet as the target process:

- Run the telnet program:

  ```
  $ telnet
  telnet>
  ```

- Get the pid with the ps utility:

  ```
  $ ps -a | grep telnet
  13139 pts/2 00:00:00 telnet
  ```

- Then use rpd to dump the process memory and recover an ELF from it (root privileges may be required to run the rpd program):

  ```
  $ ./rpd -p 13139 -o dump
  ```

- Run the recovered executable:

  ```
  $ ./dump
  dump>
  ```
Executable reconstruction from a process dump consists of the following steps:

- We want to obtain information about the segments, so the reconstruction starts with locating the program headers. /proc/[pid]/auxv contains the necessary data: their address, entry count and entry size.
- Once the program headers are located, we can use ptrace to read them. Each program header contains a segment type and a virtual address, so we can easily dump the LOAD segments. Keep in mind that if the executable is PIE, the virtual addresses are relative and we first need to get the base address of the executable.
- The ELF header is still the original one, but we don't have any section information, so we need to reset the section header data in it.
- If the executable contains a DYNAMIC segment, we can get information about the relocations and undo them. We can also get the GOT offset from it and find the PLT for the GOT reconstruction.
- Finally, we simply write all the data to a file and make it executable.
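The header-location step described above, as an added example that is not rpd's own code: it pulls AT_PHDR, AT_PHNUM and AT_PHENT from /proc/[pid]/auxv, reads the program header table through /proc/[pid]/mem (used here in place of ptrace), derives the PIE base address from the PT_PHDR entry and counts the LOAD segments. It assumes a 64-bit Linux target; `locate_segments`, `self_check` and the 64-entry table cap are this example's own names and choices, and `self_check` inspects the running process itself.

```c
#include <elf.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct phdr_info {
    uint64_t phdr_addr, phnum, phent; /* from AT_PHDR, AT_PHNUM, AT_PHENT */
    uint64_t base;                    /* load base; 0 for a non-PIE binary */
    int num_load;                     /* PT_LOAD segments found */
};
/* Scan /proc/[pid]/auxv for the program header table, read the table from
 * /proc/[pid]/mem (stand-in for ptrace) and walk it. Returns LOAD count or -1. */
int locate_segments(pid_t pid, struct phdr_info *pi) {
    char path[64];
    Elf64_auxv_t av;
    Elf64_Phdr ph[64]; /* constructed cap; real binaries have far fewer entries */
    memset(pi, 0, sizeof *pi);
    snprintf(path, sizeof path, "/proc/%d/auxv", pid);
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    while (fread(&av, sizeof av, 1, f) == 1 && av.a_type != AT_NULL) {
        if (av.a_type == AT_PHDR)  pi->phdr_addr = av.a_un.a_val;
        if (av.a_type == AT_PHNUM) pi->phnum = av.a_un.a_val;
        if (av.a_type == AT_PHENT) pi->phent = av.a_un.a_val;
    }
    fclose(f);
    if (!pi->phdr_addr || !pi->phnum || pi->phnum > 64 || pi->phent != sizeof ph[0]) return -1;
    snprintf(path, sizeof path, "/proc/%d/mem", pid);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t got = pread(fd, ph, pi->phnum * sizeof ph[0], (off_t)pi->phdr_addr);
    close(fd);
    if (got != (ssize_t)(pi->phnum * sizeof ph[0])) return -1;
    for (uint64_t i = 0; i < pi->phnum; i++) {
        /* PIE: p_vaddr is relative, so base = table address - PT_PHDR.p_vaddr (0 for non-PIE) */
        if (ph[i].p_type == PT_PHDR) pi->base = pi->phdr_addr - ph[i].p_vaddr;
        if (ph[i].p_type == PT_LOAD) pi->num_load++;
    }
    return pi->num_load;
}
/* Demo on the running process itself: for a PIE build the derived base must
 * point at our own ELF header, which we can verify directly in memory. */
int self_check(void) {
    struct phdr_info pi;
    if (locate_segments(getpid(), &pi) < 0) return -1;
    if (pi.base && memcmp((const void *)(uintptr_t)pi.base, ELFMAG, SELFMAG)) return -1;
    return pi.num_load;
}
```

Against another pid the same code needs the ptrace-style access rights to /proc/[pid]/mem that rpd itself needs, which is why the README notes that root may be required.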
Known limitations:

- Static binaries using libc always fail with a segmentation fault
- The data segment can contain runtime values, so the recovered segment may differ from the original
- The current version of RPD can't undo direct relocations with an implicit addend
- The current version of RPD can't recover section headers