
ELF binary from memory

I just wrote a Hello world program in C that I was playing around with. I'd like to try and dump the binary from memory (using gdb) and try to create another executable from it. I tried dumping the page with executable privileges followed by its data page; however, it segfaults. Are there any approaches to doing this? Is there any way I can debug and find out why it crashes? Any generic suggestions at all?

Thanks.

[EDIT]

It's on Linux and I've tried it on both 32 and 64-bit x86. The kernel version is 3.13. I set a breakpoint on _start, dumped the executable page followed by its data page to a file and tried executing it.

Wait, are you just dumping the mapped text (executable page) section followed by the mapped data section to a file? That itself wouldn't be a valid ELF object; an ELF file needs an ELF header as well. I am surprised the OS even let you attempt to execute that; you should have gotten an error about an invalid ELF header or something like that.

In addition to the header, an ELF file contains many more sections that are important to be able to run it.

As for debugging, I'd start with GDB to see where it crashes. Does your program crash, or does the dynamic linker crash when trying to load your program? If the dynamic linker crashes, try debugging that, e.g. with

gdb --args /lib64/ld-2.18.so <your program>

Attempts to re-create ELF files from memory have been done before - have a look at Statifier, which even statically includes all loaded dynamic libraries into the resulting ELF.

It might be not very simple and is certainly processor and operating system specific.

You could look at the Emacs source file unexec.c, which is doing what you want. See this answer
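The answers above point out that a file made of mapped pages alone lacks the ELF header and the other structures needed to run it. The following check is an added example, not code from the original posts: it parses the ELF64 header and the PT_LOAD program headers of a candidate file and reports structural problems. The function names and the sample inputs are constructed for illustration, and only the little-endian ELF64 layout is handled.

```python
import struct

PT_LOAD = 1
EHDR64 = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian, 64 bytes
PHDR64 = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes

def inspect_dump(data):
    """Return (problems, load_segments) for a candidate ELF64 little-endian file."""
    loads = []
    if len(data) < EHDR64.size or data[:4] != b"\x7fELF":
        return ["no ELF header at offset 0"], loads
    if data[4] != 2 or data[5] != 1:
        return ["not ELF64 little-endian (the only layout handled here)"], loads
    hdr = EHDR64.unpack_from(data)
    e_entry, e_phoff, e_phentsize, e_phnum = hdr[4], hdr[5], hdr[9], hdr[10]
    if e_phentsize != PHDR64.size or e_phoff + e_phnum * e_phentsize > len(data):
        return ["program header table missing or truncated"], loads
    problems = []
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz, p_memsz, _ = PHDR64.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type != PT_LOAD:
            continue
        loads.append((p_offset, p_vaddr, p_filesz, p_memsz))
        if p_offset + p_filesz > len(data):
            problems.append(f"PT_LOAD {i}: file range runs past end of file")
    if not any(v <= e_entry < v + m for _, v, _, m in loads):
        problems.append("entry point is not inside any PT_LOAD segment")
    return problems, loads

def build_sample_elf():
    """Constructed minimal image: ELF header + one PT_LOAD header + 8 filler bytes."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = EHDR64.pack(ident, 2, 62, 1, 0x400078, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = PHDR64.pack(PT_LOAD, 5, 0, 0x400000, 0x400000, 0x80, 0x80, 0x1000)
    return ehdr + phdr + b"\x90" * 8

# Constructed stand-in for "text page followed by data page" with no header in front.
RAW_PAGES = b"\x31\xed\x49\x89\xd1" + bytes(4091) + bytes(4096)

if __name__ == "__main__":
    for name, blob in [("raw pages", RAW_PAGES), ("sample ELF", build_sample_elf()),
                       ("truncated ELF", build_sample_elf()[:100])]:
        print(name, inspect_dump(blob))
```

Each PT_LOAD tuple is (file offset, virtual address, file size, memory size); a rebuilt file has to place the dumped bytes at the file offsets these headers name, not simply one page after another.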
