From: James Courtier-D. <Ja...@su...> - 2006-10-15 00:16:11
Nicholas Nethercote wrote:
> On Sat, 14 Oct 2006, James Courtier-Dutton wrote:
>
>> Are there any tools available to tell me if a particular executable or
>> lib can contain self modifying code. I.e. Executes instructions in a
>> page that does not have Read/Execute set, but instead has
>> Read/Write/Execute set.
>>
>> I understand that valgrind can work with self modifying code so that is
>> why I ask here.
>
> It's possible to have code executed from a RWX page that is not
> self-modifying.

I know it is possible, but if the code executed from a RWX page is not self-modifying, why would one not set it to R-X instead?

>
>> I want to try to scan an entire system and highlight all executables and
>> libs that might have self modifying code in them.
>>
>> Obviously, things like java jit might have self modifying code, but I
>> want to detect all such programs.
>
> I think you're confusing self-modifying code with dynamically generated
> code.

How does dynamically generated code work? Is it possible for an application to change the page type of one of its pages while running? I.e. start with a data page, fill it with code, and then change the page to +X.

>
> There are no existing tools to do this, but it would be straightforward
> to modify Valgrind's core to detect this. But it sounds like you want
> something that can detect this statically, which Valgrind cannot do.
>
> Nick

I don't necessarily want to detect code actually changing. I want to be able to detect rwx pages. The only x pages I want to see are r-x pages. This is in part to aid security.

James
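Added example, not part of the original e-mail or of Valgrind: a static check along the lines asked for above, reading each ELF program header and reporting PT_LOAD segments that request both write and execute, plus a PT_GNU_STACK marked executable. The helper `sample_elf64` and the image it builds are constructed for the demonstration.

```python
import struct, sys

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W = 0x1, 0x2

def wx_segments(elf):
    """Return [(kind, vaddr, flags)] for program headers that request W+X."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                     # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if elf[5] == 1 else ">"      # EI_DATA: 1 = little-endian
    if is64:
        phoff, = struct.unpack_from(end + "Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        phoff, = struct.unpack_from(end + "I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    hits = []
    for i in range(phnum):
        base = phoff + i * phentsize
        if is64:    # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, ...
            p_type, flags, _, vaddr = struct.unpack_from(end + "IIQQ", elf, base)
        else:       # Elf32_Phdr: p_type, p_offset, p_vaddr, ... p_flags at +24
            p_type, _, vaddr = struct.unpack_from(end + "III", elf, base)
            flags, = struct.unpack_from(end + "I", elf, base + 24)
        if p_type == PT_LOAD and flags & PF_W and flags & PF_X:
            hits.append(("LOAD", vaddr, flags))
        elif p_type == PT_GNU_STACK and flags & PF_X:
            hits.append(("GNU_STACK", vaddr, flags))
    return hits

def sample_elf64(segments):
    """Constructed image: ELF64 little-endian header + (type, flags, vaddr) phdrs."""
    hdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 2, 62, 1,
                      0, 64, 0, 0, 64, 56, len(segments), 0, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", t, f, 0, v, v, 0, 0, 0x1000)
                          for t, f, v in segments)

# Constructed sample: an r-x text segment, an rwx segment, an executable stack.
SAMPLE = sample_elf64([(PT_LOAD, 5, 0x400000), (PT_LOAD, 7, 0x600000),
                       (PT_GNU_STACK, 7, 0)])

if __name__ == "__main__":
    print("constructed sample:", wx_segments(SAMPLE))
    for path in sys.argv[1:]:              # e.g. files under /usr/bin or /usr/lib
        with open(path, "rb") as fh:
            print(path, wx_segments(fh.read()))
```

Program headers only show what the loader is asked to map; pages a process later makes executable with mprotect or mmap show up in /proc/<pid>/maps at run time, not in the file.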