From: James Courtier-D. <Ja...@su...> - 2006-10-14 12:10:34

Hi,

Are there any tools available to tell me if a particular executable or lib can contain self modifying code. I.e. Executes instructions in a page that does not have Read/Execute set, but instead has Read/Write/Execute set.

I understand that valgrind can work with self modifying code so that is why I ask here.

I want to try to scan an entire system and highlight all executables and libs that might have self modifying code in them.

Obviously, things like java jit might have self modifying code, but I want to detect all such programs.

James

From: Nicholas N. <nj...@cs...> - 2006-10-14 23:10:30

On Sat, 14 Oct 2006, James Courtier-Dutton wrote:

> Are there any tool available to tell me if a particular executable or
> lib can contain self modifying code. I.e. Executes instructions in a
> page that does not have Read/Execute set, but instead has
> Read/Write/Execute set.
>
> I understand that valgrind can work with self modifying code so that is
> why I ask here.

It's possible to have code executed from a RWX page that is not self-modifying.

> I want to try to scan an entire system and highlight all executables and
> libs that might have self modifying code in them.
>
> Obviously, things like java jit might have self modifying code, but I
> want to detect all such programs.

I think you're confusing self-modifying code with dynamically generated code.

There are no existing tools to do this, but it would be straightforward to modify Valgrind's core to detect this. But it sounds like you want something that can detect this statically, which Valgrind cannot do.

Nick

From: James Courtier-D. <Ja...@su...> - 2006-10-15 00:16:11

Nicholas Nethercote wrote:
> On Sat, 14 Oct 2006, James Courtier-Dutton wrote:
>
>> Are there any tool available to tell me if a particular executable or
>> lib can contain self modifying code. I.e. Executes instructions in a
>> page that does not have Read/Execute set, but instead has
>> Read/Write/Execute set.
>>
>> I understand that valgrind can work with self modifying code so that is
>> why I ask here.
>
> It's possible to have code executed from a RWX page that is not
> self-modifying.

I know it is possible, but if the code executed from a RWX page is not self-modifying, why would one not set it to R-X instead?

>> I want to try to scan an entire system and highlight all executables and
>> libs that might have self modifying code in them.
>>
>> Obviously, things like java jit might have self modifying code, but I
>> want to detect all such programs.
>
> I think you're confusing self-modifying code with dynamically generated
> code.

How does dynamically generated code work? Is it possible for an application to change the page type of one of its pages while running? I.e. start with a data page, fill it with code, and then change the page to +X.

> There are no existing tools to do this, but it would be straightforward
> to modify Valgrind's core to detect this. But it sounds like you want
> something that can detect this statically, which Valgrind cannot do.
>
> Nick

I don't necessarily want to detect code actually changing. I want to be able to detect rwx pages. The only x pages I want to see are r-x pages. This is in part to aid security.

James
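
Added example, not part of the original thread and not Valgrind code: a static check for the "rwx pages" case in the last message, which reads an ELF file's program headers and reports any PT_LOAD segment that is both writable and executable, plus a PT_GNU_STACK entry that requests an executable stack. It only sees the permissions the file asks for at load time, so pages a program makes executable at run time (for example with mprotect) do not show up. The function names and `sample_elf64`, which builds constructed test input, are assumptions of this example.

```python
import struct
import sys

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W = 1, 2

def wx_segments(data):
    """Return [(kind, vaddr, flags)] for segments that are writable and executable."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                     # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little-endian
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    hits = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:    # Elf64_Phdr starts: p_type, p_flags, p_offset, p_vaddr
            p_type, p_flags, _, p_vaddr = struct.unpack_from(end + "IIQQ", data, off)
        else:       # Elf32_Phdr: p_flags is the seventh 32-bit field
            p_type, _, p_vaddr, _, _, _, p_flags = struct.unpack_from(end + "7I", data, off)
        if p_type == PT_LOAD and p_flags & PF_W and p_flags & PF_X:
            hits.append(("LOAD", p_vaddr, p_flags))
        elif p_type == PT_GNU_STACK and p_flags & PF_X:
            hits.append(("GNU_STACK", p_vaddr, p_flags))
    return hits

def sample_elf64(segments):
    """Constructed input: bare little-endian ELF64 header plus (type, flags, vaddr) phdrs."""
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, v, v, 0, 0, 0x1000) for t, f, v in segments)
    return ehdr + phdrs

if __name__ == "__main__":
    for path in sys.argv[1:]:               # e.g. every regular file found under /usr
        try:
            with open(path, "rb") as f:
                hits = wx_segments(f.read())
        except (OSError, ValueError, struct.error):
            continue                        # unreadable, not ELF, or truncated
        for kind, vaddr, flags in hits:
            print(f"{path}: {kind} vaddr={vaddr:#x} flags={flags:#x}")
```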