

Hot Patch - feydr
https://github.com/vikasnkumar/hotpatch

======
tptacek
This program more or less implements a debugger, using ptrace to attach to its
target, suspend it, then trampoline through malloc and dlopen (the routines a
program would use to load dynamic libraries on its own behalf). This isn't far
from what gdb would do if you used "call" to dlopen a library.

~~~
bdonlan
Unfortunately, it's not race-free - if the target's already inside malloc, Bad
Things will happen. A better strategy would be to invoke clone() to spin up a
worker thread, somehow finagle a TLS segment good enough to fool libc and
dlopen into working Well Enough, and loading the library via this thread
(while the main thread is allowed to continue execution).

~~~
shykes
Instead of malloc, wouldn't it be safer to trigger an int80 straight to the
mmap syscall? You only need to overwrite a few instructions, and put them back
in place when you're done. Then you have freshly allocated memory pages for
your exclusive use, and I'm guessing things get a little simpler.

~~~
tptacek
WinAPI makes this especially easy too, since you can bypass the allocator and
just grab pages; I believe that's how Detours does it, and I know it's how our
code (which is public, somewhere) does it.

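The subthread above describes the injection side (ptrace attach, then a trampoline through malloc/dlopen). The counterpart a defender cares about is how a target notices or refuses such an attach. The following is an added example, not code from hotpatch or from any commenter; it assumes Linux with /proc and prctl(2), and the sample status text is constructed.

```c
/* Added example (not from hotpatch): detect an attached ptrace tracer via
 * /proc/self/status, and opt out of being a same-uid ptrace target.
 * Assumes Linux (procfs, prctl PR_SET_DUMPABLE). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>

/* Parse the "TracerPid:" line from /proc/<pid>/status text.
 * Returns the tracer's pid, 0 if untraced, -1 if the field is absent. */
long parse_tracer_pid(const char *status_text)
{
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0)
            return strtol(line + 10, NULL, 10);   /* strtol skips the tab */
        line = strchr(line, '\n');
        if (line) line++;                          /* advance to next line */
    }
    return -1;
}

/* Read the live value for the calling process. */
long current_tracer_pid(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* Clear the dumpable flag: a non-dumpable process cannot be PTRACE_ATTACHed
 * by an unprivileged process of the same uid (CAP_SYS_PTRACE still can), and
 * its /proc/<pid>/mem becomes root-only. Returns 0 on success. */
int refuse_unprivileged_ptrace(void)
{
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
}

int main(void)
{
    /* Constructed status snippet, as a tracer-attached process would show it. */
    const char *sample = "Name:\tsshd\nState:\tS (sleeping)\nTracerPid:\t4242\nUid:\t0\n";
    printf("sample TracerPid: %ld\n", parse_tracer_pid(sample));   /* 4242 */
    printf("live TracerPid:   %ld\n", current_tracer_pid());       /* 0 if untraced */
    if (refuse_unprivileged_ptrace() != 0) { perror("prctl"); return 1; }
    puts("dumpable flag cleared; same-uid ptrace attach is now refused");
    return 0;
}
```

System-wide, Yama's /proc/sys/kernel/yama/ptrace_scope restricts attach to descendants (1) or to CAP_SYS_PTRACE holders (2) regardless of what the target does.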
------
saurik
People here seem to not know of the many existing implementations of this
concept, including LCITK[1] and libhijack[2].

[1] <https://github.com/planetbeing/lcitk>

[2] <http://0xfeedface.org/category/tags/libhijack>

------
dlsspy
Wow. That'd be fun to mix with labrea:
<http://dustin.github.com/2010/12/03/labrea.html>

~~~
feydr
that's pretty cool too!

