This tool injects the following code into a Linux ELF file:
kill(getpid(), SIGSTOP); goto entry_point;
When the ELF file is loaded, this will immediately pause execution until a SIGCONT signal is sent to the process, at which point execution resumes from the ELF's original entry point.
Why might this be useful?
- You wish to debug a process that is executed by another process (e.g., a CGI file executed by a Web server).
- You want to examine the memory layout (
/proc/pid/maps) of a short-lived process without requiring a debugger.
- You wish to debug a process, but starting the process from inside a debugger can modify process environment variables, stack offsets, etc.
These goals are not always easily realized via traditional methods, especially on embedded systems where you may have limited access to debugging tools / toolchains.
Simply provide the path to the ELF binary you wish to modify, and Botox will add the SIGSTOP code to it:
$ botox ./path/to/some/file.cgi
Botox currently supports x86, x86_64, ARM and MIPS Linux ELF files (executable, non-relocatable).
Just run the included
setup.py installation script:
$ sudo python2 setup.py install
Botox is written in Python, and requires the keystone assembler library and Python module.