Hi,
Just thought I would post how this is done, as it saved me a lot of hassle today during some development work and it's an interesting technique.
Situation: you have a program, executed and running in memory, and *stupidly* you delete its binary. So now you are left with the program running in memory and no source executable. I read last month in some forensics thing that it's pretty simple to get back the deleted source binary of a running process (try doing that on Windows! But I guess Windows doesn't let you delete a running exe in the first place).

Anyway, here's how to do it:
Code:
Start program:
[jack@tmain ~]$ ./myprog&
Delete the binary:
[jack@tmain ~]$ rm myprog
Now recover it - find PID
[jack@tmain ~]$ ps -e | grep myprog
7884 pts/1 00:00:00 myprog
Navigate to /proc/PID and:
[jack@tmain 7884]$ ls -la | grep exe
lrwxrwxrwx 1 jack users 0 2008-07-03 20:17 exe -> /home/jack/myprog (deleted)
exe (broken link) points to where the file used to be, so stream it out to an executable file
[jack@tmain 7884]$ cat exe > ~/myprog_recovered
[jack@tmain 7884]$ chmod +x ~/myprog_recovered
I guess it's entirely possible the space could be overwritten before you do the recovery, so you just gotta be quick to avoid corruption.
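As an added example, not part of the original post: a small POSIX shell script that wraps the steps above (check that /proc/PID/exe is a dangling link, stream the image out with cat the way the post does, then verify the copy by comparing checksums of /proc/PID/exe and the recovered file). It assumes Linux with /proc mounted and that you own the process or are root; the function names and the demo, which uses a private copy of sleep as a stand-in for myprog, are mine. The same recovery is useful in incident response when a process has unlinked its own executable after starting: the kernel keeps the unlinked inode alive for as long as the process maps it, so the image stays readable through /proc/PID/exe until the process exits.

```shell
#!/bin/sh
# Added example (not from the original post): recover the unlinked executable
# of a running process through /proc/<pid>/exe and verify the copy.
# Assumes Linux with /proc mounted and permission to read /proc/<pid>/exe
# (same user or root). All function names here are our own.

# exe_is_deleted PID -> 0 when /proc/PID/exe points at a file that was unlinked
exe_is_deleted() {
    target=$(readlink "/proc/$1/exe" 2>/dev/null) || return 1
    case "$target" in
        *" (deleted)") return 0 ;;   # kernel marks dangling exe links this way
        *)             return 1 ;;
    esac
}

# recover_exe PID DEST -> streams the still-mapped image to DEST and verifies it
recover_exe() {
    pid=$1
    dest=$2
    readlink "/proc/$pid/exe" >/dev/null 2>&1 || {
        echo "cannot read /proc/$pid/exe (no such process or no permission)" >&2
        return 1
    }
    # cat follows the magic link to the open inode even though the path is gone
    cat "/proc/$pid/exe" > "$dest" || return 1
    chmod 0755 "$dest"
    # The copy must hash identically to what the kernel still has mapped;
    # a mismatch means the read was incomplete or the process went away mid-copy.
    want=$(sha256sum "/proc/$pid/exe" | cut -d' ' -f1)
    got=$(sha256sum "$dest" | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# demo_recovery -> reproduces the post's scenario end to end; returns 0 on success.
# Constructed stand-in: a private copy of sleep plays the role of "myprog".
demo_recovery() {
    workdir=$(mktemp -d ./recover_demo.XXXXXX 2>/dev/null || mktemp -d) || return 1
    sleep_bin=$(command -v sleep 2>/dev/null)
    [ -x "${sleep_bin:-/bin/sleep}" ] || { rm -rf "$workdir"; return 1; }
    cp "${sleep_bin:-/bin/sleep}" "$workdir/sleep" || { rm -rf "$workdir"; return 1; }

    "$workdir/sleep" 60 &                    # "./myprog&"
    pid=$!
    # Wait until the child has actually exec'd our copy before deleting it,
    # otherwise rm could win the race and the exec would fail with ENOENT.
    i=0
    until case "$(readlink "/proc/$pid/exe" 2>/dev/null)" in */sleep) true ;; *) false ;; esac; do
        i=$((i + 1))
        [ "$i" -lt 50 ] || { kill "$pid" 2>/dev/null; rm -rf "$workdir"; return 1; }
        sleep 0.1 2>/dev/null || sleep 1
    done

    rm "$workdir/sleep"                      # the "stupid" step: binary is gone
    exe_is_deleted "$pid" || { kill "$pid" 2>/dev/null; rm -rf "$workdir"; return 1; }

    recover_exe "$pid" "$workdir/sleep_recovered"
    status=$?
    kill "$pid" 2>/dev/null
    rm -rf "$workdir"
    return "$status"
}
```

Run it with `. ./recover_exe.sh && demo_recovery && echo recovered` (or call `recover_exe PID ~/myprog_recovered` directly on a real process). The checksum comparison is the part worth keeping in your own notes: a truncated or racing copy will happily `chmod +x` and then crash later, so verify before you trust the recovered file.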
