[GTALUG] ECFS - memory analysis of a process snapshot.
Russell Reiter
rreiter91 at gmail.com
Sat Mar 12 05:57:33 UTC 2016
Here's an interesting video from Defcon 23 regarding ECFS for finer-grained
ELF tracking of hijacks and other problem code. It can recover full
truncated text segments and reconstruct original section headers from
core dumps, among other things.
They've dubbed it process necromancy. I guess this comes from its
ability to snapshot a process without killing it and even reanimate a
process from a snapshot.
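The gap the post describes, as an added illustration (this is not code from the talk or from the ECFS project): a plain ELF core carries program headers but no section headers, and on Linux the executable's text segment is normally only partially present in the core (p_filesz smaller than p_memsz), which is why reconstructing sections and recovering the full text is a job for a tool like ECFS. The walker below reads the ELF64 header and program headers of a core image and reports both facts. The sample core bytes are constructed inline; its addresses, sizes and segment layout are assumed values, not taken from any real dump.

```c
/* Added example (not from the talk or the ECFS project): walk the program
 * headers of an ELF64 core image and report what a plain core lacks.
 * Build: cc -std=c99 -Wall this.c -o core_walk ; ./core_walk [core-file] */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct core_summary {
    int is_core;          /* e_type == ET_CORE */
    int has_sections;     /* e_shnum != 0: plain cores have none */
    int n_load, n_note;   /* PT_LOAD / PT_NOTE segment counts */
    int n_exec_load;      /* PT_LOAD segments marked PF_X (text) */
    uint64_t text_vaddr;  /* first executable segment: address and sizes */
    uint64_t text_filesz, text_memsz;
};

/* Parse the ELF header and program headers of an in-memory image.
 * Returns 0 on success, -1 if the image is not a sane ELF64 file. */
int summarize_core(const unsigned char *buf, size_t len, struct core_summary *s)
{
    Elf64_Ehdr eh;
    memset(s, 0, sizeof *s);
    if (len < sizeof eh) return -1;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64)
        return -1;
    if (eh.e_phentsize != sizeof(Elf64_Phdr)) return -1;
    /* bounds-check the program header table before reading it */
    if (eh.e_phoff > len || (uint64_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return -1;
    s->is_core = (eh.e_type == ET_CORE);
    s->has_sections = (eh.e_shnum != 0);
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_NOTE) {
            s->n_note++;
        } else if (ph.p_type == PT_LOAD) {
            s->n_load++;
            if ((ph.p_flags & PF_X) && s->n_exec_load++ == 0) {
                s->text_vaddr = ph.p_vaddr;     /* remember the first text segment */
                s->text_filesz = ph.p_filesz;
                s->text_memsz = ph.p_memsz;
            }
        }
    }
    return 0;
}

/* True when the core holds less of the text segment than was mapped. */
int text_is_truncated(const struct core_summary *s)
{
    return s->n_exec_load > 0 && s->text_filesz < s->text_memsz;
}

/* Constructed sample: a core with one note and two PT_LOAD segments, the
 * executable one carrying only its first page (all offsets/addresses assumed). */
size_t build_sample_core(unsigned char *out, size_t cap)
{
    Elf64_Ehdr eh; Elf64_Phdr ph[3];
    size_t need = sizeof eh + sizeof ph;
    if (cap < need) return 0;
    memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph); memset(out, 0, cap);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_CORE; eh.e_machine = EM_X86_64; eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh; eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr); eh.e_phnum = 3;   /* e_shnum stays 0 */
    ph[0].p_type = PT_NOTE; ph[0].p_offset = need; ph[0].p_filesz = 0x40;
    ph[1].p_type = PT_LOAD; ph[1].p_flags = PF_R | PF_X;
    ph[1].p_vaddr = 0x400000; ph[1].p_memsz = 0x3000; ph[1].p_filesz = 0x1000;
    ph[2].p_type = PT_LOAD; ph[2].p_flags = PF_R | PF_W;
    ph[2].p_vaddr = 0x600000; ph[2].p_memsz = 0x1000; ph[2].p_filesz = 0x1000;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, sizeof ph);
    return cap;
}

/* Convenience: summarize the constructed sample. */
int sample_summary(struct core_summary *s)
{
    static unsigned char img[4096];
    size_t n = build_sample_core(img, sizeof img);
    return n ? summarize_core(img, n, s) : -1;
}

static void print_summary(const struct core_summary *s)
{
    printf("ET_CORE=%d sections=%d load=%d note=%d exec_load=%d\n",
           s->is_core, s->has_sections, s->n_load, s->n_note, s->n_exec_load);
    if (s->n_exec_load)
        printf("text @0x%llx: %llu of %llu bytes present%s\n",
               (unsigned long long)s->text_vaddr, (unsigned long long)s->text_filesz,
               (unsigned long long)s->text_memsz, text_is_truncated(s) ? " (truncated)" : "");
}

int main(int argc, char **argv)
{
    struct core_summary s;
    if (argc < 2) {                   /* no file given: use the constructed sample */
        if (sample_summary(&s) != 0) return 1;
        print_summary(&s);
        return 0;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END); long sz = ftell(f); rewind(f);
    unsigned char *buf = malloc(sz > 0 ? (size_t)sz : 1);
    if (!buf || sz <= 0 || fread(buf, 1, (size_t)sz, f) != (size_t)sz) { fclose(f); return 1; }
    fclose(f);
    int rc = summarize_core(buf, (size_t)sz, &s);
    if (rc == 0) print_summary(&s); else fprintf(stderr, "not an ELF64 image\n");
    free(buf);
    return rc == 0 ? 0 : 1;
}
```

Run it against a real core (for example one produced with gcore on a live process) and the same two observations appear: no section headers to hand to a disassembler, and a text segment whose bytes in the file are a fraction of what was mapped. That is the starting point from which a tool like ECFS rebuilds section headers and refills the text from the on-disk binary.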
https://www.youtube.com/watch?v=fCJJnJ84MSE