Merge branch 'main' of github.com:hackerschoice/zapper
SkyperTHC committed Oct 5, 2023
2 parents 53ff276 + 86cc0d9 commit ff46a04
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion README.md
Expand Up @@ -46,5 +46,7 @@ make
---
How it works:
* It uses ptrace() to [manipulates the stack's Elf-Aux-Table](https://iq.thc.org/how-does-linux-start-a-process).
* Zapper intercepts when the Kernel passes the command-options to the program (during SYS_execve()): It moves the orignal command-options to a new memory location and then destroyes the old memory location. From the perspective of the Kernel (and procps), the command-options cease to exist. Finally, zapper fixes the pointers in the progam's Aux-Table and hands execution back to the program (PTRACE_CONTINUE). Thereafter, the program is tracked for any further calls to fork() or execve() [to do the same all over again].
* Almost zero performance impact by using some neat ptrace-features: Tracing only execve() and fork() events (but not any other syscall).

* The `-n <pid>` trick (to start a program under _any_ pid) is a gimmick: Linux assigns a new pid to every new _thread_ in sequential order, up until the largest possible pid of 4,194,304 (2^22). Thereafter, it starts again at pid 300 (or 1, depending on the environment). Zapper iterates over all 2^22 possible pids (within a few seconds) until the target pid-1 is encountered: Zapper forks 8+ processes, each calling `clone((int (*)(void *))exit, ..)`. Directly jumping into `exit()` and setting `CLONE_VM` is the fastest way to iterate through all available PIDs.
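Review bot: the "How it works" text in this hunk names the ptrace request as PTRACE_CONTINUE, but the Linux request that resumes a stopped tracee is PTRACE_CONT; suggest correcting it so readers grepping the code or man pages find the right constant. The same lines also carry several typos worth fixing before merge: "manipulates the stack's" should read "manipulate the stack's", and "orignal", "destroyes" and "progam" should be "original", "destroys" and "program". Finally, "the command-options cease to exist" is only true from the viewpoint of readers of the process's auxiliary-vector and /proc-backed argument data; the program itself still holds a copy at the new location, as the next sentence implies, so saying "are no longer visible to the Kernel (and procps)" would be more precise.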
