ari edelkind writes:
> Keep in mind that ptrace(PT_ATTACH,...) will fail if a process is
> already being traced. As for core files, a process can use
> setrlimit(RLIMIT_CORE,...) to disable core dumps, and individual memory
> pages may be encrypted or unloaded, to be decrypted or loaded on
> demand.

The person running the application can trivially replace ktrace(),
ptrace() and setrlimit() with non-functional stubs using LD_PRELOAD.

Ensuring that LD_PRELOAD is invisible to the application is left as an
exercise to the reader.

Dag-Erling Sm=C3=B8rgrav -
_______________________________________________ mailing list
To unsubscribe, send any mail to ""