Pete Finnigan's Oracle security weblog



A truss like tool for IBM AIX and a file undelete program

June 10th, 2005 by Pete


I have been reading Reversing: Secrets of Reverse Engineering, as I mentioned a few posts ago in a post titled "A good book on reverse engineering". I have been reading and skimming the book, which so far is excellent. I started to look at the different ways that can be used to analyse what a program does, or rather how it does it. One way that is less intrusive (if that is the right word) of finding out how a program got where it did is to trace it. This is exactly what Oracle's own trace mechanisms do, except that their trace is built into the code tree as instrumentation. If a piece of software has been instrumented then it is easy to turn on trace and gather information about the flow of control, and also error stacks and details of certain internal structures and values. If there is no instrumentation then it is much harder to track what the program does. Tools like OCI Spy (there is a link on my Oracle security tools page) and P6Spy for Java allow function calls to be caught and their parameters displayed. This is the same trick that tools such as strace, ltrace and truss use to hook function calls as they are made.

If you are interested in security then you need to be aware of the techniques that hackers can use to find out how your applications work.

Thinking about trace methods made me remember my good friend Phil's program libtrace that was written a few years ago. Phil wrote the C and PowerPC assembler code to hook calls made to functions in dynamic link libraries for IBM AIX 4.3 and higher. This gave Phil truss-like functionality on AIX. The code is available on Phil's company's page Useful Programs and Scripts. libtrace is included along with some other useful programs, for instance inf_vgda, which Phil wrote to allow the manipulation of the VGDA area of an LVM managed physical disk. This all means that you can hot swap disks (as Phil says, "if you know what you are doing").
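To show what a call-hooking tracer such as libtrace, strace or truss actually does underneath, here is an added example (my own illustration, not code from the post, from Phil's libtrace or from any of the tools named above). It simulates the indirection slot that calls to a shared-library function go through (the TOC entry on AIX, the PLT/GOT on ELF systems): the program calls through the slot, and "turning trace on" swaps the slot for a wrapper that records the arguments and return value and then chains to the original, so the application's behaviour is unchanged. The stand-in `real_open`, the slot `open_slot` and the sample paths are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Signature of the library function being traced (an open(2) look-alike). */
typedef int (*open_fn)(const char *path, int flags);

/* Constructed stand-in for the real library function: only /etc/passwd "exists". */
static int real_open(const char *path, int flags) {
    (void)flags;
    return strcmp(path, "/etc/passwd") == 0 ? 3 : -1;
}

/* The indirection slot the application actually calls through
 * (the equivalent of a TOC/PLT entry). Initially bound to the real function. */
static open_fn open_slot = real_open;

/* Trace records, filled only while tracing is switched on. */
#define MAX_TRACE 16
struct trace_rec { char path[64]; int flags; int ret; };
static struct trace_rec trace_log[MAX_TRACE];
static int trace_count = 0;
static open_fn saved_open = 0;   /* original slot value while hooked */

/* The hook: chain to the saved original, then record what happened. */
static int traced_open(const char *path, int flags) {
    int ret = saved_open(path, flags);
    if (trace_count < MAX_TRACE) {
        struct trace_rec *r = &trace_log[trace_count++];
        strncpy(r->path, path, sizeof r->path - 1);
        r->path[sizeof r->path - 1] = '\0';
        r->flags = flags;
        r->ret = ret;
    }
    return ret;
}

/* Install / remove the hook by patching the slot, exactly once each. */
void trace_on(void)  { if (!saved_open) { saved_open = open_slot; open_slot = traced_open; } }
void trace_off(void) { if (saved_open)  { open_slot = saved_open; saved_open = 0; } }
int  trace_entries(void) { return trace_count; }
const struct trace_rec *trace_entry(int i) { return &trace_log[i]; }

/* Application code: it knows nothing about tracing and just calls through the slot. */
static int app_open(const char *path, int flags) { return open_slot(path, flags); }

/* Run the application with tracing off, on, and off again.
 * Returns the number of calls that were recorded (only those made while on). */
int run_demo(void) {
    trace_count = 0;
    app_open("/etc/hosts", 0);     /* untraced: leaves no record */
    trace_on();
    app_open("/etc/passwd", 0);    /* traced: returns 3 */
    app_open("/etc/shadow", 0);    /* traced: returns -1, the failure an analyst wants to see */
    trace_off();
    app_open("/etc/passwd", 0);    /* untraced again */
    return trace_count;
}

int main(void) {
    int n = run_demo();
    for (int i = 0; i < n; i++)
        printf("open(\"%s\", %d) = %d\n", trace_log[i].path, trace_log[i].flags, trace_log[i].ret);
    return 0;
}
```

The point to take from the example is that the hook sees every argument and every return value of a call without the application being instrumented at all; the real tools do the same by patching the linker's indirection tables or by using the kernel's process-tracing interface rather than a C function pointer.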

Another program that is of interest is rsb, also written by Phil, which allows the superblock of a JFS file system to be read and dumped. This includes the inodes of files that have been deleted. If the physical space has not been overwritten, this allows files to be "undeleted". This can be useful if something is deleted and you need it. But also remember that someone else could "undelete" files or data that you thought had been deleted.
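To make the undelete point concrete, here is an added example of my own (it is not rsb and does not use the real JFS on-disk layout). It models a toy file system in memory: deleting a file only clears the inode's link count and frees its blocks in the allocation bitmap, while the inode's block pointers and the block contents stay exactly where they were. An undelete walks the deleted inodes and copies the blocks back out, and it fails as soon as one of those blocks has been handed to a new file. The structure names, the block size and the sample file contents are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NBLOCKS 8
#define BLKSZ   16
#define NINODES 4
#define NDIRECT 2

struct inode {
    char name[16];
    int  nlink;           /* 0 = directory entry removed, i.e. the file is "deleted" */
    int  size;            /* bytes */
    int  blocks[NDIRECT]; /* direct block numbers, -1 if unused */
};

struct disk {
    unsigned char bitmap[NBLOCKS];  /* 1 = block allocated to a live file */
    struct inode  inodes[NINODES];
    char          data[NBLOCKS][BLKSZ];
};

static int alloc_block(struct disk *d) {
    for (int b = 0; b < NBLOCKS; b++)
        if (!d->bitmap[b]) { d->bitmap[b] = 1; return b; }
    return -1;
}

/* Create a file in the first never-used inode, taking the lowest free blocks. */
static int create_file(struct disk *d, const char *name, const char *content) {
    int len = (int)strlen(content);
    if (len > NDIRECT * BLKSZ) return -1;
    for (int i = 0; i < NINODES; i++) {
        struct inode *in = &d->inodes[i];
        if (in->nlink != 0 || in->name[0] != '\0') continue;  /* live, or deleted but intact */
        strncpy(in->name, name, sizeof in->name - 1);
        in->nlink = 1; in->size = len;
        for (int k = 0; k < NDIRECT; k++) in->blocks[k] = -1;
        for (int k = 0, off = 0; off < len; k++, off += BLKSZ) {
            int b = alloc_block(d);
            if (b < 0) return -1;
            int n = len - off < BLKSZ ? len - off : BLKSZ;
            memcpy(d->data[b], content + off, n);
            in->blocks[k] = b;
        }
        return i;
    }
    return -1;
}

/* Delete: drop the link and free the blocks in the bitmap. Nothing is wiped. */
static int delete_file(struct disk *d, const char *name) {
    for (int i = 0; i < NINODES; i++) {
        struct inode *in = &d->inodes[i];
        if (in->nlink == 1 && strcmp(in->name, name) == 0) {
            in->nlink = 0;
            for (int k = 0; k < NDIRECT; k++)
                if (in->blocks[k] >= 0) d->bitmap[in->blocks[k]] = 0;
            return 0;
        }
    }
    return -1;
}

/* Undelete: find a deleted inode by name and copy its blocks out.
 * Returns bytes recovered, -1 if no such deleted inode, -2 if a block was reused,
 * -3 if the output buffer is too small. */
int undelete(const struct disk *d, const char *name, char *out, int outsz) {
    for (int i = 0; i < NINODES; i++) {
        const struct inode *in = &d->inodes[i];
        if (in->nlink != 0 || strcmp(in->name, name) != 0) continue;
        if (in->size + 1 > outsz) return -3;
        int got = 0;
        for (int k = 0; k < NDIRECT && got < in->size; k++) {
            int b = in->blocks[k];
            if (b < 0) break;
            if (d->bitmap[b]) return -2;   /* reallocated to a live file: content is gone */
            int n = in->size - got < BLKSZ ? in->size - got : BLKSZ;
            memcpy(out + got, d->data[b], n);
            got += n;
        }
        out[got] = '\0';
        return got;
    }
    return -1;
}

/* Scenario: create two files, delete one, optionally create a third that reuses
 * the freed blocks, then try to undelete. Sample contents are constructed. */
int demo_undelete(int reuse_blocks, char *out, int outsz) {
    struct disk d;
    memset(&d, 0, sizeof d);
    create_file(&d, "notes.txt", "nothing of interest");
    create_file(&d, "secret.txt", "db password is: hunter2");
    delete_file(&d, "secret.txt");
    if (reuse_blocks) create_file(&d, "new.txt", "overwrites freed block");
    return undelete(&d, "secret.txt", out, outsz);
}

int main(void) {
    char buf[64];
    int n = demo_undelete(0, buf, sizeof buf);
    printf("before reuse: %d bytes recovered: \"%s\"\n", n, n > 0 ? buf : "");
    printf("after reuse: %d\n", demo_undelete(1, buf, sizeof buf));
    return 0;
}
```

The two scenarios are the two halves of the post's point: straight after the delete the full content comes back, which is the useful case; once something else has been written the blocks are gone, which is why securely disposing of sensitive data means overwriting it rather than simply deleting it. Reuse of the inode itself (not modelled here) destroys the block pointers and has the same effect.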


This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
