Threaded programs and programs
that fork can be difficult for debuggers to follow.
NOTE: A fork operation creates a second copy of a process, including all state,
variable, and open file information. Following the fork, two identical processes
exist, distinguishable only by their process IDs. The forking process is termed
the parent and the newly forked process is termed the child. The parent and
child processes continue execution independently of each other.
Following a fork operation, a decision must be made to follow and debug the child
process, or to stick with and continue debugging the parent process. Obviously, if you
Gray Hat Hacking: The Ethical Hacker's Handbook
choose the wrong process, you may completely fail to observe an exploitable opportunity
in the opposing process. For processes that are known to fork, it is occasionally an
option to launch the process in nonforking mode. This option should be considered if
black box testing is to be performed on such an application. When forking cannot be
prevented, a thorough understanding of the capabilities of your debugger is a must. For
some operating system/debugger combinations it is not possible for the debugger to follow
a child process after a fork operation.
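
The following C program is an added example, not code from the book. It models a service whose request handler runs only in a forked child unless a nonforking mode is selected; the names serve, handle_request and the nofork flag are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct report { pid_t handler_pid; int length; };

/* Input-handling code: the part a tester wants to observe in the debugger. */
static struct report handle_request(const char *req) {
    struct report r = { getpid(), (int)strlen(req) };
    return r;
}

/* Returns 0 on success and fills *out with where the handler ran. */
int serve(const char *req, int nofork, struct report *out) {
    if (nofork) {                /* nonforking mode: handler stays in this process */
        *out = handle_request(req);
        return 0;
    }
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t child = fork();
    if (child < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (child == 0) {            /* child: the only process that runs the handler */
        close(fds[0]);
        struct report r = handle_request(req);
        ssize_t n = write(fds[1], &r, sizeof r);
        _exit(n == (ssize_t)sizeof r ? 0 : 1);
    }
    close(fds[1]);               /* parent: never touches the request itself */
    ssize_t n = read(fds[0], out, sizeof *out);
    close(fds[0]);
    int status = 0;
    if (waitpid(child, &status, 0) != child) return -1;
    if (n != (ssize_t)sizeof *out || !WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return out->handler_pid == child ? 0 : -1;
}

int main(void) {
    struct report r;
    const char *req = "GET /index.html";   /* constructed sample input */
    if (serve(req, 0, &r) == 0)
        printf("forking:    parent %d, handler ran in %d\n", (int)getpid(), (int)r.handler_pid);
    if (serve(req, 1, &r) == 0)
        printf("nonforking: parent %d, handler ran in %d\n", (int)getpid(), (int)r.handler_pid);
    return 0;
}
```

A debugger that stays with the parent never executes handle_request in forking mode. In GDB, for example, `set follow-fork-mode child` selects the child instead, and `set detach-on-fork off` keeps both processes under debugger control.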