The latter is the more interesting test: it writes a 0xcc byte (the x86-64 software breakpoint instruction, `int3`), which causes the kernel to deliver a SIGTRAP to our process if that byte is ever executed. This is literally changing the executable code of libc. So the next time we call getchar, if we receive a SIGTRAP, we know the write succeeded.
There is a repository on GitHub that you can clone, run and debug if you want to see the code I'm talking about in this article. I've basically taken the code from the previous article and added some extra features. Those additions are what I'll be explaining in this article.
Newly added material on this topic provides an in-depth analysis.
mog_arm_timeout(ms) spawns a background thread that sleeps for the given duration in milliseconds and then sets the interpreter's interrupt flag. This is useful for enforcing wall-clock time limits on untrusted scripts: