On Sun, Feb 15, 2004 at 09:20:55AM -0500, Tim Otten wrote:
> The other day, I did something really stupid. I started a download with
> BitTorrent, and, half-way through, deleted the file it was downloading.
> 
> The file still existed because the torrent client had it open. I could use
> 'lsof' to get an inode number -- but I needed some way to get access to
> that node without having an entry in the file tree.
[...]
> Is it possible to access the file using a utility or small C program?  
> Would you have to write code for the kernel?

This probably won't be of much use to you:

There are basically 2 approaches:

(1) debugfs(8) or equivalent
(2) injecting code in the bittorrent program, which would do a ``cat
deleted_file > recovered_file'' equivalent.  gdb(1) might be of some
limited help here.  Using a known security vulnerability would be an
extremely cute approach ;-)

As I think about it, (2) isn't as silly as it seemed to be at the first
glance: Suppose the bittorrent calls an external program (/bin/foo, or,
better /usr/lib/bittorrent/bar), or a function of a library that can be
replaced during the program runs.  The file descriptors are inherited
when forking.  So all you'd have to do is to add a fork at the beginning
of the callee code. The parent would continue normally, and the child
would copy the deleted_file (on the inherited descriptor) to a
recovered_file.

HTH.

-- 
Jan Minar                   "Please don't CC me, I'm subscribed." x 9

Attachment: pgp00000.pgp
Description: PGP signature

Reply via email to