On Sun, Feb 15, 2004 at 09:20:55AM -0500, Tim Otten wrote: > The other day, I did something really stupid. I started a download with > BitTorrent, and, half-way through, deleted the file it was downloading. > > The file still existed because the torrent client had it open. I could use > 'lsof' to get an inode number -- but I needed some way to get access to > that node without having an entry in the file tree. [...] > Is it possible to access the file using a utility or small C program? > Would you have to write code for the kernel?
This probably won't be of much use to you: There are basically 2 approaches: (1) debugfs(8) or equivalent (2) injecting code in the bittorrent program, which would do a ``cat deleted_file > recovered_file'' equivalent. gdb(1) might be of some limited help here. Using a known security vulnerability would be an extremely cute approach ;-) As I think about it, (2) isn't as silly as it seemed to be at the first glance: Suppose the bittorrent calls an external program (/bin/foo, or, better /usr/lib/bittorrent/bar), or a function of a library that can be replaced during the program runs. The file descriptors are inherited when forking. So all you'd have to do is to add a fork at the beginning of the callee code. The parent would continue normally, and the child would copy the deleted_file (on the inherited descriptor) to a recovered_file. HTH. -- Jan Minar "Please don't CC me, I'm subscribed." x 9
pgp00000.pgp
Description: PGP signature
