Linux – How to recover the deleted binary executable file of a running process

deleted-filesexecutablelinuxopen filesprocess

I have a process running very long time.

I accidentally deleted the binary executable file of the process.

Since the process is still running and doesn't get affected, there must be the original binary file in somewhere else….

How can I get recover it? (I use CentOS 7, the running process is written in C++)

Best Answer

It could only be in memory and not recoverable, in which case you'd have to try to recover it from the filesystem using one of those filesystem recovery tools (or from memory, maybe). However!

$ cat hamlet.c
#include <unistd.h>
int main(void) { while (1) { sleep(9999); } }
$ gcc -o hamlet hamlet.c
$ md5sum hamlet
30558ea86c0eb864e25f5411f2480129  hamlet
$ ./hamlet &
[1] 2137
$ rm hamlet
$ cat /proc/2137/exe > newhamlet
$ md5sum newhamlet 
30558ea86c0eb864e25f5411f2480129  newhamlet
$

With interpreted programs, obtaining the script file may be somewhere between tricky and impossible, as /proc/$$/exe will point to perl or whatever, and the input file may already have been closed:

$ echo sleep 9999 > x
$ perl x &
[1] 16439
$ rm x
$ readlink /proc/16439/exe
/usr/bin/perl
$ ls /proc/16439/fd
0  1  2

Only the standard file descriptors are open, so x is already gone (though may for some time still exist on the filesystem, and who knows what the interpreter has in memory).

Related Question