Inject A Shared Library (I.E. Arbitrary Code) Into A Reside Linux Course of, With out Ptrace

Inject a shared library (i.e. arbitrary code) right into a reside linux course of, with out ptrace. Impressed by Cexigua and linux-inject, amongst different issues.

    .___.__  .__            __               __
__| _/|  | |__| ____     |__| ____   _____/  |_  ______ ___.__.
/ __ | |  | |  |/        |  |/ __ _/ ___   __ ____ <   |  |
/ /_/ | |  |_|  |   |     |    ___/  ___|  |   |  |_> >___  |
____ | |____/__|___|  /__|  |___  >___  >__| /|   __// ____|
/              /______|    /     /     /|__|   /
supply: https://github.com/DavidBuchanan314/dlinject
utilization: dlinject.py [-h] [--stopmethod {sigstop,cgroup_freeze,none}]
pid /path/to/lib.so
Inject a shared library right into a reside course of.
positional arguments:
pid                   The pid of the goal course of
/path/to/lib.so       Path of the shared library to load (observe: should be
relative to the goal course of's cwd, or absolute)<   br/>
non-obligatory arguments:
-h, --help            present this assist message and exit
--stopmethod {sigstop,cgroup_freeze,none}
Tips on how to cease the goal course of previous to shellcode
injection. SIGSTOP (default) can have side-effects.
cgroup freeze requires root. 'none' is prone to trigger
race situations.

• As a result of I can.

• There are numerous anti-ptrace strategies, which this evades by merely not utilizing ptrace.

• I do not like ptrace.

• Utilizing LD_PRELOAD can typically be fiddly or unimaginable, if the method you wish to inject into is spawned by one other course of with a clear atmosphere.

• Ship the cease sign to the goal course of. (non-obligatory)

• Find the _dl_open() image.

• Retreive RIP and RSP through /proc/[pid]/syscall.

• Make a backup of a part of the stack, and the code we’re about to overwrite with our shellcode, by studying from /proc/[pid]/mem.

• Generate main and secondary shellcode buffers.

• Insert main shellcode at RIP, by writing to /proc/[pid]/mem.

• The first shellcode:

  • Pushes widespread registers to the stack.
  • Hundreds the secondary shellcode through mmap().
  • Jumps to the secondary shellcode.

• The secondary shellcode:

  • Restores the stack and program code to their unique states.
  • Pivots the stack (so we do not contact the unique one in any respect).
  • Calls _dl_open() to load the user-specified library. Any constructors will likely be executed on load, as ordinary.
  • Restores register state, un-pivots the stack, and jumps again to the place it was on the time of the unique SIGSTOP.

• Sending SIGSTOP could trigger undesirable side-effects, for instance if one other thread is ready on waitpid(). The --stopmethod=cgroup_freeze choice avoids this, however requires root (on most distros, a minimum of).

• I am not totally positive how this can work together with complicated multi-threaded functions. There is definitely potential for breakage.

• x86-64 Linux solely (for now – 32-bit help may doubtlessly be added).

• Requires root, or relaxed YAMA configuration (echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope is beneficial when testing).

• If the goal course of is sandboxed (e.g. seccomp filters), it won’t have permission to mmap() the second stage shellcode, or to dlopen() the library.