Inject a shared library (i.e. arbitrary code) into a live Linux process, without ptrace. Inspired by Cexigua and linux-inject, among other things.
source: https://github.com/DavidBuchanan314/dlinject
    usage: dlinject.py [-h] [--stopmethod {sigstop,cgroup_freeze,none}]
                       pid /path/to/lib.so

    Inject a shared library into a live process.

    positional arguments:
      pid                   The pid of the target process
      /path/to/lib.so       Path of the shared library to load (note: must be
                            relative to the target process's cwd, or absolute)

    optional arguments:
      -h, --help            show this help message and exit
      --stopmethod {sigstop,cgroup_freeze,none}
                            How to stop the target process prior to shellcode
                            injection. SIGSTOP (default) can have side-effects.
                            cgroup freeze requires root. 'none' is likely to cause
                            race conditions.
- Because I can.
- There are many anti-ptrace techniques, which this evades by simply not using ptrace.
- I don't like ptrace.
- Using `LD_PRELOAD` can sometimes be fiddly or impossible, if the process you want to inject into is spawned by another process with a clean environment.
- Send the stop signal to the target process. (optional)
- Locate the `_dl_open()` symbol.
- Retrieve `RIP` and `RSP` via `/proc/[pid]/syscall`.
- Make a backup of part of the stack, and of the code we're about to overwrite with our shellcode, by reading from `/proc/[pid]/mem`.
- Generate primary and secondary shellcode buffers.
- Insert the primary shellcode at `RIP`, by writing to `/proc/[pid]/mem`.
- The primary shellcode:
  - Pushes common registers to the stack.
  - Loads the secondary shellcode via `mmap()`.
  - Jumps to the secondary shellcode.
- The secondary shellcode:
  - Restores the stack and program code to their original states.
  - Pivots the stack (so we don't touch the original one at all).
  - Calls `_dl_open()` to load the user-specified library. Any constructors will be executed on load, as usual.
  - Restores register state, un-pivots the stack, and jumps back to where it was at the time of the original `SIGSTOP`.
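The third step above reads the stopped target's registers from `/proc/[pid]/syscall`. As an added example (not part of dlinject), here is a Python decoder for the three shapes that file can take per proc(5), run over constructed sample lines; it shows why the process has to be stopped first: a running task yields no registers at all, which is the race the `none` stop method risks.

```python
from dataclasses import dataclass
from pathlib import Path
from typing import Optional, Tuple


@dataclass
class SyscallState:
    """Decoded contents of one read of /proc/[pid]/syscall (format per proc(5))."""
    state: str                   # "running", "blocked" or "in_syscall"
    nr: Optional[int] = None     # syscall number, only for "in_syscall"
    args: Tuple[int, ...] = ()   # up to six syscall arguments
    rsp: Optional[int] = None    # stack pointer; None while running
    rip: Optional[int] = None    # program counter; None while running


def parse_proc_syscall(text: str) -> SyscallState:
    """Decode the three shapes /proc/[pid]/syscall can take:

      "running"                    task is on a CPU, so there are no stable
                                   registers to read (hence stop it first)
      "-1 <sp> <pc>"               stopped or blocked outside any syscall
      "<nr> <a1>..<a6> <sp> <pc>"  blocked inside syscall <nr>

    Only the trailing sp/pc pair is needed to locate the stack and RIP.
    """
    fields = text.split()
    if fields == ["running"]:
        return SyscallState("running")
    if len(fields) == 3 and fields[0] == "-1":
        return SyscallState("blocked", rsp=int(fields[1], 16), rip=int(fields[2], 16))
    if len(fields) == 9:
        return SyscallState("in_syscall", nr=int(fields[0]),
                            args=tuple(int(f, 16) for f in fields[1:7]),
                            rsp=int(fields[7], 16), rip=int(fields[8], 16))
    raise ValueError(f"unexpected /proc/[pid]/syscall contents: {text!r}")


def read_proc_syscall(pid: int) -> SyscallState:
    """Read a live process. The kernel gates this file on the same check as a
    ptrace attach, so YAMA ptrace_scope restricts it exactly as it does the
    injector (hence the ptrace_scope=0 note for testing in the caveats)."""
    return parse_proc_syscall(Path(f"/proc/{pid}/syscall").read_text())


if __name__ == "__main__":
    # Constructed sample lines, not captured from a real process.
    for sample in ("running", "-1 0x7ffd1b0e8e08 0x7f4c1c1d2b7a",
                   "7 0x7ffd1b0e8ea0 0x1 0xffffffff 0x0 0x0 0x0 0x7ffd1b0e8e68 0x7f4c1c2d6d2f"):
        print(parse_proc_syscall(sample))
```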
- Sending `SIGSTOP` may cause unwanted side-effects, for example if another thread is waiting on `waitpid()`. The `--stopmethod=cgroup_freeze` option avoids this, but requires root (on most distros, at least).
- I'm not entirely sure how this will interact with complex multi-threaded applications. There is certainly potential for breakage.
- `x86-64` Linux only (for now; 32-bit support could potentially be added).
- Requires root, or a relaxed YAMA configuration (`echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope` is useful when testing).
- If the target process is sandboxed (e.g. seccomp filters), it may not have permission to `mmap()` the second-stage shellcode, or to `dlopen()` the library.