We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

Jugaad: Linux Thread Injection Kit

00:00
Untertitel
Aus
Abspielgeschwindigkeit
1
Untertitel
Aus
Englisch (automatisch erzeugt)
Abspielgeschwindigkeit
0.25
0.5
0.75
1
1.25
1.5
1.75
2
Qualität
576p
21
 Zitieren
 Teilen
 Zugehöriges Material
 Herunterladen Bestellen
Kein Logo verfügbarDEF CON
 Jakhar, Aseem

Formale Metadaten

Titel
Jugaad: Linux Thread Injection Kit
Serientitel
Anzahl der Teile
122
Autor
Lizenz
CC-Namensnennung 3.0 Unported:
Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen.
Identifikatoren
Herausgeber
Erscheinungsjahr
Sprache

Inhaltliche Metadaten

Fachgebiet
Genre
Abstract
Windows malware conveniently use the CreateRemoteThread() api to delegate critical tasks inside of other processes. However till now there is no API on Linux to perform such operation. This paper talks about my work on creating an API similar to createRemoteThread() on *nix OSes. The kit currently works on Linux, allocates space inside a process and injects and executes arbitrary payload as a thread into that process. It utilizes the ptrace() functionality to manipulate other processes on the system. ptrace() is an API generally used by debuggers to manipulate(debug) a program. By using the same functionality to inject and manipulate the flow of execution of a program Jugaad is able to inject the payload as a thread. There is another awesome tool injectSo that injects the whole library into a process, however it leaves traces like the name and path of the injected library which can easily be found by reading the process maps file. Jugaad does an in-memory thread injection and hence is stealthier as there are no traces of any library found in the maps file. It however allocates memory in the process using mmap2 system call which only shows up as allocated memory in maps file but does not reveal anything about the injection. The payload to be executed runs inside the thread and is independent of the kit - you chose your payload, jugaad injects the payload. Aseem Jakhar is an Independent security researcher with 7 years of experience in system programming, security research and consulting. He has worked on various security software including UTM appliances, Messaging/security appliances, Anti-Spam/antivirus engines, multicast packet reflector, Transparent HTTPS proxy with Captive portal, Bayesian spam filter to name a few. He has been a speaker at various security conferences like Xcon 2009, Blackhat EU 2008, Clubhack 2008/2009/2010, IBM Security and Privacy 2009, Cocon 2010, ISACA Bangalore 2010, Gnunify 2007/2009/2011. He is the founder of null - The open security community, the largest security community in India. null is now planning to expand outside India as well. Currently he is working full-time on null initiatives. One of the null initiatives is nullcon security conference, which is a favourite go-to destination of hackers and security professionals in the Indian sub-continent. Before starting on his own he was working with IBM.
DEF CON 19104 / 122
1
Vorschaubild
45:38
Seven Ways to Hang Yourself with Google Android
2
Vorschaubild
47:32
Assessing Civilian Willingness to Participate in On-line Political and Social Conflict
3
Vorschaubild
39:15
DEF CON Awards - 2011
4
Vorschaubild
43:07
Welcome & Making of the badge
5
Vorschaubild
40:58
We Owe it All to the Hackers
6
Vorschaubild
47:07
Blinkie Lights: Network Monitoring with Arduino
7
Vorschaubild
41:27
IP4 TRUTH: The IPocalypse is a LIE
8
Vorschaubild
19:58
Hacking the Global Economy with GPUs Or: How I Learned To Stop Worrying And Love Bitcoin
9
Vorschaubild
23:01
Are You In Yet? The CISO's View of Pentesting
10
Vorschaubild
44:14
Runtime Process Insemination
11
Vorschaubild
42:14
DIY Non-Destructive Entry
12
Vorschaubild
48:24
Three Generations of DoS Attacks
13
Vorschaubild
47:24
PIG: Finding Truffles Without Leaving A Trace
14
Vorschaubild
50:38
Economics of Password Cracking in the GPU Era
15
Vorschaubild
42:43
Earth vs. The Giant Spider: Amazingly True Stories of Real Penetration tests
16
Vorschaubild
32:21
An Insider's Look at International Cyber Security Threats and Trends
17
Vorschaubild
51:20
Staring into the Abyss: The Dark Side of Crime-fighting, Security, and Professional Intelligence
18
Vorschaubild
48:31
Why Airport Security Can't Be Done FAST
19
Vorschaubild
14:35
Halloween Makers Or How a Haunter: Voids Warranties, Social Engineers and Finds the Joy of Curiosity
20
Vorschaubild
33:00
Bulletproofing The Cloud: Are We Any Closer To Security?
21
Vorschaubild
17:46
Taking Your Ball And Going Home; building your own secure storage space that mirrors Dropbox's functionality
22
Vorschaubild
46:05
Kiosk Hacking Redux
23
Vorschaubild
50:53
Whoever Fights Monsters?
24
Vorschaubild
45:15
Net Neutrality Panel
25
Vorschaubild
46:47
Smartfuzzing The Web: Carpe Vestra Foramina
26
Vorschaubild
32:01
This is REALLY not the Droid you're looking for...
27
Vorschaubild
50:28
SCADA & PLCs in Correctional Facilities: The Nightmare Before Christmas
28
Vorschaubild
47:33
Represent! Defcon Groups, Hackerspaces, and You.
29
Vorschaubild
1:50:40
PCI 2.0: Still Compromising Controls and Compromising Security
30
Vorschaubild
46:18
Network Security Podcast
31
Vorschaubild
56:34
Is it 0-day or 0-care?
32
Vorschaubild
51:39
Former Keynotes - The Future
33
Vorschaubild
1:43:32
DEF CON Comedy Jam IV, A New Hope For The Fail Whale
34
Vorschaubild
54:18
Ask EFF: The Year in Digital Civil Liberties
35
Vorschaubild
51:01
PacketFence, the Open Source Nac: What we've done in the last two years
36
Vorschaubild
18:22
FingerBank - Open DHCP fingerprints database
37
Vorschaubild
40:46
Steal Everything, Kill Everyone, Cause Total Financial Ruin!
38
Vorschaubild
36:13
Getting SSLizzard
39
Vorschaubild
41:42
Malware Freak Show 3: They're pwning er'bodey out there!
40
Vorschaubild
48:47
Virtunoid: Breaking out of KVM (Kernel Virtual Machine)
41
Vorschaubild
46:21
SSL And The Future Of Authenticity: Moving beyond Certificate Authorities
42
Vorschaubild
44:11
Familiarity Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in Zero-Day Vulnerabilities
43
Vorschaubild
40:36
Abusing HTML5
44
Vorschaubild
49:44
The History and Evolution of Computer Viruses
45
Vorschaubild
21:25
Beat to 1337: How to create a successful university cyber defense organization
46
Vorschaubild
45:44
Build Your Own Radar System
47
Vorschaubild
18:15
Whose time is it anyway?
48
Vorschaubild
43:03
WTF Happened to the Constitution?!
49
Vorschaubild
48:42
DCFluX in: License to Transmit
50
Vorschaubild
47:26
Network Nightmare: Ruling the nightlife between shutdown and boot with pxesploit
51
Vorschaubild
41:31
The Art of Trolling
52
Vorschaubild
43:40
The Future of Cybertravel: Legal Implications of the Evasion of Geolocation
53
Vorschaubild
1:25:04
Balancing The Pwn Trade Deficit: APT Secrets in Asia
54
Vorschaubild
42:47
Sneaky PDF
55
Vorschaubild
47:06
Vulnerabilities of Wireless Water Meter Networks
56
Vorschaubild
45:48
Hacking Google Chrome OS
57
Vorschaubild
49:48
Strategic Cyber Security: An Evaluation of Nation-State Cyber Attack Mitigation Strategies
58
Vorschaubild
14:22
Kernel Exploitation Via Uninitialized Stack
59
Vorschaubild
14:30
Don't Fix It In Software
60
Vorschaubild
46:26
Pentesting the Smart Grid
61
Vorschaubild
50:42
Hacking MMORPGs for Fun and Mostly Profit
62
Vorschaubild
39:09
Key Impressioning
63
Vorschaubild
48:40
Hacking .Net Applications: The Black Arts
64
Vorschaubild
16:48
Phishing and Online Scams in China
65
Vorschaubild
50:18
We (the government) are Here to Help: How FIPS 140 Helps (and Hurts) Security
66
Vorschaubild
41:41
Mobile App Moolah: Profit taking with Mobile Malware
67
Vorschaubild
10:52
Kinectasploit: Metasploit Meets Kinect
68
Vorschaubild
44:18
Archive Team: A Distributed Preservation of Service Attack
69
Vorschaubild
47:47
VoIP Hopping the Hotel: Attacking the Crown Jewels through VoIP
70
Vorschaubild
49:42
Physical Memory Forensics for Files and Cache
71
Vorschaubild
44:40
Security when nanoseconds count
72
Vorschaubild
46:05
Web application analysis with Owasp Hatkit
73
Vorschaubild
49:25
Getting F***** On the River
74
Vorschaubild
43:02
Port Scanning Without Sending Packets
75
Vorschaubild
43:52
The Art and Science of Security Research
76
Vorschaubild
39:59
I'm Your MAC(b)Daddy
77
Vorschaubild
47:21
Lives On The Line: Securing Crisis Maps In Libya, Sudan, And Pakistan
78
Vorschaubild
40:46
VDLDS - All Your Voice Are Belong To Us
79
Vorschaubild
21:33
Handicapping the US Supreme Court
80
Vorschaubild
49:52
Don't Drop the SOAP: Real World Web Service Testing for Web Hacker
81
Vorschaubild
19:39
Steganography and Cryptography 101
82
Vorschaubild
45:06
Cellular Privacy: A Forensic Analysis of Android Network Traffic
83
Vorschaubild
36:48
Mamma's Don't Let Your Babies Grow Up to be Pen Testers: Everything Your Guidance Counselor Forgot To Tell You About Pen Testing
84
Vorschaubild
46:04
Federation and Empire
85
Vorschaubild
41:30
From Printer To Pwnd
86
Vorschaubild
51:48
DEFCON Networking Team: How we learned to stop worrying and deploy a network for ~12 hackers in 3 days.
87
Vorschaubild
46:58
Hacking and Forensicating an Oracle Database Server
88
Vorschaubild
30:20
Pentesting over Power lines
89
Vorschaubild
52:42
Introduction to Tamper Evident Devices
90
Vorschaubild
48:29
Speaking with Cryptographic Oracles
91
Vorschaubild
48:20
Owned Over Amateur Radio: Remote Kernel Exploitation in 2011
92
Vorschaubild
52:19
Black Ops of TCP/IP 2011
93
Vorschaubild
44:38
Art of the possible
94
Vorschaubild
45:22
Weaponizing Cyberpsychology & Subverting Cybervetting: For Fun, Profit & Subterfuge
95
Vorschaubild
31:02
DUST: Your RSS Feed belongs to you!
96
Vorschaubild
38:03
Bosses love Excel...hackers too!
97
Vorschaubild
49:05
Battery Firmware Hacking
98
Vorschaubild
42:39
Metasploit vSploit Modules
99
Vorschaubild
48:28
How To Get Your Message Out When your Government Turns Off the Internet
100
Vorschaubild
41:09
Deceptive Hacking: How misdirection can be used to steal information without being detected
101
Vorschaubild
14:58
How Our Browsing History Is Leaking into the Cloud
102
Vorschaubild
40:50
Network Application Firewalls vs. Contemporary Threats
103
Vorschaubild
50:54
"Get Off of My Cloud": Cloud Credential Compromise and Exposure
104
Vorschaubild
25:59
Jugaad: Linux Thread Injection Kit
105
Vorschaubild
45:13
Bit-squatting: DNS Hijacking Without Exploitation
106
Vorschaubild
39:40
Traps of Gold
107
Vorschaubild
27:15
Gone in 60 Minutes: Stealing Sensitive Data From Thousands of Systems Simultaneously with Open DLP
108
Vorschaubild
1:33:26
A Bridge Too Far: Defeating Wired 802.1x with a Transparent Bridge Using Linux
109
Vorschaubild
38:01
Hacking and Securing DB2 LUW
110
Vorschaubild
51:37
Cipherspaces/Darknets: An Overview of Attack Strategies
111
Vorschaubild
16:20
Pillaging DVCS Repos...for fun and profit
112
Vorschaubild
28:39
UPnP Mapping
113
Vorschaubild
38:07
When Space Elephants Attack
114
Vorschaubild
52:33
Vanquishing Voyeurs: Secure Ways to Authenticate Insecurely
115
Vorschaubild
27:24
Pervasive Cloaking
116
Vorschaubild
54:16
Whitfield Diffie and Moxie Marlinspike
117
Vorschaubild
42:45
Covert Post-Exploitation Forensics With Metasploit: Tools and Examples
118
Vorschaubild
30:05
Smile for the Grenade! "Camera Go Bang!"
119
Vorschaubild
46:33
Look At What My Car Can Do
120
Vorschaubild
48:30
Lock Designs for Government and Commerce: Deconstructing Insecurity
121
Vorschaubild
35:57
I'm Not a Doctor but I Play One on Your Network
122
Vorschaubild
46:28
Staying Connected during a Revolution or Disaster
00:00
ComputersicherheitQuellcodeCybersexCodeInjektivitätProgrammbibliothekWurm <Informatik>DefaultPufferspeicherPunktprozessKeller <Informatik>Zeiger <Informatik>Funktion <Mathematik>AdressraumEinfache GenauigkeitENUMGruppoidOvalMIDI <Musikelektronik>ROM <Informatik>ParametersystemVererbungshierarchieKontrollstrukturOpen SourceDebuggingPunktprozessBitNichtlinearer OperatorVariableSystemplattformCodeFunktion <Mathematik>ProgrammbibliothekFunktionalAdressraumInjektivitätWurm <Informatik>TermCoxeter-GruppeLesen <Datenverarbeitung>Rechter WinkelSelbst organisierendes SystemPartielle DifferentiationPunktDienst <Informatik>WellenpaketSoftwaretestComputersicherheitMapping <Computergraphik>GamecontrollerWort <Informatik>Framework <Informatik>Kontextbezogenes SystemMaschinenschreibenURLDifferenteRegulärer Ausdruck <Textverarbeitung>Software Development KitPufferüberlaufDemo <Programm>FensterfunktionArithmetisches MittelGewicht <Ausgleichsrechnung>NetzbetriebssystemObjekt <Kategorie>Interrupt <Informatik>SpeicheradresseKonfiguration <Informatik>HalbleiterspeicherFlächeninhaltRPCSichtenkonzeptSoftwareschwachstelleParametersystemÄquivalenzklasseAmerican Physical SocietyKeller <Informatik>MalwareExploitSystemprogrammierungSoftwareSchreiben <Datenverarbeitung>Stetige FunktionPOKELeistung <Physik>HackerComputeranimation
07:46
GammafunktionProgrammbibliothekImplementierungTermCodeSoftwaretestEinsComputeranimation
08:44
ENUMLoopProgrammfehlerWurm <Informatik>MenütechnikMarketinginformationssystemHIP <Kommunikationsprotokoll>TUNIS <Programm>VakuumLineares zeitinvariantes SystemLokales MinimumRechenwerkICC-GruppeZellulares neuronales NetzSpitze <Mathematik>VerschlingungGleitendes MittelGeflecht <Mathematik>Vorzeichen <Mathematik>FlächeninhaltBaum <Mathematik>EinfügungsdämpfungEuler-DiagrammDemo <Programm>ProgrammbibliothekInjektivitätPunktprozessHauptidealringFunktion <Mathematik>Offene MengeProgrammbibliothekComputeranimation
09:52
InjektivitätROM <Informatik>ProgrammbibliothekWurm <Informatik>Konvexe HülleHalbleiterspeicherBetriebsmittelverwaltungCodeImplementierungDemo <Programm>KontrollstrukturDatensicherungPhysikalisches SystemTextur-MappingDickeSpeicherschutzWeb-SeiteInterrupt <Informatik>Keller <Informatik>AdressraumPunktprozessOvalKlon <Mathematik>Wrapper <Programmierung>Funktion <Mathematik>Weg <Topologie>Stochastische AbhängigkeitMIDI <Musikelektronik>StrebeWurm <Informatik>StrömungswiderstandBetriebsmittelverwaltungSystemaufrufPunktprozessLaufzeitfehlerEinschließungssatzSchreib-Lese-KopfFunktion <Mathematik>GamecontrollerNabel <Mathematik>CodeDickeFlächeninhaltKlon <Mathematik>Keller <Informatik>VererbungshierarchieSpeicherschutzProgrammbibliothekCASE <Informatik>Objekt <Kategorie>Framework <Informatik>CodierungFahne <Mathematik>HauptidealringGenerizitätPunktHalbleiterspeicherInterrupt <Informatik>MereologieSichtenkonzeptElektronische PublikationKonfiguration <Informatik>MaßerweiterungInjektivitätVerteilungsfunktionSystem FSoundverarbeitungUmwandlungsenthalpieURLImplementierungPhysikalisches SystemRPCRichtungSpeicherverwaltungWechselsprungComputeranimation
15:30
Funktion <Mathematik>InjektivitätProgrammbibliothekLokales MinimumCracker <Computerkriminalität>EmulationEmulatorVerschlingungElektronische PublikationDemo <Programm>Wurm <Informatik>Programm/QuellcodeComputeranimation
16:20
Data MiningRechenwerkMenütechnikMathematikKonvexe HülleEinfacher RingCOTSENUMRootkitMarketinginformationssystemFarbverwaltungssystemEmulationAtomarität <Informatik>Geneigte EbeneGefangenendilemmaSpeicherabzugOISCMechatronikLatent-Class-AnalyseJust-in-Time-CompilerInformationsmanagementMaß <Mathematik>Zeiger <Informatik>Hill-DifferentialgleichungElektronischer DatenaustauschZustandsdichteNormierter RaumLokales MinimumGravitationsgesetzProgrammbibliothekFunktion <Mathematik>InjektivitätHalbleiterspeicherWurm <Informatik>Kontextbezogenes SystemStandardabweichungMeterNabel <Mathematik>FlächeninhaltPunktprozessBinärdatenDemo <Programm>InjektivitätDefaultSurjektivitätComputeranimation
22:49
InjektivitätFunktion <Mathematik>ProgrammbibliothekVersionsverwaltungKonvexe HülleGruppenoperationStellenringE-MailAbfrageSoftwareentwicklerQuaderBinärcodeBitProjektive EbeneFensterfunktionWurm <Informatik>RPCVersionsverwaltungInjektivitätPhysikalisches SystemPunktprozessComputerforensikProgrammbibliothekGeradeVerteilungsfunktionMereologieNormalvektorZweiunddreißig BitKonfiguration <Informatik>CASE <Informatik>CodeHalbleiterspeichersinc-FunktionComputeranimation
Transkript: Englisch(automatisch erzeugt)
00:00
Hello DEFCON. First of all, I would like to really thank DEFCON for giving me the opportunity to come here and speak at this great conference. You guys really rock. So my presentation today is on Linux thread injection kit. This is a kit that I have developed. I've
00:21
named it Jugar, which I'll tell you why the name. So a little bit about me. I'm from India. I'm the founder of a null security community. If you are not aware, you can go to null.co.in and have a look. I'm also the organizer for Nullcon security conference in India. It happens every year in February in Goa and
00:43
I'm the chief researcher at Pyrotechnologies, which is a startup in information security services and trainings. Alright, so a little bit about null. It's a registered nonprofit organization and we have around six to seven chapters in India right now and our prime focus is on
01:03
knowledge sharing and security research. So we do that by means of having monthly meets in all of the chapters and then we do security awareness camps in organizations and institutions. Alright, so the agenda for today is I'm briefly going to touch about what the toolkit is, what it is not and
01:27
basically kind of give you a very brief or just touch upon what code injection is because I think most of you already know what different code injection techniques there are. And then I'm going to talk about how it is handled in Windows and
01:42
how Linux lacks this capability and a little bit about ptrace and finally I'll talk about why library injection has a little bit of flaws and then finally I'll talk about the toolkit that I've developed and how is it different from library injection and what exactly does it do?
02:04
Okay, so jugaad is a Hindi word, which is actually which means a workaround or a hack. So which is evident from the fact what we have been doing with this library. So it basically gives you a
02:21
framework wherein you can inject your own customized payload as a thread inside a remote process. So I started looking at it from the point of view of Windows malware where they So Windows already provides you an API where you can, you know, remotely inject code inside another process.
02:40
But it's not there in Linux or other Unix platforms. Okay, so what it is not, it's not an exploit. I won't even call it a vulnerability because it is one of the features provided by Unix operating systems. Okay, so most of you are already aware of different code injection techniques. You can do it,
03:05
you can do remote code execution via buffer overflows or you can do SQL injection. So I'm not going to talk about it because these are kind of, I mean everybody knows about it. So my interest area is the last, that is the APIs that are provided by
03:22
the operating systems. So Windows, Windows already has an API where all you need to do is just call this function and it'll do the needful work, whatever you want to do. So I'm not going to go into deep into what this API does, but we'll just look at some of the important
03:43
parameters that this function has. So edge process will specify the target process or the victim process where you want to inject code. The stack size talks about the stack for the thread that you want to create inside the main process. And then the start address is the address of the function or code that you want to execute.
04:05
Now according to this, the documentation of this function, it says that the function or the code must exist inside the process. Okay, so Linux, there's
04:20
there's no equivalent API on Linux. So the question is how do we inject code into a remote process? So the first thing that obviously comes to mind is a debugger. How does a debugger, you know, inject code or, you know, do memory operations? How's the debugger able to access memory inside a remote process or a trace process?
04:44
How is it able to change the values of variables? So the answer is simple. It uses the ptrace API, which is obviously provided by most of the Unix platforms.
05:00
So a little bit about ptrace. So ptrace is just a single function, and it's a very powerful function in terms of what operations you can perform on a target process. So just one function will give you the ability to read memory, write memory, read registers, write registers, stop the process, and do a lot of other things.
05:25
Yeah, so some of the common operations that you can perform, which we've also used in this library, attach, obviously to attach or to start debugging a particular process, continuous to, if the trace process is stopped, you can start the trace, the execution of the trace process.
05:46
Peak text, if you, so peak text allows you to read a word from a specified location inside a process. Poke text does the opposite. It allows you to write to that memory location.
06:01
And getregs and setregs give you the option of setting registers for the process. Okay, so how does the debugger get the control back? I mean, if I'm tracing a process, obviously I need the control back after I execute some code. So how do I do that?
06:24
So the breakpoints come to rescue. It's actually an int3 instruction or a software interrupt. When specified inside, when executed in a remote process, what it will do is the child process stops, and you get the control back as the tracing process.
06:47
All right, so a little bit about library injection. So when I started, the intention of developing this library was to create an exact replica of what is already there for Windows, so create remote thread.
07:06
after I was finished halfway through, I was still searching on the net for, I mean, any tool available that does this thing. So I found an interesting tool called InjectSO, which uses the same ptrace functionality to inject a whole shared object inside a process.
07:27
Now the problem with this is you can see the library or the shared object that has been loaded into the process if you go and view the maps file.
07:42
Okay, so I'll just give you a small demo of the tool. It's a pretty old tool. I think it was developed in 2005 or 2006, but it's nice in terms of what it does.
08:14
So this is the library code. This is just the test code that comes with the InjectSO implementation. So all it does is just says yo from init when the library is loaded.
08:49
Okay, so this is how the libraries are structured. Now what we're going to do is, so all you need to do is just specify the PID and the library that you want to inject.
09:16
And it uses the DL open function inside the process, executes that particular function. So there you go.
09:54
Okay, so now coming back to the library that I've created. So what I've done is instead of injecting a shared object,
10:07
I inject, I give the framework for, you know, to people who want to use it to inject a shellcode instead of, you know, injecting the whole library.
10:20
So, so if you, if you inject the shellcode, what happens is what you're doing is in effect all in-memory injection. So there are no traces of any libraries ever being injected into the process. So I've, I've divided the problem into three parts. One was memory allocation and execution.
10:42
How do you allocate memory inside the process and how do you make, make it execute? Then is how do you, how do you threadify it? How do you create a thread inside that particular process? And the third is the customized payload that you want to execute inside that process. So allocation is very simple. What I've done is I,
11:04
I've created a stub shellcode, which we'll see for a map, a map to system call. So what I do is I back up a particular location inside the remote process and I back up the registers of the process and then I overwrite it with my own map to shellcode and
11:22
then make it execute that. So, how do I do it? I use setregs to set the EIP to the memory that has been newly allocated by my shellcode and at the end, I put the int3 instruction so that I know once it, it has executed, it gives control back to me.
11:44
Yeah, so, so it's as simple as this. You specify the length of, length of the memory that you want to create inside the remote process and mmap specific flags and the protection for the memory area.
12:02
So yeah, this is the stub shellcode. Now at runtime, I just changed the values, whatever values the user wants or the caller wants, I just change it to whatever is specified in the function. So threadification, so what I do is I use the mmap code to first allocate memory inside the process.
12:21
So I allocate memory for the thread and I allocate memory for the thread stack and then what I do is I call, I call the clone, so I inject the clone shellcode, which also contains my payload that will come to later. So what happens is, I put the clone shellcode and
12:41
using the same process, I make it execute the clone shellcode and if it's the, if it's the child thread, it jumps onto the payload. If it's the parent thread, you know, it's, it gives me the control back because, because of the interrupt instruction.
13:07
Yeah, so this is how the payload looks like. Once you, once you pass the payload to the API, what it does is it creates a sandwich. Wherein it gives the clone head, which is the stub shellcode for the clone, for the clone system call and a clone tail,
13:21
which is just the exit system call. So once it starts executing in the child, it'll jump onto the payload from the clone head and then eventually to clone tail, which is the exit system call and if it is, if it is, if it is the parent thread, what it'll do is it'll execute the CC instruction and give control back to the
13:44
tracing process. Okay. Yeah, so implementation is very simple. I just, I just play around with shell codes rather than, you know, executing the function inside the process directly. It makes it easier.
14:08
So that's the API. I mean, this is used internally, but in case if you want to extend the shell codes, you can do it. I mean, it follows, if you, if you look up, if you look at the functions,
14:23
the requirement is the same. You specify the length, you specify the memory protections and the flags for MMAP2. It'll generate the shell code on the fly for you. Okay, so finally the API, the API is as simple as this. All you need to do is specify the PID of the
14:41
remote process. You need to specify the stack, the size of the stack and you need to specify the payload that you want to inject inside that process. So this is all that is required from a generic point of view, but if you want to try it out with different options, you can actually get greater control using the extended function,
15:04
wherein you can specify your own MMAP flags. Now why I've kept this extension is because I've been, I've been kind of finding a lot of problems with some of the distributions, so if you guys can try it out using different options for the MMAP flags and the
15:23
thread flags or whatever.
15:46
Alright, so first, first we'll look at a simple demo, wherein what I've done is, my payload just creates a file called tmp slash temp slash tmp and it writes some some data onto that file. Okay, so now
16:46
I've backed up the registers and I've injected my MMAP2 shellcode, it came twice.
17:07
So this is one of the memories that has been returned by this process. Let's just have a look at it.
17:34
Yeah.
17:47
So this, this memory has, area has been allocated because I've, by default I specify read write and execute permissions for the memory area.
18:39
That's like always supposed to happen with
18:41
demos. So, so a real demo would be, I'll show you another demo
19:21
which, I'll try to inject a TCP listener onto Firefox. So this particular shellcode
19:53
starts a listener, I've directly taken it from Metasploit, this starts a listener at port 4444.
20:01
Let's see if it works out. So I've just injected a thread inside this process. Let's see if,
21:03
so it's probably this thread that is running.
21:20
Alright, so just one thing to understand is that since it's a thread injection, your payload should be at least thread aware since this payload is a standard Metasploit payload that just spawns a shell, basically execs the shell. So as soon as you try to connect to it, the Firefox will, will die obviously because it execs to a shell.
21:43
So here's the Firefox. Now, let's try and connect to it. So now Firefox is dead and the process,
22:08
the process has changed to slash min slash sh. Alright, so the conclusion is
22:52
now you can actually do stealthy create remote thread in Linux. On top of what Windows provides, Windows does not give you the option of, you know, just passing in your
23:04
payload and it'll do the rest. But in this case, you just need to pass the payload. So for Windows, you need to first create memory inside the remote process. I mean, you need to use two or three, a few lines of code before actually you're trying to execute something.
23:26
Library injection, if you are looking at some kind of stealthy malware, library injection will not help you because it may be find out by forensics people when they're trying to just investigate which process might be the evil process.
23:44
So yeah, if you want to, so Ubuntu, I think from 10 onwards, Ubuntu has disabled ptrace in their distribution. Fedora, I think still has it open. So if you want to, you know, safeguard yourself from any future
24:02
threat of this kind, I think the best way would be to just disable ptrace. Because on a normal system, if it's not a development box, there is no requirement of having ptrace on. It makes no sense, actually. All right, so details of the project, you can get the project.
24:24
It's hosted on GitHub and so this release contains, is a 32-bit binary that works for 32-bit processes. So next version onwards, we'll be putting in support for 64-bit processes and
24:43
since we're already, you know, created this, we might put a lot of other things like VM detection or anti-forensics into it. So if any of you is interested in helping out or just, you know, letting us know what all we can add into it other than just the
25:03
threat injection part, it'll be helpful. All right, so contribution. In the end, so if you guys are interested, we're actually having a small informal null meet here tomorrow,
25:20
4 o'clock outside the wireless village. So if you, if any of you is interested in starting a null chapter or just want to know what null is or what we do, you can meet us at 4 o'clock, I think 4 o'clock or 6 o'clock. I'll be there at 4 o'clock and 6 o'clock.
25:43
Alright. Yeah, so that's about it. If you have any questions, I think we can take it in the Q&A room.