Runtime Process Infection (part 2)

Video in TIB AV-Portal: Runtime Process Infection (part 2)

Formal Metadata

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Content Metadata

Subject Area
This presentation will instruct participants on how to inject arbitrary code into a process at runtime. Writing malware on Linux isn't an easy task, and anonymously injecting shared objects has been a frightful task that no one has publicly implemented. This presentation will show how and why malware authors can inject shared objects anonymously on 32-bit and 64-bit Linux and on 64-bit FreeBSD. The presenter will be releasing a new version of a tool called libhijack, which aims to make injection of arbitrary code and shared objects extremely easy. There will be a live demo injecting a root shell backdoor into multiple programs at runtime.
... so, because I'm running as a different user, I have to use sudo or, you know, after getting root. In order to do this, if I were running as the www user, the same user nginx is running as, I would have to do that, because I'm targeting nginx. So here it is, 10 25. So what this command does is inject a shared object on "test", which is the name of my shellcode file, and this is the path to the malicious shared object that I'm going to inject, and "see" is the function I'm going to hook. Oh yes, actually, yeah, because I have to be ... quite a bit ... no, yes I do.

But so you see that it's got, you know, nginx loaded, and that's probably the top line now, that's probably the heap, and then it's got the runtime linker loaded, and all the stuff for crypt and PCRE and hashing libraries. And let's see ... with thread ... actually, what we have to do is, we don't know ... What the runtime linker usually does, in its default configuration, is lazy resolving of functions. So the very first time you call a function, its address is actually not in the GOT; the address that's in the GOT is a stub address that points to the runtime linker, and then the runtime linker actually goes and resolves it and replaces the GOT address with the result. So we can connect ... received, and now we'll do our injection.

There's some debugging output there. And actually I need to ... so I just restarted nginx, because I had already injected the stuff, so I need to show you guys that when I enter my custom string it doesn't drop me into a shell. So now I'm going to inject into the process, and now we're dropped into a shell. Crazy. Thank you.

So that is the presentation. Does anyone have any further questions?