Runtime Process Infection (part 2)

Formal Metadata

Title
Runtime Process Infection (part 2)
Author
Webb, Shawn
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Publisher
Berkeley System Distribution (BSD), Andrea Ross
Release Date
2013
Language
English

Content Metadata

Abstract
This presentation will instruct participants on how to inject arbitrary code into a process during runtime. Writing malware on Linux isn't an easy task. Anonymously injecting shared objects has been a frightful task that no one has publicly implemented. This presentation will show how and why malware authors can inject shared objects anonymously on 32-bit and 64-bit Linux and 64-bit FreeBSD. The presenter will be releasing a new version of a tool called libhijack. libhijack aims to make injection of arbitrary code and shared objects extremely easy. There will be a live demo injecting a root shell backdoor into multiple programs during runtime.
Transcript

... so, because I'm running as a different user, I have to use sudo or, you know, get root in order to do this. If I were running as the www user, as the same user as nginx is running, I would have to do that because I'm targeting nginx. So ...

Here it is, 10 25. So what this command does is inject a shared object. "test" is the name of my shellcode, my shellcode file, and this is the path to the malicious shared object that I'm going to inject, and this is the function I'm going to hook. Oh yes, actually, yeah, because I have to ... quite a bit. No, yes, I do.

So you see that it's got nginx loaded, and there's probably ... that's probably the top line; that is probably the heap. And then it's got the run-time linker loaded and all the stuff for crypto and PCRE and hashing libraries. And let's see, we have start, let's see, and with thread ... Actually, what we have to do is ... What the run-time linker usually does, in its default configuration, is lazy resolving of functions. So the very first time you call a function, its address is actually not in the GOT; the address that's in the GOT is a stub address that points into the run-time linker, and then the run-time linker actually goes and resolves it and replaces the GOT address with the result. So let's connect ... and received.

And now we'll do our injection. There's some debugging output there. And actually I need to ... sure, that goes there. So I just restarted nginx, because I'd already injected the stuff, so I need to show you guys that when I enter my custom string it doesn't drop me into a shell. So now I am going to inject into the process, and now we're dropped into a shell. Crazy. Thank you.

So that is the presentation. Does anyone have any further questions?