Jugaad: Linux Thread Injection Kit

Video in TIB AV-Portal: Jugaad: Linux Thread Injection Kit

Formal Metadata

Title
Jugaad: Linux Thread Injection Kit
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2013
Language
English

Content Metadata

Subject Area
Abstract
Windows malware conveniently uses the CreateRemoteThread() API to delegate critical tasks to other processes. Until now, however, there has been no API on Linux to perform such an operation. This paper describes my work on creating an API similar to CreateRemoteThread() on *nix OSes. The kit currently works on Linux: it allocates space inside a process and injects and executes an arbitrary payload as a thread in that process. It uses ptrace() to manipulate other processes on the system; ptrace() is an API generally used by debuggers to manipulate (debug) a program. By using the same functionality to inject code and manipulate the flow of execution of a program, Jugaad is able to inject the payload as a thread. There is another great tool, injectSo, that injects a whole library into a process; however, it leaves traces such as the name and path of the injected library, which can easily be found by reading the process's maps file. Jugaad does an in-memory thread injection and is therefore stealthier, as no trace of any library appears in the maps file. It does allocate memory in the process using the mmap2 system call, which shows up only as allocated memory in the maps file and reveals nothing about the injection. The payload to be executed runs inside the thread and is independent of the kit: you choose your payload, Jugaad injects it. Aseem Jakhar is an independent security researcher with 7 years of experience in system programming, security research and consulting. He has worked on various security software including UTM appliances, messaging/security appliances, anti-spam/antivirus engines, a multicast packet reflector, a transparent HTTPS proxy with captive portal and a Bayesian spam filter, to name a few. He has spoken at security conferences including Xcon 2009, Black Hat EU 2008, Clubhack 2008/2009/2010, IBM Security and Privacy 2009, Cocon 2010, ISACA Bangalore 2010 and Gnunify 2007/2009/2011.
He is the founder of null, The Open Security Community, the largest security community in India; null is now planning to expand outside India as well. Currently he is working full-time on null initiatives. One of the null initiatives is the nullcon security conference, which is a favourite go-to destination for hackers and security professionals in the Indian subcontinent. Before starting on his own he worked at IBM.

Related Material

Video is accompanying material for the following resource
Hello DEF CON. First of all, I would really like to thank DEF CON for giving me the opportunity to come here and speak at this great conference; you guys really rock. My presentation today is on a Linux thread injection kit. This is a kit that I have developed, and I have named it Jugaad; I'll tell you why the name. A little bit about me: I'm from India. I'm the founder of the null security community (if you are not aware of it, you can go to null.co.in and have a look), I'm also the organizer of the nullcon security conference in India, which happens every year in February in Goa, and I'm the chief researcher at Payatu Technologies, which is a start-up in information security services and training. A little bit about null: it's a registered non-profit organization, we have around six to seven chapters in India right now, and our prime focus is on knowledge sharing and security research. We do that by means of monthly meets in all of the chapters, and we do security awareness camps in organizations and institutions.

The agenda for today: I'm briefly going to touch on what the toolkit is and what it is not, and just touch upon what code injection is, because I think most of you already know the different code injection techniques there are. Then I'm going to talk about how it is handled in Windows and how Linux lacks this capability, a little bit about ptrace, and then why library injection has a few flaws. Finally I'll talk about the toolkit that I have developed, how it is different from library injection and what exactly it does.

Jugaad is a Hindi word which means a workaround or a hack, which is evident from what we have been doing with this library. It basically gives you a framework wherein you can inject your own customized payload as a thread inside a remote process. I started looking at it from the point of view of Windows malware: Windows already provides you an API where you can remotely inject code inside another process, but it's not there in Linux or other Unix platforms.

What it is not: it's not an exploit. I won't even call it a vulnerability, because it is one of the features provided by Unix operating systems. Most of you are already aware of the different code injection techniques: you can do remote code execution via buffer overflows, or you can do SQL injection. I'm not going to talk about those, because everybody knows about them. My interest area is the last one, that is, the APIs that are provided by the operating systems. Windows already has an API where all you need to do is call this function and it will do whatever you want. I am not going to go deep into what this API does, but we'll just look at some of the important parameters that this function has. hProcess specifies the target process, or the victim process, where you want to inject code; the stack size is the stack for the thread that you want to create inside the target process; and the start address is the address of the function, or the code, that you want to execute. According to the documentation of this function, the function or the code must exist inside the process.

On Linux there's no equivalent API, so the question is: how do we inject code into a remote process? The first thing that obviously comes to mind is a debugger. How does a debugger inject code or do memory operations? How is the debugger able to access memory inside a remote process, or a traced process? How is it able to change the values of variables? The answer is simple: it uses the ptrace API, which is provided by most of the Unix platforms.

A little bit about ptrace. ptrace is just a single function, and it's a very powerful function in terms of what operations you can perform on a target process. Just one function gives you the ability to read memory, write memory, read registers, write registers, stop the process and do a lot of other things. Some of the common operations you can perform, which we've also used in this library: ATTACH, obviously, to attach to or start debugging a particular process; CONT, if the traced process is stopped, to continue the execution of the traced process; PEEKTEXT, which allows you to read a word from a specified location inside a process; POKETEXT, which does the opposite, it allows you to write to that memory location; and GETREGS and SETREGS, which give you the option of reading and setting the registers of the process.

So how does the debugger get control back? If I am tracing a process, obviously I need control back after I execute some code, so how do I do that? Breakpoints come to the rescue. It's actually an int3 instruction, or a software interrupt; when it is executed in the remote process, the child process stops and you get control back as the tracing process.

A little bit about library injection. When I started, the intention of developing this library was to create an exact replica of what is already there for Windows, CreateRemoteThread. After I was halfway through, I was still searching on the net for any tool available that does this, and I found an interesting tool called injectSo, which uses the same ptrace functionality to inject a whole shared object inside the process. The problem with this is that you can see the library, or the shared object, that has been loaded into the process if you go and view the maps file. I'll just give you a small demo of the tool. It's a pretty old tool, I think it was developed in 2005 or 2006, but it's nice in terms of what it does. This is the library code; it's just the test code that comes with the injectSo implementation. All it does is say "yo from init" when the library is loaded. This is how the libraries are structured. Now what we are going to do: all you need to do is specify the PID and the library that you want to inject, and it uses the dlopen function inside the process to execute that particular function. There you go.

Now coming back to the library that I have created. What I have done is, instead of injecting a shared object, I give the framework for people who want to use it to inject a shellcode instead of injecting the whole library. If you inject the shellcode, what you are doing is in effect an all-in-memory injection, so there are no traces of any libraries ever being injected into the process. I have divided the problem into three parts. One was memory allocation and execution: how do you allocate memory inside the process and how do you make it executable? The second is how do you create a thread inside that particular process, and the third is the customized payload that you want to execute inside that process.

Allocation is very simple. What I have done is create a stub shellcode, which we will see, for the mmap2 system call. What I do is I back up a particular location inside the remote process and I back up the registers of the process, then I overwrite it with my own mmap2 shellcode and make it execute that. How do I do it? I use SETREGS to set the IP to the memory that has been newly allocated by my shellcode, and at the end I put the int3 instruction so that I know, once it has executed, it gives control back to me. It's as simple as this: you specify the length of the memory that you want to create inside the remote process, the mmap-specific flags and the protection for the memory area. This is the stub shellcode; at runtime I just change the values to whatever the user, or the caller, wants, whatever is specified in the function.

Thread creation: what I do is I use the mmap code to first allocate memory inside the process. I allocate memory for the thread and I allocate memory for the thread stack. Then I call clone: I inject the clone shellcode, which also contains my payload, which we'll come to later. So I put in the clone shellcode and, using the same process, I make it execute the clone shellcode. If it's the child thread it jumps on to the payload; if it's the parent thread, it gives me control back because of the interrupt instruction.

This is how the payload looks. Once you pass the payload to the API, it creates a sandwich wherein it gives the clone head, which is the stub shellcode for the clone system call, and a clone tail, which is just the exit system call. Once it starts executing in the child, it will jump on to the payload from the clone head and then eventually to the clone tail, which is the exit system call. If it is the parent thread, it will execute the 0xCC instruction and give control back to the tracing process. The implementation is very simple: I just play around with shellcodes rather than executing the function inside the process directly; it makes it easier. That's the API. This is used internally, but in case you want to extend the shellcodes you can do it; if you look at the functions, the requirement is the same: you specify the length, you specify the memory protections and the flags for mmap2, and it will generate the shellcode on the fly for you. Finally, the API is as simple as this: all you need to do is specify the PID of the remote process, the size of the stack, and the payload that you want to inject inside that process. That is all that is required from a generic point of view, but if you want to try it out with different options you can actually get greater control using the extended function, wherein you can specify your own mmap flags. The reason I've kept this extension is that I've been finding a lot of problems with some of the distributions, so you guys can try it out using different options for the mmap flags and the thread flags.

First we look at a simple demo wherein my payload just creates a file called /tmp/tmp and writes some data on to that file. So now I have backed up the registers and injected my mmap2 shellcode twice. This is one of the memory areas that has been returned by this process; let's just have a look at it, fb000... This memory area has been allocated with read, write and execute permissions, because by default I specify read, write and execute permissions for the memory area. That's what always happens with demos. A real demo: I'll show you another demo where I'll try to inject a TCP listener into Firefox. This particular shellcode starts a listener; I've taken it directly from Metasploit. It starts listening on port 4444. Let's see if it works out; let's just check. I just injected a thread inside this process; it's probably this thread that is running. One thing to understand is that, since it is a thread injection, your payload should be at least thread-aware. Since this payload is a standard Metasploit payload that just spawns a shell, basically execs the shell, as soon as you try to connect to it Firefox will die, obviously, because it execs to a shell. Here is Firefox now; let's try to connect to it, say with nc. Now Firefox is dead and the process has changed to /bin/sh.

The conclusion is that now you can actually do a stealthy CreateRemoteThread in Linux, on top of what Windows provides. Windows does not give you the option of just passing in your payload and letting it do the rest, but in this case you just need to pass the payload. For Windows you need to first create memory inside the remote process; I mean you need to use two or three, a few, lines of code before you actually try to execute something. Library injection, if you are looking at some kind of stealthy malware, will not help you, because it may be found out by forensics people when they are trying to investigate which process might be the evil process. Ubuntu, I think from 10 onwards, has disabled ptrace in their distribution; Fedora I think still has it open. If you want to safeguard yourself from any future threat of this kind, I think the best way would be to just disable ptrace, because on a normal system, if it's not a development box, there is no requirement to have ptrace on it; it makes no sense actually.

Details of the project: you can get the project, it's hosted on GitHub. This release contains a 32-bit binary that works for 32-bit processes. From the next version onwards we will be putting in support for 64-bit processes, and since we have already created this, we might put a lot of other things like VM detection or anti-forensics into it. If any of you are interested in helping out, or just letting us know what else we can add into it other than just the thread injection part, it will be helpful.

Contribution, in the end: if you guys are interested, we are actually having a small informal null meet here tomorrow at four o'clock outside the wireless village. If any of you is interested in starting a null chapter, or just wants to know what null is or what we do, you can meet us at four o'clock. I think four o'clock or six o'clock; I'll be there at four o'clock and at six o'clock. That's about it. If you have any questions, I think we can take them in the Q&A room.
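Both the abstract and the talk point out what a defender is left with: the injected thread leaves no library in /proc/<pid>/maps, but the mmap2 stub does create an anonymous region, read/write/execute by default, and the whole technique depends on being allowed to ptrace() the target (the speaker's closing advice is to disable ptrace where it is not needed). The following Python script is an added example for this page, not part of Jugaad or the talk; it shows the three checks those facts suggest: flag anonymous mappings that are both writable and executable, read the TracerPid field of /proc/<pid>/status to see whether something is currently attached, and read the Yama ptrace_scope sysctl, which is the Linux facility that restricts ptrace attachment. It assumes the standard /proc file formats; the maps and status samples are constructed, not captured from a real process.

```python
import os
import re

# Constructed sample of /proc/<pid>/maps (not a real capture): a text
# segment, libc, an anonymous rwxp region of the kind an mmap2 call with
# PROT_READ|PROT_WRITE|PROT_EXEC produces, then heap and stack.
SAMPLE_MAPS = """\
08048000-08049000 r-xp 00000000 08:01 1234       /usr/bin/example
b7e00000-b7fd0000 r-xp 00000000 08:01 5678       /lib/i386-linux-gnu/libc.so.6
b7fd0000-b7fd1000 rwxp 00000000 00:00 0
b7fd1000-b7fd5000 rw-p 00000000 00:00 0          [heap]
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]
"""

# Constructed fragment of /proc/<pid>/status while a tracer is attached.
SAMPLE_STATUS = "Name:\texample\nState:\tt (tracing stop)\nTracerPid:\t4242\n"

# Meaning of /proc/sys/kernel/yama/ptrace_scope values.
YAMA_SCOPES = {
    0: "classic: any process may attach to any other process of the same uid",
    1: "restricted: only descendants (or explicit PR_SET_PTRACER targets)",
    2: "admin-only: attaching requires CAP_SYS_PTRACE",
    3: "no attach: ptrace attachment is disabled entirely",
}


def parse_maps(text):
    """Parse maps text into (start, end, perms, path) tuples.

    The pathname column is optional, so a line has 5 or 6 fields.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 5)
        addr, perms = parts[0], parts[1]
        path = parts[5] if len(parts) == 6 else ""
        start, end = (int(x, 16) for x in addr.split("-"))
        entries.append((start, end, perms, path))
    return entries


def suspicious_mappings(entries):
    """Anonymous regions (no backing file and no [heap]/[stack]/[vdso]
    label) that are writable and executable at the same time."""
    return [e for e in entries if "w" in e[2] and "x" in e[2] and not e[3]]


def tracer_pid(status_text):
    """Return the TracerPid value from /proc/<pid>/status (0 = not traced)."""
    m = re.search(r"^TracerPid:\s*(\d+)$", status_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def ptrace_scope(sysctl_text):
    """Parse the contents of /proc/sys/kernel/yama/ptrace_scope."""
    return int(sysctl_text.strip())


def assess(maps_text, status_text, scope_text):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for start, end, perms, _ in suspicious_mappings(parse_maps(maps_text)):
        findings.append(
            f"anonymous {perms} mapping {start:08x}-{end:08x} "
            f"({end - start} bytes)")
    tp = tracer_pid(status_text)
    if tp:
        findings.append(f"process is currently traced by pid {tp}")
    scope = ptrace_scope(scope_text)
    if scope == 0:
        findings.append("yama ptrace_scope is 0 (" + YAMA_SCOPES[0] + ")")
    return findings


def assess_live(pid):
    """Run the same checks against a real process on this host.

    Needs permission to read the target's /proc entries; the Yama sysctl
    is absent on kernels without Yama, which is reported as scope 0.
    """
    with open(f"/proc/{pid}/maps") as f:
        maps_text = f.read()
    with open(f"/proc/{pid}/status") as f:
        status_text = f.read()
    scope_path = "/proc/sys/kernel/yama/ptrace_scope"
    scope_text = open(scope_path).read() if os.path.exists(scope_path) else "0"
    return assess(maps_text, status_text, scope_text)


if __name__ == "__main__":
    for line in assess(SAMPLE_MAPS, SAMPLE_STATUS, "0\n"):
        print("finding:", line)
```

On the constructed input the script reports the single rwxp anonymous region, the attached tracer, and the permissive ptrace_scope. Treat the mapping check as a lead rather than a verdict: JIT engines such as the JavaScript engine in the Firefox process used in the talk's demo legitimately create anonymous writable-and-executable pages, so a hit should be confirmed by inspecting the threads of the process (the injected listener in the demo shows up as an extra thread) before anything is concluded.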