dlinject.py – Inject a .so into a running Linux process, without ptrace
source link: https://github.com/DavidBuchanan314/dlinject
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
dlinject.py
Inject a shared library (i.e. arbitrary code) into a live linux process, without ptrace. Inspired by Cexigua and linux-inject , among other things.
Usage
Note: currently requires the python3 branch of pwntools . It's a fairly heavyweight dependency that I only use a few features of, so I might be able to remove it in the future.
usage: dlinject.py [-h] [--nostop] pid lib.so Inject a shared library into a live process. positional arguments: pid target pid lib.so Path of the shared library to load (note: must be relative to the target process's cwd, or absolute) optional arguments: -h, --help show this help message and exit --nostop Don't stop the target process prior to injection (race condition-y, but avoids potential side-effects of SIGSTOP)
Why?
-
Because I can.
-
There are various anti-ptrace techniques , which this evades by simply not using ptrace.
-
Using
LD_PRELOAD
can sometimes be fiddly or impossible, if the process you want to inject into is spawned by another process with a clean environment.
How it Works
-
Send the stop signal to the target process. (optional)
-
Locate the
_dl_open()
symbol. -
Retreive
RIP
andRSP
via/proc/[pid]/syscall
. -
Make a backup of part of the stack, and the code we're about to overwrite with our shellcode, by reading from
/proc/[pid]/mem
. -
Generate primary and secondary shellcode buffers.
-
Insert primary shellcode at
RIP
, by writing to/proc/[pid]/mem
. -
The primary shellcode:
mmap()
-
The secondary shellcode:
_dl_open() SIGSTOP
Limitations:
-
Sending
SIGSTOP
may cause unwanted side-effects, for example if another thread is waiting onwaitpid()
. The--nostop
option avoids this, but introduces race conditions. -
I'm not entirely sure how this will interact with complex multi-threaded applications. There's certainly potential for breakage.
-
x86-64
Linux only (for now - 32-bit support could potentially be added). -
Requires root, or relaxed YAMA configuration (
echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope
is useful when testing). -
If the target process is sandboxed (e.g. seccomp filters), it might not have permission to
mmap()
the second stage shellcode, or todlopen()
the library.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK