Runtime Process Infection
by anonymous (2002)
Phrack Magazine. Issue 59 article 8.
https://phrack.org/issues/59/8.html

| Notes |
|---|
| ptrace |
| Linux |
| debugging |
| resolving symbols |
| backdoor |
| ELF |
| x86 |
| PTRACE_ATTACH |
| pid |
| waitpid |
| WIFSTOPPED |
| PTRACE_DETACH |
| perror |
| PTRACE_PEEKTEXT |
| PTRACE_POKETEXT |
| link_map structure |
| global offset table (GOT) |
| pointer |
| symbol |
| DT_SYMTAB |
| DT_STRTAB |
| PT_DYNAMIC |
| Elf32_Dyn |
| Elf32_Ehdr |
| Elf32_Phdr |
| Elf32_Word |
| DT_HASH nchains |
| assembly language |
| .so injection |
| dlopen, dlsym, dlclose |
| libdl |
| internal_function |
| RTLD_LAZY |
| Aleph1 |
| position-independent |
| loader |
| register |
| PTRACE_GETREGS |
| dynamic linker |
| /proc/PID/maps |
| kmem patching |
| static linked binaries |
| function redirection |
| Procedure Linkage Table (PLT) |
| sshfucker |

| Links |
|---|
| More elf buggery, bugtraq, grugq http://online.securityfocus.com/archive/1/274283/2002-07-10/2002-07-16/2 |
| Shared lib redirection, Silvio Cesare http://www.big.net.au/~silvio/lib-redirection.txt |
| Subversive Dynamic Loading, grugq http://online.securityfocus.com/data/library/subversiveld.pdf |
| BlackHat 2001 presentation, Shaun Clowes http://www.blackhat.com/presentations/bh-europe-01/shaun-clowes/injectso3.ppt |
| Tool Interface Standard (TIS) Executable and Linking Format Specification http://x86.ddj.com/ftp/manuals/tools/elf.pdf |
| ptrace man page http://www.die.net/doc/linux/man/man2/ptrace.2.html |