Daniel Roberson - runtimeprocessinfection-anonymous2002

Daniel Roberson

runtimeprocessinfection-anonymous2002

2024-08-25

Runtime Process Infection

by anonymous (2002)

Phrack Magazine. Issue 59 article 8.

https://phrack.org/issues/59/8.html

Notes
ptrace
Linux
debugging
resolving symbols
backdoor
ELF
x86
PTRACE_ATTACH
pid
waitpid
WIFSTOPPED
PTRACE_DETACH
perror
PTRACE_PEEKTEXT
PTRACE_POKETEXT
link_map structure
global offset table (GOT)
pointer
symbol
DT_SYMTAB
DT_STRTAB
PT_DYNAMIC
Elf32_Dyn
Elf32_Ehdr
Elf32_Phdr
Elf32_Word
DT_HASH nchains
assembly language
.so injection
dlopen, dlsym, dlclose
libdl
internal_function
RTLD_LAZY
Aleph1
position-independent
loader
register
PTRACE_GETREGS
dynamic linker
/proc/PID/maps
kmem patching
static linked binaries
function redirection
Proceture Linkage Table (PLT)
sshfucker

Links
More elf buggery, bugtraq, grugq http://online.securityfocus.com/archive/1/274283/2002-07-10/2002-07-16/2
Shared lib redirection, Silvio Cesare http://www.big.net.au/~silvio/lib-redirection.txt
Subversive Dynamic Loading, grugq http://online.securityfocus.com/data/library/subversiveld.pdf
BlackHat 2001 presentation, Shaun Clowes http://www.blackhat.com/presentations/bh-europe-01/shaun-clowes/injectso3.ppt
Tool Interface Standard (TIS) Executable and Linking Format Specification http://x86.ddj.com/ftp/manuals/tools/elf.pdf
ptrace man page http://www.die.net/doc/linux/man/man2/ptrace.2.html

Links to this note

Recent Posts

Linux Persistence: atd

2025-04-01 DFIR CTF linux persistence at atd

Linux Persistence: SSH

2025-03-29 DFIR CTF SSH hardening hunting persistence linux persistence hunting hardening SSH PAM

Linux Hardening: SSH

2025-03-06 DFIR SSH hardening linux hardening SSH PAM

Linux Anti-Forensics: Timestomping

2025-03-05 DFIR linux anti-forensics

Finding Bad with Linux Package Managers

2025-03-03 DFIR linux persistence