Monday, November 7, 2011

DEFCON 19: Jugaad -- Linux Thread Injection Kit

Speaker: Aseem "@" Jakhar Founder, null -- The open security community (registered non-profit organization)

Windows malware conveniently use the CreateRemoteThread() api to delegate critical tasks inside of other processes. However till now there is no API on Linux to perform such operation. This paper talks about my work on creating an API similar to createRemoteThread() on *nix OSes. The kit currently works on Linux, allocates space inside a process and injects and executes arbitrary payload as a thread into that process. It utilizes the ptrace() functionality to manipulate other processes on the system. ptrace() is an API generally used by debuggers to manipulate(debug) a program. By using the same functionality to inject and manipulate the flow of execution of a program Jugaad is able to inject the payload as a thread.

There is another awesome tool injectSo that injects the whole library into a process, however it leaves traces like the name and path of the injected library which can easily be found by reading the process maps file. Jugaad does an in-memory thread injection and hence is stealthier as there are no traces of any library found in the maps file. It however allocates memory in the process using mmap2 system call which only shows up as allocated memory in maps file but does not reveal anything about the injection. The payload to be executed runs inside the thread and is independent of the kit - you chose your payload, jugaad injects the payload.


Post a Comment