* Inject custom code or data into running process
From: Sayutin Dmitry @ 2017-01-03 19:24 UTC
To: kernelnewbies
Hello, how should one inject code or data into an already running process?
There is no need to start code execution at this point, but it should appear in its virtual memory.
Moreover, I want this data to persist across execve() or clone() (probably can be implemented as a hook on the appropriate kernel methods).
(If you want to know the motivation for this -- I want to implement some new idea on sandboxing.)
Thanks in advance, Sayutin Dmitry <cdkrot@yandex.ru>
* Inject custom code or data into running process
From: Mike Krinkin @ 2017-01-03 19:45 UTC
To: kernelnewbies

On Tue, Jan 03, 2017 at 10:24:11PM +0300, Sayutin Dmitry wrote:
> Hello, how should one inject code or data into an already running process?

If you have enough privileges to use ptrace you can write into a target
process's memory. Though, AFAIK, you can only overwrite existing memory and
can't create a new mapping using ptrace, so in order to overcome this you
need to save the original code first, rewrite it with your injection bootstrap
code (bootstrap code for example can load a shared library), execute it
and then put the original code back.

> There is no need to start code execution at this point, but it should appear in its virtual memory.
>
> Moreover, I want this data to persist across execve() or clone() (probably can be implemented as a hook on the appropriate kernel methods).
>
> (If you want to know the motivation for this -- I want to implement some new idea on sandboxing.)
>
> Thanks in advance, Sayutin Dmitry <cdkrot@yandex.ru>
>
> _______________________________________________
> Kernelnewbies mailing list
> Kernelnewbies at kernelnewbies.org
> https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
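Seen from the defender's side, the ptrace mechanism described in the reply above leaves a visible trace: while a tracer is attached, the kernel reports its PID in the TracerPid field of /proc/<pid>/status. The following script is an added example for this thread, not code from Mike Krinkin or anyone on the list; it assumes a Linux /proc layout and, for the optional policy check, Yama's /proc/sys/kernel/yama/ptrace_scope (absent on kernels without Yama). The status excerpts embedded in it are constructed sample data, not captured from a real host.

```python
"""Audit helper: list processes that currently have a ptrace tracer attached.

Added example for the kernelnewbies thread on code injection; not code from
any of the posters. Reads the TracerPid field from /proc/<pid>/status
(non-zero means a ptrace tracer is attached) and reports the Yama
ptrace_scope policy if the kernel exposes it.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed /proc/<pid>/status excerpts (not from a real system), used by
# the self-test below: pid 2345 is being traced by pid 4242.
SAMPLE_STATUS: Dict[int, str] = {
    1234: "Name:\tsshd\nState:\tS (sleeping)\nPid:\t1234\nPPid:\t1\nTracerPid:\t0\n",
    2345: "Name:\tworker\nState:\tt (tracing stop)\nPid:\t2345\nPPid:\t2300\nTracerPid:\t4242\n",
    4242: "Name:\tgdb\nState:\tS (sleeping)\nPid:\t4242\nPPid:\t900\nTracerPid:\t0\n",
}

_FIELD = re.compile(r"^(\w+):\s*(.*)$")


def parse_status(text: str) -> Dict[str, str]:
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def tracer_pid(text: str) -> int:
    """Return the TracerPid of a status text, or 0 if the field is missing."""
    return int(parse_status(text).get("TracerPid", "0"))


def find_traced(statuses: Dict[int, str]) -> List[Tuple[int, str, int, str]]:
    """Return (pid, name, tracer_pid, tracer_name) for every traced process."""
    found = []
    for pid, text in sorted(statuses.items()):
        tp = tracer_pid(text)
        if tp == 0:
            continue
        name = parse_status(text).get("Name", "?")
        tracer_name = parse_status(statuses[tp]).get("Name", "?") if tp in statuses else "?"
        found.append((pid, name, tp, tracer_name))
    return found


def read_proc_statuses() -> Dict[int, str]:
    """Collect /proc/<pid>/status for every visible process (Linux only)."""
    statuses: Dict[int, str] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/status") as fh:
                statuses[int(entry)] = fh.read()
        except OSError:
            continue  # process exited between listdir and open, or not readable
    return statuses


def ptrace_scope() -> Optional[int]:
    """Yama's kernel.yama.ptrace_scope (0..3), or None if Yama is not present."""
    try:
        with open("/proc/sys/kernel/yama/ptrace_scope") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    scope = ptrace_scope()
    print(f"kernel.yama.ptrace_scope = {scope if scope is not None else 'n/a'}")
    for pid, name, tp, tname in find_traced(read_proc_statuses()):
        print(f"pid {pid} ({name}) is traced by pid {tp} ({tname})")
```

A ptrace_scope of 0 means any process may attach to any other process of the same UID, which is the precondition the reply relies on; 1 restricts attaching to descendants, 2 requires CAP_SYS_PTRACE, and 3 disables attaching entirely. The scan is a point-in-time view: a tracer that attaches, writes, and detaches between two runs will not show up, so it complements rather than replaces audit logging of ptrace calls.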
* Inject custom code or data into running process
From: Sayutin Dmitry @ 2017-01-03 19:54 UTC
To: kernelnewbies

This sounds like a solution, but it's a bit of a complicated one.

I would prefer to implement injection in kernel space, because it should be simpler.
Thank you for your idea nevertheless =)

03.01.2017, 22:45, "Mike Krinkin" <krinkin.m.u@gmail.com>:
> On Tue, Jan 03, 2017 at 10:24:11PM +0300, Sayutin Dmitry wrote:
>> Hello, how should one inject code or data into an already running process?
>
> If you have enough privileges to use ptrace you can write into a target
> process's memory. Though, AFAIK, you can only overwrite existing memory and
> can't create a new mapping using ptrace, so in order to overcome this you
> need to save the original code first, rewrite it with your injection bootstrap
> code (bootstrap code for example can load a shared library), execute it
> and then put the original code back.
>
>> There is no need to start code execution at this point, but it should appear in its virtual memory.
>>
>> Moreover, I want this data to persist across execve() or clone() (probably can be implemented as a hook on the appropriate kernel methods).
>>
>> (If you want to know the motivation for this -- I want to implement some new idea on sandboxing.)
>>
>> Thanks in advance, Sayutin Dmitry <cdkrot@yandex.ru>

-----
Sayutin Dmitry <cdkrot@yandex.com>
* Inject custom code or data into running process
From: Mike Krinkin @ 2017-01-03 20:11 UTC
To: kernelnewbies

On Tue, Jan 03, 2017 at 10:54:55PM +0300, Sayutin Dmitry wrote:
> This sounds like a solution, but it's a bit of a complicated one.
>
> I would prefer to implement injection in kernel space, because it should be simpler.
> Thank you for your idea nevertheless =)

You are welcome. If you really want to implement injection in kernel space
(IMHO, I'm not sure that it would be easier), you can look here:

http://man7.org/linux/man-pages/man7/vdso.7.html

The kernel maps the vdso into user-space application memory (though it's
possible to disable the vdso altogether, AFAIK), so if you can add your
injection to the vdso, the kernel will map your code into the application's
address space.

> 03.01.2017, 22:45, "Mike Krinkin" <krinkin.m.u@gmail.com>:
> > On Tue, Jan 03, 2017 at 10:24:11PM +0300, Sayutin Dmitry wrote:
> >> Hello, how should one inject code or data into an already running process?
> >
> > If you have enough privileges to use ptrace you can write into a target
> > process's memory. Though, AFAIK, you can only overwrite existing memory and
> > can't create a new mapping using ptrace, so in order to overcome this you
> > need to save the original code first, rewrite it with your injection bootstrap
> > code (bootstrap code for example can load a shared library), execute it
> > and then put the original code back.
> >
> >> There is no need to start code execution at this point, but it should appear in its virtual memory.
> >>
> >> Moreover, I want this data to persist across execve() or clone() (probably can be implemented as a hook on the appropriate kernel methods).
> >>
> >> (If you want to know the motivation for this -- I want to implement some new idea on sandboxing.)
> >>
> >> Thanks in advance, Sayutin Dmitry <cdkrot@yandex.ru>
>
> -----
> Sayutin Dmitry <cdkrot@yandex.com>
* Inject custom code or data into running process
From: Sayutin Dmitry @ 2017-01-03 19:49 UTC
To: kernelnewbies

Yes, I understand the points you provide.

> but a royal pain to sandbox malicious code

My idea is to get some assistance from the kernel on it (possibly with a source patch or kernel module), but I would like to implement a POC [proof-of-concept] myself before showing it to the community.

Let me return to the original question (injection of code/data). LD_PRELOAD is quite a brilliant way, but will not work on statically-linked code. However, it may be enough for a POC.

03.01.2017, 22:40, "valdis.kletnieks at vt.edu" <valdis.kletnieks@vt.edu>:
> On Tue, 03 Jan 2017 22:24:11 +0300, Sayutin Dmitry said:
>
>> (If you want to know the motivation for this -- I want to implement some new idea on sandboxing.)
>
> There's pretty much nothing you can do inside the process to do sandboxing
> against code that doesn't want to be sandboxed. In other words, it's
> easy to sandbox possibly buggy code, but a royal pain to sandbox malicious
> code.
>
> Hint: You can lead a horse to code, but you can't force it to call it.
>
> For instance, using LD_PRELOAD is a good way to front-end calls to glibc
> code - but it doesn't do squat against malware that issues its own syscalls
> inline to avoid your front end.

Sayutin Dmitry <cdkrot@yandex.com>
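The LD_PRELOAD mechanism the last two messages turn on is also something a defender wants to inventory: which running processes were started with LD_PRELOAD set, and what the system-wide /etc/ld.so.preload file loads into every dynamically linked program. The script below is an added example for this thread, not code from any poster. It assumes Linux's /proc/<pid>/environ (NUL-separated KEY=VALUE pairs), the ld.so convention that LD_PRELOAD entries are separated by colons or whitespace and /etc/ld.so.preload by whitespace with '#' comments, and a hypothetical TRUSTED_DIRS allow-list that a site would adjust; the embedded environ blob and preload file are constructed sample data.

```python
"""Audit helper: report LD_PRELOAD and /etc/ld.so.preload entries that load
shared objects from outside trusted library directories.

Added example for the kernelnewbies thread on code injection; not code from
any of the posters. Linux-specific (/proc layout, glibc ld.so conventions).
"""
import os
import re
from typing import Dict, List

# Constructed /proc/<pid>/environ content (not captured from a real host):
# NUL-separated KEY=VALUE pairs, one preload from a trusted dir, one from /tmp.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/usr/lib/libtrace.so:/tmp/hook.so\0HOME=/root\0"

# Constructed /etc/ld.so.preload content: whitespace-separated, '#' comments.
SAMPLE_LD_SO_PRELOAD = "# system-wide preloads\n/usr/lib/libsandbox.so\n\n/dev/shm/x.so  # unexpected\n"

# Hypothetical allow-list; a real deployment would tune this per distribution.
TRUSTED_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")


def parse_environ(blob: bytes) -> Dict[str, str]:
    """Split a /proc/<pid>/environ blob into a dict of environment variables."""
    env: Dict[str, str] = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preload_entries(value: str) -> List[str]:
    """Split an LD_PRELOAD value; ld.so accepts colons or whitespace."""
    return [p for p in re.split(r"[:\s]+", value) if p]


def parse_ld_so_preload(text: str) -> List[str]:
    """Return the shared objects named in /etc/ld.so.preload (comments stripped)."""
    entries: List[str] = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries


def untrusted(paths: List[str]) -> List[str]:
    """Entries that are relative (resolved via the library search path) or that
    normalise to a location outside TRUSTED_DIRS; '..' components are folded
    first so '/usr/lib/../../tmp/x.so' is not mistaken for a trusted path."""
    flagged = []
    for p in paths:
        norm = os.path.normpath(p)
        inside = any(norm == d or norm.startswith(d + "/") for d in TRUSTED_DIRS)
        if not p.startswith("/") or not inside:
            flagged.append(p)
    return flagged


def audit_process_environ(blob: bytes) -> List[str]:
    """Untrusted LD_PRELOAD entries found in one process's environ blob."""
    env = parse_environ(blob)
    return untrusted(preload_entries(env.get("LD_PRELOAD", "")))


def scan_live() -> Dict[str, List[str]]:
    """Walk /proc and /etc/ld.so.preload on the running host; keys are
    'pid:<n>' or 'ld.so.preload', values are the untrusted entries found."""
    findings: Dict[str, List[str]] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/environ", "rb") as fh:
                hits = audit_process_environ(fh.read())
        except OSError:
            continue  # exited, or environ not readable for this UID
        if hits:
            findings[f"pid:{entry}"] = hits
    try:
        with open("/etc/ld.so.preload") as fh:
            hits = untrusted(parse_ld_so_preload(fh.read()))
        if hits:
            findings["ld.so.preload"] = hits
    except OSError:
        pass  # file absent is the normal state
    return findings


if __name__ == "__main__":
    for where, hits in scan_live().items():
        print(f"{where}: {', '.join(hits)}")
```

Two limits follow directly from the thread: a statically linked program never consults LD_PRELOAD or /etc/ld.so.preload, so it will not appear here even if its environment carries the variable, and an environ entry only records what the process was started with, which is why the scan is worth pairing with a look at the loaded objects in /proc/<pid>/maps.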