
I was wondering if there was an equivalent version, either in a library or as a syscall, of the Windows APIs which allow a process to interact with another process's space, which would mean modifying the flow of that second process. This is to inject a .so in a running process without killing it.

Thanks!

Alex
  • If this is off-topic then I don't know what is on-topic anymore. – Sandeep Datta Feb 05 '16 at 08:09
  • You should not ask for the equivalent of Windows' `Foo` in Linux, you should explain your goals and motivations and ask how to do these on Linux. There is no reason that every function in Windows has a direct equivalent in Linux (and vice versa) – Basile Starynkevitch Feb 05 '16 at 08:37
  • My goals and motivations are clearly explained at the end of my post, I quote: "This is to inject a .so in a running process without killing it." I realize that there is no reason that every function in windows has a direct equivalent in Linux, this is why I formulated the question in a "yes or no" fashion. – Alex Feb 05 '16 at 18:02
  • How is this off-topic? – Alex Feb 05 '16 at 18:08
  • Not off-topic IMO, but probably a duplicate of http://stackoverflow.com/q/10534841/886887 – Harry Johnston Feb 05 '16 at 23:13
  • IMO this question does not seem like it would "attract opinionated answers and spam"; voting to reopen. – Sandeep Datta Feb 09 '16 at 05:31

2 Answers


Maybe take a look here: CreateRemoteThread in Linux

I don't know of a simpler way than described there. On Windows you have this fancy API like VirtualProtectEx. On Linux you'd be writing a .so which e.g. executes pthread_create in a __attribute__((constructor)) function. Then you'd load that .so via the LD_PRELOAD mechanism.

The next best thing to CreateRemoteThread would be manipulating the main thread of the process with the ptrace API. But this would involve:

  1. Holding a thread
  2. Saving its context
  3. Setting arguments for pthread_create
  4. Setting IP to pthread_create and executing
  5. Restoring the old context

I think manipulating the memory access rights would also involve calling mprotect from a process context. As already mentioned above, the simplest way to do that would not be using ptrace but using a precompiled shared object.

Felix M.
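The constructor-plus-pthread_create shared object this answer describes, written out as an added example (not code from the answer or from the linked tutorial). Function and variable names are my own; the thread only reports its presence, and a helper function lets a caller confirm the thread actually ran. As the comment on the other answer points out, this only takes effect in processes started with LD_PRELOAD set, not in an already running one.

```c
/* preload_thread.c: build as a shared object with
 *   gcc -shared -fPIC -o libpreload_thread.so preload_thread.c
 * then start a fresh program with it preloaded:
 *   LD_PRELOAD=./libpreload_thread.so ./some_program
 */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

static pthread_t helper_thread;
static atomic_int thread_created;  /* 1 once pthread_create succeeded */
static atomic_int helper_started;  /* 1 once the helper thread is running */

/* Body of the extra thread: runs alongside the host program's own threads. */
static void *helper_main(void *arg)
{
    (void)arg;
    atomic_store(&helper_started, 1);
    /* getenv is safe here: the dynamic loader has already set up environ. */
    const char *preload = getenv("LD_PRELOAD");
    fprintf(stderr, "[preload] helper thread running in pid %ld (LD_PRELOAD=%s)\n",
            (long)getpid(), preload ? preload : "(unset)");
    return NULL;
}

/* Runs when the dynamic loader maps this object, before the host's main(). */
__attribute__((constructor))
static void on_load(void)
{
    if (pthread_create(&helper_thread, NULL, helper_main, NULL) == 0)
        atomic_store(&thread_created, 1);
    else
        perror("[preload] pthread_create");
}

/* Wait for the helper thread and report whether it ran.
   Returns 1 if the thread was created and executed, 0 otherwise. */
int preload_helper_ran(void)
{
    if (!atomic_load(&thread_created))
        return 0;
    pthread_join(helper_thread, NULL);
    return atomic_load(&helper_started);
}
```

Compiled into an ordinary executable instead of a .so, the constructor still fires before main(), which is a convenient way to test the thread start-up on its own.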

On Linux, there is a standard mechanism for injecting your code into a program. You basically define an environment variable LD_PRELOAD that specifies a .so library that is loaded before all other .so files. Functions in that .so will replace standard versions of the functions. There is no need to modify the assembly code of functions manually to insert hooks to your own code like on Windows.

Here is a nice tutorial: https://rafalcieslak.wordpress.com/2013/04/02/dynamic-linker-tricks-using-ld_preload-to-cheat-inject-features-and-investigate-programs/

Sami Sallinen
  • `LD_PRELOAD` works only in conjunction with starting new processes. The OP seems to be looking for a way to inject code in an already running process as that is what `CreateRemoteThread` does on Windows. Windows has an equivalent of `LD_PRELOAD` too. – Hristo Iliev Feb 05 '16 at 10:11