
There are plenty of articles online that describe how DLL Injection works and what it can be used for. There has been lots of software written (both malicious and non) to use this functionality, but there's a question that I can't find the answer to with my Google-Fu and that is...why does Windows have/allow such a technique but Linux (and its ilk) do not?

LD_PRELOAD doesn't count as it doesn't allow runtime injection. I also know about injectso but that's not official.

What problem is DLL Injection supposed to solve, and since Linux doesn't have this functionality, how does it solve that problem? If possible please provide references to backup your answer, ideally first-party ones. Thank you.

  • *"There are plenty of articles online that describe how DLL Injection works and what it can be used for."* - *"What problem is DLL Injection supposed to solve [...]?"* - Since you found the former, why do you need to ask the latter? – IInspectable Jan 18 '17 at 17:21
  • You can inject libs in Linux, the equivalent of DLL injection, using ptrace()/PTRACE_POKEDATA/opcodes for the uselib() syscall. I've seen 1 guy at the tibiaauto.net forum do it; what was his name, I think he calls himself `*DEAD*`, he was making a cheat program for the Linux client of www.tibia.com ( – hanshenrik Jan 18 '17 at 17:24
  • @IInspectable: Because functionality does not imply intent. For example, your comment is functionally useless, but I have no idea why you felt the need to waste your time making it. Also I have yet to find anything that addresses the second part of the question. – Cryptomancer Jan 18 '17 at 18:27
  • @hanshenrik: That's nice. I mentioned injectso so I know it's *possible*. that doesn't answer the question as it's not part of standard Linux development, but it is in Windows. – Cryptomancer Jan 18 '17 at 18:29
  • *"There are plenty of articles online that describe what [DLL Injection] can be used for."* - Fairly impossible to tell, how that then doesn't imply, that you know the problem that DLL injection solves. – IInspectable Jan 18 '17 at 18:50
  • It depends what sort of injection you're talking about. AppInit_DLLs and LoadAppInit_DLLs are similar to LD_PRELOAD, so there's no difference there. Conventional DLL injection techniques, such as using CreateRemoteThread, aren't supported, so that's similar to injectso. I don't know if there's a Linux equivalent to window message hooking, but if so, it would be part of X rather than part of Linux. – Harry Johnston Jan 18 '17 at 21:10
  • (I'd *guess* that the sort of functionality message hooking gives you on Windows can be implemented on Linux by modifying the window manager.) – Harry Johnston Jan 18 '17 at 21:20
  • @HarryJohnston: CreateRemoteThread is a Windows API function developed by Microsoft. You can't reasonably argue that it's not supported. It's very obviously intended functionality. What I want to know is why. There must have been a design decision that said the functionality is worth the security risk. This is quite literally not a bug, it's a feature. – Cryptomancer Jan 18 '17 at 22:23
  • What sort of security risk do you have in mind? – IInspectable Jan 18 '17 at 22:55
  • It is my understanding that CreateRemoteThread is primarily intended as a debugging tool. To the best of my knowledge, Microsoft don't encourage using it in a production setting, or as a mechanism to inject DLLs. But if you want to know about CreateRemoteThread in particular, rather than DLL injection in general, you should probably edit the question accordingly. At present it is excessively broad for SO. – Harry Johnston Jan 18 '17 at 23:02
  • (Surely there's *some* way for a Linux debugger to launch a new thread in the target process?) – Harry Johnston Jan 18 '17 at 23:03
  • To answer my own question: [yes, there is.](http://stackoverflow.com/q/10534841/886887) So the same functionality exists in both operating systems, it's just implemented a bit differently. (Somewhat amusingly, in Windows you might launch a remote thread in order to load a DLL whereas in Linux you might load a DLL in order to launch a remote thread. Neither approach is inherently any better than the other as far as I can see, they're just different.) – Harry Johnston Jan 18 '17 at 23:06

0 Answers