
I am trying to improve in Linux process injection and there are some things that I do not fully understand.

The injection method that I am using is the basic ptrace injection at the current rip value. The flow is this: ATTACH to the running process using ptrace, get the regs and modify the memory at the current rip with shellcode containing a Linux/x86-64 /bin/sh using PTRACE_POKEDATA, then DETACH the process.

The injection file and the target file were taken from https://github.com/0x00pf/0x00sec_code/tree/master/mem_inject

First I ran the target process and looked at its pstree hierarchy: [screenshot: running process] [screenshot: process pstree hierarchy]

Second, I took a look at the memory mapping of the current process (as shown in the picture): [screenshot: process memory mapping - before injection]

Then I ran the injection (as shown in the picture): [screenshot: injection part]

So the injection occurs at the address 0x7f049990bb96, as we can see in the screenshot, meaning it is in this page in memory (from the "process memory mapping - before injection" picture): [screenshot: injected page in memory]

Then, after the injection, I ran the pstree command again to see the process hierarchy and looked at the memory map: [screenshot: process pstree hierarchy - after injection] [screenshot: process memory mapping - after injection]

I have two major questions to improve my understanding:

  1. When the injection occurs, it injects into the libc-2.33.so page. The libc-2.33.so file is a shared object, so it is supposed to be loaded once in memory, and every process references the same shared object file. So now, because of COW (copy-on-write) protection, as we can see in the memory mapping of the process (r-xp permissions; p means private, i.e. it has COW protection), we have two versions of libc-2.33.so loaded in memory: the original libc shared object, and the written (injected) libc loaded into the process because of the COW.

Is this true, or am I misunderstanding something in the process?

  2. Why did all the memory mappings of the process change after the injection, and why does the pstree hierarchy not contain /bin/sh as a child process of the "target" process but instead discard the "target" process?
  • I took a peek at https://github.com/0x00pf/0x00sec_code/tree/master/mem_inject (your link was broken), and as for the second question at least, I'm pretty sure the injected shellcode just does an `exec`, hence the process is replaced. – Hasturkun Jul 28 '22 at 20:11
  • @Hasturkun Thank you very much for the answer to the second question, now I understand it better. And about the link, for me it is working, but here are direct links to both of the programs, the injector and the target: https://raw.githubusercontent.com/0x00pf/0x00sec_code/master/mem_inject/infect.c https://raw.githubusercontent.com/0x00pf/0x00sec_code/master/mem_inject/target.c – Raz Gavriel Jul 29 '22 at 08:23
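
The copy-on-write point in the first question is exactly what a defender can observe from outside the process: a ptrace write into the private (`p`) r-xp libc mapping makes the kernel give that process its own anonymous copy of the page, which /proc/PID/smaps reports as Private_Dirty and Anonymous bytes inside a file-backed executable region. The following is an added example (not code from the question or the linked repository) that parses smaps text and flags such regions; the smaps sample is constructed around the address 0x7f049990bb96 from the question, with made-up region boundaries and sizes.

```python
import re
from typing import Dict, List

# Constructed /proc/PID/smaps excerpt: the r--p and r-xp libc-2.33.so regions.
# The 4 kB of Private_Dirty/Anonymous in the r-xp region is what a COW'd
# (modified) text page looks like; a clean shared library shows 0 kB there.
SAMPLE_SMAPS = """\
7f0499898000-7f04998bd000 r--p 00000000 fd:00 1234 /usr/lib/libc-2.33.so
Size:                148 kB
Rss:                 148 kB
Shared_Clean:        148 kB
Private_Clean:         0 kB
Private_Dirty:         0 kB
Anonymous:             0 kB
7f04998bd000-7f0499a2f000 r-xp 00025000 fd:00 1234 /usr/lib/libc-2.33.so
Size:               1480 kB
Rss:                1100 kB
Shared_Clean:       1096 kB
Private_Clean:         0 kB
Private_Dirty:         4 kB
Anonymous:             4 kB
VmFlags: rd ex mr mw me
"""

# Region header line: start-end perms offset dev inode [path]
HEADER = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")

def parse_smaps(text: str) -> List[Dict]:
    """Turn smaps text into a list of regions with their numeric kB fields."""
    regions: List[Dict] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            regions.append({"start": int(m.group(1), 16), "end": int(m.group(2), 16),
                            "perms": m.group(3), "path": m.group(4), "fields": {}})
        elif regions and ":" in line:
            key, _, rest = line.partition(":")
            parts = rest.split()
            if parts and parts[0].isdigit():      # skip non-numeric lines (VmFlags)
                regions[-1]["fields"][key.strip()] = int(parts[0])
    return regions

def modified_text_regions(regions: List[Dict]) -> List[Dict]:
    """Private, executable, file-backed mappings that hold dirty (COW'd) pages."""
    return [r for r in regions
            if "x" in r["perms"] and r["perms"].endswith("p")
            and r["path"].startswith("/") and r["fields"].get("Private_Dirty", 0) > 0]

def region_containing(regions: List[Dict], addr: int) -> List[Dict]:
    """Locate the mapping that holds a given address (e.g. the injected rip)."""
    return [r for r in regions if r["start"] <= addr < r["end"]]
```

On a live system, feed `open(f"/proc/{pid}/smaps").read()` to `parse_smaps`; the original libc pages in the page cache stay untouched, so other processes keep executing the unmodified code.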

0 Answers