* Inject custom code or data into running process
@ 2017-01-03 19:24 Sayutin Dmitry
  2017-01-03 19:45 ` Mike Krinkin
       [not found] ` <114118.1483472426@turing-police.cc.vt.edu>
  0 siblings, 2 replies; 5+ messages in thread
From: Sayutin Dmitry @ 2017-01-03 19:24 UTC (permalink / raw)
  To: kernelnewbies

Hello, how should one inject code or data into an already running process?

There is no need to start code execution at this point, but it should appear in its virtual memory.

Moreover, I want this data to persist across execve's or clone's (probably can be implemented as a hook on the appropriate kernel methods).

(If you want to know motivation for this -- I want to implement some new idea on sandboxing).


Thanks in advance, Sayutin Dmitry <cdkrot@yandex.ru>


* Inject custom code or data into running process
  2017-01-03 19:24 Inject custom code or data into running process Sayutin Dmitry
@ 2017-01-03 19:45 ` Mike Krinkin
  2017-01-03 19:54   ` Sayutin Dmitry
       [not found] ` <114118.1483472426@turing-police.cc.vt.edu>
  1 sibling, 1 reply; 5+ messages in thread
From: Mike Krinkin @ 2017-01-03 19:45 UTC (permalink / raw)
  To: kernelnewbies

On Tue, Jan 03, 2017 at 10:24:11PM +0300, Sayutin Dmitry wrote:
> Hello, how should one inject code or data into an already running process?

If you have enough privileges to use ptrace you can write in a target
process memory. Though, AFAIK, you can only overwrite existing memory and
can't create new mapping using ptrace, so in order to overcome this you
need to save original code first, rewrite it with your injection bootstrap
code (bootstrap code for example can load a shared library), execute it
and then return original code back.

> 
> There is no need to start code execution at this point, but it should appear in its virtual memory.
> 
> Moreover, I want this data to persist across execve's or clone's (probably can be implemented as a hook on the appropriate kernel methods).
> 
> (If you want to know motivation for this -- I want to implement some new idea on sandboxing).
> 
> 
> Thanks in advance, Sayutin Dmitry <cdkrot@yandex.ru>
> 
> _______________________________________________
> Kernelnewbies mailing list
> Kernelnewbies at kernelnewbies.org
> https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies


* Inject custom code or data into running process
       [not found] ` <114118.1483472426@turing-police.cc.vt.edu>
@ 2017-01-03 19:49   ` Sayutin Dmitry
  0 siblings, 0 replies; 5+ messages in thread
From: Sayutin Dmitry @ 2017-01-03 19:49 UTC (permalink / raw)
  To: kernelnewbies

Yes, I understand points you provide.

> but a royal pain to sandbox malicious code
My idea is to get some assistance from kernel on it (possible with source patch or kernel module),
but I would like to implement POC [proof-of-concept] myself, before showing it to the community.

Let me return back to the original question (injection of code/data)
LD_PRELOAD is quite a brilliant way, but will not work on statically-linked code.

However it may be enough for POC.

03.01.2017, 22:40, "valdis.kletnieks at vt.edu" <valdis.kletnieks@vt.edu>:
> On Tue, 03 Jan 2017 22:24:11 +0300, Sayutin Dmitry said:
>
>> (If you want to know motivation for this -- I want to implement some new idea on sandboxing).
>
> There's pretty much nothing you can do inside the process to do sandboxing
> against code that doesn't want to be sandboxed. In other words, it's
> easy to sandbox possibly buggy code, but a royal pain to sandbox malicious
> code.
>
> Hint: You can lead a horse to code, but you can't force it to call it.
>
> For instance, using LD_PRELOAD is a good way to front-end calls to glibc
> code - but it doesn't do squat against malware that issues its own syscalls
> inline to avoid your front end.

Sayutin Dmitry <cdkrot@yandex.com>


* Inject custom code or data into running process
  2017-01-03 19:45 ` Mike Krinkin
@ 2017-01-03 19:54   ` Sayutin Dmitry
  2017-01-03 20:11     ` Mike Krinkin
  0 siblings, 1 reply; 5+ messages in thread
From: Sayutin Dmitry @ 2017-01-03 19:54 UTC (permalink / raw)
  To: kernelnewbies

This sounds like a solution, but it's a bit complicated one.

I would prefer to implement injection in kernel space, because it should be more simple.
Thank you for your idea nevertheless =)

03.01.2017, 22:45, "Mike Krinkin" <krinkin.m.u@gmail.com>:
> On Tue, Jan 03, 2017 at 10:24:11PM +0300, Sayutin Dmitry wrote:
>> Hello, how should one inject code or data into an already running process?
>
> If you have enough privileges to use ptrace you can write in a target
> process memory. Though, AFAIK, you can only overwrite existing memory and
> can't create new mapping using ptrace, so in order to overcome this you
> need to save original code first, rewrite it with your injection bootstrap
> code (bootstrap code for example can load a shared library), execute it
> and then return original code back.
>
>> There is no need to start code execution at this point, but it should appear in its virtual memory.
>>
>> Moreover, I want this data to persist across execve's or clone's (probably can be implemented as a hook on the appropriate kernel methods).
>>
>> (If you want to know motivation for this -- I want to implement some new idea on sandboxing).
>>
>> Thanks in advance, Sayutin Dmitry <cdkrot@yandex.ru>

----- 
Sayutin Dmitry <cdkrot@yandex.com>


* Inject custom code or data into running process
  2017-01-03 19:54   ` Sayutin Dmitry
@ 2017-01-03 20:11     ` Mike Krinkin
  0 siblings, 0 replies; 5+ messages in thread
From: Mike Krinkin @ 2017-01-03 20:11 UTC (permalink / raw)
  To: kernelnewbies

On Tue, Jan 03, 2017 at 10:54:55PM +0300, Sayutin Dmitry wrote:
> This sounds like a solution, but it's a bit complicated one.
> 
> I would prefer to implement injection in kernel space, because it should be more simple.
> Thank you for your idea nevertheless =)

You are welcome. If you really want to implement injection in kernel
space (IMHO, I'm not sure that it would be easier), you can look
here:

http://man7.org/linux/man-pages/man7/vdso.7.html

The kernel maps the vDSO into the user space app's memory (though it's possible to
disable the vDSO altogether, AFAIK), so if you can add your injection
to the vDSO, the kernel will map your code into an application's address space.

> 
> 03.01.2017, 22:45, "Mike Krinkin" <krinkin.m.u@gmail.com>:
> > On Tue, Jan 03, 2017 at 10:24:11PM +0300, Sayutin Dmitry wrote:
> >> Hello, how should one inject code or data into an already running process?
> >
> > If you have enough privileges to use ptrace you can write in a target
> > process memory. Though, AFAIK, you can only overwrite existing memory and
> > can't create new mapping using ptrace, so in order to overcome this you
> > need to save original code first, rewrite it with your injection bootstrap
> > code (bootstrap code for example can load a shared library), execute it
> > and then return original code back.
> >
> >> There is no need to start code execution at this point, but it should appear in its virtual memory.
> >>
> >> Moreover, I want this data to persist across execve's or clone's (probably can be implemented as a hook on the appropriate kernel methods).
> >>
> >> (If you want to know motivation for this -- I want to implement some new idea on sandboxing).
> >>
> >> Thanks in advance, Sayutin Dmitry <cdkrot@yandex.ru>
> 
> ----- 
> Sayutin Dmitry <cdkrot@yandex.com>
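The two injection routes discussed in this thread (Mike's first reply: overwrite existing code pages via ptrace, run a bootstrap that loads a shared library, restore; his last reply: ride along with the vDSO the kernel maps into every process) leave symptoms that a process or a monitor reading /proc/PID can check for. The following C program is an added example, not code from the thread or from any of its authors: it parses /proc/PID/maps lines and flags anonymous executable regions and writable+executable regions, while treating the kernel's own [vdso] and [vsyscall] pseudo-mappings as expected, and it reads TracerPid from /proc/PID/status to see whether a ptrace tracer is attached. The SAMPLE_MAPS text is constructed for the example; the live scan of /proc/self/maps at the end is a real read on Linux and is skipped elsewhere. This is a heuristic, not a boundary: JIT runtimes legitimately create anonymous executable pages, and, as Valdis points out, nothing inside the process can stop code that does not want to be sandboxed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Classification of a single /proc/PID/maps line. */
enum map_class { MAP_OK = 0, MAP_ANON_EXEC = 1, MAP_WX = 2 };

struct scan_result { int anon_exec; int wx; int total; };

/* Parse "start-end perms offset dev inode [pathname]" and classify it.
 * Executable regions with inode 0 and no backing file are suspicious
 * (a ptrace bootstrap or mmap'd shellcode), except the kernel-provided
 * [vdso]/[vsyscall] pages, which are expected. W+X is flagged always. */
static enum map_class classify_maps_line(const char *line) {
    unsigned long start, end, offset, inode;
    char perms[8], dev[16], path[256];
    int n = sscanf(line, "%lx-%lx %7s %lx %15s %lu %255s",
                   &start, &end, perms, &offset, dev, &inode, path);
    if (n < 6) return MAP_OK;          /* malformed line: ignore */
    if (n == 6) path[0] = '\0';        /* anonymous mapping, no pathname */
    int writable = perms[1] == 'w';
    int exec     = perms[2] == 'x';
    if (exec && writable) return MAP_WX;
    if (exec && inode == 0) {
        if (strcmp(path, "[vdso]") == 0 || strcmp(path, "[vsyscall]") == 0)
            return MAP_OK;             /* kernel mapping, see vdso(7) */
        return MAP_ANON_EXEC;
    }
    return MAP_OK;
}

/* Walk a whole maps text (one line per mapping) and count findings. */
static struct scan_result scan_maps_text(const char *text) {
    struct scan_result r = {0, 0, 0};
    char buf[512];
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, p, len);
        buf[len] = '\0';
        if (len > 0) {
            r.total++;
            enum map_class c = classify_maps_line(buf);
            if (c == MAP_ANON_EXEC) r.anon_exec++;
            if (c == MAP_WX) r.wx++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return r;
}

/* TracerPid from /proc/PID/status text: 0 means no ptrace tracer attached,
 * -1 means the field was not found. */
static long tracer_pid_from_status(const char *status_text) {
    const char *p = strstr(status_text, "TracerPid:");
    if (!p) return -1;
    return strtol(p + strlen("TracerPid:"), NULL, 10);
}

/* Constructed sample: one W+X anonymous region and one anonymous r-x
 * region are planted; [vdso], [heap] and [stack] must not be flagged. */
static const char SAMPLE_MAPS[] =
    "00400000-00452000 r-xp 00000000 08:01 1310720          /usr/bin/demo\n"
    "00651000-00652000 rw-p 00051000 08:01 1310720          /usr/bin/demo\n"
    "7f3c1e000000-7f3c1e021000 rw-p 00000000 00:00 0        [heap]\n"
    "7f3c1f000000-7f3c1f001000 rwxp 00000000 00:00 0\n"
    "7f3c1f100000-7f3c1f101000 r-xp 00000000 00:00 0\n"
    "7ffd1b5f2000-7ffd1b5f4000 r-xp 00000000 00:00 0        [vdso]\n"
    "7ffd1b5d0000-7ffd1b5f1000 rw-p 00000000 00:00 0        [stack]\n";

static int read_file(const char *path, char *buf, size_t cap) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (int)n;
}

int main(void) {
    struct scan_result s = scan_maps_text(SAMPLE_MAPS);
    printf("sample: %d mappings, %d anonymous exec, %d W+X\n",
           s.total, s.anon_exec, s.wx);

    static char buf[1 << 16];
    if (read_file("/proc/self/maps", buf, sizeof buf) > 0) {
        struct scan_result live = scan_maps_text(buf);
        printf("self:   %d mappings, %d anonymous exec, %d W+X\n",
               live.total, live.anon_exec, live.wx);
    }
    if (read_file("/proc/self/status", buf, sizeof buf) > 0)
        printf("self:   TracerPid=%ld\n", tracer_pid_from_status(buf));
    return 0;
}
```

Run it under a debugger and the TracerPid line changes from 0 to the debugger's PID; the same checks applied from outside, over /proc/PID/maps and /proc/PID/status of another process, need the same ptrace-level privilege Mike mentions, so a monitor is the more practical place for them than the sandboxed process itself.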
