Code injection with ptrace
So far we have examined some interesting use cases for ptrace, including process analysis and process image reconstruction. Another common use of ptrace is for introducing new code into a running process and executing it. This is commonly done by attackers to modify a running program so that it does something else, such as load a malicious shared library into the process address space.
In Linux, the default ptrace() behavior is such that it allows you to write, using PTRACE_POKETEXT, to segments that are not writable, such as the text segment. This is because it is expected that debuggers will need to insert breakpoints into the code. This works out great for hackers who want to insert code into memory and execute it. To demonstrate this, we have written code_inject.c. This attaches to a process and injects a shellcode that will create an anonymous memory mapping large enough to hold our payload executable, payload.c, which is then injected into the new memory and...
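Because the default ptrace() behavior lets any same-uid process attach and poke the text segment, the practical counter-measures on the defending side are to see whether something is attached (the TracerPid field of /proc/&lt;pid&gt;/status), to know what the system-wide Yama ptrace_scope setting allows, and to let a sensitive process opt out of unprivileged attachment with PR_SET_DUMPABLE. The following C program is an added example written for this edit; it is not code_inject.c, payload.c, or any other code from the book, and it assumes a Linux host where /proc and (optionally) the Yama LSM are present. The parsing functions take the file contents as strings so they can be exercised on constructed input without a live attach.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Parse the "TracerPid:" line out of /proc/<pid>/status text.
 * Returns the tracer's pid (0 means nobody is attached), or -1 if the
 * field is absent from the text. */
long parse_tracer_pid(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL)
        return -1;
    /* strtol skips the tab/space that follows the colon. */
    return strtol(p + strlen("TracerPid:"), NULL, 10);
}

/* Interpret the contents of /proc/sys/kernel/yama/ptrace_scope.
 * Returns the numeric scope (0..3), or -1 for anything else. */
int parse_ptrace_scope(const char *text)
{
    char *end;
    long v = strtol(text, &end, 10);
    if (end == text || v < 0 || v > 3)
        return -1;
    return (int)v;
}

/* Human-readable meaning of each Yama scope value, for a hardening report. */
const char *describe_ptrace_scope(int scope)
{
    switch (scope) {
    case 0: return "classic: any process may ptrace another of the same uid";
    case 1: return "restricted: only descendants (or PR_SET_PTRACER targets) may be attached";
    case 2: return "admin-only: attaching requires CAP_SYS_PTRACE";
    case 3: return "no attach: PTRACE_ATTACH is refused for every process";
    default: return "unknown";
    }
}

/* Read a small text file into buf. Returns 0 on success, -1 on failure. */
static int read_small_file(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 0;
}

/* Live check for the calling process: is a tracer attached right now?
 * Returns -1 when /proc is unavailable. */
long tracer_pid_of_self(void)
{
    char buf[4096];
    if (read_small_file("/proc/self/status", buf, sizeof buf) != 0)
        return -1;
    return parse_tracer_pid(buf);
}

/* Live check of the system-wide Yama setting (-1 when Yama is absent). */
int current_ptrace_scope(void)
{
    char buf[32];
    if (read_small_file("/proc/sys/kernel/yama/ptrace_scope", buf, sizeof buf) != 0)
        return -1;
    return parse_ptrace_scope(buf);
}

/* Opt the calling process out of unprivileged ptrace attachment: a
 * non-dumpable process can only be attached by a process holding
 * CAP_SYS_PTRACE. Returns 0 on success, -1 if unsupported or refused. */
int refuse_unprivileged_ptrace(void)
{
#ifdef __linux__
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == 0 ? 0 : -1;
#else
    return -1;
#endif
}

int main(void)
{
    printf("TracerPid: %ld\n", tracer_pid_of_self());
    int scope = current_ptrace_scope();
    printf("yama ptrace_scope: %d (%s)\n", scope, describe_ptrace_scope(scope));
    printf("PR_SET_DUMPABLE=0: %s\n",
           refuse_unprivileged_ptrace() == 0 ? "applied" : "not applied");
    return 0;
}
```

Run it under a debugger and TracerPid changes from 0 to the debugger's pid; a ptrace_scope of 0 is the "default" behavior the text describes, and raising it to 1 or higher (via sysctl) is what stops a same-uid attacker from attaching to an arbitrary running program in the first place. PR_SET_DUMPABLE also disables core dumps for the process, which is usually what you want for anything holding key material.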