Detecting the ET_DYN injection
I think that the most prevalent type of process infection is DLL injection, also known as .so injection. It is a clean and effective solution that suits the needs of most attackers and runtime malware. Let's take a look at an infected process, and I will highlight the ways in which we can identify parasite code.
Note
The terms shared object, shared library, DLL, and ET_DYN are all used synonymously throughout this book, especially in this particular section.
Azazel userland rootkit detection
Our infected process is a simple test program named ./host that is infected with the Azazel userland rootkit. Azazel is the newer version of the popular Jynx rootkit. Both of these rootkits rely on LD_PRELOAD to load a malicious shared library that hijacks various glibc shared library functions. We will inspect the infected process using various GNU tools and the Linux environment, such as the /proc filesystem.
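The two /proc artefacts this paragraph points at, the process's memory map and its environment, can be checked programmatically. The following script is an added example written for this section; it is not code from the book or from the Azazel or Jynx projects. It parses /proc/<pid>/maps to list every file-backed shared object and flags those mapped from outside a (assumed, adjust per distribution) set of trusted library directories, and it pulls LD_PRELOAD out of the NUL-separated /proc/<pid>/environ. The sample maps and environ contents at the bottom are constructed for the demonstration; the addresses, inode numbers and the /tmp/.hidden/libinject.so path are made up.

```python
# Added example (not from the book): inspect /proc/<pid>/maps and
# /proc/<pid>/environ for signs of an LD_PRELOAD-style shared object injection.
import re
from pathlib import Path

# Directories where legitimately installed shared libraries normally live.
# This list is an assumption; tune it for the system you are auditing.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# /proc/<pid>/maps line layout: address perms offset dev inode [pathname]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S+)\s+\S+\s+\S+\s+\S+\s*(?P<path>\S.*)?$"
)


def parse_maps(text):
    """Return (start, end, perms, path) tuples for each line of a maps file."""
    entries = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        entries.append((int(m["start"], 16), int(m["end"], 16), m["perms"], m["path"] or ""))
    return entries


def shared_objects(entries):
    """Distinct file-backed mappings whose path looks like a shared object (.so)."""
    seen = []
    for _, _, _, path in entries:
        if ".so" in path and path not in seen:
            seen.append(path)
    return seen


def suspicious_objects(entries):
    """Shared objects mapped from outside the trusted library directories."""
    return [p for p in shared_objects(entries) if not p.startswith(TRUSTED_LIB_DIRS)]


def ld_preload_from_environ(raw):
    """Extract the LD_PRELOAD value from NUL-separated environ bytes, or None."""
    key = b"LD_PRELOAD="
    for var in raw.split(b"\0"):
        if var.startswith(key):
            return var[len(key):].decode(errors="replace")
    return None


def inspect_process(pid):
    """Read the live /proc entries for pid (needs permission on that process)."""
    proc = Path("/proc") / str(pid)
    entries = parse_maps((proc / "maps").read_text())
    preload = ld_preload_from_environ((proc / "environ").read_bytes())
    return {"suspicious": suspicious_objects(entries), "ld_preload": preload}


# Constructed sample input: what maps/environ might look like for a process
# running with a preloaded library from a non-standard directory.
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 131 /home/user/host
00600000-00601000 rw-p 00000000 08:01 131 /home/user/host
7f1d2c000000-7f1d2c1c0000 r-xp 00000000 08:01 2341 /lib/x86_64-linux-gnu/libc-2.27.so
7f1d2c3c0000-7f1d2c3c6000 r-xp 00000000 08:01 9987 /tmp/.hidden/libinject.so
7f1d2c5c6000-7f1d2c5ed000 r-xp 00000000 08:01 2308 /lib/x86_64-linux-gnu/ld-2.27.so
7ffd2b3f0000-7ffd2b411000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.hidden/libinject.so\0HOME=/home/user\0"

if __name__ == "__main__":
    entries = parse_maps(SAMPLE_MAPS)
    print("shared objects:", shared_objects(entries))
    print("outside trusted dirs:", suspicious_objects(entries))
    print("LD_PRELOAD:", ld_preload_from_environ(SAMPLE_ENVIRON))
```

Run `inspect_process(pid)` against a live process to apply the same checks to real /proc data. Treat the two sources differently: /proc/<pid>/environ reflects memory the process itself can overwrite, so a rootkit may scrub LD_PRELOAD from it after loading, whereas the mapping of the injected object in /proc/<pid>/maps persists for as long as the library stays loaded, which makes the maps check the more reliable of the two.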
Mapping out the process address space
The first step while analyzing...