[Cialug] Nix Shared Code Injection
Chris Hilton
chris129 at cs.iastate.edu
Thu Jan 5 13:05:38 CST 2006
I've got a theoretical question. It's come to my attention that the way in
which a lot of spyware works is through some APIs in Windows (apparently
written for debuggers) by injecting a dll into another running process. The
standard process permissions apply, but you can inject from say bob.exe into
iexplorer.exe.
My question is about Nix though. Does anyone know if this can be done on Nix?
I've looked into Sys V IPC for shared memory and mmap and neither looks like
you could involuntarily do anything to another process's memory space (it'd
have to open the same IPC location if I read correctly).
I also looked at what processes look like under gdb, and not under it: they look
exactly the same. I compared /proc/`pidof procName`/maps for both.
I'm not finding anything to suggest a way to do this, at least not a way that
wouldn't be against what the documentation says. Does anyone know more about
this? It's piqued my curiosity.
On a side note, this is why zonealarm doesn't stop nearly as much spyware as
it used to. Since spyware can hitch its own dll on iexplorer and do its
sends from there it looks like iexplorer is connecting to the net; and no one
but a firefox user, who doesn't run updates, would refuse that ;).
--
"The only winning move is not to play."
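The comparison the poster describes, eyeballing /proc/PID/maps for a process under gdb versus one running normally, can be turned into a small checker. The script below is an added example and is not code from the original post or from the Cialug list: it parses the maps format (address range, permissions, offset, device, inode, optional pathname), flags mappings a defender would want to look at (executable and writable at once, executable but not backed by any file, executable but backed by a deleted file), and reports which mappings appeared in a later snapshot compared with a baseline one. The maps text, paths and inode numbers are constructed sample input, and the list of pseudo-files treated as benign (`[vdso]`, `[vsyscall]`) is an assumption you may need to extend for your kernel.

```python
"""Flag unusual mappings in /proc/<pid>/maps and diff two snapshots of it.

Added example for detection purposes; not part of the original post.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)\s*"
    r"(?P<path>.*)$"
)

# Kernel-provided pseudo-mappings that are executable and anonymous by design.
# Assumption: this list is sufficient for a typical x86-64 Linux; extend as needed.
BENIGN_ANONYMOUS_EXEC = {"[vdso]", "[vsyscall]"}


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    inode: int
    path: str

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def writable(self) -> bool:
        return "w" in self.perms

    @property
    def file_backed(self) -> bool:
        # Anonymous mappings report inode 0 and device 00:00.
        return self.inode != 0


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of a maps file into Mapping records; rejects garbage lines."""
    mappings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        mappings.append(Mapping(
            start=int(m["start"], 16),
            end=int(m["end"], 16),
            perms=m["perms"],
            inode=int(m["inode"]),
            path=m["path"].strip(),
        ))
    return mappings


def suspicious(mappings: List[Mapping]) -> List[Tuple[Mapping, List[str]]]:
    """Return (mapping, reasons) for mappings that do not look like normal loaded code."""
    findings = []
    for mp in mappings:
        reasons = []
        if mp.executable and mp.writable:
            reasons.append("writable+executable")
        if mp.executable and not mp.file_backed and mp.path not in BENIGN_ANONYMOUS_EXEC:
            reasons.append("anonymous executable")
        if mp.executable and mp.path.endswith("(deleted)"):
            reasons.append("deleted file backing executable mapping")
        if reasons:
            findings.append((mp, reasons))
    return findings


def added_mappings(baseline: List[Mapping], current: List[Mapping]) -> List[Mapping]:
    """Mappings present in `current` but absent from `baseline` (same range, perms, path)."""
    seen = {(m.start, m.end, m.perms, m.path) for m in baseline}
    return [m for m in current if (m.start, m.end, m.perms, m.path) not in seen]


# Constructed sample snapshots; addresses, paths and inodes are made up.
BASELINE_MAPS = """\
00400000-0040b000 r-xp 00000000 08:01 1310722   /usr/bin/sleep
0060a000-0060b000 rw-p 0000a000 08:01 1310722   /usr/bin/sleep
7f1c2a000000-7f1c2a021000 rw-p 00000000 00:00 0
7f1c2a400000-7f1c2a5c0000 r-xp 00000000 08:01 2621446   /lib/x86_64-linux-gnu/libc.so.6
7ffd4b3f2000-7ffd4b3f4000 r-xp 00000000 00:00 0          [vdso]
"""

LATER_MAPS = BASELINE_MAPS + """\
7f1c2a800000-7f1c2a801000 rwxp 00000000 00:00 0
7f1c2aa00000-7f1c2aa10000 r-xp 00000000 08:01 2625001   /tmp/libfoo.so (deleted)
"""

if __name__ == "__main__":
    before, after = parse_maps(BASELINE_MAPS), parse_maps(LATER_MAPS)
    for mp, why in suspicious(after):
        print(f"{mp.start:x}-{mp.end:x} {mp.perms} {mp.path or '<anon>'}: {', '.join(why)}")
    for mp in added_mappings(before, after):
        print(f"new since baseline: {mp.start:x}-{mp.end:x} {mp.perms} {mp.path or '<anon>'}")
```

On a live system, read `/proc/<pid>/maps` once as a baseline and again later (or compare against a known-good instance of the same binary); the heuristics here only surface candidates, since JIT compilers legitimately create writable, executable anonymous regions, so treat each hit as a prompt for inspection rather than a verdict.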