[Cialug] Nix Shared Code Injection

Chris Hilton chris129 at cs.iastate.edu
Thu Jan 5 14:04:19 CST 2006


How could you have read/write access to another process's memory without it
explicitly giving it to you via shared memory?

On Thursday 05 January 2006 13:31, John.Lengeling at radisys.com wrote:
> Thinking off the top of my head...
>
> Under UNIX, there isn't an API call (that I know of...) which would do the
> same thing as Windows, but there are several ways of injecting code or
> getting a process to run arbitrary code:
>
> 1. R/W access to the Kernel memory - If you have r/w access, you can
> access any part of the kernel or any process's memory.  Plus the ghost is
> up for anything else since  you can easily get root access.
> 2. R/W access to the Process memory - If  you have r/w access, you can
> change code/data in the process's memory space.  And if the process has
> root permissions, then even better.
> 3. Buffer overflows - If you can overflow a buffer, you can force the
> process to execute arbitrary code.  See information on Morris Worm.
> 4. Intercepting exec/forks of new processes -  Badly written exec/fork
> code can be compromised by executing some other program.
>
> Chris Hilton <chris129 at cs.iastate.edu>
> Sent by: cialug-bounces at cialug.org
> 01/05/2006 01:05 PM
> Please respond to
> Central Iowa Linux Users Group <cialug at cialug.org>
>
> To: Central Iowa Linux Users Group <cialug at cialug.org>, amesfug at amesfug.org
> cc:
> Subject: [Cialug] Nix Shared Code Injection
>
> I've got a theoretical question.  It's come to my attention that the way
> in which a lot of spyware works is through some APIs in Windows (apparently
> written for debuggers) by injecting a dll into another running process.  The
> standard process permissions apply, but you can inject from say bob.exe
> into iexplorer.exe.
> My question is about Nix though.  Does anyone know if this can be done on
> Nix?
>
> I've looked into Sys V IPC for shared memory and mmap, and neither looks
> like you could involuntarily do anything to another process's memory space
> (it'd have to open the same IPC location if I read correctly).
> I also looked at what processes look like under gdb and not under it: they
> look exactly the same.  I used /proc/`pidof procName`/maps to compare.
>
> I'm not finding anything to suggest a way to do this, at least not a way
> that wouldn't be against what the documentation says.  Does anyone know
> more about this?  It's piqued my curiosity.
>
>
> On a side note, this is why zonealarm doesn't stop nearly as much spyware
> as it used to.  Since spyware can hitch its own dll on iexplorer and do its
> sends from there, it looks like iexplorer is connecting to the net; and no
> one but a firefox user, who doesn't run updates, would refuse that ;).

-- 
"The only winning move is not to play."
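The question in this thread (how does one process get read/write access to another process's memory on Unix, as in John's item 2) is answered by the same mechanism gdb uses: ptrace(2), the documented debugger interface on Linux. The following is an added example, not code from either poster. It forks a child that consents to tracing with PTRACE_TRACEME, stops it, reads a variable out of the child's memory with PTRACE_PEEKDATA, overwrites it with PTRACE_POKEDATA, and resumes the child, which then exits with the value the parent planted. The function and variable names (`poke_child_flag`, `flag`, `reap_and_fail`) are mine. Because the child is a fork of the tracer, `&flag` is the same virtual address in both processes; against an unrelated process you would have to resolve the address from /proc/<pid>/maps and the target's symbol table, and attach with PTRACE_ATTACH rather than TRACEME.

```c
/* ptrace_poke.c: read and overwrite a variable inside another process's
 * address space with ptrace(2), the debugger interface Unix offers.
 * Linux only; added example, not code from the thread. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The child exits with this value; the parent rewrites it from outside.
 * It is a long so that one PEEKDATA/POKEDATA word covers it exactly. */
static volatile long flag = 1;

/* Kill a stopped tracee we can no longer drive, and report failure. */
static int reap_and_fail(pid_t pid)
{
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return -1;
}

/* Fork a child that consents to being traced, stop it, read `flag` out of
 * its memory into *before_out, overwrite it with new_value and let the
 * child run on.  Returns the child's exit status, which is the value it
 * found in `flag` after being resumed, or -1 if tracing failed. */
int poke_child_flag(long new_value, long *before_out)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: PTRACE_TRACEME makes the parent our tracer, then stop so
         * the parent can touch our memory while we are not running. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
            _exit(255);
        raise(SIGSTOP);
        /* Resumed: exit with whatever `flag` holds now. */
        _exit((int)(flag & 0xff));
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status))
        return -1;   /* child never stopped: TRACEME was refused */

    /* The child is a fork of this process, so &flag is the same virtual
     * address in both.  For an unrelated process you would find the
     * address from /proc/<pid>/maps plus the target's symbols instead. */
    errno = 0;
    long before = ptrace(PTRACE_PEEKDATA, pid, (void *)&flag, NULL);
    if (before == -1 && errno != 0)
        return reap_and_fail(pid);
    if (before_out)
        *before_out = before;

    if (ptrace(PTRACE_POKEDATA, pid, (void *)&flag, (void *)new_value) < 0)
        return reap_and_fail(pid);

    /* Resume without delivering the SIGSTOP (data argument 0 = no signal). */
    if (ptrace(PTRACE_CONT, pid, NULL, NULL) < 0)
        return reap_and_fail(pid);

    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    long before = 0;
    int got = poke_child_flag(42, &before);
    printf("child had flag=%ld, parent poked 42, child exited with %d\n",
           before, got);
    return got == 42 ? 0 : 1;
}
```

The ordinary permission rule applies just as it does for the Windows debugger APIs the original post describes: an unprivileged tracer can only attach to processes running under its own uid, and a setuid target is off limits without CAP_SYS_PTRACE. On kernels with the Yama LSM, /proc/sys/kernel/yama/ptrace_scope tightens this further; at scope 2 or 3 the call above returns -1 unless run with CAP_SYS_PTRACE, which is the knob to check first when an injection or debugging tool unexpectedly fails with EPERM.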