Difference between revisions of "Parasite code"
Revision as of 18:16, 1 December 2014
Overview
Parasite code is a binary blob of code built in PIE format so that it can execute inside another process's address space. Because it runs in a foreign address space and cannot rely on that process's libc, and for the sake of simplicity, parasite code uses raw system calls only.
Running the parasite
Injecting parasite code can be split into two phases:
- preparation of the victim task
- the injection itself
During the preparation stage we move the victim into the so-called seized state with the ptrace system call (PTRACE_SEIZE followed by PTRACE_INTERRUPT); unlike PTRACE_ATTACH this sends no SIGSTOP, so the victim does not notice that it is being manipulated. Once it is seized we substitute the code at the victim's current CS:IP with an mmap system call that allocates the shared memory area needed to carry the parasite blob, and put the original code and registers back once the call has returned.
The injection itself is simple: because we now have a shared memory slab allocated inside the victim's address space, we can scan the /proc/$pid/map_files/ directory, open the entry that corresponds to the slab and mmap it into CRIU's own address space. Once mapped we simply copy the parasite code there with memcpy. The slab has to be a shared mapping: map_files lists only file-backed mappings, and a shared anonymous mapping is backed by a shmem file while a private one is not. Following a map_files link also requires CAP_SYS_ADMIN (or CAP_CHECKPOINT_RESTORE on Linux 5.9 and later).
At this point we can run the parasite by pointing the victim's CS:IP at the blob and resuming it with ptrace again. After that the parasite spins, listening on a socket for commands from the outside world.
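The two phases above as an added example, not CRIU's own code: a minimal x86-64 injector that seizes a forked child with ptrace, runs mmap inside it, locates the slab through /proc/$pid/map_files/, copies a blob in and resumes the victim on it. Everything here is this example's own: the function names, the "syscall; int3" trampoline used to execute a call in the seized task, and the stand-in parasite, which just calls getpid() and traps with int3 instead of serving a socket. It assumes Linux x86-64, a single-threaded victim, and that the injector runs as root, because following a map_files link needs CAP_SYS_ADMIN or CAP_CHECKPOINT_RESTORE.

```c
/* Added example, not CRIU's code. Assumes Linux x86-64, root (following a map_files
 * link needs CAP_SYS_ADMIN or CAP_CHECKPOINT_RESTORE), a single-threaded victim, and a
 * stand-in parasite that only calls getpid() and traps with int3 instead of serving a socket. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Name of the /proc/$pid/map_files/ entry for a mapping: "<start>-<end>" in hex. */
int map_files_entry(unsigned long start, unsigned long end, char *buf, size_t sz)
{
    return snprintf(buf, sz, "%lx-%lx", start, end);
}

/* Scan /proc/$pid/map_files/ for the slab mmap'ed inside the victim; 0 if found. */
int find_map_file(pid_t pid, unsigned long start, unsigned long end, char *path, size_t sz)
{
    char dir[48], want[48];
    struct dirent *e;
    snprintf(dir, sizeof dir, "/proc/%d/map_files", pid);
    map_files_entry(start, end, want, sizeof want);
    DIR *d = opendir(dir);
    if (!d) return -1;
    while ((e = readdir(d)) && strcmp(e->d_name, want) != 0)
        ;                                      /* not ours, keep scanning */
    closedir(d);
    if (!e) return -1;
    snprintf(path, sz, "%s/%s", dir, want);
    return 0;
}

#ifdef __x86_64__
/* Run one syscall inside the seized victim: plant "syscall; int3" at its RIP, load the
 * arguments, resume until the int3 traps, then put code and registers back.
 * orig_rax = -1 keeps the kernel's syscall-restart logic from touching our call. */
static long victim_syscall(pid_t pid, long nr, unsigned long a1, unsigned long a2,
        unsigned long a3, unsigned long a4, unsigned long a5, unsigned long a6)
{
    struct user_regs_struct saved, r;
    int st;
    ptrace(PTRACE_GETREGS, pid, 0, &saved);
    long orig = ptrace(PTRACE_PEEKTEXT, pid, saved.rip, 0);
    ptrace(PTRACE_POKETEXT, pid, saved.rip, (orig & ~0xffffffL) | 0xcc050fL);
    r = saved; r.rax = nr; r.orig_rax = -1;
    r.rdi = a1; r.rsi = a2; r.rdx = a3; r.r10 = a4; r.r8 = a5; r.r9 = a6;
    ptrace(PTRACE_SETREGS, pid, 0, &r);
    ptrace(PTRACE_CONT, pid, 0, 0);
    waitpid(pid, &st, __WALL);                 /* SIGTRAP from the int3 */
    ptrace(PTRACE_GETREGS, pid, 0, &r);
    ptrace(PTRACE_POKETEXT, pid, saved.rip, orig);
    ptrace(PTRACE_SETREGS, pid, 0, &saved);
    return (long)r.rax;
}

/* Phase 2: mmap a shared slab in the victim, open it through map_files, copy the blob
 * in, then aim RIP at it and run until it traps. Returns the victim's RAX at that trap. */
static long inject_and_run(pid_t pid, const unsigned char *blob, size_t len)
{
    struct user_regs_struct saved, r;
    char path[96];
    int st, fd;
    long rc = -1;
    size_t slab = (len + 4095) & ~4095UL;      /* x86-64 pages; mmap rounds up anyway */
    unsigned long addr = victim_syscall(pid, SYS_mmap, 0, slab, PROT_READ | PROT_WRITE | PROT_EXEC,
                                        MAP_SHARED | MAP_ANONYMOUS, -1UL, 0);
    if (addr > -4096UL || find_map_file(pid, addr, addr + slab, path, sizeof path) < 0)
        return -1;                             /* mmap failed or slab not listed */
    if ((fd = open(path, O_RDWR)) < 0) { perror(path); return -1; }
    void *local = mmap(NULL, slab, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);
    if (local == MAP_FAILED) return -1;
    memcpy(local, blob, len);                  /* the injection itself */
    munmap(local, slab);
    ptrace(PTRACE_GETREGS, pid, 0, &saved);
    r = saved; r.rip = addr; r.orig_rax = -1;
    ptrace(PTRACE_SETREGS, pid, 0, &r);
    ptrace(PTRACE_CONT, pid, 0, 0);
    if (waitpid(pid, &st, __WALL) == pid && WIFSTOPPED(st) && WSTOPSIG(st) == SIGTRAP &&
        ptrace(PTRACE_GETREGS, pid, 0, &r) == 0)
        rc = (long)r.rax;
    ptrace(PTRACE_SETREGS, pid, 0, &saved);    /* hand the victim its context back */
    return rc;
}

int main(void)
{
    /* Stand-in parasite: mov eax, 39 (getpid); syscall; int3 */
    static const unsigned char blob[] = { 0xb8, 0x27, 0, 0, 0, 0x0f, 0x05, 0xcc };
    int st;
    pid_t pid = fork();
    if (pid == 0) for (;;) pause();            /* victim: idle inside a syscall */
    usleep(10000);
    /* Phase 1: seize, then park the victim. No SIGSTOP is sent, so it notices nothing. */
    if (ptrace(PTRACE_SEIZE, pid, 0, 0) < 0 || ptrace(PTRACE_INTERRUPT, pid, 0, 0) < 0 ||
        waitpid(pid, &st, __WALL) != pid) { perror("seize"); return 1; }
    long got = inject_and_run(pid, blob, sizeof blob);
    printf("victim %d: parasite getpid() returned %ld (%s)\n", pid, got, got == pid ? "ok" : "FAIL");
    ptrace(PTRACE_DETACH, pid, 0, 0);
    kill(pid, SIGKILL);
    return got == pid ? 0 : 1;
}
#endif
```

Build with gcc and run as root; the getpid() value reported by the blob should equal the victim's pid, which shows the code really ran in the victim's context. With a multi-threaded victim every thread must be seized before the code at CS:IP is patched, since any thread still running could execute the trampoline.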