Difference between revisions of "Parasite code"

From CRIU
Jump to navigation Jump to search
Line 5: Line 5:
 
=== Running the parasite ===
 
=== Running the parasite ===
  
Injection of a parasite code may be spitted into two phases
+
Injection of a parasite code may be splitted into two phases
  
 
# preparation of a victim task
 
# preparation of a victim task
 
# injection itself
 
# injection itself
  
During preparation stage we move a victim into that named ''seized'' state with help of '''prctl''' system call (in this state the victim does not recognize that it is being manipulated by someone). Once seized we substitute current CS:IP code with '''mmap''' system call allocating shared memory space needed to carry parasite blob.
+
During preparation stage we move a victim into that named ''seized'' state with help of '''prctl''' system call (in this state the victim does not recognize that it is being manipulated by someone). Once seized we substitute current code at '''IP''' (instruction pointer) with '''mmap''' system call allocating a shared memory space needed to carry a parasite blob.
  
Parasite code injection is simple: because we have a shared memory slab allocated inside victim space we can scan <code>/proc/$pid/map_files/</code> directory and open this slab inside CRIU address space. Once opened we simply copy parasite code there with '''memcpy'''.
+
Parasite code injection itself is pretty simple: because we have a shared memory slab allocated inside a victim space we can scan <code>/proc/$pid/map_files/</code> directory and open this slab inside CRIU address space. Once opened we simply copy parasite code there with '''memcpy'''.
  
At this moment we can run parasite code adjusting CS:IP of the victim and call '''prctl''' again. After that parasite is spinning listening the socket for commands from outside world.
+
At this moment we can run parasite code adjusting '''IP''' of the victim and call '''prctl''' again. After that parasite is spinning listening the socket for commands from outside world.
  
 
=== Parasite internal structure ===
 
=== Parasite internal structure ===

Revision as of 15:44, 16 December 2014

Overview

Parasite code is a binary blob of code built in PIE format for execution inside another process address space. As result in a sake of simplicity parasite code utilize native system calls only.

Running the parasite

Injection of a parasite code may be splitted into two phases

  1. preparation of a victim task
  2. injection itself

During preparation stage we move a victim into that named seized state with help of prctl system call (in this state the victim does not recognize that it is being manipulated by someone). Once seized we substitute current code at IP (instruction pointer) with mmap system call allocating a shared memory space needed to carry a parasite blob.

Parasite code injection itself is pretty simple: because we have a shared memory slab allocated inside a victim space we can scan /proc/$pid/map_files/ directory and open this slab inside CRIU address space. Once opened we simply copy parasite code there with memcpy.

At this moment we can run parasite code adjusting IP of the victim and call prctl again. After that parasite is spinning listening the socket for commands from outside world.

Parasite internal structure

Internally parasite code is represented as two blocks

  1. a bootstrap written in assembly language
  2. a daemon written in C language
Parasite-structure.svg

Parasite bootstrap

Parasite bootstrap lives in parasite-head.S file and simply prepares the own stack (nipping off a few bytes) and literally calls for body execution. Once main body execution is complete we simply call the cpu trap thus CRIU can intercept this moment and cure the victim restoring its original code contents.

Parasite daemon

Parasite daemon lives in pie/parasite.c file and as file extension implies is written in pure C language. The entry point is parasite_service, which simply opens unix socket and reads the command to service.