2,257
edits
Changes
Jump to navigation
Jump to search
Created page with "== Usage ideas == One thing parasite code can do is call clone() and create thread having access to main process VM, FDT, FS, etc. The new thread can then * Check socket FDs..."
== Usage ideas ==
One thing parasite code can do is call clone() and create thread having access to main process VM, FDT, FS, etc. The new thread can then
* Check socket FDs to get stuck/closed by polling them
* Apply "logrotate" on the fly
* Garbage collector
* Catch SIGSEGV, do smth with mappings and act upon "illegal" memory access
** Remote swap for task
** WSS detection
Another is to do some activity on the victim and then just unload. With this we can
* Death detection. Open pipe/socket and pass the other end outside. Once the victim dies the pipe/socket will wake up.
* Binary updates. E.g. live patching or libs relink
* Tunneling -- replace opened socket with unix one, and send the former one to the caller
** Inject socket spy
** Pack/Unpack
** Crypt/Decrypt
** Traffic analyzer
** Traffic fanout (multiplex)
* The same for files on disks -- proxy via pipe(s)
** Filter/split logs
* Do "nohup" on the fly
* Debug stuff by MSG_PEEK-ing sockets messages of tee+splice sockets
* Re-connect sleeping sockets to other addresses (not 100% safe)
* "Soft" restart of a service -- call execve() from it's context
* Force entering into CT (except pid namespace, probably)
* Re-open all files (and cwd, root) to facilitate moving on new / (e.g. for disk replacement)
* Remove leaks from e.g. malloc/free heap
* Force reparent (pid change!)
** Re-open all files -- force daemonize
[[Category: Compel]]
One thing parasite code can do is call clone() and create thread having access to main process VM, FDT, FS, etc. The new thread can then
* Check socket FDs to get stuck/closed by polling them
* Apply "logrotate" on the fly
* Garbage collector
* Catch SIGSEGV, do smth with mappings and act upon "illegal" memory access
** Remote swap for task
** WSS detection
Another is to do some activity on the victim and then just unload. With this we can
* Death detection. Open pipe/socket and pass the other end outside. Once the victim dies the pipe/socket will wake up.
* Binary updates. E.g. live patching or libs relink
* Tunneling -- replace opened socket with unix one, and send the former one to the caller
** Inject socket spy
** Pack/Unpack
** Crypt/Decrypt
** Traffic analyzer
** Traffic fanout (multiplex)
* The same for files on disks -- proxy via pipe(s)
** Filter/split logs
* Do "nohup" on the fly
* Debug stuff by MSG_PEEK-ing sockets messages of tee+splice sockets
* Re-connect sleeping sockets to other addresses (not 100% safe)
* "Soft" restart of a service -- call execve() from it's context
* Force entering into CT (except pid namespace, probably)
* Re-open all files (and cwd, root) to facilitate moving on new / (e.g. for disk replacement)
* Remove leaks from e.g. malloc/free heap
* Force reparent (pid change!)
** Re-open all files -- force daemonize
[[Category: Compel]]