Hackers of India

Linux thread injection - The jugaad way

Aseem Jakhar

2011/09/19

Abstract

Windows malware conveniently uses the CreateRemoteThread() API to delegate critical tasks to other processes. Until now, however, there has been no API on Linux to perform such an operation. This paper describes my research on creating an API similar to CreateRemoteThread() for *nix OSes. The aim of the research is to show how a simple debugging facility in *nix OSes can be exploited by malware to hide itself and delegate (inject) the critical (malicious) operation to an innocent process. The proof-of-concept toolkit, code-named "Jugaad", currently works on Linux: it allocates space inside a process and injects and executes an arbitrary payload as a thread in that process. It uses the ptrace() facility to manipulate other processes on the system. ptrace() is an API generally used by debuggers to manipulate (debug) a program. By using the same functionality to inject code and manipulate a program's flow of execution, Jugaad is able to inject the payload as a thread. Jugaad performs an in-memory thread injection and is therefore stealthy. It does, however, allocate memory in the process with the mmap2 system call; this shows up only as allocated memory in the process's maps file and reveals nothing about the injection, in contrast to shared-object injection, which reveals the name of the shared object in the process's maps file. The payload executed in the thread is independent of the toolkit: you choose your payload, Jugaad injects it. Finally, the talk concludes with options for protecting against attacks of this kind.
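The abstract notes that the only trace this kind of in-memory injection leaves is an anonymous region of allocated memory in the target's maps file, whereas shared-object injection exposes a file name. The following added example (written for this page, not part of the paper or the Jugaad toolkit) parses lines in the /proc/<pid>/maps format and flags executable regions with no backing file that the kernel did not create itself; the sample maps text and the process path /usr/bin/target are constructed.

```python
import re
from dataclasses import dataclass

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Anonymous executable regions the kernel creates itself; not suspicious on their own.
KERNEL_REGIONS = {"[vdso]", "[vsyscall]", "[stack]"}

# Constructed sample: a process with one anonymous rwx region, which is what an
# executable mmap made on the process's behalf by an injector would look like.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1310720                    /usr/bin/target
00651000-00652000 rw-p 00051000 08:01 1310720                    /usr/bin/target
01a2b000-01a4c000 rw-p 00000000 00:00 0                          [heap]
7f3a1c000000-7f3a1c001000 rwxp 00000000 00:00 0
7f3a1c200000-7f3a1c3c0000 r-xp 00000000 08:01 2621441            /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd4b2e1000-7ffd4b302000 rw-p 00000000 00:00 0                  [stack]
7ffd4b3ff000-7ffd4b401000 r-xp 00000000 00:00 0                  [vdso]
"""

@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    inode: int
    path: str

def parse_maps(text: str) -> list:
    """Parse maps-file text; lines that do not match the format are skipped."""
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                               m["perms"], int(m["inode"]), m["path"].strip()))
    return out

def suspicious_mappings(mappings: list) -> list:
    """Executable regions with no backing file (inode 0) that are not kernel-provided.
    JIT runtimes create such regions legitimately, so treat hits as leads to
    correlate with ptrace attach activity on the host, not as proof of injection."""
    return [m for m in mappings
            if "x" in m.perms and m.inode == 0 and m.path not in KERNEL_REGIONS]
```

To check a live process, pass the contents of its /proc/<pid>/maps file to parse_maps() (reading it requires the same privilege as attaching a debugger to that process).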