Hackers of India

Runtime thread injection and execution in Linux processes

By Aseem Jakhar on 06 Sep 2011 @ Securitybyte

This talk covers the following tools, which the speaker has authored or contributed to:
JUGAAD

Abstract

Windows malware conveniently uses the CreateRemoteThread() API to delegate critical tasks inside of other processes. However, until now there has been no API on Linux to perform such an operation. This paper talks about my research on creating an API similar to CreateRemoteThread() on *nix OSes. The aim of the research is to show how a simple debugging functionality in *nix OSes can be exploited by malware to hide itself and delegate (inject) the critical (malicious) operation to an innocent process. The proof-of-concept toolkit, code-named “Jugaad”, currently works on Linux, allocates space inside a process, and injects and executes an arbitrary payload as a thread in that process. It utilizes the ptrace() functionality to manipulate other processes on the system. ptrace() is an API generally used by debuggers to manipulate (debug) a program. The talk will conclude with options for protecting against any such kind of attack.