Home > Linux, Programming, Security > My 0x375 presentation – injecting code at a running process!

My 0x375 presentation – injecting code at a running process!

It’s been a LOT of time since I last posted to my blog. Unfortunately, I’ve been too busy to write something even if I had some ideas. So, here is my first post after more than a month of absence!

I recently made a presentation at the 0x375 (Thessaloniki Tech Talk Sessions). You can find more info about 0x375 at the grhack site. In short, it is a series of some tech talk session where anyone can present his work on a subject. Submissions are open for everyone. There are no regular dates but if you watch the site you can find info about when and where the next event will take place (always at Thessaloniki and till now at the Aristotle University).

My presentation was about injecting code at a running process and running it as a separate thread. You can download it here. Since 0x375 takes place in Greece the presentation is written in Greek, sorry if you can’t ready it! In short what the technique I presented and the accompanying program does is create a new thread at a running process. The presentation talks about Linux, however a freebsd and an opensolaris version are ready. I will put them online soon so you can check it out. Wait for the next post!

Categories: Linux, Programming, Security Tags:
  1. March 23rd, 2010 at 13:44 | #1

    Nice approach Fotis. Nice apprach indeed.
    As I understand, you actual make a process (this is your program) then inject the attacked prcoess by creating an “interrupt” on it. This interrupt points to your process. After your process finish, return the functionality to the attacked process.
    I like your method because, you did all these @ run time…
    I have, also, had test by myself a more simple method (@ Win boxes) that you actually inject an executable file by embeding aseembly code to the (well known) code caves modifing the PE header…

  2. Fotis
    March 24th, 2010 at 22:04 | #2

    What I do is interrupt the program, save its state and then overwrite the code at the place where eip points to with my own code. All these are done by the first part of the program, the injector. When the program resumes execution, this new code is executed. After finishing the injected code executes an int3 command which makes it return to the injector. The injector restores the state of the program and overwrites the injected code with the original one.
    The code that was injected is the second part of the program. It is responsible for reserving some space, copying there the third part of the program, the code that will be executed in the new thread, and finally creating this thread.
    I believe that until tomorrow the new post will be ready, so wait for a few hours!

  1. March 25th, 2010 at 02:07 | #1

This site is using OpenAvatar based on

*

SEO Powered by Platinum SEO from Techblissonline
%d bloggers like this:

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close