
PreZ: my new injector!

Together with my presentation at 0x375 0x2 (check the previous post), I wrote a proof of concept program, PreZ! What it does is create a new thread in a running program. I will give a short description of the way it works. The images below are taken from the presentation and refer to the Linux version, but the same concept is used in all versions, i.e. Linux, FreeBSD and OpenSolaris.

PreZ consists of three parts: the injector, the thread creation code, and the code that will be executed in the new thread (the shellcode). The following steps take place each time you run PreZ.

At the beginning the injector stops the traced process, the ‘victim’. Its state is saved (the registers, plus some other things in the OpenSolaris version), together with the part of the code at the address the EIP register points to. That code is then overwritten with the other two parts, giving the modified address space shown in the image above. Execution then continues and the new code we just injected runs.

What the new code does is mmap a new region with read, write and execute permissions (the orange region in the image above). Then the shellcode at the end is copied to this new location. All of this runs in a single thread (the purple thread of execution in the image). A new thread is then spawned, and now we have two different threads of execution, the green and the pink in the image above.

Finally, the new thread jumps to the place where we copied the new code, and the original thread executes an int3 instruction. When this instruction is executed, the injector catches the trap and knows that the thread has been created successfully. The original code read at the beginning is restored, the saved state is restored, and finally execution continues. All of this is transparent to the original process, which has no way of telling that injected code has been executed.
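As an added example (not part of PreZ or of this post), here is a small defender-side check for the two artifacts the procedure above leaves behind while it runs: an anonymous mapping with read, write and execute permissions (the mmap'd region) and a non-zero TracerPid while the injector is attached with ptrace. The /proc/<pid>/maps and /proc/<pid>/status contents used here are constructed samples.

```python
import re
from typing import List, NamedTuple, Tuple


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    path: str


# /proc/<pid>/maps: address range, perms, offset, dev, inode, optional pathname
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of /proc/<pid>/maps into Mapping records."""
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            out.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                               m.group(3), m.group(4).strip()))
    return out


def suspicious_regions(maps: List[Mapping]) -> List[Mapping]:
    """Anonymous (file-less) mappings that are both writable and executable.
    A normal toolchain keeps W and X apart; an anonymous rwx region is what an
    mmap(PROT_READ|PROT_WRITE|PROT_EXEC) from injected code leaves behind.
    JIT runtimes also create such regions, so treat hits as leads, not verdicts."""
    return [m for m in maps
            if "w" in m.perms and "x" in m.perms and not m.path.startswith("/")]


def tracer_pid(status_text: str) -> int:
    """Return TracerPid from /proc/<pid>/status (0 means nobody is attached)."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split()[1])
    return 0


def scan_process(pid: int) -> Tuple[List[Mapping], int]:
    """Read the live /proc entries for one process and apply both checks."""
    with open(f"/proc/{pid}/maps") as f:
        regions = suspicious_regions(parse_maps(f.read()))
    with open(f"/proc/{pid}/status") as f:
        tracer = tracer_pid(f.read())
    return regions, tracer


# Constructed sample: a traced 'victim' with one anonymous rwx region.
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 131 /usr/bin/victim
00600000-00601000 rw-p 00000000 08:01 131 /usr/bin/victim
7f3a2c000000-7f3a2c001000 rwxp 00000000 00:00 0
7f3a2c200000-7f3a2c400000 rw-p 00000000 00:00 0 [heap]
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_STATUS = "Name:\tvictim\nState:\tt (tracing stop)\nTracerPid:\t4242\n"
```

Run `scan_process(pid)` over the PIDs in /proc to sweep a host; the TracerPid signal only holds while the injector is attached, whereas the rwx region persists for the life of the injected thread.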

PreZ v1.0 can be downloaded from this link. The sample code for the new thread listens for a connection on port 65226 and, when it accepts one, spawns a shell. You can do much more; this is just simple code to demonstrate the injection process.

  1. March 25th, 2010 at 02:31 | #1

    I really enjoyed your talk Fotis, nice work.

  2. March 25th, 2010 at 13:56 | #2

    \m/ \m/ *headbang*

  3. Fotis
    March 25th, 2010 at 14:51 | #3

    @argp Thanks!

    @thanasisk Don’t ask me for more warez 😛

  4. March 25th, 2010 at 20:17 | #4

    Yeah, you give them to your XAKER pals!

  5. February 15th, 2012 at 10:36 | #5

    Sweet, I checked the source code, really tasty 🙂
