Infecting foreign processes

#injection #rust #asm #ptrace #os | 2 min read | alemi | 2023-03-25 13:26

pox

I have always been fascinated by the way my Operating System makes my hardware work.

I understand transistors and logic gates, and I'm familiar with writing userspace programs. But what happens in between? While my job started teaching me about kernels, I stumbled upon "i'm in ur address space".

This video blew my mind and I absolutely had to do something like that myself! I thus decided to work on pox: an infection framework for processes.

My initial design works with the ptrace syscall (and thus only on Linux), but Windows injectors are easier due to CreateRemoteThread anyway. I built a set of tools to help mess with remote processes, and then an injector.
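The primitive such an injector is built on, as an added C example (pox's own tools are written in Rust; this is not the project's code): the tracer forks a child that volunteers for tracing with PTRACE_TRACEME and stops itself, the tracer then reads one word out of the stopped child with PTRACE_PEEKDATA, overwrites it with PTRACE_POKEDATA, and resumes it with PTRACE_CONT. Because the child is a fork of the tracer, the global `beacon` sits at the same address in both, so the tracer can use `&beacon` directly; `beacon`, `inject_word` and `run_demo` are constructed for this illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed marker: the tracee re-reads this word after it is resumed.
 * It is volatile so the compiler does not cache the pre-stop value. */
static volatile long beacon = 0x1111L;
#define PATCHED_VALUE 0x2222L

/* Tracee side: volunteer for tracing, stop, then report whether the
 * tracer overwrote `beacon` before letting us continue. Exit codes:
 * 0 = saw patched value, 1 = did not, 100 = ptrace itself was refused. */
static void tracee_body(void)
{
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        _exit(100);                 /* blocked by seccomp, Yama, ... */
    raise(SIGSTOP);                 /* hand control to the tracer */
    _exit(beacon == PATCHED_VALUE ? 0 : 1);
}

/* Tracer side: read one word from the stopped tracee, then overwrite it.
 * Returns 0 on success or a negative code naming the failing step. */
static int inject_word(pid_t pid, long *old_value)
{
    errno = 0;
    long word = ptrace(PTRACE_PEEKDATA, pid, (void *)&beacon, NULL);
    if (word == -1 && errno != 0)   /* -1 is a valid word, so check errno */
        return -3;
    *old_value = word;
    if (ptrace(PTRACE_POKEDATA, pid, (void *)&beacon,
               (void *)PATCHED_VALUE) == -1)
        return -4;
    return 0;
}

/* Full round trip. Returns 0 if the tracee observed the patched word,
 * 1 if it did not, negative if a ptrace/wait step failed on the way. */
int run_demo(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        tracee_body();              /* never returns */

    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFSTOPPED(status))
        return -2;                  /* tracee never reached its SIGSTOP */

    long old = 0;
    int rc = inject_word(pid, &old);
    if (rc == 0 && old != 0x1111L)  /* sanity: we read the original word */
        rc = -5;
    if (rc != 0) {
        kill(pid, SIGKILL);         /* do not leave a stopped child behind */
        waitpid(pid, NULL, 0);
        return rc;
    }

    /* data == NULL: resume without delivering the pending SIGSTOP */
    if (ptrace(PTRACE_CONT, pid, NULL, NULL) == -1)
        return -6;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -7;
    return WEXITSTATUS(status);
}

int main(void)
{
    int rc = run_demo();
    printf("run_demo() = %d (%s)\n", rc,
           rc == 0 ? "tracee saw the patched word" : "failed");
    return rc == 0 ? 0 : 1;
}
```

This is the child-volunteers variant, which Yama's `ptrace_scope=1` (the default on many distributions) still permits. Attaching to an unrelated, already-running process, which is what an injector needs, uses PTRACE_ATTACH or PTRACE_SEIZE and at scope 1 requires CAP_SYS_PTRACE; at scope 3 no attach is possible at all. That restriction, plus the register hijacking needed to make the target call dlopen on your behalf, is why a ptrace injector tends to need root and a non-hardened kernel.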

The naming comes from diseases (-pox being a common suffix, and injector being a transmission "vector"), because these things will make your processes ill! (:

This is still very much work in progress: it works, but only with root privileges and on unhardened kernels.

source code

cordy

Once I could load a custom shared object into arbitrary processes, I needed something to infect them with!

I built cordy, named from a zombie fungus: it will spawn a new thread in the affected process and expose a Lua REPL over TCP.

This allows me to "shell into" other processes and dump their stack/heap, allocate/deallocate regions or even overwrite their memory.

source code