Infecting foreign processes
alemi
2023-03-25 13:26
pox
I have always been fascinated by the way my Operating System makes my hardware work.
I understand transistors and logic gates, and I'm familiar with writing userspace programs. But what happens in between those? While my job started teaching me about kernels, I stumbled upon "i'm in ur address space".
This video blew my mind and I absolutely had to do something like that myself!
I thus decided to work on pox: an infection framework for processes.
My initial design works with the ptrace syscall (and thus only on Linux), but Windows injectors are easier due to CreateRemoteThread anyway.
I built a set of tools to help mess with remote processes, and then an injector.
The naming comes from diseases (-pox being a common suffix, and injector being a transmission "vector"), because these things will make your processes ill! (:
This is still very much work in progress: it works, but only with root privileges and on unhardened kernels.
cordy
Once I could load a custom shared object inside arbitrary processes, I needed something to infect them with!
I built cordy, named after a zombie fungus: it spawns a new thread in the affected process and exposes a Lua REPL over TCP.
This allows me to "shell into" other processes and dump their stack/heap, allocate/deallocate regions or even overwrite their memory.
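As an added example (not code from pox or cordy), here is the defender-side view of what the two tools above leave behind: a ptrace tracer still attached, visible as TracerPid in /proc/<pid>/status, and a shared object mapped from an unusual or already deleted path, visible in /proc/<pid>/maps. The sample status and maps texts are constructed, and the list of trusted library directories is an assumption to tune per host.

```python
import os

# Constructed sample input (not captured from a real system): a process with a
# tracer attached and a shared object mapped from /tmp and then unlinked.
SAMPLE_STATUS = "Name:\tnginx\nState:\tt (tracing stop)\nTracerPid:\t4242\nThreads:\t3\n"
SAMPLE_MAPS = (
    "55d2c0000000-55d2c0100000 r-xp 00000000 fd:01 1234 /usr/sbin/nginx\n"
    "7f10a0000000-7f10a0200000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f10a0400000-7f10a0410000 r-xp 00000000 fd:01 9999 /tmp/payload.so (deleted)\n"
    "7f10a0500000-7f10a0520000 rw-p 00000000 00:00 0\n"
)

# Directories a legitimately loaded library is expected to come from
# (assumption; tune per host).
TRUSTED_LIB_PREFIXES = ("/usr/lib", "/lib", "/usr/local/lib")

def tracer_pid(status_text):
    """TracerPid from a /proc/<pid>/status listing; 0 means nobody is attached."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    return 0

def suspicious_mappings(maps_text):
    """Shared objects mapped from outside the trusted directories, or deleted
    from disk after being mapped (a dropped-then-unlinked .so looks like this)."""
    found = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping: no backing file
        path = fields[5].strip()
        deleted = path.endswith(" (deleted)")
        clean = path[: -len(" (deleted)")] if deleted else path
        if ".so" not in os.path.basename(clean):
            continue  # not a shared object
        if (deleted or not clean.startswith(TRUSTED_LIB_PREFIXES)) and clean not in found:
            found.append(clean)
    return found

def assess(status_text, maps_text):
    """Findings for one process, combining both checks."""
    findings = []
    tp = tracer_pid(status_text)
    if tp:
        findings.append("ptrace attached by pid %d" % tp)
    for p in suspicious_mappings(maps_text):
        findings.append("unexpected shared object %s" % p)
    return findings
```

On a live Linux host the same functions can be fed the contents of /proc/<pid>/status and /proc/<pid>/maps for every readable pid; a tracer that detaches after injecting leaves only the mapping trace, so the second check is the more durable of the two.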