SlideShare una empresa de Scribd logo

Steelcon 2014 - Process Injection with Python

Descargar como PPTX, PDF
I
infodox

This is the slides to accompany the talk given by Darren Martyn at the Steelcon security conference in July 2014 about process injection using python. Covers using Python to manipulate processes by injecting code on x86, x86_64, and ARMv7l platforms, and writing a stager that automatically detects what platform it is running on and intelligently decides which shellcode to inject, and via which method. The Proof of Concept code is available at https://github.com/infodox/steelcon-python-injection

Internet
1 de 56
Python: Process Injection for Everyone! Darren Martyn Xiphos Research darren.martyn@xiphosresearch.co.uk
whoami • Darren Martyn / infodox • Penetration Tester & Researcher @ Xiphos Research Ltd • Forensics & Chemistry Student @ GMIT
what • Manipulating what another process is doing in memory • Memory-resident, process-less backdoors • Doing all this in Python
Use Cases • Getting around weird runtime packers, such as those used by malware developers to obfuscate code. • Cheating in video games! • Extending / Modifying a programs functionality at runtime! • Developing forensically challenging code.
Today… • We will talk about being bad guys! • Because, quite frankly, using this to develop a proof of concept version of a sneaky malware is the best way to demonstrate risk.
Today…
Forensically Challenging • The concepts outlined here will demonstrate how to create a forensically-challenging to detect piece of malware. • Note that this is not impossible to detect or mitigate against, we will discuss mitigations and suchlike later in the talk.
Before I begin… The basics. • First off, before we begin, we need to understand how the stack works. • Quite simple, will use the x86 stack as an example.
Stack – General Registers
Stack – General Layout
Stack – How code gets executed… • The EIP, or Extended Instruction Pointer, is the place on the stack where the next instruction to be executed sits. • In exploit development, overwriting the EIP with a return to an attacker controlled address is the “normal” way to get code to execute. • Conceptually, what we are doing is somewhat similar to exploit development, in that we wish to gain control of EIP and point it at our code.
Stack – How we are executing code • Instead of triggering a vulnerability such as in a buffer overflow exploit to gain control of the EIP, we are simply overwriting it using the powers of ptrace(). • The ptrace() system call is used for debugging software. It can both read and write arbitrary data to a process’s memory. • This allows us to directly manipulate the stack, and execute code or alter the programs state at runtime.
Process Injection 101 • Attach to process • Pause Process (this happens when attach) • Get EIP/RIP • Overwrite EIP/RIP with shellcode • Set EBX/RBX to 0 • Continue Process • Shellcode runs
Process Injection 101
Prior art of note… • Process injection has been done before on Linux. • One example of prior art is “Cymothoa”, by Crossbower. • Written in C, and released via Phrack magazine (a publication in which hackers publish research), it worked on x86 Linux and was extremely effective for injecting backdoors into other processes.
Prior art of note… • There is also some research done by elfmaster in vx-heaven. • Libhijack, by lattera, implements a whole library of functions to do this in an easy-to-use format. • Parasite, by jtripper, also uses these techniques to inject a bind shell into running processes. • None of the prior art to the best of my knowledge has been in anything other than C/ASM.
Python Code (warning: wall of text) process = attach(pid) # Attach to target PID rip = process.getInstrPointer() # get RIP bytes = process.writeBytes(rip, shellcode) # overwrite RIP with shellcode… process.setreg("rbx", 0) # set RBX to 0 process.cont() # Let process continue :)
Live Demo
Lets recap a little… Quick recap and suchlike to ensure everyone here is up to speed…
Problems • Host process usually crashes after shellcode exits • If it doesn’t crash, it will at LEAST act really weirdly • This is ugly • What do?
Problems
So we need a solution… • We have our code running in the infected processes memory • We need our code to not interfere with the process, and run along side it • How?
So we need a solution…
Let’s Fork() • Prepend our payload with some fork() shellcode • Process is forked, new clone runs with our shellcode running in it • Original process continues (theoretically) unchanged
Prepending Fork • “Prepending” means we affix something ahead of our main payload. • The fork syscall basically creates a new process, identical to the parent, as a “child” process. • This helps us avoid killing/damaging the parent process and causing possible loss of data or alerting administrators to our presence.
Prepending Fork • We prepend a shellcode to our shellcode which does the following: Step 1: Fork parent process. Step 2: Run our shellcode. Note: I even drew a terrible picture to explain this!
Prepending Fork Parent Process Parent Process Continues Child process spawned with shellcode in it, so it is infected fork() Execution flow of process….
Lets fork() – a demonstration of forking • Demo of forking (probably pre-recorded if live not working out).
Problems with forking • With fork, we create a new process • New process shows up in process listings • In future, I will be playing with clone() ala Cymothoa, but simply could not get it working for this yet
Back to the python • So far, we have scratched the surface of memory injection • So why Python for this? • Simplicity.
Python: Making the hard stuff easy • The injection code is incredibly short • We can very easily improve it if we feel the need • Can spend more time working on the rest of the project (like, say, the hard bit: shellcode!)
Enhancing our injector • So, the more astute of you may be wondering why I am clobbering the stack here, and leaving it in a fairly clobbered- state… • In this bit, I am going to *attempt* to restore the registers post-injection. This is not always successful, mind…
Enhancing our injector
Restoring the Registers (1) • This is a bit of a filthy hack, but worked well enough for me to consider it • Method I am using is a filthy hack and I should feel terrible • Again, be warned. This might crash
Restoring the Registers (2) • After process.cont(), we sleep for a second • We then restore the registers to pre-injection state • We then pray the fork prepender worked and that the stack is now unclobbered
Live Demo (this may well fail) No, really. You might want to close your eyes for this one
Moving swiftly on… • Now for the extra shiny fun part • Because its Python, our injector is portable • Write once, pwn everything • Well, kind of...
Writing a multi-arch injector • Our next toy is a process injector that magically determines if its on an x86 or x84_64 system, and reacts accordingly • So, let’s write the getArch() function, eh? • This is easy… 2 lines of code
Getting OS Architecture import platform # import platform module arch = platform.machine() # get architecture print arch # print architecture Test on 64bit Test on 32bit
Porting to x86 • Step 1 (hard bit). Rewrite shellcode for x86. • Step 2 (easy bit). Rewrite injector part for x86. • Porting injector part is easy! • s/rip/eip/ • s/rbx/ebx/
Demo of injection on x86 This is a demo of injecting a bindshell on x86. Not live, this box is x86_64.
Bonus! Porting to ARM (last minute addition) • x86 and x86_64 not too much of a challlenge… • Realized I could chroot Linux on Nexus 7 tablet… Which is ARMv7l. • Let’s explore ARMv7l…
ARMv7l – the important bits… • On ARM, the “EIP” is the PC register. • Our EBX equivalent is the R1 register. • Other registers not so important for our purposes.
ARMv7l – Challenges • First attempts were failures because my shellcodes seemed to simply be too large, causing segfaults. • Segfault, or segmentation fault, being a crash. This is bad, and will set off alarms. • Not an ARM expert, but guessing I was clobbering other registers with my bulky shellcodes. • Ended up using a staged Metasploit payload. No prepend-fork yet, so this is a work in progress! On exit, the parent does get killed!
ARMv7l – IT WORKS!
Adding Logic to our injector… • We can autodetect target machines architecture. • We can inject into all three architectures demonstrated. • One injector to rule them all!
Testing EnchantedMushroom… • Wrote a quick “stager” that runs python code in memory over SSH. “DiabolicalMouse”. • Decided to use this to test our newly created cross architecture injector tool, to see if we could get it working without dropping anything to disc… • Fairly hacky code, works for this demos purposes!
Demo of EnchantedMushroom/DiabolicalMouse Prerecorded demo as setting it up was a bit complex!
Future Ideas… • Explore this further on OSX/*BSD and Windows. • Automatic OS detection to go with Architecture detection? • More architectures! MIPSLE/BE, SPARC, PPC? • Improved shellcodes? • Remove python-ptrace dependency entirely…
Future Ideas… (2) • Implement our own ptrace using ctypes to avoid any non- native dependencies? • Lots of further research to do! Stuff like injecting entire ELF files in memory and suchlike! • Barrier of entry to exploring this stuff very low, anyone and everyone can make some research!
Limitations as an attack vector • As is, the attacker has to be able to execute code on your system to employ these kinds of techniques. • This means that by the time the attacker can do this, you are already compromised, by, say, weak login passwords, or exploitation of vulnerable software on your system. • *POST* exploitation technique, will not gain you any further access to a system.
Forensically Detecting This… • Forensic analysts should be aware of this vector of attack. • Some analysts only investigate artifacts written to disc. • This kind of analysis is useless against this kind of attack, wherin nothing is written to disc. • Analysts should dump the RAM on a suspected-compromised host to determine if anything exists in-memory.
Forensically Detecting This… • By comparing dumped memory against “good” samples, it may be possible to actually detect this after the fact. • Anti-malware solutions that actively scan memory might also be a decent defence against this kind of thing. • Network forensics may also assist in detection – observing the attack actually happening, unusual network connections, etc, could be a good indicator something has gone terribly wrong.
Possible Mitigations • Prevent access to ptrace() system call by non-root users. • Some distributions take this approach, but badly. • Disable ptrace() entirely on production webservers where debugging access is not required. • This is doable with certain kernel patches. Grsecurity locks down ptrace quite well (but is bypassable) • Monitor process memory and alert on any “unusual” alterations to said memoryspace.
Summary • Python makes hard things like memory hacking easy! • Writing cross architecture in-memory malware/implants is accessible to anyone! • Most architectures can be owned with very little effort/modification of existing code! • Further research needed into forensic detection of process manipulation and in-memory backdoors.
Thanks! Thanks to the SteelCon organizers for having me here today and allowing me to give this talk! Also thanks to my co-workers at Xiphos Research for helping me get this off the ground. Finally, thanks to all of you for listening!

Recomendados

Packers
PackersPackers
PackersAnge Albertini
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware styleSander Demeester
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheelsinfodox
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Honorary_BoT
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashinfodox
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 

Recomendados

Packers
PackersPackers
PackersAnge Albertini
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware styleSander Demeester
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheelsinfodox
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Honorary_BoT
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashinfodox
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the CorePeter Hlavaty
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowingPeter Hlavaty
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patternsPeter Hlavaty
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with DroidsPeter Hlavaty
 
Back to the CORE
Back to the COREBack to the CORE
Back to the COREPeter Hlavaty
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?Peter Hlavaty
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODEPeter Hlavaty
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school introPeter Hlavaty
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?zeroSteiner
 
Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Sam Bowne
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMPositive Hack Days
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
Fun With Dr Brown
Fun With Dr BrownFun With Dr Brown
Fun With Dr BrownzeroSteiner
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploitTiago Henriques
 
Exploitation and State Machines
Exploitation and State MachinesExploitation and State Machines
Exploitation and State MachinesMichael Scovetta
 

Más contenido relacionado

La actualidad más candente

Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowingPeter Hlavaty
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patternsPeter Hlavaty
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?Peter Hlavaty
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODEPeter Hlavaty
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school introPeter Hlavaty
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?zeroSteiner
 
Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Sam Bowne
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMPositive Hack Days
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
Fun With Dr Brown
Fun With Dr BrownFun With Dr Brown
Fun With Dr BrownzeroSteiner
 

La actualidad más candente (20)

Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowing
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with Droids
 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODE
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school intro
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
 
Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Practical Malware Analysis Ch12
Practical Malware Analysis Ch12
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMM
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
 
Fun With Dr Brown
Fun With Dr BrownFun With Dr Brown
Fun With Dr Brown
 

Similar a Steelcon 2014 - Process Injection with Python

Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploitTiago Henriques
 
Exploitation and State Machines
Exploitation and State MachinesExploitation and State Machines
Exploitation and State MachinesMichael Scovetta
 
Reverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdfReverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdfAbdelrahmanShaban3
 
Scratching the itch, making Scratch for the Raspberry Pie
Scratching the itch, making Scratch for the Raspberry PieScratching the itch, making Scratch for the Raspberry Pie
Scratching the itch, making Scratch for the Raspberry PieESUG
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1Andrei KUCHARAVY
 
Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Shahriman .
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONLyon Yang
 
Basic buffer overflow part1
Basic buffer overflow part1Basic buffer overflow part1
Basic buffer overflow part1Payampardaz
 
Project Basecamp: News From Camp 4
Project Basecamp: News From Camp 4Project Basecamp: News From Camp 4
Project Basecamp: News From Camp 4Digital Bond
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
 
Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Luis Grangeia
 
Burp plugin development for java n00bs (44 con)
Burp plugin development for java n00bs (44 con)Burp plugin development for java n00bs (44 con)
Burp plugin development for java n00bs (44 con)Marc Wickenden
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface DevicePositive Hack Days
 
Sensepost assessment automation
Sensepost assessment automationSensepost assessment automation
Sensepost assessment automationSensePost
 

Similar a Steelcon 2014 - Process Injection with Python (20)

Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
Exploitation and State Machines
Exploitation and State MachinesExploitation and State Machines
Exploitation and State Machines
 
Reverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdfReverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdf
 
Scratching the itch, making Scratch for the Raspberry Pie
Scratching the itch, making Scratch for the Raspberry PieScratching the itch, making Scratch for the Raspberry Pie
Scratching the itch, making Scratch for the Raspberry Pie
 
EhTrace -- RoP Hooks
EhTrace -- RoP HooksEhTrace -- RoP Hooks
EhTrace -- RoP Hooks
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1
 
Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.
 
Eusecwest
EusecwestEusecwest
Eusecwest
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
 
Basic buffer overflow part1
Basic buffer overflow part1Basic buffer overflow part1
Basic buffer overflow part1
 
Project Basecamp: News From Camp 4
Project Basecamp: News From Camp 4Project Basecamp: News From Camp 4
Project Basecamp: News From Camp 4
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
 
Tranning-2
Tranning-2Tranning-2
Tranning-2
 
Sonatype DevSecOps Leadership forum 2020
Sonatype DevSecOps Leadership forum 2020Sonatype DevSecOps Leadership forum 2020
Sonatype DevSecOps Leadership forum 2020
 
Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2
 
Burp plugin development for java n00bs (44 con)
Burp plugin development for java n00bs (44 con)Burp plugin development for java n00bs (44 con)
Burp plugin development for java n00bs (44 con)
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
Messing around avs
Messing around avsMessing around avs
Messing around avs
 
Sensepost assessment automation
Sensepost assessment automationSensepost assessment automation
Sensepost assessment automation
 

Último

定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationMarko4394
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 

Último (20)

定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentation
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 

Steelcon 2014 - Process Injection with Python

  • 1. Python: Process Injection for Everyone! Darren Martyn Xiphos Research darren.martyn@xiphosresearch.co.uk
  • 2. whoami • Darren Martyn / infodox • Penetration Tester & Researcher @ Xiphos Research Ltd • Forensics & Chemistry Student @ GMIT
  • 3. what • Manipulating what another process is doing in memory • Memory-resident, process-less backdoors • Doing all this in Python
  • 4. Use Cases • Getting around weird runtime packers, such as those used by malware developers to obfuscate code. • Cheating in video games! • Extending / Modifying a programs functionality at runtime! • Developing forensically challenging code.
  • 5. Today… • We will talk about being bad guys! • Because, quite frankly, using this to develop a proof of concept version of a sneaky malware is the best way to demonstrate risk.
  • 7. Forensically Challenging • The concepts outlined here will demonstrate how to create a forensically-challenging to detect piece of malware. • Note that this is not impossible to detect or mitigate against, we will discuss mitigations and suchlike later in the talk.
  • 8. Before I begin… The basics. • First off, before we begin, we need to understand how the stack works. • Quite simple, will use the x86 stack as an example.
  • 9. Stack – General Registers
  • 11. Stack – How code gets executed… • The EIP, or Extended Instruction Pointer, is the place on the stack where the next instruction to be executed sits. • In exploit development, overwriting the EIP with a return to an attacker controlled address is the “normal” way to get code to execute. • Conceptually, what we are doing is somewhat similar to exploit development, in that we wish to gain control of EIP and point it at our code.
  • 12. Stack – How we are executing code • Instead of triggering a vulnerability such as in a buffer overflow exploit to gain control of the EIP, we are simply overwriting it using the powers of ptrace(). • The ptrace() system call is used for debugging software. It can both read and write arbitrary data to a process’s memory. • This allows us to directly manipulate the stack, and execute code or alter the programs state at runtime.
  • 13. Process Injection 101 • Attach to process • Pause Process (this happens when attach) • Get EIP/RIP • Overwrite EIP/RIP with shellcode • Set EBX/RBX to 0 • Continue Process • Shellcode runs
  • 15. Prior art of note… • Process injection has been done before on Linux. • One example of prior art is “Cymothoa”, by Crossbower. • Written in C, and released via Phrack magazine (a publication in which hackers publish research), it worked on x86 Linux and was extremely effective for injecting backdoors into other processes.
  • 16. Prior art of note… • There is also some research done by elfmaster in vx-heaven. • Libhijack, by lattera, implements a whole library of functions to do this in an easy-to-use format. • Parasite, by jtripper, also uses these techniques to inject a bind shell into running processes. • None of the prior art to the best of my knowledge has been in anything other than C/ASM.
  • 17. Python Code (warning: wall of text) process = attach(pid) # Attach to target PID rip = process.getInstrPointer() # get RIP bytes = process.writeBytes(rip, shellcode) # overwrite RIP with shellcode… process.setreg("rbx", 0) # set RBX to 0 process.cont() # Let process continue :)
  • 19. Lets recap a little… Quick recap and suchlike to ensure everyone here is up to speed…
  • 20. Problems • Host process usually crashes after shellcode exits • If it doesn’t crash, it will at LEAST act really weirdly • This is ugly • What do?
  • 22. So we need a solution… • We have our code running in the infected processes memory • We need our code to not interfere with the process, and run along side it • How?
  • 23. So we need a solution…
  • 24. Let’s Fork() • Prepend our payload with some fork() shellcode • Process is forked, new clone runs with our shellcode running in it • Original process continues (theoretically) unchanged
  • 25. Prepending Fork • “Prepending” means we affix something ahead of our main payload. • The fork syscall basically creates a new process, identical to the parent, as a “child” process. • This helps us avoid killing/damaging the parent process and causing possible loss of data or alerting administrators to our presence.
  • 26. Prepending Fork • We prepend a shellcode to our shellcode which does the following: Step 1: Fork parent process. Step 2: Run our shellcode. Note: I even drew a terrible picture to explain this!
  • 27. Prepending Fork Parent Process Parent Process Continues Child process spawned with shellcode in it, so it is infected fork() Execution flow of process….
  • 28. Lets fork() – a demonstration of forking • Demo of forking (probably pre-recorded if live not working out).
  • 29. Problems with forking • With fork, we create a new process • New process shows up in process listings • In future, I will be playing with clone() ala Cymothoa, but simply could not get it working for this yet
  • 30. Back to the python • So far, we have scratched the surface of memory injection • So why Python for this? • Simplicity.
  • 31. Python: Making the hard stuff easy • The injection code is incredibly short • We can very easily improve it if we feel the need • Can spend more time working on the rest of the project (like, say, the hard bit: shellcode!)
  • 32. Enhancing our injector • So, the more astute of you may be wondering why I am clobbering the stack here, and leaving it in a fairly clobbered- state… • In this bit, I am going to *attempt* to restore the registers post-injection. This is not always successful, mind…
  • 34. Restoring the Registers (1) • This is a bit of a filthy hack, but worked well enough for me to consider it • Method I am using is a filthy hack and I should feel terrible • Again, be warned. This might crash
  • 35. Restoring the Registers (2) • After process.cont(), we sleep for a second • We then restore the registers to pre-injection state • We then pray the fork prepender worked and that the stack is now unclobbered
  • 36. Live Demo (this may well fail) No, really. You might want to close your eyes for this one
  • 37. Moving swiftly on… • Now for the extra shiny fun part • Because its Python, our injector is portable • Write once, pwn everything • Well, kind of...
  • 38. Writing a multi-arch injector • Our next toy is a process injector that magically determines if its on an x86 or x84_64 system, and reacts accordingly • So, let’s write the getArch() function, eh? • This is easy… 2 lines of code
  • 39. Getting OS Architecture import platform # import platform module arch = platform.machine() # get architecture print arch # print architecture Test on 64bit Test on 32bit
  • 40. Porting to x86 • Step 1 (hard bit). Rewrite shellcode for x86. • Step 2 (easy bit). Rewrite injector part for x86. • Porting injector part is easy! • s/rip/eip/ • s/rbx/ebx/
  • 41. Demo of injection on x86 This is a demo of injecting a bindshell on x86. Not live, this box is x86_64.
  • 42. Bonus! Porting to ARM (last minute addition) • x86 and x86_64 not too much of a challlenge… • Realized I could chroot Linux on Nexus 7 tablet… Which is ARMv7l. • Let’s explore ARMv7l…
  • 43. ARMv7l – the important bits… • On ARM, the “EIP” is the PC register. • Our EBX equivalent is the R1 register. • Other registers not so important for our purposes.
  • 44. ARMv7l – Challenges • First attempts were failures because my shellcodes seemed to simply be too large, causing segfaults. • Segfault, or segmentation fault, being a crash. This is bad, and will set off alarms. • Not an ARM expert, but guessing I was clobbering other registers with my bulky shellcodes. • Ended up using a staged Metasploit payload. No prepend-fork yet, so this is a work in progress! On exit, the parent does get killed!
  • 45. ARMv7l – IT WORKS!
  • 46. Adding Logic to our injector… • We can autodetect target machines architecture. • We can inject into all three architectures demonstrated. • One injector to rule them all!
  • 47. Testing EnchantedMushroom… • Wrote a quick “stager” that runs python code in memory over SSH. “DiabolicalMouse”. • Decided to use this to test our newly created cross architecture injector tool, to see if we could get it working without dropping anything to disc… • Fairly hacky code, works for this demos purposes!
  • 48. Demo of EnchantedMushroom/DiabolicalMouse Prerecorded demo as setting it up was a bit complex!
  • 49. Future Ideas… • Explore this further on OSX/*BSD and Windows. • Automatic OS detection to go with Architecture detection? • More architectures! MIPSLE/BE, SPARC, PPC? • Improved shellcodes? • Remove python-ptrace dependency entirely…
  • 50. Future Ideas… (2) • Implement our own ptrace using ctypes to avoid any non- native dependencies? • Lots of further research to do! Stuff like injecting entire ELF files in memory and suchlike! • Barrier of entry to exploring this stuff very low, anyone and everyone can make some research!
  • 51. Limitations as an attack vector • As is, the attacker has to be able to execute code on your system to employ these kinds of techniques. • This means that by the time the attacker can do this, you are already compromised, by, say, weak login passwords, or exploitation of vulnerable software on your system. • *POST* exploitation technique, will not gain you any further access to a system.
  • 52. Forensically Detecting This… • Forensic analysts should be aware of this vector of attack. • Some analysts only investigate artifacts written to disc. • This kind of analysis is useless against this kind of attack, wherin nothing is written to disc. • Analysts should dump the RAM on a suspected-compromised host to determine if anything exists in-memory.
  • 53. Forensically Detecting This… • By comparing dumped memory against “good” samples, it may be possible to actually detect this after the fact. • Anti-malware solutions that actively scan memory might also be a decent defence against this kind of thing. • Network forensics may also assist in detection – observing the attack actually happening, unusual network connections, etc, could be a good indicator something has gone terribly wrong.
  • 54. Possible Mitigations • Prevent access to ptrace() system call by non-root users. • Some distributions take this approach, but badly. • Disable ptrace() entirely on production webservers where debugging access is not required. • This is doable with certain kernel patches. Grsecurity locks down ptrace quite well (but is bypassable) • Monitor process memory and alert on any “unusual” alterations to said memoryspace.
  • 55. Summary • Python makes hard things like memory hacking easy! • Writing cross architecture in-memory malware/implants is accessible to anyone! • Most architectures can be owned with very little effort/modification of existing code! • Further research needed into forensic detection of process manipulation and in-memory backdoors.
  • 56. Thanks! Thanks to the SteelCon organizers for having me here today and allowing me to give this talk! Also thanks to my co-workers at Xiphos Research for helping me get this off the ground. Finally, thanks to all of you for listening!