
DavidBuchanan314 / Dlinject

Licence: MIT
Inject a shared library (i.e. arbitrary code) into a live Linux process, without ptrace

Programming Languages / tags: python, python3, assembly, shellcode

Projects that are alternatives of or similar to Dlinject

Rappel: A Linux-based assembly REPL for x86, amd64, armv7, and armv8
Mazucc: A minimalist C compiler with x86_64 code generation
Pyflame: A ptracing profiler for Python (deprecated and not maintained)
Beaengine: BeaEngine disasm project
Plasma: An interactive disassembler for x86/ARM/MIPS that can generate indented pseudo-code with colored syntax
Wingos: A little 64-bit operating system written in C++ with SMP support
Ddetours: Delphi Detours Library
Dynarmic: An ARM dynamic recompiler
Asm Dude: Visual Studio extension for assembly syntax highlighting and code completion in assembly files and the disassembly window
Sandy: A tiny "sandbox" to run untrusted code
Toaruos: A completely-from-scratch hobby operating system: bootloader, kernel, drivers, C library, and userspace including a composited graphical UI, dynamic linker, syntax-highlighting text editor, network stack, etc.
Limine: x86/x86_64 BIOS bootloader
Dora: Dora VM
Cuis Smalltalk Dev: Active development of Cuis Smalltalk
Unicorn: Unicorn CPU emulator framework (ARM, AArch64, M68K, Mips, Sparc, PowerPC, RiscV, X86)
Asmdb: Instructions database and utilities for X86/X64 and ARM (THUMB/A32/A64) architectures
X86 Bare Metal Examples: Dozens of minimal operating systems to learn x86 system programming. Tested on Ubuntu 17.10 host in QEMU 2.10 and real hardware. Userland cheat at: https://github.com/cirosantilli/linux-kernel-module-cheat#userland-assembly ARM baremetal setup at: https://github.com/cirosantilli/linux-kernel-module-cheat#baremetal-setup
Opensmalltalk Vm: Cross-platform virtual machine for Squeak, Pharo, Cuis, and Newspeak
Managarm: Pragmatic microkernel-based OS with fully asynchronous I/O
Docker Cloudflare Ddns: A small amd64/ARM/ARM64 Docker image that allows you to use CloudFlare as a DDNS / DynDNS provider

dlinject.py

Inject a shared library (i.e. arbitrary code) into a live Linux process, without ptrace. Inspired by Cexigua and linux-inject, among other things.


Usage

    .___.__  .__            __               __
  __| _/|  | |__| ____     |__| ____   _____/  |_  ______ ___.__.
 / __ | |  | |  |/    \    |  |/ __ \_/ ___\   __\ \____ <   |  |
/ /_/ | |  |_|  |   |  \   |  \  ___/\  \___|  |   |  |_> >___  |
\____ | |____/__|___|  /\__|  |\___  >\___  >__| /\|   __// ____|
     \/              \/\______|    \/     \/     \/|__|   \/

source: https://github.com/DavidBuchanan314/dlinject

usage: dlinject.py [-h] [--stopmethod {sigstop,cgroup_freeze,none}]
                   pid /path/to/lib.so

Inject a shared library into a live process.

positional arguments:
  pid                   The pid of the target process
  /path/to/lib.so       Path of the shared library to load (note: must be
                        relative to the target process's cwd, or absolute)

optional arguments:
  -h, --help            show this help message and exit
  --stopmethod {sigstop,cgroup_freeze,none}
                        How to stop the target process prior to shellcode
                        injection. SIGSTOP (default) can have side-effects.
                        cgroup freeze requires root. 'none' is likely to cause
                        race conditions.

Why?

  • Because I can.

  • There are various anti-ptrace techniques, which this evades by simply not using ptrace.

  • I don't like ptrace.

  • Using LD_PRELOAD can sometimes be fiddly or impossible, if the process you want to inject into is spawned by another process with a clean environment.

How it Works

  • Send the stop signal to the target process. (optional)

  • Locate the _dl_open() symbol in the target's copy of ld.so (the dynamic loader's load address can be read from /proc/[pid]/maps).

  • Retrieve RIP and RSP via /proc/[pid]/syscall. This only yields registers while the target is stopped or blocked in a syscall; a task that is on-CPU reports just "running".

  • Make a backup of part of the stack, and the code we're about to overwrite with our shellcode, by reading from /proc/[pid]/mem.

  • Generate primary and secondary shellcode buffers.

  • Insert primary shellcode at RIP, by writing to /proc/[pid]/mem.

  • The primary shellcode:

    • Pushes common registers to the stack.
    • Loads the secondary shellcode via mmap().
    • Jumps to the secondary shellcode.
  • The secondary shellcode:

    • Restores the stack and program code to their original states.
    • Pivots the stack (so we don't touch the original one at all).
    • Calls _dl_open() to load the user-specified library. Any constructors will be executed on load, as usual.
    • Restores register state, un-pivots the stack, and jumps back to where it was at the time of the original SIGSTOP.
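The host-side bookkeeping of the steps above (recover RSP/RIP from /proc/[pid]/syscall, read and write /proc/[pid]/mem, back up what the stubs would clobber), as an added example in stdlib Python. This is not dlinject's own code: the /proc sample lines are constructed, CODE_LEN and STACK_LEN are assumed sizes rather than the tool's constants, and the two shellcode stages themselves are not reproduced.

```python
"""Added example (not dlinject's code): parse /proc/[pid]/syscall, then read,
write, back up and restore target memory through /proc/[pid]/mem."""
import ctypes
import os
from dataclasses import dataclass
from typing import Optional, Tuple

CODE_LEN = 64    # assumed: bytes at RIP a stage-1 stub would overwrite
STACK_LEN = 128  # assumed: bytes below RSP its pushes would clobber


@dataclass
class SyscallState:
    nr: int                 # syscall number, or -1 when stopped outside a syscall
    args: Tuple[int, ...]   # up to six syscall arguments
    rsp: int
    rip: int


def parse_proc_syscall(text: str) -> Optional[SyscallState]:
    """Parse /proc/[pid]/syscall (x86-64). Three shapes occur:
      "running"                          task is on-CPU: no usable registers
      "-1 0x<sp> 0x<pc>"                 blocked or stopped, not in a syscall
      "<nr> 0x<a1>..0x<a6> 0x<sp> 0x<pc>" blocked inside syscall <nr>
    Returns None for "running"; that is why the target is stopped first."""
    fields = text.split()
    if not fields or fields[0] == "running":
        return None
    values = [int(f, 16) for f in fields[1:]]
    # SP and PC are always the last two values, whatever precedes them.
    return SyscallState(nr=int(fields[0]), args=tuple(values[:-2]),
                        rsp=values[-2], rip=values[-1])


def read_mem(pid: int, addr: int, length: int) -> bytes:
    """Read target memory. Opening /proc/[pid]/mem needs PTRACE_MODE_ATTACH
    access (root/CAP_SYS_PTRACE, or same uid under a permissive YAMA scope)."""
    fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        data = os.pread(fd, length, addr)
    finally:
        os.close(fd)
    if len(data) != length:
        raise OSError(f"short read of {len(data)}/{length} bytes at {addr:#x}")
    return data


def write_mem(pid: int, addr: int, data: bytes) -> None:
    """Write target memory. The kernel uses FOLL_FORCE for this file, so the
    write lands even in a read-only executable mapping (as a private copy),
    which is what lets a stub be dropped at RIP."""
    fd = os.open(f"/proc/{pid}/mem", os.O_RDWR)
    try:
        n = os.pwrite(fd, data, addr)
    finally:
        os.close(fd)
    if n != len(data):
        raise OSError(f"short write of {n}/{len(data)} bytes at {addr:#x}")


@dataclass
class Backup:
    code_addr: int
    code: bytes
    stack_addr: int
    stack: bytes


def take_backup(pid: int, st: SyscallState) -> Backup:
    """Save the code at RIP and the stack region below RSP before writing
    anything; restore_backup() puts both back (the tool's stage-2 stub does
    the equivalent from inside the target)."""
    stack_addr = st.rsp - STACK_LEN
    return Backup(st.rip, read_mem(pid, st.rip, CODE_LEN),
                  stack_addr, read_mem(pid, stack_addr, STACK_LEN))


def restore_backup(pid: int, b: Backup) -> None:
    write_mem(pid, b.code_addr, b.code)
    write_mem(pid, b.stack_addr, b.stack)


def self_roundtrip() -> Optional[bool]:
    """Exercise read_mem/write_mem on this process, where access is always
    granted. True on success; None if /proc/self/mem is unavailable here."""
    buf = ctypes.create_string_buffer(b"A" * 16, 16)
    addr = ctypes.addressof(buf)
    try:
        before = read_mem(os.getpid(), addr, 16)
        write_mem(os.getpid(), addr, b"B" * 16)
    except OSError:
        return None
    return before == b"A" * 16 and buf.raw == b"B" * 16


if __name__ == "__main__":
    line = ("0 0x3 0x7ffd00001000 0x1000 0x0 0x0 0x0 "
            "0x7ffd0000ff00 0x7f0000001234")  # constructed sample
    st = parse_proc_syscall(line)
    print(f"blocked in syscall {st.nr}: rsp={st.rsp:#x} rip={st.rip:#x}")
    print("self roundtrip:", self_roundtrip())
```

self_roundtrip() shows that the same /proc/[pid]/mem path lets a process rewrite its own mapped memory with no ptrace call at all; against another pid, every open() above is subject to the PTRACE_MODE_ATTACH check the Limitations section describes.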

Limitations:

  • Sending SIGSTOP may cause unwanted side-effects, for example if another thread is waiting on waitpid(). The --stopmethod=cgroup_freeze option avoids this, but requires root (on most distros, at least).

  • I'm not entirely sure how this will interact with complex multi-threaded applications. There's certainly potential for breakage.

  • x86-64 Linux only (for now - 32-bit support could potentially be added).

  • Requires root, or a relaxed YAMA configuration (echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope is useful when testing). Opening /proc/[pid]/mem and /proc/[pid]/syscall goes through the same PTRACE_MODE_ATTACH check as ptrace(2) itself, so not calling ptrace does not bypass YAMA or the uid rules: without CAP_SYS_PTRACE the target must run as your uid and be reachable under the current ptrace_scope. Setting ptrace_scope to 0 weakens the whole system, so revert it after testing.

  • If the target process is sandboxed (e.g. seccomp filters), it might not have permission to mmap() the second stage shellcode, or to open and map the library when _dl_open() loads it. Depending on the filter's action, a denied syscall may kill the target with SIGSYS rather than just return an error.
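A pre-flight check covering the limitations above (thread count, seccomp mode, whether the target is actually stopped, YAMA ptrace_scope), as an added example that is not part of the project. The /proc/[pid]/status and /proc/[pid]/syscall samples are constructed, and euid 0 stands in for CAP_SYS_PTRACE in the live wrapper.

```python
"""Added example (not dlinject's code): warn about each documented limitation
that applies to a target before touching its memory."""
import os
from typing import Dict, List


def parse_proc_status(text: str) -> Dict[str, str]:
    """/proc/[pid]/status is "Key:<tab>value" per line; return it as a dict."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out


def preflight(status_text: str, syscall_text: str,
              ptrace_scope: int, have_cap_sys_ptrace: bool) -> List[str]:
    """Return one warning per limitation that applies; an empty list means go."""
    st = parse_proc_status(status_text)
    warnings: List[str] = []

    threads = int(st.get("Threads", "1"))
    if threads > 1:
        warnings.append(f"{threads} threads: SIGSTOP stops all of them and a "
                        "waitpid() caller will observe the stop; consider cgroup_freeze")

    # Seccomp: 0 = disabled, 1 = strict (only read/write/exit/sigreturn), 2 = filter
    seccomp = int(st.get("Seccomp", "0"))
    if seccomp == 1:
        warnings.append("seccomp strict mode: the stub's mmap() will kill the target")
    elif seccomp == 2:
        warnings.append("seccomp filter: mmap()/open() for the stub or the library may "
                        "be denied, or SIGSYS-killed depending on the filter action")

    if syscall_text.strip() == "running":
        warnings.append("target is on-CPU: /proc/[pid]/syscall has no RSP/RIP; stop it first")

    # YAMA gates /proc/[pid]/mem and /proc/[pid]/syscall exactly as it gates ptrace(2).
    if ptrace_scope >= 3:
        warnings.append("yama ptrace_scope=3: no attach possible, even as root")
    elif ptrace_scope == 2 and not have_cap_sys_ptrace:
        warnings.append("yama ptrace_scope=2: need CAP_SYS_PTRACE (root)")
    elif ptrace_scope == 1 and not have_cap_sys_ptrace:
        warnings.append("yama ptrace_scope=1: only descendants (or PR_SET_PTRACER "
                        "targets) are reachable without CAP_SYS_PTRACE")
    return warnings


def preflight_pid(pid: int) -> List[str]:
    """Live wrapper: gather the inputs from /proc and run the checks."""
    with open(f"/proc/{pid}/status") as f:
        status = f.read()
    try:
        with open(f"/proc/{pid}/syscall") as f:
            syscall = f.read()
    except PermissionError:
        return ["cannot read /proc/[pid]/syscall: no ptrace access to this target"]
    try:
        with open("/proc/sys/kernel/yama/ptrace_scope") as f:
            scope = int(f.read())
    except FileNotFoundError:
        scope = 0  # YAMA not built in: classic uid-based rules only
    # Assumption: euid 0 is used as a stand-in for holding CAP_SYS_PTRACE.
    return preflight(status, syscall, scope, os.geteuid() == 0)


# Constructed samples, not captured from a real system.
MULTI_THREADED_FILTERED = "Name:\tsvc\nUid:\t1000\t1000\t1000\t1000\nThreads:\t4\nSeccomp:\t2\n"
SINGLE_THREADED_OPEN = "Name:\tsvc\nUid:\t1000\t1000\t1000\t1000\nThreads:\t1\nSeccomp:\t0\n"
BLOCKED_IN_READ = "0 0x3 0x7ffd00001000 0x1000 0x0 0x0 0x0 0x7ffd0000ff00 0x7f0000001234"

if __name__ == "__main__":
    for w in preflight(MULTI_THREADED_FILTERED, "running", 1, False):
        print("warn:", w)
```

Run preflight_pid(pid) as the user who will do the injection; a PermissionError on /proc/[pid]/syscall is the same access failure /proc/[pid]/mem would give, just reported before anything is written.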
