Process Injection on Linux - Technical Reference

This article is part 5 of a 5 parts series on process injection on Linux.

Injection facilities

• ptrace
• /proc/<pid>/mem, /proc/self/mem
• process_vm_writev (does not have "punch through" capability)

Related facilities:

• brk / sbrk
• execve / fexecve
• memfd_create
• mlock
• mmap
• mprotect
• process_vm_readv
• shm_open

Persistence

• clone
• fork
• setitimer
• sigaction
• signal
• timer_create
• GOT/PLT hooking
• vDSO

Memory destinations

• allocated memory;
• code caves;
• overwritten code/data.

Prevention

• kernel.yama.ptrace_scope
• SELinux: execmem, execheap, execstack, deny_ptrace
• AppArmor
• Secure Computing (seccomp)
• prctl/PR_SET_DUMPABLE
• RELRO and BINDOW linking flags

Detection

• auditd using a ruleset with good coverage and, ideally, a filtering/search tool.

Forensics

Indicators

• /proc/<pid>/status to inspect signals and tracee status
• /proc/<pid>/exe pointing to memory-backed file
• /proc/<pid>/fd/ for memory-backed files
• /proc/<pid>/maps for non-file-backed executable memory regions
• /proc/<pid>/tasks/ to list threads
• /proc/<pid>/tasks/children to list children processes
• /dev/shm and other in-memory file systems (mount -t tmpfs)

Analysis

• ptrace to dump the process or trace its behavior
• /proc/<pid>/mem to dump a process's memory
• /proc/<pid>/exe to get a process's original program

Articles in this series

• Part 1 - Introduction
• Part 2 - Injecting into Processes
• Part 3 - Prevention and Detection
• Part 4 - Advanced Injection Topics
• Part 5 - Technical Reference