Process Injection on Linux - Technical Reference

Process Injection on Linux - Technical Reference

Process Injection on Linux - Technical Reference

published on: 2022-05-20

This article is part 5 of a 5 parts series on process injection on Linux.

Injection facilities

ptrace
/proc/<pid>/mem, /proc/self/mem
process_vm_writev (does not have "punch through" capability)

Related facilities:

brk / sbrk
execve / fexecve
memfd_create
mlock
mmap
mprotect
process_vm_readv
shm_open

Persistence

clone
fork
setitimer
sigaction
signal
timer_create
GOT/PLT hooking
vDSO

Memory destinations

allocated memory;
code caves;
overwritten code/data.

Prevention

kernel.yama.ptrace_scope
SELinux: execmem, execheap, execstack, deny_ptrace
AppArmor
Secure Computing (seccomp)
prctl/PR_SET_DUMPABLE
RELRO and BINDOW linking flags

Detection

auditd using a ruleset with good coverage and, ideally, a filtering/search tool.

Forensics

Indicators

/proc/<pid>/status to inspect signals and tracee status
/proc/<pid>/exe pointing to memory-backed file
/proc/<pid>/fd/ for memory-backed files
/proc/<pid>/maps for non-file-backed executable memory regions
/proc/<pid>/tasks/ to list threads
/proc/<pid>/tasks/children to list children processes
/dev/shm and other in-memory file systems (mount -t tmpfs)

Analysis

ptrace to dump the process or trace its behavior
/proc/<pid>/mem to dump a process's memory
/proc/<pid>/exe to get a process's original program

Articles in this series