Linux code injection

0x00 : 基础

产生一个新的进程的方式

sys_clone – creates a copy of the running process with or without shared resources (memory, file descriptors, etc.);
sys_execve – replaces the running process with a new one (has several variations in the C library);
fork – creates a copy of the running process but without any shared resources (actually, both sys_fork and sys_clone come down to the do_fork() function in the kernel).

0x01 : 实例

目标程序代码

#include<stdio.h>
#include<unistd.h>
#include<sys/types.h>
/* Target for the demo: prints a counter once every two seconds for ten
 * iterations, which gives the injector time to attach. Returns 0. */
int main(void){
    enum { ITERATIONS = 10, DELAY_SECONDS = 2 };
    for (int counter = 0; counter < ITERATIONS; ++counter) {
        printf("counter:%d\n", counter);
        sleep(DELAY_SECONDS);
    }
    return 0;
}

注入程序代码

#include<stdio.h>
#include<sys/ptrace.h>
#include<stdlib.h>
#include<sys/types.h>
#include<sys/wait.h>
#include<unistd.h>
#include<string.h>
#include<errno.h>
#include<sys/syscall.h>
#include<sys/user.h>
/* Width of one ptrace word (sizeof(long)); getdata/putdata copy this many
 * bytes per PEEKDATA/POKEDATA. Because it is a const object rather than an
 * integer constant expression, the `char chars[long_size]` union members in
 * those functions are variably modified types — GCC accepts that as an
 * extension; other compilers may not. */
const int long_size = sizeof(long);
/*
 * Read len bytes of the tracee's memory starting at addr into str, one long
 * at a time with PTRACE_PEEKDATA, then NUL-terminate str.
 *
 * child: pid of a process this process is already attached to via ptrace.
 * addr:  address in the tracee to read from.
 * str:   caller-supplied buffer. NOTE(review): str[len] is written as well,
 *        so the buffer must hold len + 1 bytes; main passes backup[len],
 *        which is one byte short.
 * len:   number of bytes to copy.
 *
 * The address step is addr+i*4 while the copy width is long_size, so the two
 * only line up where sizeof(long) == 4 (32-bit builds — consistent with the
 * regs.eip use in main, which only exists on 32-bit x86).
 * ptrace() results are not checked: PEEKDATA signals failure by returning -1
 * with errno set, so an unreadable address is silently copied as 0xff bytes.
 */
void getdata(pid_t child, long addr,char* str,int len){
char * laddr;   // write cursor into str
int i,j;
union u{        // lets one long be copied out as raw bytes
long val;
char chars[long_size];   // variably modified member: relies on a GCC extension
}data;
i = 0;
j = len/long_size;   // number of whole words to fetch
laddr = str;
while(i<j){
data.val = ptrace(PTRACE_PEEKDATA,child,addr+i*4,NULL);
memcpy(laddr,data.chars,long_size);
++i;
laddr+=long_size;
}
j = len % long_size;   // trailing partial word, if any
if(j!=0){
data.val=ptrace(PTRACE_PEEKDATA,child,addr+i*4,NULL);
memcpy(laddr,data.chars,j);
}
str[len]='\0';   // one past the len bytes copied — see the header note
}
/*
 * Write len bytes from str into the tracee's memory at addr, one long at a
 * time with PTRACE_POKEDATA.
 *
 * child: pid of a process this process is already attached to via ptrace.
 * addr:  address in the tracee to write to.
 * str:   source bytes (need not be NUL-terminated; len governs).
 * len:   number of bytes to write.
 *
 * As in getdata, the address step addr+i*4 matches the copy width long_size
 * only where sizeof(long) == 4.
 * NOTE(review): the trailing partial word copies only len % long_size bytes
 * into data.chars but pokes the whole long, so the remaining bytes of that
 * word come from whatever data.chars still holds (the previous full word, or
 * indeterminate if there was none). The tracee's bytes between len and the
 * next word boundary are therefore overwritten with stale data rather than
 * preserved — this also applies when main uses putdata to restore backup.
 * POKEDATA return values are not checked.
 */
void putdata(pid_t child, long addr,char* str, int len){
int i,j;
char *laddr;   // read cursor into str
union u{       // lets raw bytes be assembled into one long
long val;
char chars[long_size];   // variably modified member: relies on a GCC extension
}data;
i = 0;
j = len/long_size;   // number of whole words to write
laddr = str;
while(i<j){
memcpy(data.chars,laddr,long_size);
ptrace(PTRACE_POKEDATA,child,addr+i*4,data.val);
++i;
laddr+=long_size;
}
j = len % long_size;   // trailing partial word, if any
if(j!=0){
memcpy(data.chars,laddr,j);   // only j bytes refreshed; the rest of data.chars is stale
ptrace(PTRACE_POKEDATA,child,addr+i*4,data.val);
}
}
/*
 * Attach to the pid given in argv[1], save the 41 bytes at its current eip,
 * overwrite them with the payload, resume it until it stops again, then
 * restore the saved bytes and registers and detach.
 *
 * Builds only for 32-bit x86: user_regs_struct has an eip member there
 * (x86-64 names it rip) and the payload uses int 0x80.
 * None of the ptrace()/wait() results are checked. PTRACE_ATTACH in
 * particular fails with EPERM when the caller is not permitted to trace the
 * target — a different uid without CAP_SYS_PTRACE, or a restrictive Yama
 * ptrace_scope setting — and every later call would then act on an untraced
 * pid. While attached, the target's /proc/<pid>/status reports a non-zero
 * TracerPid, which is the usual way to spot a tracer from the outside.
 */
int main(int argc,char*argv[]){
pid_t traced_process;
struct user_regs_struct regs,newregs;   // newregs is never used
long ins;
int k,h;   // h is never used
int len=41;   // explicit bytes in shellcode below (sizeof shellcode is 42 with the literal's implicit terminator)
char shellcode[] = "\xeb\x15\x5e\xb8\x04\x00\x00\x00"
"\xbb\x02\x00\x00\x00\x89\xf1\xba"
"\x0c\x00\x00\x00\xcd\x80\xcc\xe8"
"\xe6\xff\xff\xff\x48\x65\x6c\x6c"
"\x6f\x20\x57\x6f\x72\x6c\x64\x0a\x00";   // 32-bit payload: write(2, "Hello World\n", 12) via int 0x80, then int3 (0xcc)
char backup[len];   // NOTE(review): getdata also writes backup[len], one past this array
long addr;   // unused
if(argc!=2){
printf("command input error\n");
exit(1);
}
traced_process = atoi(argv[1]);   // unchecked parse: non-numeric input becomes pid 0
//attach to process; the wait() below returns once the tracee has stopped
ptrace(PTRACE_ATTACH,traced_process,NULL,NULL);
wait(NULL);
//get current regs
ptrace(PTRACE_GETREGS,traced_process,NULL,&regs);
//print eip and the word at eip
ins = ptrace(PTRACE_PEEKTEXT,traced_process,regs.eip,NULL);
printf("EIP:%lx instruction executed: %lx\n",regs.eip,ins);
getdata(traced_process,regs.eip,backup,len);   // save the bytes that are about to be replaced
//print code
printf("backup is :\n");
for(k = 0;k<41;k++){
printf("%x ",backup[k]);   // char promoted to int: bytes >= 0x80 print sign-extended (ffffffxx) where char is signed
}
printf("\n");
putdata(traced_process,regs.eip,shellcode,len);   // overwrite the code at eip
printf("shellcode is :\n");
for(k = 0;k<41;k++){
printf("%x ",shellcode[k]);   // same sign-extension caveat as above
}
printf("\n");
//re-set args (regs has not been modified since GETREGS, so this writes back the same state)
ptrace(PTRACE_SETREGS,traced_process,NULL,&regs);
//back: resume; the tracee now executes the payload at its old eip
ptrace(PTRACE_CONT,traced_process,NULL,NULL);
//wait for change: returns when the tracee stops again (the payload's int3 raises SIGTRAP)
wait(NULL);
printf("Press the enter key to continue\n");
getchar();
//recover the code: put the saved bytes back and rewind eip to where it was (see putdata's note on the trailing partial word)
putdata(traced_process,regs.eip,backup,len);
ptrace(PTRACE_SETREGS,traced_process,NULL,&regs);
printf("excute origion code\n");
ptrace(PTRACE_DETACH,traced_process,NULL,NULL);   // tracee continues from the restored eip
return 0;
}

0x02 : 效果

res