Git Product home page Git Product logo

linux-inject's Introduction

linux-inject

Tool for injecting a shared object into a Linux process

  • Provides the Linux equivalent of using CreateRemoteThread() on Windows to inject a DLL into a running process

  • Performs injection using ptrace() rather than LD_PRELOAD, since the target process is already running at the time of injection

  • Supports x86, x86_64, and ARM

  • Does not require the target process to have been built with -ldl flag, because it loads the shared object using __libc_dlopen_mode() from libc rather than dlopen() from libdl

Caveat about ptrace()

  • On many Linux distributions, the kernel is configured by default to prevent any process from calling ptrace() on another process that it did not create (e.g. via fork()).

  • This is a security feature meant to prevent exactly the kind of mischief that this tool causes.

  • You can temporarily disable it until the next reboot using the following command:

      echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope

Compiling

  • arm:

      make arm

  • x86:

      make x86

  • x86_64:

      make x86_64

Usage

./inject [-n process-name] [-p pid] [library-to-inject]

Sample

  • In one terminal, start up the sample target app, which simply outputs "sleeping..." each second:

      ./sample-target

  • In another terminal, inject sample-library.so into the target app:

      ./inject -n sample-target sample-library.so

  • The output should look something like this:

  • First terminal:

         $ ./sample-target
     sleeping...
     sleeping...
     I just got loaded
     sleeping...
     sleeping...

  • Second terminal:

         $ ./inject -n sample-target sample-library.so
     targeting process "sample-target" with pid 31490
     library "sample-library.so" successfully injected
     $

  • If the injection fails, make sure your machine is configured to allow processes to ptrace() other processes that they did not create. See the "Caveat about ptrace()" section above.

  • You can verify that the injection was successful by checking /proc/[pid]/maps:

      $ cat /proc/$(pgrep sample-target)/maps
  [...]
  7f37d5cc6000-7f37d5cc7000 r-xp 00000000 ca:01 267321                     /home/ubuntu/linux-inject/sample-library.so
  7f37d5cc7000-7f37d5ec6000 ---p 00001000 ca:01 267321                     /home/ubuntu/linux-inject/sample-library.so
  7f37d5ec6000-7f37d5ec7000 r--p 00000000 ca:01 267321                     /home/ubuntu/linux-inject/sample-library.so
  7f37d5ec7000-7f37d5ec8000 rw-p 00001000 ca:01 267321                     /home/ubuntu/linux-inject/sample-library.so
  [...]

  • You can also attach gdb to the target app and run info sharedlibrary to see what shared libraries the process currently has loaded:

      $ gdb -p $(pgrep sample-target)
  [...]
  (gdb) info sharedlibrary
  From                To                  Syms Read   Shared Object Library
  0x00007f37d628ded0  0x00007f37d628e9ce  Yes         /lib/x86_64-linux-gnu/libdl.so.2
  0x00007f37d5ee74a0  0x00007f37d602c583  Yes         /lib/x86_64-linux-gnu/libc.so.6
  0x00007f37d6491ae0  0x00007f37d64ac4e0  Yes         /lib64/ld-linux-x86-64.so.2
  0x00007f37d5cc6670  0x00007f37d5cc67b9  Yes         /home/ubuntu/linux-inject/sample-library.so
  (gdb)

Compatibility

  • The x86 and x86_64 versions work on Ubuntu 14.04.02 x86_64.

  • The x86 and x86_64 versions work on Arch x86_64.

  • The ARM version works on Arch on both armv6 and armv7.

  • None of the versions seem to work on Debian. __libc_dlopen_mode() in Debian's libc does not load shared libraries in the same manner as Arch's and Ubuntu's versions do. I tested this on both x86_64 and armv6.

TODOs / Known Issues

  • Better support for targeting multi-thread/multi-process apps

  • I seem to get crashes when trying to inject into larger applications

  • Needs further investigation

  • Support both ARM and Thumb mode

  • Currently only supports ARM mode

  • Should just be a matter of checking LSB of PC and acting accordingly

  • Do better checking to verify that the specified shared object has actually been injected into the target process

  • Check /proc/[pid]/maps rather than just looking at the return value of __libc_dlopen_mode()

  • Support more distros

  • Currently only working on Ubuntu and Arch for certain architectures

  • See "Compatibility" section above

  • Possibly support more architectures?

  • 64-bit ARM

  • MIPS

linux-inject's People

Contributors

gaffe23 avatar

Stargazers

avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.