Jugaad - Linux Thread Injection Kit

Presented at DEF CON 19 (2011), Aug. 5, 2011, 2 p.m. (50 minutes)

Windows malware conveniently use the CreateRemoteThread() api to delegate critical tasks inside of other processes. However till now there is no API on Linux to perform such operation. This paper talks about my work on creating an API similar to createRemoteThread() on *nix OSes. The kit currently works on Linux, allocates space inside a process and injects and executes arbitrary payload as a thread into that process. It utilizes the ptrace() functionality to manipulate other processes on the system. ptrace() is an API generally used by debuggers to manipulate(debug) a program. By using the same functionality to inject and manipulate the flow of execution of a program Jugaad is able to inject the payload as a thread. There is another awesome tool injectSo that injects the whole library into a process, however it leaves traces like the name and path of the injected library which can easily be found by reading the process maps file. Jugaad does an in-memory thread injection and hence is stealthier as there are no traces of any library found in the maps file. It however allocates memory in the process using mmap2 system call which only shows up as allocated memory in maps file but does not reveal anything about the injection. The payload to be executed runs inside the thread and is independent of the kit - you chose your payload, jugaad injects the payload.

Presenters:

• Aseem Jakhar - Founder, null - The open security community (registered non-profit organization)
  Aseem Jakhar is an Independent security researcher with 7 years of experience in system programming, security research and consulting. He has worked on various security software including UTM appliances, Messaging/security appliances, Anti-Spam/antivirus engines, multicast packet reflector, Transparent HTTPS proxy with Captive portal, Bayesian spam filter to name a few. He has been a speaker at various security conferences like Xcon 2009, Blackhat EU 2008, Clubhack 2008/2009/2010, IBM Security and Privacy 2009, Cocon 2010, ISACA Bangalore 2010, Gnunify 2007/2009/2011. He is the founder of null - The open security community(a registered non-profit organization, http://null.co.in ) , the largest security community in India. null is now planning to expand outside India as well. Currently he is working full-time on null initiatives. One of the null initiatives is nullcon security conference (http://nullcon.net ) which is a favourite go-to destination of hackers and security professionals in the Indian sub-continent. Before starting on his own he was working with IBM. Twitter: @aseemjakhar

Links:

• https://defcon.org/html/defcon-19/dc-19-speakers.html#Jakhar
• https://infocon.org/cons/DEF CON/DEF CON 19/DEF CON 19 video and slides/DEF CON 19 - Aseem Jakhar - Jugaad Linux Thread Injection Kit - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=vju6tq1lp0k

Similar Presentations:

• BSidesLV 2019 / Please inject me, a x64 code injection
• Black Hat USA 2017 / Evil Bubbles or How to Deliver Attack Payload via the Physics of the Process
• DEF CON 22 (2014) / Generating ROP payloads from numbers