Inject custom code or data into running process

Sayutin Dmitry cdkrot at yandex.ru
Tue Jan 3 14:49:05 EST 2017


Yes, I understand points you provide.

> but a royal pain to sandbox malicious code
My idea is to get some assistance from kernel on it (possible with source patch or kernel module),
but I would like to implement POC [proof-of-concept] myself, before showing it to the community.

Let me return back to the original question (injection of code/data)
LD_PRELOAD is quite a briliant way, but will not work on statically-linked code.

However it may be enough for POC.

03.01.2017, 22:40, "valdis.kletnieks at vt.edu" <valdis.kletnieks at vt.edu>:
> On Tue, 03 Jan 2017 22:24:11 +0300, Sayutin Dmitry said:
>
>>  (If you want to know motivation for this -- I want to implement some new idea on sandboxing).
>
> There's pretty much nothing you can do inside the process to do sandboxing
> against code that doesn't want to be sandboxed. In other words, it's
> easy to sandbox possibly buggy code, but a royal pain to sandbox malicious
> code.
>
> Hint: You can lead a horse to code, but you can't force it to call it.
>
> For instance, using LD_PRELOAD is a good way to front-end calls to glibc
> code - but it doesn't do squat against malware that issues its own syscalls
> inline to avoid your front end.

Sayutin Dmitry <cdkrot at yandex.com>



More information about the Kernelnewbies mailing list