BC INTERNET
Saved by @Mollyycolllinss

Linux code injection paint-by-numbers.

Can we launch a process that looks one way to (superficial) auditors but is, in fact, entirely different? (Think process hollowing and the like on Windows).

Firstly, how are processes created and what does related auditing look like?

 The most common pattern is fork() → execve(). Where the fork() syscall create a duplicate of the running process context and execve() overlays a copy of the target program onto that context.
After calling fork(), we’ll have two processes, the original one and a new - duplicated - one (with a new pid).

Control will return from fork() to both process instances. In the child process, the return value will simply by 0, in the parent it will hold the pid of the child.
Thus we can determine whether we are running in the child context and call execv() accordingly, while allowing the parent to continue.
Now, let’s take a look at where the auditing hooks lie. From calling execve(), we’ll eventually land up in exec_binrpm().
Without delving too deeply, this function resolves the interpreter handler for the target we’re trying to execute. (Here we’re executing an ELF binary, so we’ll get the relevant ELF handler). But that is a topic for another day.
Prior to exec_binrpm() returning, audit hooks will be called.
In our scenario, we *want* these hooks to be called so the original target executable is identified, but we don’t want the target to actually execute.
On Windows, all processes are created suspended; CreateProcess could be called with the CREATE_SUSPENDED flag in order to instruct Kernel32.dll not to get the kernel to resume the target after process setup.
On Linux, process execution will continue immediately after execv() so we must do something different. We can use ptrace() to control execution of the child target.
This is set up by first instructing the kernel from the child context that it wants to be traced (PTRACE_TRACEME) and then instructing the parent process to wait on the first trap.

By default, this will happen on exit of the execve() syscall.
Now that we have a form of suspended process creation, we need to decide what to do with it.

The options here are numerous. In this example, we want to chose a strategy that doesn’t require us doing any image/reloc fix-up foo.

We can use dlopen() to do all the heavy lifting.
The first issue is that we have suspended execution in a state prior to libc being mapped in and made available to the target process. As (almost?) all dynamically linked processes will require libc, we can let this happen naturally by letting the target run until this is done.
It is important to ensure that (1) the execution progresses to a point where libc is mapped and (2) the process is in a state where we can safely hijack execution flow, but (3) is prior to actual target execution (+ generic enough to support various targets).
I initially tried trapping target execution after libc is mapped (executing until relevant close()).
Naturally this failed as the process was not yet sufficiently set up to support stable execution (for e.g. stack sentinel storage via mov    rax,QWORD PTR fs:0x28 in the function prologue would fail; fs is not yet sane).
To achieve a state where (1), (2), and (3) are all honoured, we can trap a little further down. I chose to target brk().
To recap:

We’ve created a child process and halted execution prior to anything too process-specific having been run but after basic setup has taken place.
Now we need to get inject our code.
As mentioned earlier, the plan is to use bog-standard dlopen() to get the code staged in the target.
But how to locate dlopen()?

A cursory glance shows that dlopen() is exported by libdl. But alas this library is not loaded in our process address space.
Ultimately, however, __libc_dlopen_mode() is the underlying libc function that will do the work and that is available to us.
First, we’re going to need to get the offset of the __libc_dlopen_mode() function within libc.
The easiest way I could think of, of doing this programmatically was simply to use the dynamic linker within the parent process context + calculating the offset from the loaded library address.

dlopen(libc) → dlsym(__libc_dlopen_mode)
The library address can be obtained from the link_map structure returned by dlopen().
A caveat to keep in mind here is that taking the fcn_addr - lm->l_addr yields an offset which includes the difference between the address in the ELF binary and where address where it was loaded in memory.

We will account for this offset skew shortly.
Next, we’ll obtain the address of the libc instance that is mapped in our target process.
Procfs exposes mapping info in /proc//maps. We can look up the mapped address of the executable section of libc, accounting for the offset of the in-memory address of the mapped ELF and calculate a final value for __libc_dlopen_mode() in the target.
My implementation of this bit is, regrettably, quick & dirty.
Finally, we need to set the necessary arguments for __libc_dlopen_mode() and call the function within the target process context.
Remembering that we don’t care to continue with the original target flow at any point, we can hijack execution by pointing rip to the address of __libcdl_open_mode() that we just calculated.
The function signature for __libcdl_open_mode() matches that of dlopen() - with the addition of an explicit *dl_caller which I just set to NULL.

x86_64 calling convention dictates that we’ll be using registers rdi (library path), rsi (mode), rdx (dl caller).
rdi holds a pointer to the library path. We need somewhere writeable to put it.

The easy choice here is just to dump it somewhere on the stack (we’re not interested in a sane return from __libc_dlopen_mode() after all).
Everything is now set up. Releasing target execution will result in our code being loaded into the target address space via __libc_dlopen_mode().
At some point, something will break in the target application (remember, we have hijacked rip and corrupted the stack).

This is a great outcome as it’ll trap back into the parent process and allow us to redirect control to our injected code.
(I did initially mess around with getting better control over the return from libc but honestly it didn’t seem worth the bother.)
Calling our injected code is as simple as pointing rip at it and resuming execution. (We discover its loaded address in the very same way that we discovered that of __libc_dlopen_mode() previously.)
Finally we can detach the parent process.

And we’re done.
Now in terms of forensics:

Auditing ptrace() is the obvious go-to for real-time process injection determination

Beyond that; process memory space anomalies (in this example, the injected code will appear as a mapped image) + the usual gamut of behavioural analysis opportunities

More from Internet

Jake Brukhman
Jake Brukhman
@jbrukh
1/The next major problem set in #DeFi is #NFTLiquidity.

It has become very clear that, like fungibles, nonfungibles are their own financial asset class.

One path to see this is to envision the future of NFTs as “liquid

2/Some say that NFTs “shouldn’t be” liquid, yet the innovation process continues.

Just like photography has become much easier to create in the last 100 years, liquid NFTs will surely bring down price points of tokenized digital content but will also open expansive new markets.

3/The key observation is this: #NFTLiquidity is merely a technical problem for #DeFi, and the entire set of economic mechanisms is its solution space.

👉🏻 In particular, because of tokenization, *the NFT liquidity problem reduces to the NFT price discovery problem.*

4/In other words, if we could reliably price a set of NFTs, we could issue a token backed by their reliably priced future resale value.

This is a core mechanism that today is underutilized in the market, and one that — we will soon see — applies to all illiquid assets.

5/Today, NFT price discovery proceeds via three main mechanisms: sales, auctions, and ERC20 fractionalization.

And the fundamental problem with each of these mechanisms is capital efficiency: in each mechanism, participants need to spend *at least* $N to value something at $N.
INTERNET
Dannielle (Dossy) Blumenthal PhD
Dannielle (Dossy) Blum...
@DrDannielle
SolarWinds follow up. Very good tweet explaining what happened.


Basically what this means is that SolarWinds itself was exploited. Someone posted an infected update as legitimate (digitally signed), leading customers to download a bad update.

“Multiple trojanized updates were digitally signed from March - May 2020 and posted to the SolarWinds updates website” https://t.co/8e3bMFWXYu


FireEye then explains that infected organizations were approached and exploited. This is a separate Step 2.

At this point, information is already going to “malicious domains” without extra intervention, after the malware does nothing for “up to two weeks”
INTERNET
Advertisement
Simon Wardley
Simon Wardley
@swardley
X : Can you apply pace layers to maps?
Me : You can but what is where evolves. However, same rules apply to things, practices, data, knowledge and ethical values. All are forms of evolving capital. In the mapping world, we refer to this with pioneers, settlers and town planners.


X : What's the robot for?
Me : Image from an older presentation slide, don't worry it has no relevance.
X : Is this linked to diffusion?
Me : Not simply. Evolution of a single component can consist of many hundreds of diffusion curves i.e. a virus diffuses but it also evolves.

X : Why have you got DevOps in legacy? We haven't even started yet.
Me : That's not my problem. I would take a look at serverless.
X : DevOps is serverless.
Me : Some of the practices maybe co-opted (see ITIL vs DevOps) but the new faction will decide what it is or isn't.

X : I also disagree with your methods graphic.
Me : Do you mean this? As applied to the following map?
X : Yes. Lean is suitable for innovation.
Me : Ah, that depends upon what you mean by innovation. If you mean Genesis then lightweight XP has it beat.


X : I disagree.
Me : Well, I've had 15 years of people telling me that Agile works everywhere or Lean works everywhere or Six Sigma works everywhere and why all the competing methods don't. I have no interest in the conversation. Use appropriate methods based upon context.
INTERNET
Alex Kaplan
Alex Kaplan
@AlKapDC
New from me, & my final piece of 2020:

In 2020, a false message board conspiracy theory harmed the pandemic response, significantly impacted our political process, & destroyed lives & families.

A deep dive into how QAnon's breakout year harmed us all:
INTERNET
Pratham \U0001f468\u200d\U0001f4bb\U0001f680
Pratham 👨‍💻🚀...
@Prathkum
Dou you want to learn web development but don't have much money to spend on a course?

Don't worry, there are many great YouTubers who are spreading knowledge for free

THREAD🧵

https://t.co/sTbMZpwniq

https://t.co/u9JfUTYTYT

https://t.co/cL5pRKX5fD

https://t.co/tFcRXGlCUC
INTERNET

You May Also Like

Dr Amanda Moehring
Dr Amanda Moehring
@FlyBehaviour
In Academia, people aren’t always supported when they need it. I want to share what @WesternU did when my husband died right after the pandemic shutdown. It should be shared with other uni’s as a model for empathy and proactive care when someone is in crisis.
1/
#AcademicChatter
SCIENCE
Vibhu Vashisth
Vibhu Vashisth
@VIBHU_Tweet
RANI NAIKI DEVI AND THE BATTLE OF KASAHRADA

Mohammad Ghori, the young Ghurid Prince conquered Ghaznavids in Afghanistan in the year 1173 CE. He conducted some successful raids into the Indian territory, which even Mahmud Ghazni & the Persians couldn't do.


First&foremost,Ghori invaded states of Multan &Uch in India.After this he turned to southern states of Gujarat &Rajputana.Everybody knows this about Ghori,but what most pple r unaware of is the defeat he suffered at hands of Chalukyan Queen Naiki Devi in 1178 Battle of Kasahrada.


When he marched southwards, his first target was the prosperous fortified town of Anhilwara Patan.
It was the capital of Chalukyas(also known as Solankis of Gujarat) which was established by Vanraj of Chapotkata Dynasty in 8th century.


American historian Tertius Chandler states that it was the 10th largest city in the world at that time. The history of Chalukyas has been written by many historians, but the valour of the Great Queen Naiki Devi remains unsung.


Born to the Kadamba King Paramardin of Goa,Naiki Devi was well trained in sword fighting, horse riding, strategy & every other subject of Statesmanship. She was married to King Ajaypala of Gujarat who sat on throne in 1171CE. Unfortunately,the King died within 4 yrs of his rule.
ALL
Advertisement
Hindu Media Wiki
Hindu Media Wiki
@HinduMediaWiki
Speech Delay is most common in children nowadays

In ancient times, our grandparents used to follow typical natural way of caring the needs of a child. All they used were more of natural products than chemical based for the growth of child.


One of major step followed was to feed Gurbach Jadd/ Vasa Kommu/ Acorus Calamus for initiating good speech ability in a child. This stem was needed to babies on Tuesdays and Sundays in mother's milk.

Vasa is feed to baby after the 1st bath on 12th day in week. Weekly only thrice it is fed and named as :

Budhwar - Budhi Vasa
Mangalwar - Vaak Vasa
Ravi Vaar - Aayush Vasa

This stem is burnt and rubbed against the grinding stone in mother's milk or warm water to get a paste


The procedure to make it is in the link

https://t.co/uo4sGp7mUm

It should not be given daily to the child. Other main benefits are

1. It clears the phlegm in child's throat caused due to continuous milk intake. It clears the tracts and breathing is effortless.
2. Digestion

For children who haven't got their speech and is delayed than usual should feed this vasa on these days in week atleast for 6months. Don't get carried away with this dialogue
"Some gain speech little late"
CHILDREN
Edwin Hayward
Edwin Hayward
@uk_domain_names
Ok, it's high time to look at the REAL effects of Brexit. As the Tories implode & Labour sits on its hands, companies are executing contingency plans, shifting jobs & assets, slashing investments, or redomiciling (accounting exercise). Happening NOW, not in a fantasy future. 1/95

Barden Corporation is closing down its Plymouth factory after 51 years, putting 400 jobs at risk, as its parent company Schaeffler shifts production to various sites outside the UK due to Brexit.

8 health providers have warned of medicine shortages in the event of a no-deal Brexit: "we do not believe that the current medicine supply plans will suffice, and we will have widespread shortages if we do not respond urgently."

Pfizer - $100 million on Brexit prep: "Pfizer’s preparations are well advanced to make the changes necessary to meet EU legal requirements after the U.K. is no longer a member state, especially in the regulatory, manufacturing and supply chain areas."

The Government has spent £4.2 billion pounds on Brexit preparations (£2.2 billion in previous Budgets, plus an additional £2 billion in the most recent Budget.)
POLITICS
Elon Musk\u2019s Meme \U0001f171\ufe0fot
Elon Musk’s Meme 🅱️ot...
@theMemesBot
why do I hear boss music
FUN