Thursday, February 18, 2010

New injectso -- Debian proof

The new injectso comes with a new technique to find the
address of the needed rtld function. Some systems (Debian based)
make /proc/pid/maps unavailable by default which
former injectso needed to work properly.
It now also works via /proc/pid/auxv to read AT_BASE
and to calculate where rtld functions can be found.
The nm method is also still included for systems where
libc exports symbol names.
The /proc/pid/auxv method has only been tested on x86_64
but should work on x86 too.

Additionally, I am officially sorry for the coding style
of injectso before v0.51. All the exploit coding makes a
terrible style and I will drop that for a while.
The code has been cleaned up and is now readable and
something to learn from.

Friday, February 5, 2010

Runtime hot-patching processes w/o ptrace

I am a fan of achieving the same result with multiple, different,
solutions/implementations. In computer science (and security
in particular) this leads to real benefit and cutting edge
because if you have more ways to do it, you are not limited
or bound to techniques that may change, evolve or are
hardened/dropped completely. One such example is the injectso
I recently published. It uses ptrace(), but if you think
removing ptrace() from the kernel is a plus, have a look
at lasso. It does the same thing without using ptrace().

There is more than one way to Milano. 8-)