- No 0day Necessary - Bank SSL
- The Spaces Between
- OPSEC for Honeypots
- Out of Step - We are killing the thing we love
- Mail scams and Social Engineering
- No 0day Necessary - Cross Domain Misconfigurations
- Hiding in Plain Sight - A Raspberry Pi VoIP phone covert device
- SteelCon 2014 - Process Injection with Python
- Human Interface Devices - Countering the Threat
- Passwords: Viable or Redundant?
- Introducing Kiryos: UK Content Filtering Bypass Device
- Paranoid Android: From Phone to Spy Tool
- The Autopsy of a Phishing Scam: A Walkthrough of a Typical Phishing Email
- Kicking the Bucket
- XSS: So how is this a problem?
- An Intern's Tale
- Watch out for wireless technologies: Common risk assessment blind spots
- The Problem With North Korea
- Once More Unto The Breach!
- ...And we're back
SteelCon 2014 - Process Injection with Python
Posted by: Darren Martyn | Posted on: 2014-08-07 00:00:00 +0100
Recently I presented at the SteelCon conference on using Python for manipulating processes memory, using the process injection technique as an example, to demonstrate how higher level scripting languages can be used to perform tasks normally only doable from compiled, lower level languages, such as C.
The whole purpose of this talk was to show how incredibly flexible, platform independent tools could be developed rapidly, by even relatively inexperienced developers, and how we could leverage the abstraction offered by higher level languages to perform complicated, low level tasks, easily. While process injection is not a new topic, having been well covered in various papers (several Phrack articles cover the topic, and there are a number of excellent tools - written in C, or assembly, that will permit you to do it), there was very little information out there on doing it from a scripting language. In fact, the Python module I used to achieve the task, python-ptrace, was incredibly poorly documented (in my personal opinion). Despite poor documentation, it was quite easy to develop the proof of concept tools demonstrated in the talk.
In the talk I was able to quickly and easily cover process injection across x86, x86_64, and ARMv7l architectures. This was possible due to the fact Python will run on anything, and by writing a script that automatically detects what platform it is running on, we could write portable tools that intelligently “did the right thing”. I was also able to demonstrate the risks inherent with this, by showing off a memory-resident, fire and forget backdoor that not only had no files written to disc when deployed to target over SSH, but also had no process of its own, infecting a host process on the target machine.
While I kept my example limited to process injection (as it provides an interesting usecase that is immediately understandable to a competent, security-minded audience), other things could also have been shown. Such as writing in-memory fuzzers. This has already been done using the python-ptrace module by some others, in fact, as has writing debuggers and the likes.
About the Author
Darren Martyn Darren is an Irish ex-pat, presently employed by Xiphos Research to break things and research how to break things, and has yet to learn the refined skill of referring to himself in the third person (like the queen).