SteelCon 2014 - Process Injection with Python

Posted by: Darren Martyn | Posted on: 2014-08-07 00:00:00 +0100

Recently I presented at the SteelCon conference on using Python to manipulate process memory, using the process injection technique as an example, to demonstrate how higher-level scripting languages can perform tasks normally only doable from compiled, lower-level languages such as C.

The whole purpose of this talk was to show how incredibly flexible, platform-independent tools could be developed rapidly, even by relatively inexperienced developers, and how the abstraction offered by higher-level languages can be leveraged to perform complicated, low-level tasks easily. While process injection is not a new topic, having been well covered in various papers (several Phrack articles cover it, and there are a number of excellent tools, written in C or assembly, that will permit you to do it), there was very little information out there on doing it from a scripting language. In fact, the Python module I used to achieve the task, python-ptrace, was incredibly poorly documented (in my personal opinion). Despite the poor documentation, it was quite easy to develop the proof-of-concept tools demonstrated in the talk.

In the talk I was able to quickly and easily cover process injection across the x86, x86_64, and ARMv7l architectures. This was possible because Python runs on just about anything, and by writing a script that automatically detects which platform it is running on, we could write portable tools that intelligently "did the right thing". I was also able to demonstrate the risks inherent in this by showing off a memory-resident, fire-and-forget backdoor that not only wrote no files to disk when deployed to the target over SSH, but also had no process of its own, instead infecting a host process on the target machine.
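The defender's view of the fileless, process-less backdoor described above, as an added example that is not from the talk or its repository: a Python script that inspects procfs for the two traces a ptrace-based injection leaves behind on Linux, a tracer attached to the victim (`TracerPid` in `/proc/<pid>/status`) and executable pages with no file backing them (inode 0 entries in `/proc/<pid>/maps`). The `SAMPLE_MAPS` and `SAMPLE_STATUS` text is constructed for the example; `scan_process` reads the live procfs entries on a Linux host.

```python
"""Look for signs of ptrace-based code injection by reading /proc (added example).

Two indicators, both straight from procfs:
  * /proc/<pid>/status  TracerPid != 0   -> a debugger/injector is attached right now
  * /proc/<pid>/maps    executable region with inode 0 and no pathname -> code that
    was never loaded from a file on disk (written in via ptrace, mmap+mprotect, ...)
"""
import os
import re
from dataclasses import dataclass

# Anonymous executable regions the kernel itself maps into every process; not injection.
BENIGN_ANON = {"[vdso]", "[vsyscall]", "[vvar]"}


@dataclass
class Mapping:
    start: int
    end: int
    perms: str   # e.g. "rwxp"
    inode: int
    path: str    # "" for anonymous memory

    @property
    def anonymous(self):
        return self.inode == 0 and self.path not in BENIGN_ANON

    @property
    def executable(self):
        return "x" in self.perms

    @property
    def writable(self):
        return "w" in self.perms


def parse_maps(text):
    """Parse the contents of /proc/<pid>/maps into Mapping objects.

    Line format: start-end perms offset dev inode [pathname]
    """
    mappings = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue  # blank or malformed line
        addr, perms, _offset, _dev, inode = parts[:5]
        path = parts[5].strip() if len(parts) == 6 else ""
        start, end = (int(x, 16) for x in addr.split("-"))
        mappings.append(Mapping(start, end, perms, int(inode), path))
    return mappings


def suspicious_mappings(mappings):
    """Anonymous executable regions; writable AND executable ones are the strongest hint."""
    return [m for m in mappings if m.anonymous and m.executable]


def tracer_pid(status_text):
    """Return the TracerPid field of /proc/<pid>/status (0 when nothing is attached)."""
    m = re.search(r"^TracerPid:\s*(\d+)", status_text, re.MULTILINE)
    return int(m.group(1)) if m else 0


def scan_process(pid):
    """Read the live procfs entries for one pid: (tracer pid, suspicious mappings)."""
    with open(f"/proc/{pid}/status") as f:
        tracer = tracer_pid(f.read())
    with open(f"/proc/{pid}/maps") as f:
        bad = suspicious_mappings(parse_maps(f.read()))
    return tracer, bad


# Constructed sample data: a sleep(1) process with one rwx page of anonymous memory
# and a tracer attached, the shape an injected host process would show.
SAMPLE_MAPS = """\
55d4c3a00000-55d4c3a05000 r-xp 00000000 08:01 1234567      /usr/bin/sleep
7f1a2b000000-7f1a2b021000 r-xp 00000000 08:01 7654321      /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a2b100000-7f1a2b101000 rwxp 00000000 00:00 0
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0            [stack]
7ffd1e0f0000-7ffd1e0f2000 r-xp 00000000 00:00 0            [vdso]
"""
SAMPLE_STATUS = "Name:\tsleep\nState:\tt (tracing stop)\nPid:\t4242\nTracerPid:\t4200\n"


if __name__ == "__main__":
    print("sample: tracer pid =", tracer_pid(SAMPLE_STATUS))
    for m in suspicious_mappings(parse_maps(SAMPLE_MAPS)):
        print(f"sample: anonymous executable region {m.start:#x}-{m.end:#x} perms={m.perms}")
    if os.path.isdir("/proc"):
        tracer, bad = scan_process(os.getpid())
        print(f"self: tracer={tracer} anonymous-executable regions={len(bad)}")
```

The `[stack]` and `[vdso]` entries in the sample show why the filter has to look at more than the inode: the stack is anonymous but not executable, and the vDSO is anonymous and executable but provided by the kernel. JIT runtimes (browsers, JVMs, some interpreters) also create anonymous executable pages legitimately, so treat a hit as something to correlate with the process identity rather than a verdict on its own. The Yama `kernel.yama.ptrace_scope` sysctl is the corresponding mitigation, restricting which processes may attach with ptrace in the first place.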

While I kept my example limited to process injection (as it provides an interesting use case that is immediately understandable to a competent, security-minded audience), other things could also have been shown, such as writing in-memory fuzzers. This has in fact already been done by others using the python-ptrace module, as has writing debuggers and the like.

Anyway, without further ado, below are the slides (hosted on Slideshare), the demonstration videos (embedded in the Slideshare deck), and the GitHub repository of PoC code.

About the Author

Darren Martyn is an Irish ex-pat, presently employed by Xiphos Research to break things and research how to break things, and has yet to learn the refined skill of referring to himself in the third person (like the queen).