<br><font size=2 face="sans-serif">Thinking off the top of my head...</font>
<br>
<br><font size=2 face="sans-serif">Under UNIX, there isn't an API call
(that I know of...) which would do the same thing as the Windows one, but there
are several ways of injecting code or getting a process to run arbitrary
code:</font>
<br>
<br><font size=2 face="sans-serif">1. R/W access to the Kernel memory -
If you have r/w access, you can access any part of the kernel or any process's
memory. Plus the ghost is up for anything else since you can
easily get root access.</font>
<br><font size=2 face="sans-serif">2. R/W access to the Process memory
- If you have r/w access, you can change code/data in the process's
memory space. And if the process has root permissions, then even
better.</font>
<br><font size=2 face="sans-serif">3. Buffer overflows - If you can overflow
a buffer, you can force the process to execute arbitrary code. See
information on the Morris Worm.</font>
<br><font size=2 face="sans-serif">4. Intercepting exec/forks of new processes
- Badly written exec/fork code can be compromised by executing some
other program. </font>
<br><font size=2 face="sans-serif"> </font>
<br>
<br>
<br>
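<br><font size=2 face="sans-serif">The "R/W access to the process memory" route from item 2 above, as an added example that is not part of the original thread. On Linux the debugger interface the question alludes to exists as ptrace(2), and the same access is also exposed as the /proc/PID/mem file. The program below forks a victim that keeps calling through a function pointer; the parent then overwrites that pointer in the child's address space through /proc/PID/mem (falling back to PTRACE_POKEDATA if the /proc route is refused), so the child runs attacker-chosen code. The victim loop, the handler names and the exit code 42 are constructed for the example. Because the child is a fork of the parent, the addresses are already known; against an unrelated process they would have to be recovered from /proc/PID/maps. Either write is subject to the same permission checks as attaching a debugger: same uid, a dumpable target, and the kernel.yama.ptrace_scope sysctl on distributions that enable Yama.</font>

```c
/* Added example (Linux): redirect another process's control flow by writing
 * into its memory via /proc/PID/mem, with a ptrace(2) fallback.
 * The victim, handler names and exit code 42 are constructed for this demo. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The victim repeatedly calls whatever 'handler' points at. */
typedef int (*handler_fn)(void);

static int benign(void)   { return 0; }     /* what the victim intends to run */
static int injected(void) { _exit(42); }    /* attacker-chosen code */

/* volatile: the victim must re-read the pointer on every iteration. */
static handler_fn volatile handler = benign;

static void victim_loop(void)
{
    for (;;) {
        handler();
        usleep(1000);
    }
}

/* Route 1: write 'len' bytes at 'addr' in pid's address space via /proc/PID/mem.
 * The kernel applies the same access check as PTRACE_ATTACH would. */
static int write_proc_mem(pid_t pid, uintptr_t addr, const void *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int fd = open(path, O_RDWR);
    if (fd < 0) return -1;
    ssize_t n = pwrite(fd, buf, len, (off_t)addr);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Route 2: the debugger interface itself. Attach (stops the target), poke one
 * machine word at a time, preserving bytes beyond 'len', then detach. */
static int write_ptrace(pid_t pid, uintptr_t addr, const void *buf, size_t len)
{
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) < 0) return -1;
    if (waitpid(pid, NULL, 0) < 0) return -1;      /* wait for the attach stop */
    int rc = 0;
    for (size_t off = 0; off < len; off += sizeof(long)) {
        size_t chunk = len - off < sizeof(long) ? len - off : sizeof(long);
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + off), NULL);
        if (word == -1 && errno) { rc = -1; break; }
        memcpy(&word, (const char *)buf + off, chunk);
        if (ptrace(PTRACE_POKEDATA, pid, (void *)(addr + off), (void *)word) < 0) {
            rc = -1;
            break;
        }
    }
    ptrace(PTRACE_DETACH, pid, NULL, NULL);
    return rc;
}

/* Fork a victim, swap its handler for injected(), and return the victim's
 * exit status (42 if the injection took effect, -1 on failure). */
int inject_into_child(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) victim_loop();                    /* child never returns */

    /* After fork() the child has our layout, so &handler and injected are
     * valid in its address space too. Against an unrelated process these
     * would have to be derived from /proc/PID/maps. */
    handler_fn target = injected;
    if (write_proc_mem(pid, (uintptr_t)&handler, &target, sizeof target) != 0 &&
        write_ptrace(pid, (uintptr_t)&handler, &target, sizeof target) != 0) {
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return -1;
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    int rc = inject_into_child();
    printf("child exited with %d (expected 42)\n", rc);
    return rc == 42 ? 0 : 1;
}
```

<font size=2 face="sans-serif">Build and run with <tt>gcc -Wall -o inject inject.c && ./inject</tt>. If both routes fail with EPERM, check <tt>/proc/sys/kernel/yama/ptrace_scope</tt>: a value of 1 still permits a parent to reach its own descendants, which is all this demo needs, while 2 or 3 blocks it. The same checks are what stop an unprivileged bob from reaching an iexplorer-style target owned by another user on a Linux box.</font>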
<table width=100%>
<tr valign=top>
<td width=40%><font size=1 face="sans-serif"><b>Chris Hilton <chris129@cs.iastate.edu></b>
</font>
<br><font size=1 face="sans-serif">Sent by: cialug-bounces@cialug.org</font>
<p><font size=1 face="sans-serif">01/05/2006 01:05 PM</font>
<table border>
<tr valign=top>
<td bgcolor=white>
<div align=center><font size=1 face="sans-serif">Please respond to<br>
Central Iowa Linux Users Group <cialug@cialug.org></font></div></table>
<br>
<td width=59%>
<table width=100%>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">To</font></div>
<td valign=top><font size=1 face="sans-serif">Central Iowa Linux Users
Group <cialug@cialug.org>, amesfug@amesfug.org</font>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td valign=top>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">Subject</font></div>
<td valign=top><font size=1 face="sans-serif">[Cialug] Nix Shared Code
Injection</font></table>
<br>
<table>
<tr valign=top>
<td>
<td></table>
<br></table>
<br>
<br>
<br><font size=2><tt>I've got a theoretical question. It's come to
my attention that the way in <br>
which a lot of spyware works is through some APIs in Windows (apparently
<br>
written for debuggers) by injecting a DLL into another running process.
The <br>
standard process permissions apply, but you can inject from say bob.exe
into <br>
iexplorer.exe.<br>
My question is about Nix though. Does anyone know if this can be
done on Nix?<br>
<br>
I've looked into Sys V IPC for shared memory and mmap and neither looks
like <br>
you could involuntarily do anything to another process's memory space (it'd
<br>
have to open the same IPC location if I read correctly).<br>
I also looked at what processes look like under gdb, and not under it: they
look <br>
exactly the same. I used /proc/`pidof procName`/maps to compare.<br>
<br>
I'm not finding anything to suggest a way to do this, at least not a way
that <br>
wouldn't be against what the documentation says. Does anyone know
more about <br>
this? It's piqued my curiosity.<br>
<br>
<br>
On a side note, this is why ZoneAlarm doesn't stop nearly as much
spyware as <br>
it used to. Since spyware can hitch its own DLL on iexplorer and
do its <br>
sends from there, it looks like iexplorer is connecting to the net; and
no one <br>
but a Firefox user, who doesn't run updates, would refuse that ;).<br>
<br>
<br>
-- <br>
"The only winning move is not to play."<br>
_______________________________________________<br>
Cialug mailing list<br>
Cialug@cialug.org<br>
http://cialug.org/mailman/listinfo/cialug<br>
</tt></font>
<br>