One of the great things about being bored sitting at a datacenter waiting for long processes to finish is the opportunity to fill that mind-numbing boredom with useful knowledge. I spent the past little while learning DTrace. I gotta say, I love it. The SolarisInternals site has many good scripts to help teach DTrace. One of the things I'd like to do with DTrace is use it for malicious purposes. In my Linux days, I authored a project called Project Hijack, which allows an attacker to effortlessly inject arbitrary code into a process during runtime and hijack dynamically loaded functions. I'd like to port that project, or as much of it as possible, to DTrace.
It took me about 30 minutes to be comfortable writing simple DTrace scripts. Here's one tiny malicious script I wrote:
#!/usr/sbin/dtrace -s
/* copyoutstr() is a destructive action; without this option dtrace rejects the script */
#pragma D option destructive

syscall::open:entry
/copyinstr(arg0) == "/tmp/mal.txt"/
{
	copyoutstr("/tmp/haha.txt", arg0, strlen("/tmp/haha.txt"));
}
Any time an application calls open() on /tmp/mal.txt, the path in the application's own memory is overwritten before the kernel reads it, so the application actually opens /tmp/haha.txt. This script is simple, which is exactly why I really love DTrace.
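The flip side of that simplicity is that any D script with the destructive option enabled can rewrite process memory this way, so a production operator wants to know before running `dtrace -s` whether a script is read-only or destructive. As an added example (not from the original post), here is a small Python audit that flags the destructive D actions documented in the Solaris Dynamic Tracing Guide and whether the script enables the destructive option; the script above is embedded as its sample input, and the function and constant names are my own.

```python
import re

# Destructive D actions listed in the Solaris Dynamic Tracing Guide.
DESTRUCTIVE_ACTIONS = {"stop", "raise", "copyout", "copyoutstr", "system",  # process
                       "breakpoint", "panic", "chill"}  # kernel

# A call is an identifier directly followed by "(", so probe descriptions such
# as syscall::open:entry are never mistaken for actions.
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')
PRAGMA_RE = re.compile(r"^\s*#pragma\s+D\s+option\s+destructive\b", re.MULTILINE)

def strip_comments(src):
    # Blank out C-style comments but keep line numbers stable for reporting.
    return re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"),
                  src, flags=re.DOTALL)

def audit_dscript(src):
    # Map each destructive action in src to the lines it occurs on and record
    # whether the script turns on the destructive option at all.
    found = {}
    text = strip_comments(src)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = STRING_RE.sub('""', line)  # ignore action names inside strings
        for m in CALL_RE.finditer(line):
            if m.group(1) in DESTRUCTIVE_ACTIONS:
                found.setdefault(m.group(1), []).append(lineno)
    return {
        "destructive_pragma": bool(PRAGMA_RE.search(text)),
        "destructive_actions": found,
        "writes_process_memory": any(n in ("copyout", "copyoutstr") for n in found),
    }

def verdict(report):
    # Classification a deployment gate can act on before dtrace -s is run.
    if not report["destructive_actions"]:
        return "read-only"
    if report["writes_process_memory"]:
        return "modifies-process-memory"
    return "destructive"

# The post's open() redirection script, copied as it appears on the page.
PAGE_SCRIPT = """\
syscall::open:entry
/copyinstr(arg0) == "/tmp/mal.txt"/
{
copyoutstr("/tmp/haha.txt", arg0, strlen("/tmp/haha.txt"));
}
"""
```

Running `verdict(audit_dscript(PAGE_SCRIPT))` classifies the script as modifying process memory (copyoutstr on line 4) and reports that it lacks the destructive pragma, which is why dtrace would refuse to compile it as posted.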
I'll write more about it later. The processes I'm running on our production server are almost finished. Also, I'll be at Defcon. If you wanna meet up, let me know. Drop a comment or send me an email.
A few years back, I researched runtime process infection. I developed a shared library to ease code injection and hijacking. The project, libhijack, only got up to version 0.3 but was full-featured at 0.3. I now own a MacBook Pro and would like to try my hand at porting libhijack to DTrace. I'd like to research how to use DTrace for malicious purposes.
I'll report back when I learn a bit more.