shellcode injection via ptrace()
the injection opcode isn’t really elegant or anything, but i found other articles quite difficult to follow at first because of the advanced styles they use. the ones i’ve seen involve forking, or ‘call instruction mimicry’, or ‘original register restoration’, or a combination of all of them. so i start again from the simple ‘hello world’. no shell-spawning or stuff like that.
the rundown basically consists of:
1) attaching to a process and reading its registers (esp and eip)
2) allocating space in the stack segment for the shellcode
3) pointing eip to the start of the allocated space
4) giving control back to the program (in most cases, but not here: i simply exit())
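added here as the defender’s counterpart to step 1, not code from the original post: a small C program that detects an existing tracer through the TracerPid field of /proc/self/status and then uses prctl(PR_SET_DUMPABLE, 0) so that another unprivileged process of the same uid can no longer PTRACE_ATTACH to it (root or CAP_SYS_PTRACE is not stopped, and Yama’s ptrace_scope may already be stricter). the status buffer in main() is constructed for the stand-alone run.

```c
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* parse the TracerPid line out of a /proc/<pid>/status-style buffer.
   returns the tracer's pid, 0 if nobody is attached, -1 if the field is absent. */
int tracer_pid_from_status(const char *status)
{
    const char *line = status;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            int pid = -1;
            return sscanf(line + 10, "%d", &pid) == 1 ? pid : -1;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* read our own status file and report who (if anyone) is tracing us */
int self_tracer_pid(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* mark the process non-dumpable: PTRACE_ATTACH from a same-uid process is refused
   from now on (until the next execve). returns 0 on success. */
int refuse_ptrace_attach(void) { return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); }

/* current dumpable flag: non-zero means a same-uid attach is still permitted */
int attach_permitted(void) { return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0); }

int main(void)
{
    /* constructed sample of the status field, pid 4242 is made up */
    const char *sample = "Name:\tloop\nTracerPid:\t4242\nUid:\t1000\n";
    printf("sample tracer pid: %d\n", tracer_pid_from_status(sample));
    printf("our tracer pid: %d\n", self_tracer_pid());
    refuse_ptrace_attach();
    printf("same-uid attach still permitted: %d\n", attach_permitted());
    return 0;
}
```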
first comes the test program i wanna trace. it’s just an infinite for loop that prints some text on the screen. my goal is to insert instructions that make it print another string and quit.
