BC INTERNET
Saved by @Mollyycolllinss

Linux code injection paint-by-numbers.

Can we launch a process that looks one way to (superficial) auditors but is, in fact, entirely different? (Think process hollowing and the like on Windows).

Firstly, how are processes created and what does related auditing look like?

 The most common pattern is fork() → execve(). Where the fork() syscall create a duplicate of the running process context and execve() overlays a copy of the target program onto that context.
After calling fork(), we’ll have two processes, the original one and a new - duplicated - one (with a new pid).

Control will return from fork() to both process instances. In the child process, the return value will simply by 0, in the parent it will hold the pid of the child.
Thus we can determine whether we are running in the child context and call execv() accordingly, while allowing the parent to continue.
Now, let’s take a look at where the auditing hooks lie. From calling execve(), we’ll eventually land up in exec_binrpm().
Without delving too deeply, this function resolves the interpreter handler for the target we’re trying to execute. (Here we’re executing an ELF binary, so we’ll get the relevant ELF handler). But that is a topic for another day.
Prior to exec_binrpm() returning, audit hooks will be called.
In our scenario, we *want* these hooks to be called so the original target executable is identified, but we don’t want the target to actually execute.
On Windows, all processes are created suspended; CreateProcess could be called with the CREATE_SUSPENDED flag in order to instruct Kernel32.dll not to get the kernel to resume the target after process setup.
On Linux, process execution will continue immediately after execv() so we must do something different. We can use ptrace() to control execution of the child target.
This is set up by first instructing the kernel from the child context that it wants to be traced (PTRACE_TRACEME) and then instructing the parent process to wait on the first trap.

By default, this will happen on exit of the execve() syscall.
Now that we have a form of suspended process creation, we need to decide what to do with it.

The options here are numerous. In this example, we want to chose a strategy that doesn’t require us doing any image/reloc fix-up foo.

We can use dlopen() to do all the heavy lifting.
The first issue is that we have suspended execution in a state prior to libc being mapped in and made available to the target process. As (almost?) all dynamically linked processes will require libc, we can let this happen naturally by letting the target run until this is done.
It is important to ensure that (1) the execution progresses to a point where libc is mapped and (2) the process is in a state where we can safely hijack execution flow, but (3) is prior to actual target execution (+ generic enough to support various targets).
I initially tried trapping target execution after libc is mapped (executing until relevant close()).
Naturally this failed as the process was not yet sufficiently set up to support stable execution (for e.g. stack sentinel storage via mov    rax,QWORD PTR fs:0x28 in the function prologue would fail; fs is not yet sane).
To achieve a state where (1), (2), and (3) are all honoured, we can trap a little further down. I chose to target brk().
To recap:

We’ve created a child process and halted execution prior to anything too process-specific having been run but after basic setup has taken place.
Now we need to get inject our code.
As mentioned earlier, the plan is to use bog-standard dlopen() to get the code staged in the target.
But how to locate dlopen()?

A cursory glance shows that dlopen() is exported by libdl. But alas this library is not loaded in our process address space.
Ultimately, however, __libc_dlopen_mode() is the underlying libc function that will do the work and that is available to us.
First, we’re going to need to get the offset of the __libc_dlopen_mode() function within libc.
The easiest way I could think of, of doing this programmatically was simply to use the dynamic linker within the parent process context + calculating the offset from the loaded library address.

dlopen(libc) → dlsym(__libc_dlopen_mode)
The library address can be obtained from the link_map structure returned by dlopen().
A caveat to keep in mind here is that taking the fcn_addr - lm->l_addr yields an offset which includes the difference between the address in the ELF binary and where address where it was loaded in memory.

We will account for this offset skew shortly.
Next, we’ll obtain the address of the libc instance that is mapped in our target process.
Procfs exposes mapping info in /proc//maps. We can look up the mapped address of the executable section of libc, accounting for the offset of the in-memory address of the mapped ELF and calculate a final value for __libc_dlopen_mode() in the target.
My implementation of this bit is, regrettably, quick & dirty.
Finally, we need to set the necessary arguments for __libc_dlopen_mode() and call the function within the target process context.
Remembering that we don’t care to continue with the original target flow at any point, we can hijack execution by pointing rip to the address of __libcdl_open_mode() that we just calculated.
The function signature for __libcdl_open_mode() matches that of dlopen() - with the addition of an explicit *dl_caller which I just set to NULL.

x86_64 calling convention dictates that we’ll be using registers rdi (library path), rsi (mode), rdx (dl caller).
rdi holds a pointer to the library path. We need somewhere writeable to put it.

The easy choice here is just to dump it somewhere on the stack (we’re not interested in a sane return from __libc_dlopen_mode() after all).
Everything is now set up. Releasing target execution will result in our code being loaded into the target address space via __libc_dlopen_mode().
At some point, something will break in the target application (remember, we have hijacked rip and corrupted the stack).

This is a great outcome as it’ll trap back into the parent process and allow us to redirect control to our injected code.
(I did initially mess around with getting better control over the return from libc but honestly it didn’t seem worth the bother.)
Calling our injected code is as simple as pointing rip at it and resuming execution. (We discover its loaded address in the very same way that we discovered that of __libc_dlopen_mode() previously.)
Finally we can detach the parent process.

And we’re done.
Now in terms of forensics:

Auditing ptrace() is the obvious go-to for real-time process injection determination

Beyond that; process memory space anomalies (in this example, the injected code will appear as a mapped image) + the usual gamut of behavioural analysis opportunities

More from Internet

Jake Brukhman
Jake Brukhman
@jbrukh
1/The next major problem set in #DeFi is #NFTLiquidity.

It has become very clear that, like fungibles, nonfungibles are their own financial asset class.

One path to see this is to envision the future of NFTs as “liquid

2/Some say that NFTs “shouldn’t be” liquid, yet the innovation process continues.

Just like photography has become much easier to create in the last 100 years, liquid NFTs will surely bring down price points of tokenized digital content but will also open expansive new markets.

3/The key observation is this: #NFTLiquidity is merely a technical problem for #DeFi, and the entire set of economic mechanisms is its solution space.

👉🏻 In particular, because of tokenization, *the NFT liquidity problem reduces to the NFT price discovery problem.*

4/In other words, if we could reliably price a set of NFTs, we could issue a token backed by their reliably priced future resale value.

This is a core mechanism that today is underutilized in the market, and one that — we will soon see — applies to all illiquid assets.

5/Today, NFT price discovery proceeds via three main mechanisms: sales, auctions, and ERC20 fractionalization.

And the fundamental problem with each of these mechanisms is capital efficiency: in each mechanism, participants need to spend *at least* $N to value something at $N.
INTERNET
foone
foone
@Foone
I was hacking a game and accidentally invented a word for when you think someone is trans and you're proud of them for coming out but then you find out they aren't


someone is excited to watch bill nye in science class


This happens because one of the ways I figure out which memory location needs to be modified is by memory-searching for all occurrences and changing the first letter of them

so like if I know the next line of dialog is "Die"
I change it to "Aie" "Bie" "Cie" "Eie" "Fie"

then I see which one shows up in the game
INTERNET
Advertisement
Elky
Elky
@Elky_Style
Company
Permanent suspension of @realDonaldTrump
By Twitter Inc.
Friday, 8 January 2021
After close review of recent Tweets from the @realDonaldTrump account and the context around them — specifically how they are being received and interpreted on and off Twitter —


we have permanently suspended the account due to the risk of further incitement of violence. 

In the context of horrific events this week, we made it clear on Wednesday that additional violations of the Twitter Rules would potentially result in this very course of action.

Our public interest framework exists to enable the public to hear from elected officials and world leaders directly. It is built on a principle that the people have a right to hold power to account in the open. 

However, we made it clear going back years that these accounts are

not above our rules entirely and cannot use Twitter to incite violence, among other things. We will continue to be transparent around our policies and their enforcement. 

The below is a comprehensive analysis of our policy enforcement approach in this case.

Overview

On January 8, 2021, President Donald J. Trump Tweeted:

“The 75,000,000 great American Patriots who voted for me, AMERICA FIRST, and MAKE AMERICA GREAT AGAIN, will have a GIANT VOICE long into the future. They will not be disrespected or treated unfairly in any way, shape or form
INTERNET
Fran\xe7ois Chollet
François Chollet
@fchollet
Here's an overview of key adoption metrics for deep learning frameworks over 2020: downloads, developer surveys, job posts, scientific publications, Colab usage, Kaggle notebooks usage, GitHub data.

TensorFlow/Keras = #1 deep learning solution.


Note that we benchmark adoption vs Facebook's PyTorch because it is the only TF alternative that registers on the scale. Another option would have been sklearn, which has massive adoption, but it isn't really a TF alternative. In the future, I hope we can add JAX.

TensorFlow has seen 115M downloads in 2020, which nearly doubles its lifetime downloads. Note that this does *not* include downloads for all TF-adjacent packages, like tf-nightly, the old tensorflow-gpu, etc.


Also note that most of these downloads aren't from humans, but are automated downloads from CI systems (but none are from Google's systems, as Google doesn't use PyPI).

In a way, this metric reflects usage in production.

There were two worldwide developer surveys in 2020 that measured adoption of various frameworks: the one from StackOverflow, targeting all developers, and the one from Kaggle.
INTERNET
words are weapons \u26a1
words are weapons ⚡...
@vimoh
I have been a Substack and Patreon user for a few years now. And though more than one social media giant has, in recent months, expressed the desire to help writers and journalists monetise their audience, there are very good reasons to take these SOPs with a pinch of salt.

Because the reason Patreon and Substack came into existence was not the need for a new business model. It was as a cure for the old business model - an algorithm-driven ad revenue system that powered the attention economy. The attention economy turned audiences into scrollers...

...who were in it for the next viral hit. Quality of information suffered, the nature of discourse suffered, and as a result, democracy itself suffered. Much of this was enabled by the social media giants who are trying to copy the Substack and Patreon model right now in an...

...attempt to "put creators first". But what we must not lose sight of is that the Substack / Patreon model only emerged as a result of the bad practices the social media giants enabled. The algorithm made a toxic internet possible and they were what hit back. Today, multiple...

...podcasting tools video streaming services have donation buttons built in. But it was not always so. I applaud all attempts that anyone makes to help independent media not have to rely on ad money, but I am not going to ever be able to see Facebook's newsletter tool as a...
INTERNET

You May Also Like

Anumah, Abdulraheem Okehi \U0001f468\u200d\U0001f52c\U0001f1f3\U0001f1ec \U0001f1eb\U0001f1f7 \U0001f1f5\U0001f1f9 \U0001f1ea\U0001f1f8
Anumah, Abdulraheem Ok...
@AnumahABD
Department List of UCAS-China PROFESSORs for ANSO, CSC and UCAS (fully or partial) Scholarship Acceptance
1) UCAS School of physical sciences Professor
https://t.co/9X8OheIvRw
2) UCAS School of mathematical sciences Professor

3) UCAS School of nuclear sciences and technology
https://t.co/nQH8JnewcJ
4) UCAS School of astronomy and space sciences
https://t.co/7Ikc6CuKHZ
5) UCAS School of engineering

6) Geotechnical Engineering Teaching and Research Office
https://t.co/jBCJW7UKlQ
7) Multi-scale Mechanics Teaching and Research Section
https://t.co/eqfQnX1LEQ
😎 Microgravity Science Teaching and Research

9) High temperature gas dynamics teaching and research section
https://t.co/tVIdKgTPl3
10) Department of Biomechanics and Medical Engineering
https://t.co/ubW4xhZY2R
11) Ocean Engineering Teaching and Research

12) Department of Dynamics and Advanced Manufacturing
https://t.co/42BKXEugGv
13) Refrigeration and Cryogenic Engineering Teaching and Research Office
https://t.co/pZdUXFTvw3
14) Power Machinery and Engineering Teaching and Research
EDUCATION
Sahil
Sahil
@sahilypatel
Want to do an MBA for free ?

A thread 👇

1) Leadership: Foundations of Teamwork and Leadership

School: wharton

2) Marketing: Marketing Management

School: wharton

3) Microeconomics: Microeconomics for Managers

School:

4) Financial Theory

School:
ALL , MBA , MBA SERIES
Advertisement
Jaya_Upadhyaya
Jaya_Upadhyaya
@Jayalko1
DODDA GANAPATHI, BENGALURU
#karnatakatemples

Dodda in Kannada means big. Sri Ganesha here is 18 ft tall in height and 16 ft wide. Dodda Ganesha is also known as Shakthi Ganapathi and Satya Ganapathi.

It is said that Kempe Gowda, the founder of Bengaluru, saw a rock here.


The rock had engravings of Ganesha. His sculptors cut the Ganesha murti from that single rock. Later, a shrine was built around the Ganesh murti.

It is believed that Dodda Ganapathi is the protector of Bengaluru. All auspicious events start by praying to Him.


Benne Alankara is the most famous festival here when about 100 kg of butter is coated over Ganapathi every four years and the rich prasad is offered to the worshippers.

Ganesha is also covered in cream colour and is decorated with golden laces and buttons
@GampaSD


The Dodda Ganapathi murti is believed to be still growing in size, especially towards right.

The weavers from old Bengaluru tie a coconut to their looms before starting work. When the work is completed, they break 100 coconuts here along with the one tied on the loom.
ALL
Delilah S. Dawson
Delilah S. Dawson
@DelilahSDawson
Hello, writers! How about a thread on LITERARY AGENTS? How to get one, how to talk to one, how to keep one happy. Spoiler alert: I am 100% pro agent and can't imagine not having one on my side. 1/

Why would you want a literary agent?
* you want to be traditionally published
* you want someone experienced to help guide your career
* you want to learn how to edit like a pro
* you want to sell foreign and movie rights
* you want answers to your newbie questions 2/

Why you might *NOT* want a literary agent:
* you want to self publish
* you're not willing to compromise on your edits
* you don't think their expertise is worth 15% of your advance
I... can't think this way. Literary agents have been crucial to my career. 3/

So, how do you get a literary agent?
1. Have a finished, revised, edited, polished manuscript.
2. Write a query letter for your book
3. Send your query to agents who rep your genre and are open to submissions
4. Repeat steps 1-4 until you're offered representation. 4/

So, let's go through those four steps. First of all, you must have a finished, revised, edited, polished book, and it must be sellable. That is, you can't sell a 600k picture book or a 40k adult Fantasy, etc. You must read extensively in the genre you're writing. 5/
WRITING
Brianne Kimmel \U0001f4ac
Brianne Kimmel 💬...
@briannekimmel
Shocking fact: Millennial men are less likely to work than any other age and gender demographic in America.

Today, there are 500,000 young men missing from the U.S. workforce.

Research suggests video games & improved leisure tech plays a role in the problem. 👇 Thread:

Following the 2007 to 2009 recession, 25 to 34 year old men exited high school with fewer middle-skill job opportunities than years prior.

During this time, we saw an increased number of men living with parents & choosing unemployment over lower paying jobs.

It's estimated that 24M millennials live w/ their parents.

1 in 4 living in their parents’ home neither go to school nor work.

What's more surprising? 9 in 10 who lived with their parents a year ago are still living there w/ no plans to leave.

Economists are calling millennial men a lost generation.

According to economist David Dorn:

“If you get to the point where you’re turning 30, you’ve never held a real job and you don’t have a college education, then it is very hard to recover at that point.”

Economists suggest this choosiness is a generational trait.

Forbes interview w/ a high school educated man:

"I’m very quick to get frustrated when people refuse to pay me what I’m worth."
“People feel that they have choice nowadays, and they
SOCIETY