BC INTERNET
Saved by @Mollyycolllinss

Linux code injection paint-by-numbers.

Can we launch a process that looks one way to (superficial) auditors but is, in fact, entirely different? (Think process hollowing and the like on Windows).

Firstly, how are processes created and what does related auditing look like?

 The most common pattern is fork() → execve(). Where the fork() syscall create a duplicate of the running process context and execve() overlays a copy of the target program onto that context.
After calling fork(), we’ll have two processes, the original one and a new - duplicated - one (with a new pid).

Control will return from fork() to both process instances. In the child process, the return value will simply by 0, in the parent it will hold the pid of the child.
Thus we can determine whether we are running in the child context and call execv() accordingly, while allowing the parent to continue.
Now, let’s take a look at where the auditing hooks lie. From calling execve(), we’ll eventually land up in exec_binrpm().
Without delving too deeply, this function resolves the interpreter handler for the target we’re trying to execute. (Here we’re executing an ELF binary, so we’ll get the relevant ELF handler). But that is a topic for another day.
Prior to exec_binrpm() returning, audit hooks will be called.
In our scenario, we *want* these hooks to be called so the original target executable is identified, but we don’t want the target to actually execute.
On Windows, all processes are created suspended; CreateProcess could be called with the CREATE_SUSPENDED flag in order to instruct Kernel32.dll not to get the kernel to resume the target after process setup.
On Linux, process execution will continue immediately after execv() so we must do something different. We can use ptrace() to control execution of the child target.
This is set up by first instructing the kernel from the child context that it wants to be traced (PTRACE_TRACEME) and then instructing the parent process to wait on the first trap.

By default, this will happen on exit of the execve() syscall.
Now that we have a form of suspended process creation, we need to decide what to do with it.

The options here are numerous. In this example, we want to chose a strategy that doesn’t require us doing any image/reloc fix-up foo.

We can use dlopen() to do all the heavy lifting.
The first issue is that we have suspended execution in a state prior to libc being mapped in and made available to the target process. As (almost?) all dynamically linked processes will require libc, we can let this happen naturally by letting the target run until this is done.
It is important to ensure that (1) the execution progresses to a point where libc is mapped and (2) the process is in a state where we can safely hijack execution flow, but (3) is prior to actual target execution (+ generic enough to support various targets).
I initially tried trapping target execution after libc is mapped (executing until relevant close()).
Naturally this failed as the process was not yet sufficiently set up to support stable execution (for e.g. stack sentinel storage via mov    rax,QWORD PTR fs:0x28 in the function prologue would fail; fs is not yet sane).
To achieve a state where (1), (2), and (3) are all honoured, we can trap a little further down. I chose to target brk().
To recap:

We’ve created a child process and halted execution prior to anything too process-specific having been run but after basic setup has taken place.
Now we need to get inject our code.
As mentioned earlier, the plan is to use bog-standard dlopen() to get the code staged in the target.
But how to locate dlopen()?

A cursory glance shows that dlopen() is exported by libdl. But alas this library is not loaded in our process address space.
Ultimately, however, __libc_dlopen_mode() is the underlying libc function that will do the work and that is available to us.
First, we’re going to need to get the offset of the __libc_dlopen_mode() function within libc.
The easiest way I could think of, of doing this programmatically was simply to use the dynamic linker within the parent process context + calculating the offset from the loaded library address.

dlopen(libc) → dlsym(__libc_dlopen_mode)
The library address can be obtained from the link_map structure returned by dlopen().
A caveat to keep in mind here is that taking the fcn_addr - lm->l_addr yields an offset which includes the difference between the address in the ELF binary and where address where it was loaded in memory.

We will account for this offset skew shortly.
Next, we’ll obtain the address of the libc instance that is mapped in our target process.
Procfs exposes mapping info in /proc//maps. We can look up the mapped address of the executable section of libc, accounting for the offset of the in-memory address of the mapped ELF and calculate a final value for __libc_dlopen_mode() in the target.
My implementation of this bit is, regrettably, quick & dirty.
Finally, we need to set the necessary arguments for __libc_dlopen_mode() and call the function within the target process context.
Remembering that we don’t care to continue with the original target flow at any point, we can hijack execution by pointing rip to the address of __libcdl_open_mode() that we just calculated.
The function signature for __libcdl_open_mode() matches that of dlopen() - with the addition of an explicit *dl_caller which I just set to NULL.

x86_64 calling convention dictates that we’ll be using registers rdi (library path), rsi (mode), rdx (dl caller).
rdi holds a pointer to the library path. We need somewhere writeable to put it.

The easy choice here is just to dump it somewhere on the stack (we’re not interested in a sane return from __libc_dlopen_mode() after all).
Everything is now set up. Releasing target execution will result in our code being loaded into the target address space via __libc_dlopen_mode().
At some point, something will break in the target application (remember, we have hijacked rip and corrupted the stack).

This is a great outcome as it’ll trap back into the parent process and allow us to redirect control to our injected code.
(I did initially mess around with getting better control over the return from libc but honestly it didn’t seem worth the bother.)
Calling our injected code is as simple as pointing rip at it and resuming execution. (We discover its loaded address in the very same way that we discovered that of __libc_dlopen_mode() previously.)
Finally we can detach the parent process.

And we’re done.
Now in terms of forensics:

Auditing ptrace() is the obvious go-to for real-time process injection determination

Beyond that; process memory space anomalies (in this example, the injected code will appear as a mapped image) + the usual gamut of behavioural analysis opportunities

More from Internet

Simon Wardley
Simon Wardley
@swardley
X : Can you apply pace layers to maps?
Me : You can but what is where evolves. However, same rules apply to things, practices, data, knowledge and ethical values. All are forms of evolving capital. In the mapping world, we refer to this with pioneers, settlers and town planners.


X : What's the robot for?
Me : Image from an older presentation slide, don't worry it has no relevance.
X : Is this linked to diffusion?
Me : Not simply. Evolution of a single component can consist of many hundreds of diffusion curves i.e. a virus diffuses but it also evolves.

X : Why have you got DevOps in legacy? We haven't even started yet.
Me : That's not my problem. I would take a look at serverless.
X : DevOps is serverless.
Me : Some of the practices maybe co-opted (see ITIL vs DevOps) but the new faction will decide what it is or isn't.

X : I also disagree with your methods graphic.
Me : Do you mean this? As applied to the following map?
X : Yes. Lean is suitable for innovation.
Me : Ah, that depends upon what you mean by innovation. If you mean Genesis then lightweight XP has it beat.


X : I disagree.
Me : Well, I've had 15 years of people telling me that Agile works everywhere or Lean works everywhere or Six Sigma works everywhere and why all the competing methods don't. I have no interest in the conversation. Use appropriate methods based upon context.
INTERNET
Pasquale "Pat" Scopelliti
Pasquale "Pat" Scopell...
@ThyConsigliori
29 December 2020 #MAGAanalysis #Overturn

Comments On @OptimisticCon Article:

The key supporting effort appears to be underway on Trump’s operational timeline

As we emphasized yesterday, J.E. Dyer commands us: "But do hold the line."
INTERNET
Advertisement
Derek Ross
Derek Ross
@derekmross
Parler has been hacked and user data has been downloaded. The following thread contains information from /u/BlueMountainDace on Reddit:

"so a group of developers latched onto the Press Release that Twilio put out at midnight last night. In that Press Release, Twilio

accidentally revealed which services Parler was using. Turns out it was all of the security authentications that were used to register a user. This allowed anyone to create a user, and not have to verify an email address, and immediately have a logged-on account.

Well,

because of that access, it gave them access to the behind the login box API that is used to deliver content -- ALL CONTENT (parleys, video, images, user profiles, user information, etc) --. But what it also did was revealed which USERS had "Administration" rights,

"Moderation" rights.

Well, then what happened, those user accounts that had Administration rights to the entire platform... The hackers, internet warriors, call it what you will, was able to use the forgot password link to change the password. Why? Because Twilio was no

longer authenticating emails. This meant, they'd get directly to the reset password screen of that Administration user.

This group of Internet Warriors then used that account, to create a handful of other ADMINISTRATION accounts, and then created a script that ended up
INTERNET
Surya Mattu
Surya Mattu
@suryamattu
We’ve spent the last ten months building #CitizenBrowser, a project that aims to peek inside the Black Box of social media algorithms, by building a nationwide panel to share data with us. Today, we are publishing our first story from the project. /1

.@corintxt crunched the numbers and found that after Facebook flipped the switch for political ads, partisan content elbowed out reputable news outlets in our panelists’ news feeds. https://t.co/Z0kibSBeQZ /2

You can learn more in our methodology, where we describe how we did this and what steps we took to ensure that we preserved the panelists' privacy. https://t.co/UYbTXAjy5i /3

Personally, this project is the culmination of years of experiments trying to figure out how to collect data from social media platforms in a way that can lead to meaningful reporting. I’ve described a couple of highlights below 👇 /4

My first attempt was in 2016 at Propublica, when I was working with @JuliaAngwin . We were interested in seeing if there was a difference in the Ad interests FB disclosed to users in their settings and the interests they showed to marketers. /5
INTERNET
That Happy Dude
That Happy Dude
@ThatHappyDudee
1/

Thread on @signalapp:

28th Nov 2011: A deal is made.

Security researcher @Moxie Marlinspike and Roboticist Stuart Anderson's brainchild, Whisper Systems, will be sold off to Twitter for a nice sum of money. It comes as a surprise because all of Whisper System's services


Lemme know of your thoughts on this entire story of the Signal App! Also help dispel the rumors surrounding it!

Cc: @UnSubtleDesi @swati_gs @rahulroushan @bhootnath @PrinceArihan @BefittingFacts @disclosetv @TheWolfpackIN @VertigoWarrior @WarHorizon @ExSecular @RDXThinksThat
INTERNET

You May Also Like

Anu Satheesh \U0001f1ee\U0001f1f3
Anu Satheesh 🇮🇳...
@AnuSatheesh5
Nanganallur Anjaneya Temple
#Chennai
#Tamilnadutemples 🚩

Bhaktha Anjaneya temple at Nanganallur in Chennai is one among tallest Anjaneyar Vigraham. Here Anjaneyar blesses with relief to all illness. Vigraham is about 32 feet height made of single  stone.
Anjaneyar here is 👇


Sri Vishwaroopa Aadhivyathihara Baktha Anjaneya Swamy.

Sthala Puranam says that, this is the place where Indra Deva hit Hanuman on the cheek by his Vajrastram. Sri Raghavendra Swami and Sri Kanchi Paramacharyar were behind in building this temple. Temple is constructed to


Realize power of Anjaneyar who is seen both in Ramayana and Mahabharatha.
Vadamalai is important offering to Anjaneyar here. It is believed that vigraham contain powers to heal any disease. Shri Ramanavami is celebrated here.

Jai Sri Ram
Jai Hanuman
🙏🕉🙏
ALL
Jaya_Upadhyaya
Jaya_Upadhyaya
@Jayalko1
SRI MOOKAMBIKA DEVI, KOLLUR (KAR)

There was an Asura, Kaumasura, who was doing penance to please Shiva and get a boon. To prevent him from asking for a boon, Devi Saraswati made him dumb (hence called Mookasur)
Later, Adi Parashakti slayed him and came to be called Mookambika.


It is said that Adi Shankaracharya had a vision in which Devi agreed to follow him provided he did not look back. He kept walking and was assured of her presence due to the sound of anklets. When he reached here in Kollur, he turned back as the sound of anklets had stopped.


So Devi stayed here and merged with the lingam. The place came to be called Mookambika Kshetram.
The linga has integrated on it’s left side MahaKali, Maha Lakshmi and Maha Saraswathi and on the right side- Brahma, Vishnu and Shiva.


A swarna rekha (gold line) divides this linga into left and right portion. Adi Shakthi in this Udhbhavlinga form appears only here.
Devi sits in padmasana and has 4 hands.
Adi Shankaracharya installed the Sri Chakra in front of Devi and also composed the Soundarya Lahiri here.
ALL
Advertisement
Edwin Hayward
Edwin Hayward
@uk_domain_names
Ok, it's high time to look at the REAL effects of Brexit. As the Tories implode & Labour sits on its hands, companies are executing contingency plans, shifting jobs & assets, slashing investments, or redomiciling (accounting exercise). Happening NOW, not in a fantasy future. 1/95

Barden Corporation is closing down its Plymouth factory after 51 years, putting 400 jobs at risk, as its parent company Schaeffler shifts production to various sites outside the UK due to Brexit.

8 health providers have warned of medicine shortages in the event of a no-deal Brexit: "we do not believe that the current medicine supply plans will suffice, and we will have widespread shortages if we do not respond urgently."

Pfizer - $100 million on Brexit prep: "Pfizer’s preparations are well advanced to make the changes necessary to meet EU legal requirements after the U.K. is no longer a member state, especially in the regulatory, manufacturing and supply chain areas."

The Government has spent £4.2 billion pounds on Brexit preparations (£2.2 billion in previous Budgets, plus an additional £2 billion in the most recent Budget.)
POLITICS
Zen Black
Zen Black
@z3nblack
1/ Thread: "A Silicon Valley Ponzi Scheme"

Thanks to @chamath for laying this out in Social Capital's 2018 annual letter.

I've always appreciated his outspokenness.

2/ The hardest thing for most startups today is the path to market: first finding product-market fit & a way to reach customers, then building a ruthless machine to acquire, monetize & retain them.

3/ Because of this, when the VC industry invests capital into fast growing startups today, the plurality (if not majority) of invested capital will go into user acquisition and ad spending, for better or worse— usually worse.

4/ Todays massive venture-backed advertising, sales, and user acquisition playbook has morphed into one that champions growth at any cost.

This is creating a big bill that will soon come due...

5/ Ad impressions and click-throughs are bid up to outrageous prices by startups flush with venture money, and prospective users demand more and more subsidized products to gain their initial attention.
TECH , STARTUPS , {TEST FOLDER}
Jaya_Upadhyaya
Jaya_Upadhyaya
@Jayalko1
JWALAMUKHI TRIPURASUNDARI, UTHANAHALLI, MYSURU (KAR)
#bharatmandir

Jwalamukhi Tripursundari is believed to be the sister of Devi Chamundeshwari, the presiding deity of Mysuru
It is also that she represents the flaming mouth of Jalandhara, the demon whom Shiva crushed to death.


When Devi Chamundeswari was fighting Mahishasura, she observed that from every drop of blood that spilled out of Mahishasura, another demon was born. So she created Tripurasundari to ensure that no blood dripped from Mahishasura.


Tripura Sundari means beauty of the three worlds.
The murti was installed during Wodeyar rule. An utsava murti made of pancha loha is kept in the sanctum sanctorum.
Another shrine here is dedicated to Siddeshwara / Shiva surrounded by a beautiful wooden Mantapa.
@GunduHuDuGa
ALL