MITRE ATT&CK T1055.008 Process Injection: Ptrace System Calls

Written by Huseyin Can YUCEEL | Feb 27, 2025 10:20:56 AM

Ptrace System Calls is a process injection technique used by adversaries to execute malicious code within a legitimate process on Linux and Unix-based systems. This technique exploits the ptrace system call, which is typically used for debugging purposes. By attaching to a running process, attackers can manipulate its memory, modify register values, and inject arbitrary code, effectively hijacking execution to run malicious payloads within a trusted application.

In this blog post, we explain the T1055.008 Ptrace System Calls technique of the MITRE ATT&CK® framework and explore in detail how adversaries employ ptrace system call injection, with real-world attack examples.

What is ptrace?

The ptrace() function is a system call in Unix and Unix-like operating systems that enables one process (the tracer) to observe and manipulate the internal state of another process (the tracee). Ptrace system call injection is a technique that uses the ptrace() system call to attach to an already running process and modify its memory and registers. It can serve a range of purposes, including injecting code into a process to alter its behavior.

Ptrace is a system call that allows one process (the tracer) to control another process (the tracee) and observe its execution. It is used by debuggers and other tools to perform tasks such as inspecting the memory and registers of a process, modifying its execution, and single-stepping its instructions.

Ptrace is implemented as a system call in Unix-like operating systems such as Linux. A program invokes the ptrace function with arguments that select the operation to be performed and the process to be traced.

Some common operations that can be performed using ptrace include:

  • Reading and writing the memory and registers of the tracee

  • Setting breakpoints in the tracee's code

  • Single-stepping the tracee's instructions

  • Attaching to and detaching from a running process

Ptrace is a powerful tool that can be used for a variety of purposes, including debugging, reverse engineering, and malware analysis. It can also be used by adversaries to inspect and modify the execution of processes on a system, which helps them evade detection and achieve persistence.

Adversary Use of Ptrace System Calls

Here's how an attacker might use the ptrace system call to perform code injection:

  1. Attaching to the Target Process: The attacker's process uses ptrace with the PTRACE_ATTACH option to attach to the target process. This causes the target process to pause execution and become traceable by the attacker's process.

  2. Waiting for the Target Process to Stop: The attacker's process waits for a signal from the target process that indicates it has stopped and is ready for tracing. This is typically done by listening for a SIGSTOP signal.

  3. Injection Preparation: The attacker locates or allocates a section of memory within the target process's address space, where the malicious code (often referred to as shellcode) will be injected. This may involve searching for existing executable memory regions or allocating new memory using ptrace to invoke the mmap system call in the target process.

  4. Copying the Shellcode: Using ptrace with the PTRACE_POKEDATA or PTRACE_POKETEXT operation, the attacker writes the shellcode byte by byte into the allocated memory space of the target process.

  5. Setting Instruction Pointer: With the shellcode in place, the attacker uses ptrace to set the instruction pointer (IP) register (e.g., EIP on x86, RIP on x86_64) of the target process to the address of the injected code.

  6. Resuming Target Process Execution: After the shellcode is in place and the instruction pointer is set, the attacker resumes the execution of the target process using ptrace with the PTRACE_CONT option, causing the target process to jump to and execute the injected shellcode.

  7. Detaching from the Target Process (if applicable): Once the code has been executed, and if further interaction with the target process is not needed, the attacker process can use ptrace with the PTRACE_DETACH option to detach from the target process and allow it to continue execution normally.
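
Seen from the defender's side, the seven steps above form a recognisable sequence of ptrace requests. The following Python script is an added example, not code from the original post: it parses constructed Linux audit SYSCALL records and flags a tracer that attaches, writes into the tracee, sets its registers and then resumes it, while ignoring a debugger that only attaches and reads. It assumes x86_64 (ptrace is syscall 101, the request is logged in a0 and the tracee pid in a1 as bare hex) and that auditd is logging the ptrace syscall; the sample records are constructed.

```python
"""Flag the ptrace injection sequence (attach -> write -> set registers -> resume)
in Linux audit SYSCALL records. Assumptions (not from the original post): x86_64,
ptrace logged by an audit rule such as `-a always,exit -F arch=b64 -S ptrace -k ptrace`."""
import re
from collections import defaultdict

PTRACE_SYSCALL_X86_64 = 101
# ptrace request numbers from <sys/ptrace.h> that map onto the steps above.
REQUESTS = {16: "ATTACH", 4: "POKETEXT", 5: "POKEDATA", 13: "SETREGS", 7: "CONT", 17: "DETACH"}
WRITE_OPS = {"POKETEXT", "POKEDATA"}  # requests that write into the tracee's memory
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not real logs): an injector (pid 2345) acting on tracee 0x4d2, and a debugger (pid 3000) that only attaches, peeks and detaches.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1709000000.100:10): arch=c000003e syscall=101 a0=10 a1=4d2 a2=0 a3=0 pid=2345 comm="injector" exe="/tmp/injector"',
    'type=SYSCALL msg=audit(1709000000.101:11): arch=c000003e syscall=101 a0=4 a1=4d2 a2=7f0000001000 a3=cc pid=2345 comm="injector" exe="/tmp/injector"',
    'type=SYSCALL msg=audit(1709000000.102:12): arch=c000003e syscall=101 a0=d a1=4d2 a2=0 a3=7ffd00001000 pid=2345 comm="injector" exe="/tmp/injector"',
    'type=SYSCALL msg=audit(1709000000.103:13): arch=c000003e syscall=101 a0=7 a1=4d2 a2=0 a3=0 pid=2345 comm="injector" exe="/tmp/injector"',
    'type=SYSCALL msg=audit(1709000000.200:14): arch=c000003e syscall=101 a0=10 a1=1a4 a2=0 a3=0 pid=3000 comm="gdb" exe="/usr/bin/gdb"',
    'type=SYSCALL msg=audit(1709000000.201:15): arch=c000003e syscall=101 a0=2 a1=1a4 a2=401000 a3=0 pid=3000 comm="gdb" exe="/usr/bin/gdb"',
    'type=SYSCALL msg=audit(1709000000.202:16): arch=c000003e syscall=101 a0=11 a1=1a4 a2=0 a3=0 pid=3000 comm="gdb" exe="/usr/bin/gdb"',
]

def parse_record(line):
    """Return tracer pid, tracee pid, request name and exe for a ptrace SYSCALL record, else None."""
    f = dict(FIELD_RE.findall(line))
    if f.get("type") != "SYSCALL" or int(f.get("syscall", -1)) != PTRACE_SYSCALL_X86_64:
        return None
    req = int(f["a0"], 16)  # audit logs syscall arguments as bare hex
    return {"pid": int(f["pid"]), "tracee": int(f["a1"], 16),
            "request": REQUESTS.get(req, str(req)), "exe": f.get("exe", "").strip('"')}

def find_injections(lines):
    """Report (tracer, tracee) pairs whose calls contain ATTACH, then a write, then SETREGS, then CONT/DETACH, in that order."""
    history = defaultdict(list)
    for rec in filter(None, map(parse_record, lines)):
        history[(rec["pid"], rec["tracee"], rec["exe"])].append(rec["request"])
    hits = []
    for (tracer, tracee, exe), ops in history.items():
        try:
            i = ops.index("ATTACH")
            i = next(j for j, op in enumerate(ops) if j > i and op in WRITE_OPS)
            i = ops.index("SETREGS", i)
            next(j for j, op in enumerate(ops) if j > i and op in ("CONT", "DETACH"))
        except (ValueError, StopIteration):
            continue  # e.g. a debugger that attaches and only reads memory
        hits.append({"tracer": tracer, "tracee": tracee, "exe": exe,
                     "writes": sum(op in WRITE_OPS for op in ops)})
    return hits
```

On a real host, feed it `ausearch -k ptrace --raw` output; a tracer that writes and sets registers but never resumes the tracee (steps 4 and 5 without step 6) would still merit a look and can be matched by relaxing the final check.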

Ptrace system call injection is a powerful method of executing arbitrary code in the context of another process and can be used by attackers to manipulate or spy on target applications, or to run malicious payloads without requiring a binary file on disk. However, modern Linux distributions have security mechanisms like Yama and SELinux that can restrict ptrace usage to prevent debugging by unauthorized users and, thus, mitigate this kind of attack.