the Shadows: A Deep Dive into Linux Process Injection & Modern Detection Techniques

Listen to this Post

Featured Image

Introduction:

Linux process injection is a sophisticated offensive security technique that allows attackers to hijack the execution flow of a running process. This module from Hack The Box Academy explores the abuse of ELF sections and dynamic linking, providing both red and blue teams with critical knowledge for exploitation and defense.

Learning Objectives:

  • Understand the fundamental principles of local and remote process injection on Linux systems.
  • Learn to abuse ELF structures and dynamic linking for execution flow hijacking.
  • Develop skills to detect, analyze, and mitigate process injection attacks.

You Should Know:

1. The /proc Filesystem and Process Memory Inspection

`cat /proc/[bash]/maps`

`cat /proc/[bash]/mem`

`pmap [bash]`

`ps aux | grep [bash]`

`readelf -l [bash]`

The `/proc` directory is a virtual filesystem providing a window into kernel and process information. Each running process has a subdirectory named by its PID. The `maps` file reveals the memory layout, including readable, writable, and executable segments. The `mem` file provides a direct view of the process’s entire memory space, though reading it requires appropriate privileges. `pmap` offers a cleaner, formatted output of the memory map. Understanding this layout is the first step in identifying potential injection targets and vulnerable memory regions.

2. Ptrace: The Debugger’s Double-Edged Sword

`ptrace(PTRACE_ATTACH, pid, NULL, NULL);`

`ptrace(PTRACE_PEEKDATA, pid, addr, NULL);`

`ptrace(PTRACE_POKEDATA, pid, addr, data);`

`ptrace(PTRACE_DETACH, pid, NULL, NULL);`

`gdb -p [bash]`

Ptrace is the system call used by debuggers to control another process. While essential for development and debugging, it is a primary vector for process injection. The `PTRACE_ATTACH` command stops the target process and gives the attacker control. `PTRACE_PEEKDATA` and `PTRACE_POKEDATA` allow reading from and writing to the process’s memory, respectively. This can be used to inject shellcode. Finally, `PTRACE_DETACH` resumes the process. Monitoring for unexpected ptrace attachments is a key detection strategy.

3. Shellcode Injection with ptrace and /proc/mem

`unsigned char shellcode[] = “\x31\xc0\x50\x68…”;`

`long addr = ptrace(PTRACE_PEEKTEXT, pid, ip, NULL); // Get Instruction Pointer`
`for(int i = 0; i < len; i+=4) { ptrace(PTRACE_POKETEXT, pid, addr + i, (long)(shellcode + i)); }` `ptrace(PTRACE_SETREGS, pid, NULL, &new_regs); // Set registers to point to shellcode` `printf "\\x%02x" shellcode.bin | xxd -r -p > shellcode.raw`

This is the core of a classic injection. First, position-independent shellcode is generated. The attacker then attaches to the process via ptrace. The current instruction pointer is retrieved to find a suitable location. The shellcode is written into the process’s memory page by page using PTRACE_POKETEXT. The process’s registers are then modified to point to the start of the injected shellcode. When execution is resumed, the process runs the attacker’s code.

4. Advanced Technique: Abusing Dynamic Linker Structures

`LD_PRELOAD=/path/to/malicious_lib.so victim_program`

`readelf -d [bash] | grep NEEDED`

`objdump -T [bash]`

`pldd [bash]`

The dynamic linker/loader is responsible for loading shared libraries. `LD_PRELOAD` is a well-known method to inject a shared library, forcing it to be loaded before all others. For more stealthy injections, attackers can directly manipulate dynamic linking structures in memory, such as the Global Offset Table (GOT) or the Procedure Linkage Table (PLT). By overwriting function pointers in the GOT, an attacker can redirect legitimate function calls to malicious code without modifying the text segment, often bypassing simple integrity checks.

  1. Remote Process Injection: The Power of Shared Memory

`int shm_id = shmget(IPC_PRIVATE, size, IPC_CREAT | 0666);`

`void shm_addr = shmat(shm_id, NULL, 0);`

`memcpy(shm_addr, shellcode, size);`

`// In the target process (injected via ptrace or other means)`

`void remote_addr = shmat(shm_id, NULL, 0);`

For remote injection (across different process trees), shared memory provides a powerful mechanism. The attacker creates a shared memory segment using `shmget` and attaches to it with shmat. The shellcode is copied into this segment. The attacker then forces the target process to attach to the same shared memory segment (using the same shm_id). The shellcode is now accessible within the target process’s address space without a direct `write` operation, making it harder to detect.

6. Detection with Linux Auditing Subsystem (auditd)

`auditctl -a always,exit -S ptrace -k process_injection`

`auditctl -a always,exit -S execve -k process_injection`

`ausearch -k process_injection`

`aureport –summary`

The Linux audit framework (auditd) is a cornerstone for detection. You can create rules to log specific system calls. The rule `-S ptrace` will log all ptrace calls, which is a high-fidelity signal for injection activity. The `-k` flag tags the event for easy searching. The `ausearch` tool is then used to query the logs for these tags. Correlating unexpected ptrace usage with subsequent `execve` calls from a foreign process can reveal a successful injection.

7. Forensic Memory Analysis with Volatility on Linux

`volatility -f [memory_dump.img] imageinfo`

`volatility -f [memory_dump.img] –profile=[bash] linux_pslist`

`volatility -f [memory_dump.img] –profile=[bash] linux_proc_maps -p [bash]`

`volatility -f [memory_dump.img] –profile=[bash] linux_check_modules`

`volatility -f [memory_dump.img] –profile=[bash] linux_malfind -p [bash]`

For post-incident forensics, memory analysis is irreplaceable. The Volatility framework, with its Linux plugins, can dissect a memory capture. `linux_pslist` lists running processes. `linux_proc_maps` shows the memory regions of a specific process, where you can look for anomalous executable mappings in writable memory or unexpected shared libraries. The `linux_malfind` plugin is specifically designed to scan for chunks of memory that have executable attributes but contain what looks like shellcode, automatically flagging potential injection sites.

What Undercode Say:

  • The line between legitimate debugging and malicious injection is dangerously thin, with `ptrace` sitting squarely in the middle.
  • Modern attacks are shifting from crude shellcode writes to sophisticated runtime manipulation of dynamic linking structures, making detection based on text-section integrity less effective.

The HTB Academy module signifies a maturation of Linux offensive security, moving it closer to the complexity long seen in Windows environments. The focus on abusing ELF and dynamic linking is particularly insightful, as it targets the very foundations of how Linux executes programs. For blue teams, this means traditional file-based AV scanning is insufficient; deep runtime behavioral monitoring and memory analysis are now non-negotiable. The techniques outlined force a defense-in-depth strategy, combining strict seccomp filters to block ptrace, vigilant auditd logging, and proactive threat hunting using memory forensics tools. This knowledge is critical for building resilient systems against the next generation of Linux-based threats.

Prediction:

The normalization and education of advanced Linux process injection techniques will lead to a significant rise in sophisticated Linux malware and post-exploitation frameworks in the wild. This will push the cybersecurity industry to develop more robust EDR solutions for Linux servers and embedded devices, a market traditionally underserved compared to its Windows counterpart. The arms race between injection methods and in-memory detection capabilities will define Linux security for the next decade.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Yazid Benjamaa – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky