As we can see, our program injects and executes shellcode that creates an executable memory mapping, into which the payload program is then injected and executed:

Run the host program (the one that you want to infect):

    ryan@elfmaster:~$ ./host &
    [1] 29656
    I am but a simple program, please don't infect me.

Run code_inject and tell it to inject the program named payload into the process for the host:

    ryan@elfmaster:~$ ./code_inject `pidof host` payload
    I am the payload who has hijacked your process!
    [1]+  Done                    ./host
You may have noticed that there appears to be no traditional shellcode (an array of raw bytes) in code_inject.c. That's because the uint64_t injection_code(void *) function is our shellcode. Since it is already compiled into machine instructions, we just calculated its length and passed its address to pid_write() in order to inject it into the process. This, in my opinion, is a more elegant way of doing things than the more common method of including an array...
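To show what it takes for a compiled C function to serve as shellcode in this way, here is an added, self-contained example (my own code, not the book's code_inject.c, and not its pid_write()). The payload is written in C, its byte length is computed as the distance from its address to the address of a marker function placed right after it, and those bytes are copied into a fresh mapping and executed from there within the same process, which stands in for the ptrace write into the host. The .text.inject section name, the injection_code_end() marker and the injection_size()/run_injected() helpers are assumptions of this example; only the name injection_code() is taken from the text. The example also applies the constraints the trick imposes (no calls, no globals, no string literals inside the payload) and checks that the marker really landed after the payload before trusting the length.

```c
/* inject_demo.c (added example; build: gcc -O2 -o inject_demo inject_demo.c) */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Payload and end marker share one named section so that (end - start) is the
 * payload length even if the compiler shuffles the rest of .text. */
#define SHELLCODE __attribute__((section(".text.inject"), noinline))

/* The payload. For a C function to survive being copied to another address it
 * must not reference anything outside itself: no libc calls (they become
 * PLT/relative calls that point back into the original binary), no globals or
 * string literals (rip-relative loads into .rodata), no large locals
 * (stack-protector canaries, memset calls). This one performs a raw getpid()
 * syscall and adds the 64-bit value its argument points at, so the return
 * value proves that the relocated copy really ran. */
SHELLCODE uint64_t injection_code(void *arg)
{
    uint64_t pid;
#if defined(__x86_64__)
    /* SYS_getpid is 39; the syscall instruction clobbers rcx and r11 */
    __asm__ volatile ("syscall" : "=a"(pid) : "a"(39) : "rcx", "r11", "memory");
#elif defined(__aarch64__)
    register uint64_t x8 __asm__("x8") = 172;     /* SYS_getpid on aarch64 */
    register uint64_t x0 __asm__("x0");
    __asm__ volatile ("svc #0" : "=r"(x0) : "r"(x8) : "memory");
    pid = x0;
#else
    pid = 0;                                      /* no raw syscall on this arch */
#endif
    return pid + *(const uint64_t *)arg;
}

/* End marker: the next function body in the same section. */
SHELLCODE uint64_t injection_code_end(void *arg)
{
    (void)arg;
    return 0;
}

/* Byte length of the compiled payload, or 0 if the marker did not land after
 * it (then the address-difference trick cannot be trusted for this build). */
size_t injection_size(void)
{
    uintptr_t start = (uintptr_t)injection_code;
    uintptr_t end   = (uintptr_t)injection_code_end;
    return end > start ? (size_t)(end - start) : 0;
}

/* Copy the payload into a fresh anonymous mapping and call it there: the
 * in-process stand-in for pid_write()ing the same bytes into the host's
 * executable mapping. Maps RW, copies, then flips to RX (the text's injector
 * creates one RWX mapping; W^X also works where RWX is denied).
 * Returns the payload's result (getpid() + in, never 0), or 0 on failure. */
uint64_t run_injected(uint64_t in)
{
    size_t len = injection_size();
    if (len == 0)
        return 0;
    void *map = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map == MAP_FAILED)
        return 0;
    memcpy(map, (const void *)injection_code, len);
    if (mprotect(map, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(map, len);
        return 0;
    }
    __builtin___clear_cache((char *)map, (char *)map + len); /* required on arm64 */
    uint64_t (*fn)(void *) = (uint64_t (*)(void *))map;
    uint64_t out = fn(&in);
    munmap(map, len);
    return out;
}

int main(void)
{
    uint64_t in = 1000, out;
    printf("injection_code() is %zu bytes at %p\n",
           injection_size(), (void *)injection_code);
    out = run_injected(in);
    if (out == 0) {
        fputs("injection failed (bad length or mapping refused)\n", stderr);
        return 1;
    }
    printf("relocated copy returned %lu = getpid() %d + %lu\n",
           (unsigned long)out, (int)getpid(), (unsigned long)in);
    return out == (uint64_t)getpid() + in ? 0 : 1;
}
```

Before pointing an injector at this, disassemble the payload (objdump -d on the binary and read injection_code) and confirm there is no call, jmp to an external symbol, or rip-relative memory operand in it; anything of that kind would work in the original binary and silently break in the copy. The same bytes and the same injection_size() are what you would hand to a pid_write()-style ptrace writer to place them in the host.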