evolving the process injection
play

Evolving the Process Injection Injecting the Python bytecode - PowerPoint PPT Presentation

Nov 26, 2023 •151 likes •696 views

Evolving the Process Injection Injecting the Python bytecode WhoAmI Red teamer at Sberbank of Russia OSCP/OSCE/SLAE Process Injection purposes Accessing/modifying in-memory data or program execution flow AV evasion &

  1. Evolving the Process Injection Injecting the Python bytecode

  2. WhoAmI ● Red teamer at Sberbank of Russia ● OSCP/OSCE/SLAE

  3. Process Injection purposes ● Accessing/modifying in-memory data or program execution flow ● AV evasion & anti-forensics ● Post-exploitation & maintaining access

  4. Traditional Process Injection ● Linux ○ strace ○ ptrace ○ SO Injection ● Windows ○ DLL Injection ○ Process Hollowing

  5. Software is Evolving ● Interpreted (and VM-based) languages keep growing their popularity, even in non-traditional areas ● New paradigms - microservices, serverless technologies

  6. Evolving & Attacker Benefits ● Injecting VM-based (or other interpreted) languages potentially gives us all benefits of these languages in our payloads — portability, ability to use “high-level” interfaces over “low-level” functions and other ● Also, it is very hard to investigate — how many people can detect and successfully reverse engineer Java or Python bytecode payloads?

  7. Primary Goal ● Find a way to manipulate running Python process to gain required impact on target system (usermode persistence, internal logic modification and other) ● This way should work at least for x86_64 CPU, Linux and CPython 3.5.3

  8. Python ● Interpreted, high-level programming language ● Object-oriented, mostly ● Strong community, great standard library, and perfect extensibility Note: Python itself is just a reference, you can build your own Python engine and decide how it will work with Python code — compile it to special bytecode, interpret it as is, or even translate to Java bytecode and execute it with JVM

  9. CPython ● The reference implementation of Python ● Written in C (and Python) ● Compiles source code to bytecode and interprets it with Python Virtual Machine (PVM)

  10. CPython — Compilation 1. Parse source code into a parse tree 2. Transform parse tree into an Abstract Syntax Tree 3. Transform AST into a Control Flow Graph 4. Emit bytecode based on the Control Flow Graph

  11. CPython — Compilation Example Compilation produces a set of Objects (e.g., CodeObject for handling bytecode) and prepares them for Interpretation in the PVM >>> def hello(): >>> hello.__code__.co_code.hex() ... print("Hello!") '740064018301010064005300' >>> hello >>> dis.dis(hello.__code__) <function hello at 0x10bd210d0> 2 0 LOAD_GLOBAL 0 (print) 2 LOAD_CONST 1 ('Hello!') >>> hello() 4 CALL_FUNCTION 1 Hello! 6 POP_TOP 8 LOAD_CONST 0 (None) 10 RETURN_VALUE

  12. CPython — Python Virtual Machine (PVM) ● Virtual Stack Machine ○ Value Stack, Call Stack, and Block Stack ○ No registers ⇨ Short instructions list ● Custom memory management ○ Huge space mapped as MAP_ANONYMOUS | MAP_PRIVATE ○ Arenas, Pools, and Blocks — internal memory management primitives ⇨ Small amount of system malloc/free calls ● Operates Objects, not raw memory values ⇨ Keeps abstraction level high

  13. CPython — A Short Guide to Objects ● Compilation and Interpretation produce a wide set of memory primitives named Objects ● C is not Object-Oriented, therefore all Objects are described with corresponding structs ● PVM works with these structs , therefore, we have to discover some of them to move forward

  14. CPython — PyObject & PyVarObject ● Universal headers, the Basis for all other Objects ● Every pointer to a CPython Object can be cast to a PyObject* — inheritance built by hand ● PyVarObject is just a PyObject extension to describe Objects with variable-sized part

  15. PyObject — Structure typedef struct _object { _PyObject_HEAD_EXTRA Py_ssize_t ob_refcnt; struct _typeobject *ob_type; } PyObject;

  16. PyVarObject — Structure typedef struct { PyObject ob_base; Py_ssize_t ob_size; } PyVarObject;

  17. CPython — Types ● Every Object in CPython has its own Type specified by PyObject.ob_type field ● Types are Objects too — instances of PyTypeObject struct ● Type Objects are a fundamental part of CPython describing Objects functionality and behavior ● Some Examples: ○ PyUnicodeObject.ob_type → PyUnicode_Type ○ PyBytesObject.ob_type → PyBytes_Type ○ PyCodeObject.ob_type → PyCode_Type

  18. CPython — The Type for Types ● Every Type Object is a PyObject, therefore it has the ob_type field: ○ PyUnicode_Type.ob_type → PyType_Type ○ PyBytes_Type.ob_type → PyType_Type ○ PyCode_Type.ob_type → PyType_Type ● But PyType_Type is a PyObject too: ○ PyType_Type.ob_type → PyType_Type

  19. PyTypeObject — Structure typedef struct _typeobject { PyObject_VAR_HEAD const char *tp_name; Py_ssize_t tp_basicsize, tp_itemsize; ... } PyTypeObject;

  20. A Short Guide to Objects — Subtotals ● We already know the structure of PyObject and PyTypeObject instances — comparatively, low-level structures. ● There is still no place to inject CPython bytecode. ● Let’s check the Object that works with CPython bytecode itself — PyCodeObject.

  21. CPython — PyCodeObject ● PyCodeObject — PyObject extension to describe pieces of Static Code. ● PyCodeObject.ob_type → PyCode_Type ● PyCodeObject is NOT a run-time primitive, it stores only static information about bytecode: ○ PyUnicodeObject* co_name — specifies code name (e.g., function name, <stdin>) ○ PyBytesObject* co_code — opcode sequence ○ PyTupleObject* co_consts — constants used

  22. PyCodeObject — Example >>> def hello(): >>> hello.__code__.co_name ... print("Hello!") 'hello' ... >>> hello.__code__.co_code b't\x00d\x01\x83\x01\x01\x00d\x00S\x00' >>> hello.__code__.co_consts (None, 'Hello!')

  23. PyCodeObject — Structure typedef struct { PyObject_HEAD ... PyObject *co_code; PyObject *co_filename; PyObject *co_name; ... } PyCodeObject;

  24. PyCodeObject — Points of Interest ● Controlling PyCodeObject allows us to play with member fields and pointers like co_code and co_consts ● Changing the co_code (ob_type → PyBytes_Type) field gives us an ability to change existing or inject new bytecode ● Playing with the co_consts (ob_type → PyTuple_Type) field allows us to add some data to our injection

  25. CPython — PyBytesObject ● PyBytesObject — PyVarObject extension to describe byte sequences ● PyBytesObject.ob_type → PyBytes_Type ● Just a container for bytes sequence

  26. PyBytesObject — Structure typedef struct { PyObject_VAR_HEAD Py_hash_t ob_shash; char ob_sval[1]; } PyBytesObject;

  27. CPython — PyTupleObject ● PyTupleObject — PyVarObject extension to describe immutable arrays of object references ● PyTupleObject.ob_type → PyTuple_Type ● Just a container for object references

  28. PyTupleObject — Structure typedef struct { PyObject_VAR_HEAD PyObject *ob_item[1]; } PyTupleObject;

  29. A Short Guide to Objects — Conclusion ● Gaining control on PyCodeObject and corresponding low-level structures allows us to patch bytecode, inject values and do other things in the Virtual Memory ● The main question there — How can we find necessary PyCodeObject?

  30. Finding PyCodeObject The main approach: unraveling pointers chains ● with known code name — targeted impact ○ Code name ⇨ PyUnicodeObject ⇨ PyCodeObject.co_name ○ ● with Symbol Table lookup — requires access to Python binary ○ PyCode_Type (from Symbol Table) ⇨ PyCodeObject.ob_type ○ ● with PyType_Type — potentially gives us access to all Objects ○ “type\x00” ⇨ PyType_Type ⇨ PyCode_Type ⇨ PyCodeObject.ob_type

  31. PyCodeObject.co_code Patching ● When PyCodeObject is located, we can continue our work ● Let’s try to patch existing bytecode and see how can we use that

  32. PyCodeObject.co_code Patching — Example ● An old-school example — patching the “if-then-else” construction def check_password(password): if password == "P@ssw0rd": return True else: return False # bytecode: 7c00006401006b0200721000640200536403005364000053

  33. PyCodeObject.co_code Patching — Example ● Will use NOP instruction with 0x09 opcode # bytecode[9:12] = b”\x09\x09\x09”

  34. PyCodeObject.co_code Patching — The Problem ● There is a chance to crash the application while patching bytecode being executed ● PyCodeObject is not a run-time primitive, there is no flag to show us the Object is executing or not ● But this flag exists in PyFrameObject

  35. CPython — PyFrameObject ● PyFrameObject — PyVarObject extension to describe the Call Stack Frame ● PyFrameObject.ob_type → PyFrame_Type ● PyFrameObject — dynamic object created during Interpretation, it stores arguments during function call and do other things like traditional Stack Frame

  36. PyFrameObject — Structure typedef struct _frame { PyObject_VAR_HEAD struct _frame *f_back; /* previous frame, or NULL */ PyCodeObject *f_code; /* code segment */ ... PyObject *f_locals; /* local symbol table (any mapping) */ ... PyObject *f_localsplus[1]; /* locals+stack, dynamically sized */ } PyFrameObject;

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: &quot;SELECT

445 views • 32 slides
5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring Term 2016 Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 1 Table of Contents Injection in PHP

995 views • 73 slides
A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks databases into reveal l information by way of the success or failure of injected querie ies Analogous example le: Login prompt that stops ps

602 views • 14 slides
Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch: As a rule, proton/ion accelerators need their full aperture at injection, thus avoiding mismatch allows a beam of larger normalized emittance * and containing more Protons. In proton/ion ring accelerators any Injection

454 views • 4 slides
A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application into executing commands or code embedded in data Data and code mixing! Often injected into interpreters SQL, PHP, Python, JavaScript, LDAP,

377 views • 14 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

466 views • 29 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

487 views • 21 slides
The Contact Process on Evolving Scale-free Networks Motivation and results Amitai Linker

The Contact Process on Evolving Scale-free Networks Motivation and results Amitai Linker

The Contact Process on Evolving Scale-free Networks Motivation and results Amitai Linker (Universidad de Chile) Joint work with Peter M orters (University of Bath) Emmanuel Jacob (ENS Lyon) The contact process The contact process Given a

963 views • 71 slides
UI Evolving Platform Evolving Architecture Evolving About Me Xianning ( Pronunciation

UI Evolving Platform Evolving Architecture Evolving About Me Xianning ( Pronunciation

UI Evolving Platform Evolving Architecture Evolving About Me Xianning ( Pronunciation Shining) Liu Full Stack Developer, Mobile SME, Lead Consultant @ThoughtWorks Tech Lead &amp; Solution Architect. Recently focusing on scale mobile

854 views • 49 slides
DYNAMIC GAS VENTING VALVES WORKING SYSTEM ZS STROKE During the injection process the spring

DYNAMIC GAS VENTING VALVES WORKING SYSTEM ZS STROKE During the injection process the spring

DYNAMIC GAS VENTING VALVES WORKING SYSTEM ZS STROKE During the injection process the spring keeps the sliding insert in open position allowing the gases to pour out through the hole on the top of the valve. When the fmow front reaches SGD

299 views • 6 slides
FABRICATION OF MICRO-PATTERN OF QUARTZ GLASS IN INJECTION MOLDING PROCESS K.Honta 1, 2 , E.Ono 2 ,

FABRICATION OF MICRO-PATTERN OF QUARTZ GLASS IN INJECTION MOLDING PROCESS K.Honta 1, 2 , E.Ono 2 ,

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS FABRICATION OF MICRO-PATTERN OF QUARTZ GLASS IN INJECTION MOLDING PROCESS K.Honta 1, 2 , E.Ono 2 , T.Takayama 2 , H.Ito 2 * 1 Tosoh Quartz Co.,Ltd, Yamagata,Japan 2 Department of Polymer

417 views • 4 slides
ITRC DRAFT Document: Optimizing Injection Strategies &amp; In Situ Remediation Performance FRTR:

ITRC DRAFT Document: Optimizing Injection Strategies &amp; In Situ Remediation Performance FRTR:

ITRC DRAFT Document: Optimizing Injection Strategies &amp; In Situ Remediation Performance FRTR: SYNTHESIZING EVOLVING CSM S WITH APPLICABLE REMEDIATION TECHNOLOGIES Team Leads: Dave Scheer, Minnesota PCA &amp; Janet Waldron, Massachusetts DEP

703 views • 36 slides
Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection Practices The ONE and ONLY Campaign Outbreak History Mistaken Beliefs A Call to Action Resources and Information

591 views • 20 slides
Are plant populations evolving during the process of seed increase for restoration? Julie R.

Are plant populations evolving during the process of seed increase for restoration? Julie R.

Are plant populations evolving during the process of seed increase for restoration? Julie R. Etterson U of MN Duluth Erin K. Espeland Nancy C. Emery Kristin L. Mercer Scott A. Woolbright Karin M. Kettenring Espeland et al. 2017. Evolution

578 views • 39 slides
Metastability for the contact process on evolving scale-free networks Peter M orters K oln

Metastability for the contact process on evolving scale-free networks Peter M orters K oln

Metastability for the contact process on evolving scale-free networks Peter M orters K oln joint work with Emmanuel Jacob (ENS Lyon) Amitai Linker (Universidad de Chile) Aim of the project Motivation: We would like to understand how

698 views • 66 slides
1.PAULSON Training Program on Injection Molding Process Objectives Paulson offers the most

1.PAULSON Training Program on Injection Molding Process Objectives Paulson offers the most

1.PAULSON Training Program on Injection Molding Process Objectives Paulson offers the most comprehensive training and service package available to the plastics industry. Paulson Training Programs provides a board range of molding training

317 views • 16 slides
DSN 2004 INSTITUTO DE COMPUTAO INTERNATIONAL CONFERENCE ON DEPENDABLE SYSTEMS Centro

DSN 2004 INSTITUTO DE COMPUTAO INTERNATIONAL CONFERENCE ON DEPENDABLE SYSTEMS Centro

DSN 2004 INSTITUTO DE COMPUTAO INTERNATIONAL CONFERENCE ON DEPENDABLE SYSTEMS Centro Superior de Educao Tecnolgica AND NETWORK JUNE/2004 Architecture-based Strategy INSTITUTO DE INSTITUTO DE COMPUTAO COMPUTAO for

387 views • 13 slides
WCS Perspectives Regarding Greater Than Class C LLW J. Scott Kirk, CHP, Vice President of

WCS Perspectives Regarding Greater Than Class C LLW J. Scott Kirk, CHP, Vice President of

WCS Perspectives Regarding Greater Than Class C LLW J. Scott Kirk, CHP, Vice President of Licensing &amp; Regulatory Affairs NRC Commissioners Briefing 13 August 2015, Rockville, Maryland 1 SECY-15-0094 WCS commends the NRC, TCEQ ,

463 views • 12 slides
VLSI Design Part 3.1.2: VHDL-4 Liang Liu liang.liu@eit.lth.se 1 Lund University / EITF35/ Liang

VLSI Design Part 3.1.2: VHDL-4 Liang Liu liang.liu@eit.lth.se 1 Lund University / EITF35/ Liang

EITF35: Introduction to Structured VLSI Design Part 3.1.2: VHDL-4 Liang Liu liang.liu@eit.lth.se 1 Lund University / EITF35/ Liang Liu Outline Handling Large Designs: Hierarchical Component Generics Configurations Library

712 views • 33 slides
Hierarchical Design Rewriting with Maude Alberto Lluch Lafuente, Roberto Bruni, Ugo Montanari

Hierarchical Design Rewriting with Maude Alberto Lluch Lafuente, Roberto Bruni, Ugo Montanari

Hierarchical Design Rewriting with Maude Alberto Lluch Lafuente, Roberto Bruni, Ugo Montanari Department of Computer Science Software Engineering for University of Pisa Service-Oriented Overlay Computers { bruni,lafuente,ugo } @di.unipi.it 7th

527 views • 24 slides
Figure 2.25 from page 92 of Exploring the Heart of Ma2er

Figure 2.25 from page 92 of Exploring the Heart of Ma2er

Figure 2.25 from page 92 of Exploring the Heart of Ma2er Temperature Early Universe The Phases of QCD LHC Experiments RHIC Experiments R H I C E n e r g y Quark-Gluon Plasma S c a n

354 views • 4 slides
What is the Hamiltonian for parent high- temperature superconductors Andr-Marie Tremblay,

What is the Hamiltonian for parent high- temperature superconductors Andr-Marie Tremblay,

What is the Hamiltonian for parent high- temperature superconductors Andr-Marie Tremblay, Alexis Gagn-Lebrun CENTRE DE RECHERCHE SUR LES PROPRITS LECTRONIQUES DE MATRIAUX AVANCS Commanditaires: Outline What is the problem?

537 views • 26 slides
Consequences of the LHC results in the interpretation of ray families and giant EAS data

Consequences of the LHC results in the interpretation of ray families and giant EAS data

Consequences of the LHC results in the interpretation of ray families and giant EAS data Jean-Nol CAPDEVIELLE APC, CNRS, Univ. Paris-Diderot Remarkable cosmic ray events in the LHC energy range From X-emulsion Chambers Exotics,

705 views • 35 slides
Cosmology in Tension 5th International E-Conference on Entropy and Its Applications Eleonora Di

Cosmology in Tension 5th International E-Conference on Entropy and Its Applications Eleonora Di

Cosmology in Tension 5th International E-Conference on Entropy and Its Applications Eleonora Di Valentino University of Manchester Introduction to CMB Planck collaboration, 2018 An important tool of research in cosmology is the angular power

881 views • 45 slides

More recommend