A Rust crate to load a shared library into a target process without using ptrace.

Overview

Intruducer

A Rust crate to load a shared library into a target process without using ptrace. This is a portable rewrite of dlinject.

example

Compatibility

It should work for x86, x86-64, arm and aarch64, for both Linux and Android.

Example

# Build binary
cargo build --example intruducer
# Build victim
cargo build --example victim
# Build library
rustc ./examples/evil.rs --crate-type cdylib --out-dir ./target/debug/examples

# Execute the victim
cd ./target/debug/examples
./victim

# Within a new shell
cd ./target/debug/examples
./intruducer -l ./libevil.so `pidof victim`

How it works

  1. Retrieve the instruction pointer (ip) of the target process reading /proc/<pid>/syscall;
  2. Open /proc/<pid>/mem and backs up the content at ip;
  3. Generate the two shellcodes, and saves the last one to a file.
  4. Write the first shellcode to the target process memory at ip - the execution flow is now altered.
  5. The first shellcode loads and executes the second shellcode.
  6. The second shellcode restores the original code, calls dlopen and branches to ip - the original execution flow is resumed.

Caveats

  • It makes large applications crash when a lot of computing is going on - this happens when a thread is executing the first shellcode and another one is executing the second shellcode, which restores the original code. A possible solution consists in freezing every thread but one using /sys/fs/cgroup/freezer, let this one perform the whole task and then thawing all the others. However, this only seemed to reduce the chance of crashes.
  • A register (x28) will be clobbered on aarch64 - I found no way to branch to an absolute virtual address without using a register.
  • When targeting an Android application, both library and second shellcode binary blob will be copied to its native library directory - changing the security context to u:object_r:apk_data_file:s0 is not enough for the library file.
You might also like...
Shared memory - A Rust wrapper around native shared memory for Linux and Windows

shared_memory A crate that allows you to share memory between processes. This crate provides lightweight wrappers around shared memory APIs in an OS a

A simple code that will load a shellcode directly into RAM memory in a new process
A simple code that will load a shellcode directly into RAM memory in a new process

「 🔄 」About RustSCLoader RustSCLoader is a simple code that has the intention of loading a shellcode directly into RAM memory in a new process that wi

A memory visualizer in Rust (ptrace + userfaultfd)

mevi A memory visualizer for Linux 5.7+ Made for this video: https://www.youtube.com/watch?v=DpnXaNkM9_M Prerequisite The vm.unprivileged_userfaultfd

secmem-proc is a crate designed to harden a process against low-privileged attackers running on the same system trying to obtain secret memory contents of the current process.

secmem-proc is a crate designed to harden a process against low-privileged attackers running on the same system trying to obtain secret memory contents of the current process. More specifically, the crate disables core dumps and tries to disable tracing on unix-like OSes.

A secure and efficient gateway for interacting with OpenAI's API, featuring load balancing, user request handling without individual API keys, and global access control.

OpenAI Hub OpenAI Hub is a comprehensive and robust tool designed to streamline and enhance your interaction with OpenAI's API. It features an innovat

EasyAlgolia is a Rust crate designed for utilizing the Algolia admin client. It simplifies the process of updating and inserting documents into Algolia's search index.
EasyAlgolia is a Rust crate designed for utilizing the Algolia admin client. It simplifies the process of updating and inserting documents into Algolia's search index.

crate link EasyAlgolia is a Rust crate designed for utilizing the Algolia admin client. It simplifies the process of updating and inserting documents

Simple crate that wraps a tokio::process into a tokio::stream

tokio-process-stream tokio-process-stream is a simple crate that wraps a tokio::process into a tokio::stream Having a stream interface to processes is

A Rust on-site channel benchmarking helper. Inter-Process (async / busy) & Intra-Process (async single threaded / async multi threaded)

On-Site Rust Channel Benchmarking Helper Deploy on server to determine which public crates are the fastest for communicating in different architecture

A crate to help you copy things into raw buffers without invoking spooky action at a distance (undefined behavior).

🗜 presser Utilities to help make copying data around into raw, possibly-uninitialized buffers easier and safer. presser can help you when copying dat

Create target folder as a RAMdisk for faster Rust compilation.

cargo-ramdisk This crate is only supported for unix like systems! cargo-ramdisk creates a ramdisk at the target folder of your project for ridiculousl

Enum path && dir on target URL. Powered by Rust ! 🦀

enum-dir 一款快速枚举目录的小工具,使用 Rust 编写,扫起来真的很快。 用于发现目标站点中可能存在的路径信息,同时支持字典模式和暴力枚举模式。 本工具仅用于学习 Rust 以及 Rust 协程 Tokio 使用,严禁用于非法用途。 如果使用本工具从事违法犯罪活动,造成的任何后果,本人不承

Ursa - Hyperledger Ursa is a shared cryptography library

HYPERLEDGER URSA Introduction Features Libursa Libzmix Dependencies Building from source Contributing Introduction Ursa was created because people in

A shared document application akin to Google Docs. Example usage of wasm-peers library.

Live Document Proof of concept application showcasing the usability of wasm-peers crate for easy and costless peer-2-peer WebRTC communication. It's a

A small utility for modifying ELF shared library loading order.

elfpromote A small utility for modifying ELF shared library loading order. Usage $ cargo install elfpromote $ ldd blueboat_server linux-vdso.s

Learn emulator and programming languages, target chip8, nes, gbc, gba ...
Learn emulator and programming languages, target chip8, nes, gbc, gba ...

[WIP]learn emulator go-chip8 go run main.go source https://en.wikipedia.org/wiki/CHIP-8 http://devernay.free.fr/hacks/chip8/C8TECH10.HTM https://githu

👁️ A tool to execute a certain command when a target file is modified.

Ojo Ojo is a simple utility that allows you to execute a specific command each time a certain file is being saved. Usage Let's say you are sick the fo

How to bootstrap support for a no_std target

The Embedonomicon How to bootstrap support for a no_std target This book is hosted at https://docs.rust-embedded.org/embedonomicon/ This project is de

CLI tool that make it easier to perform multiple lighthouse runs towards a single target and output the result in a "plotable" format.

Lighthouse Groupie CLI tool that make it easier to perform multiple lighthouse runs towards a single target and output the result in a "plotable" form

My first attempt at game programming. This is a simple target shooting game built in macroquad.

sergio My first attempt at game programming. This is a simple target shooting game built in macroquad. Rules Hit a target to increase score by 1 Score

Owner
null
Android / iOS app with shared Rust logic

Rust core for native Android and iOS apps [TODO iOS badge] This is an example that shows how to use a shared Rust core in native Android and iOS apps.

null 193 Dec 5, 2022
Using Rust to create an iOS static library

ObjCrust A modified ObjCrust which uses Rust cross-compiler. Cross-compiler needs to be built first (note: it is on a separate branch now, so don't fo

Valerii Hiora 39 May 10, 2021
Cross-platform GUI written in Rust using ADB to debloat non-rooted android devices. Improve your privacy, the security and battery life of your device.

Universal Android Debloater GUI DISCLAIMER: Use it at your own risk. I am not responsible for anything that could happen to your phone. This software

w1nst0n 7k Jan 7, 2023
Tokio based client library for the Android Debug Bridge (adb) based on mozdevice

forensic-adb Tokio based client library for the Android Debug Bridge (adb) based on mozdevice for Rust. Documentation This code has been extracted fro

null 6 Mar 31, 2023
Glue between Rust and Android

deprecated in favor of https://github.com/rust-windowing/android-ndk-rs which works with winit master Android Glue Usage With Docker The easiest way t

Rust Windowing 898 Dec 15, 2022
rust on pebble - functional with limited capabilities

Pebble.rs Pebble.rs is a crate that allows rust to be used to develop Pebble applications. It is compatible with SDK 3.0 and is known to work on the a

Andrew Foote 44 Aug 13, 2022
Fable Rust Raytracer - iOS version

Fable Rust Raytracer - iOS version Originally made by @ncave (https://github.com/ncave/fable-raytracer), port to iOS by @delneg Pre-requisites Rust, b

Denis 4 May 2, 2022
🤖🦀 A rust native replacement for Android's `sdkmanager`

???? A rust native replacement for Android's `sdkmanager`

Traverse Research 13 Dec 13, 2022
APK manifest & resources parser in Rust.

BXMLRS bxmlrs is a Rust library (WIP) for parsing binary Android XML files (AndroidManifest.xml). Usage use bxmlrs::parser; use quick_xml::reader::Rea

null 6 Oct 21, 2023
Rust implementation of NearbyShare/QuickShare from Android for Linux.

rquickshare NearbyShare/QuickShare for Linux (WIP) How to use rquickshare offers two options for using its file sharing capabilities: command line (CM

Martin André 3 Feb 28, 2024