This is shown in Figure 9-6.
The proxy library shown in the figure effectively replaces the standard C library (for C
programs): instead of trapping into the local operating system, each system call the hostile
program makes is forwarded over the network to the remotely exploited computer, executed there,
and its result (and error code) returned. Conceptually, it is as if the hostile program
were actually running on the target computer, yet no file has been uploaded to the target,
and no new process has been created on the target, because the system call proxy payload
keeps running in the context of the exploited process. One practical caveat: arguments that
are pointers (buffers, path strings, structures) must be marshaled across the channel as well,
since the target kernel can only read memory in the target process.
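The forwarding loop described above, as an added example that is not code from the book or from any particular proxy implementation. It assumes a constructed wire format (system-call number plus six integer arguments; return value plus errno back) and stands in for the network with a Unix socket pair: the child process plays the exploited target running the stub, the parent plays the proxy library. The names `target_stub`, `proxy_syscall` and `run_proxy_demo` are this example's own. Only integer arguments are proxied here; pointer arguments would need buffer marshaling.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Wire format (constructed for this example): one request carries the
 * system-call number and six integer arguments; one reply carries the raw
 * return value and the errno observed on the target. */
struct sc_request { uint64_t nr; uint64_t args[6]; };
struct sc_reply   { int64_t ret; int32_t err; };

static int read_full(int fd, void *buf, size_t n) {
    char *p = buf;
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r <= 0) return -1;          /* EOF or error: channel is gone */
        p += r; n -= (size_t)r;
    }
    return 0;
}

static int write_full(int fd, const void *buf, size_t n) {
    const char *p = buf;
    while (n > 0) {
        ssize_t w = write(fd, p, n);
        if (w <= 0) return -1;
        p += w; n -= (size_t)w;
    }
    return 0;
}

/* Target side: the stub left running inside the exploited process.  It
 * executes each request with syscall(2) and answers until the channel closes. */
static void target_stub(int fd) {
    struct sc_request rq;
    while (read_full(fd, &rq, sizeof rq) == 0) {
        struct sc_reply rp;
        errno = 0;
        rp.ret = syscall((long)rq.nr, rq.args[0], rq.args[1], rq.args[2],
                         rq.args[3], rq.args[4], rq.args[5]);
        rp.err = (rp.ret == -1) ? errno : 0;
        if (write_full(fd, &rp, sizeof rp) != 0) break;
    }
}

/* Attacker side: what the proxy library's replacement for a libc system-call
 * wrapper does instead of trapping into the local kernel. */
static long proxy_syscall(int fd, long nr, long a0, long a1, long a2,
                          long a3, long a4, long a5, int *err) {
    struct sc_request rq = { (uint64_t)nr, { (uint64_t)a0, (uint64_t)a1,
        (uint64_t)a2, (uint64_t)a3, (uint64_t)a4, (uint64_t)a5 } };
    struct sc_reply rp;
    if (write_full(fd, &rq, sizeof rq) != 0 ||
        read_full(fd, &rp, sizeof rp) != 0) {
        *err = EIO;                      /* local transport failure */
        return -1;
    }
    *err = rp.err;                       /* errno as seen on the target */
    return (long)rp.ret;
}

/* Demo: fork a child to play the exploited target, then drive two calls
 * through the proxy.  getpid() must come back as the child's pid, not ours,
 * and close(2) on a descriptor that is open only in our process must fail on
 * the target with EBADF, showing that result and errno are the remote ones. */
int run_proxy_demo(pid_t *remote_pid, long *pid_seen,
                   long *close_ret, int *close_err) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {                    /* the "exploited target" */
        close(sv[0]);
        target_stub(sv[1]);
        _exit(0);
    }
    close(sv[1]);
    *pid_seen = proxy_syscall(sv[0], SYS_getpid, 0, 0, 0, 0, 0, 0, close_err);
    /* sv[0] is our end of the channel; the child closed its copy, so on the
     * target this descriptor number is not open. */
    *close_ret = proxy_syscall(sv[0], SYS_close, sv[0], 0, 0, 0, 0, 0, close_err);
    close(sv[0]);                        /* EOF ends the stub loop */
    waitpid(child, NULL, 0);
    *remote_pid = child;
    return 0;
}

int main(void) {
    pid_t rp = 0; long seen = 0, cr = 0; int ce = 0;
    if (run_proxy_demo(&rp, &seen, &cr, &ce) != 0) return 1;
    printf("local pid %ld, target pid %ld, proxied getpid %ld\n",
           (long)getpid(), (long)rp, seen);
    printf("proxied close -> %ld (errno %d)\n", cr, ce);
    return 0;
}
```

A real proxy must be built against the target's system-call numbers and ABI, must copy buffers and structures in both directions for pointer arguments, and usually tunnels the channel through the connection the exploit already holds; the request/reply loop above is the part that does not change.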
Process Injection Shellcode
The final shellcode technique we will discuss in this section is process injection.
Process injection shellcode loads an entire library of code and runs it on a
separate thread of execution within the context of an existing process on the target computer.
The host process may be the process that was initially exploited, leaving little indication
that anything has changed on the target system. Alternatively, the injected library
may be migrated to a completely different process, one that is more stable than the
exploited process and that offers a better place for the injected library to hide. In
either case, the injected library need never be written to the hard drive of the target computer,
which makes disk-based forensic examination of the target far more difficult, although the
library remains visible in a memory capture of the host process for as long as it is loaded.