5 comments
4 u/diodine 08 Mar 2017 02:03
TBH, this really isn't that amazing. This has been seen in the wild and in fact, some completely benign software also puts code into another process's space without the process's knowledge (things like overlays)
Windows provides an API specifically to do this (NtWriteProcessMemory / NtAllocateVirtualMemory), while on Linux you'd have to use ptrace first to get a stub into the target process to then call mmap.
2 u/PlasmaDistortion 08 Mar 2017 04:52
Holy crap this is brilliant.
2 u/prairie 08 Mar 2017 05:42
Replacing code of a process in memory with your code so your code gets executed?
3 u/PlasmaDistortion 08 Mar 2017 06:08
No, not the actual replacing of code, that is basic stuff. What is brilliant is the way that thread suspension is taking place because current AV apps basically ignore this behavior. This will essentially make security bandits have to re-think how they do on the spot detection.
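The suspend-write-resume pattern the comment describes is something a defender can correlate from endpoint telemetry. The following is an added example, not code from this thread or from any product: it assumes a hypothetical event schema (source pid, target pid, API name, timestamp) over constructed sample events, and flags a source process that both suspended a thread in another process and wrote into that process's memory within a short window.

```python
"""Correlate cross-process memory writes with thread suspension (constructed events)."""
from collections import defaultdict

# Constructed sample telemetry in a hypothetical schema (not any vendor's format):
# each record is one API-level event attributed to a source pid acting on a target pid.
SAMPLE_EVENTS = [
    {"ts": 100.0, "src": 4242, "dst": 1337, "op": "SuspendThread"},
    {"ts": 100.2, "src": 4242, "dst": 1337, "op": "WriteProcessMemory"},
    {"ts": 100.3, "src": 4242, "dst": 1337, "op": "ResumeThread"},
    {"ts": 200.0, "src": 5000, "dst": 5000, "op": "WriteProcessMemory"},  # self-write, benign (JIT)
    {"ts": 300.0, "src": 6100, "dst": 7000, "op": "WriteProcessMemory"},  # write, no suspend (overlay)
    {"ts": 400.0, "src": 8000, "dst": 9000, "op": "SuspendThread"},       # suspend, no nearby write
    {"ts": 900.0, "src": 8000, "dst": 9000, "op": "WriteProcessMemory"},  # too far from the suspend
]

WRITE_OPS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
SUSPEND_OPS = {"SuspendThread", "NtSuspendThread"}


def find_suspend_and_write(events, window=5.0):
    """Return (src, dst) pairs where src suspended a thread of dst and wrote into
    dst's memory within `window` seconds of each other, in either order.
    Self-targeted operations are ignored: JITs and benign overlays do that routinely."""
    by_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src"] != ev["dst"]:
            by_pair[(ev["src"], ev["dst"])].append(ev)
    hits = []
    for pair, evs in by_pair.items():
        writes = [e["ts"] for e in evs if e["op"] in WRITE_OPS]
        suspends = [e["ts"] for e in evs if e["op"] in SUSPEND_OPS]
        if any(abs(w - s) <= window for w in writes for s in suspends):
            hits.append(pair)
    return hits


if __name__ == "__main__":
    for src, dst in find_suspend_and_write(SAMPLE_EVENTS):
        print(f"pid {src} suspended a thread in pid {dst} and wrote to its memory")
```

A plain write into another process, or a plain suspend (a debugger attaching), does not fire on its own; only the combination within the window does.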
2 u/ShowMeYourKitties 08 Mar 2017 16:13
This is how game hacks get around anticheat systems.