Attack N Defence - 0101 - JD 

Notice • Solution is not perfect. • Also, sample is not perfect. • So, we should have imagine. 

Process Product Attack Defence 

Setup • docker pull jongsu253/dev-seminar:0.1 • docker run --privileged --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -it ed79ba87900b /bin/bash 

Let’s do it now! 

Section I - Hooking Dynamic Linking libc.so program call printf@PLT PLT[0]: call resolver PLT[X]: jmp *GOT[X] push XX jmp PLT[0] GOT[X]: &printf printf:
 … ld.so resolver: … program call printf@PLT PLT[0]: call resolver PLT[X]: jmp *GOT[X] push XX jmp PLT[0] GOT[X]: &hooker libc.so printf:
 … ld.so resolver: … hook.so hooker:
 … 

Section I - Hooking Dynamic Loading ld.so libc.so libm.so libhook.so printf read write pow sqrt ceil printf read write libraries:
 libc.so libm.so libhook.so ld.so libraries:
 libhook.so libc.so libm.so libc.so libm.so libhook.so printf read write printf read write pow sqrt ceil 

Section II - Debugger Process A Process B name phone address … Process A Process B name phone address … access / control kernel access / control 

Section II - Debugger Process A Process B name phone address … kernel access / control Process C 1 2 

Section II - Debugger Process A Process B name phone address … kernel Process B` fork Attached Not Attached 

Section II - Debugger Process A Process B kernel Attached Thread 1 Thread 2 Thread 3 Thread N 

Section II - Debugger Process A Process B kernel Thread 1 Thread 2 Thread 3 Thread N Attached Process C 

What do you think …? 

Q & A 

Thank you!