Uninformed: Informative Information for the Uninformed

Vol 3» 2006.Jan

Runtime Process Infection

Runtime infection is done using the notorious ptrace() syscall, which allows one process to attach to another and take control of it. On Linux this is permitted when the tracer is root (more precisely, holds CAP_SYS_PTRACE) or runs under the same user ID as the target and the target has not changed its credentials (a setuid binary, for example, is not dumpable and cannot be attached to by its own user); the parent-child relationship only comes into play when the child asks to be traced with PTRACE_TRACEME. Once the target is stopped under the tracer's control, the tracer can read and modify its registers and read from and write to its address space. These two capabilities are all that is needed to slip the virus code into the target and activate it. For an in-depth review of the ptrace() injection method, refer to the "Building ptrace Injecting Shellcodes" article in Phrack 59[1].
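The following is an added example (not code from the Uninformed article or the Phrack paper it cites) showing the minimal form of the technique on Linux: a forked child asks to be traced with PTRACE_TRACEME and stops itself, the tracer reads the child's registers with PTRACE_GETREGSET, writes a 12-byte exit(42) stub over the code at the child's program counter with PTRACE_POKETEXT, and resumes it. A real infector would instead PTRACE_ATTACH to an already running victim and restore the overwritten bytes and registers afterwards; the stub bytes, the `write_tracee` and `inject_and_run` names and the exit code 42 are this example's own choices. It assumes Linux on x86-64 or aarch64.

```c
/* Added example (not from the Uninformed article): minimal ptrace()
 * code injection on Linux. The child calls PTRACE_TRACEME, so no root
 * is needed; the parent writes a tiny exit(42) stub at the child's
 * program counter and resumes it. Assumes Linux on x86-64 or aarch64. */
#include <errno.h>
#include <elf.h>            /* NT_PRSTATUS */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/uio.h>        /* struct iovec for PTRACE_GETREGSET */
#include <sys/user.h>       /* struct user_regs_struct */
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
/* mov eax,60 ; mov edi,42 ; syscall  -> exit(42) */
static const unsigned char stub[] = {
    0xb8, 0x3c, 0x00, 0x00, 0x00,
    0xbf, 0x2a, 0x00, 0x00, 0x00,
    0x0f, 0x05 };
#define PC_OF(r) ((r).rip)
#elif defined(__aarch64__)
/* mov x8,#93 ; mov x0,#42 ; svc #0  -> exit(42) */
static const unsigned char stub[] = {
    0xa8, 0x0b, 0x80, 0xd2,
    0x40, 0x05, 0x80, 0xd2,
    0x01, 0x00, 0x00, 0xd4 };
#define PC_OF(r) ((r).pc)
#else
#error "example supports x86-64 and aarch64 only"
#endif

/* Write `len` bytes into the tracee at `addr` one machine word at a time.
 * Each word is read back with PEEKTEXT first so that the bytes of a
 * partial trailing word that lie outside the buffer are preserved. */
static int write_tracee(pid_t pid, unsigned long addr,
                        const unsigned char *buf, size_t len)
{
    size_t off = 0;
    while (off < len) {
        size_t n = len - off < sizeof(long) ? len - off : sizeof(long);
        long word;
        errno = 0;
        word = ptrace(PTRACE_PEEKTEXT, pid, (void *)(addr + off), NULL);
        if (word == -1 && errno)
            return -1;
        memcpy(&word, buf + off, n);
        if (ptrace(PTRACE_POKETEXT, pid, (void *)(addr + off),
                   (void *)word) == -1)
            return -1;
        off += n;
    }
    return 0;
}

/* Fork a tracee, inject the stub at its program counter and let it run.
 * Returns the tracee's exit status (42 when injection worked) or -1. */
int inject_and_run(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Tracee: request tracing, then stop so the parent can act.
         * A real victim would be attached with PTRACE_ATTACH instead. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(1);
        raise(SIGSTOP);
        /* Not reached: the stub overwrites the code at the saved PC,
         * which is the instruction right after raise()'s syscall. */
        for (;;)
            pause();
    }

    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return -1;

    /* Read the registers to learn where the tracee will resume. */
    struct user_regs_struct regs;
    struct iovec iov = { &regs, sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)NT_PRSTATUS, &iov) == -1)
        return -1;

    /* Overwrite the code at PC; POKETEXT works even on read-only text. */
    if (write_tracee(pid, PC_OF(regs), stub, sizeof stub) == -1)
        return -1;

    /* Resume with signal 0 so the pending SIGSTOP is not delivered. */
    if (ptrace(PTRACE_CONT, pid, NULL, NULL) == -1)
        return -1;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("tracee exit status: %d\n", inject_and_run());
    return 0;
}
```

The stub is dropped at the saved program counter, which at a signal stop is the instruction right after the syscall that raised SIGSTOP, so it runs the moment the tracee is resumed; no register changes are needed for this simplest case, which is why the register read is only used to find the write address. On current distributions the Yama sysctl kernel.yama.ptrace_scope restricts PTRACE_ATTACH to descendants (1) or to root (2), which is exactly the capability an infector relies on; the PTRACE_TRACEME path used here is unaffected by scope 1.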