16–17 Jun 2026
Umeå Universitet
Europe/Copenhagen timezone

Aether: Engineering a Cross-Architecture Linux Process Injector

17 Jun 2026, 11:00
30m
HUM.D.210 Hummelhonung (Umeå Universitet)
Biblioteksgränd 5, Umeå, Sweden
Track: Talks and presentations (Talks)

Description

The current landscape of Linux process injection is dominated by aging techniques that are increasingly visible to modern Endpoint Detection and Response (EDR) systems. While tools leveraging LD_PRELOAD or basic shellcode injection remain functional, they often fall victim to heuristic scanners that flag predictable memory allocation patterns and standard C library calls. This presentation introduces Aether, a framework designed to bypass these limitations by utilizing low-level primitive operations, specifically ptrace and Procedure Linkage Table (PLT) hooking, to achieve cross-architecture code execution. By operating at the binary level rather than relying on high-level environment variables, Aether provides a robust foundation for runtime code modification in both 32-bit and 64-bit environments.
The technical core of the talk focuses on the orchestration of ptrace for non-cooperative process attachment. We will examine the mechanics of capturing a running process's execution state, manipulating registers to redirect control flow, and the precise use of PTRACE_POKETEXT to inject our "parasite" shared library. A significant portion of the deep dive is dedicated to PLT Hooking, a technique that allows Aether to intercept specific function calls by overwriting entries in the Global Offset Table (GOT). This method ensures that our injected code remains synchronized with the host process's legitimate activities, allowing for stealthy monitoring or modification of data without crashing the target, a common failure point in traditional "fire-and-forget" injectors.
The research then pivots to the "Oxidation" of the framework: the integration of Rust via a Foreign Function Interface (FFI) tunnel. We explore the hypothesis that mixing programming languages can act as a form of binary-level obfuscation. By wrapping our performance-critical C++ injection engine in a Rust-based daemon, we fragment the call stack and generate machine code signatures that differ significantly from "pure" C++ malware. This section of the presentation will provide a comparative analysis of memory signatures, demonstrating how Rust’s unique binary structure and its "safety-first" memory management can be weaponized to evade modern heuristics and complicate the work of a reverse engineer attempting to trace the hybrid execution flow.
Finally, the session concludes with a series of high-stakes demonstrations. We will first show a baseline "Legacy" injection being detected by standard Linux audit tools, followed by the successful deployment of the Oxidized Aether framework. The demo will highlight the tool's dedicated monitoring daemon, which maintains the health of the injected parasite and ensures persistence even through host process fluctuations. Attendees will be provided with a technical roadmap for porting their own offensive tools to this hybrid architecture, along with access to the Aether source code to further the community's research into polyglot exploitation.
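The "standard Linux audit tools" baseline in the demo can be made concrete on the defender's side. The following is an added example, not code from the talk or the Aether project: it triages auditd SYSCALL records for ptrace attach, seize and poke requests on both the 64-bit and 32-bit x86 ABIs, which is exactly the call pattern the ptrace-based injection described above has to make. The sample records, the `ptrace_watch` rule key and the debugger allowlist are constructed assumptions.

```python
import re
from typing import Optional

# Audit arch identifiers mapped to the ptrace syscall number for that ABI
# (x86_64 ptrace = 101, i386 ptrace = 26), so 32- and 64-bit tracers are both seen.
PTRACE_SYSCALL = {"c000003e": 101, "40000003": 26}

# ptrace request codes (first argument, a0) that matter for injection.
REQUESTS = {0x10: "PTRACE_ATTACH", 0x4206: "PTRACE_SEIZE", 0x4: "PTRACE_POKETEXT"}

# Assumed allowlist of tracers that legitimately attach to other processes.
ALLOWED_TRACERS = {"/usr/bin/gdb", "/usr/bin/strace"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> dict:
    """Split one auditd record into a key/value dict, stripping quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def classify(line: str) -> Optional[dict]:
    """Return an alert dict for a suspicious ptrace call, else None."""
    rec = parse_record(line)
    if rec.get("type") != "SYSCALL":
        return None
    if PTRACE_SYSCALL.get(rec.get("arch")) != int(rec.get("syscall", -1)):
        return None                      # not ptrace for this ABI
    request = int(rec.get("a0", "0"), 16)  # audit logs syscall args in hex
    if request not in REQUESTS:
        return None
    exe = rec.get("exe", "")
    if exe in ALLOWED_TRACERS:
        return None
    return {
        "tracer_pid": int(rec["pid"]),
        "target_pid": int(rec.get("a1", "0"), 16),  # a1 = pid being traced
        "request": REQUESTS[request],
        "exe": exe,
        "success": rec.get("success") == "yes",  # failed attaches still matter
    }


def triage(lines):
    """Run classify() over a batch of records, keeping only alerts."""
    return [a for a in map(classify, lines) if a]


# Constructed sample records, in the shape auditd emits for a rule such as
#   -a always,exit -F arch=b64 -S ptrace -k ptrace_watch   (plus -F arch=b32)
SAMPLE = [
    'type=SYSCALL msg=audit(1718622000.101:1): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=1092 a2=0 a3=0 pid=3131 uid=1000 comm="aether" exe="/tmp/aether" key="ptrace_watch"',
    'type=SYSCALL msg=audit(1718622000.102:2): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=1092 a2=7f1a2c0c1000 a3=deadbeef pid=3131 uid=1000 comm="aether" exe="/tmp/aether" key="ptrace_watch"',
    'type=SYSCALL msg=audit(1718622000.103:3): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=309 a2=0 a3=0 pid=5000 uid=1000 comm="gdb" exe="/usr/bin/gdb" key="ptrace_watch"',
    'type=SYSCALL msg=audit(1718622000.104:4): arch=40000003 syscall=26 success=no exit=-1 a0=10 a1=1092 a2=0 a3=0 pid=6000 uid=1000 comm="inj32" exe="/home/u/inj32" key="ptrace_watch"',
]
```

A real deployment would feed `ausearch -k ptrace_watch` output into `triage()` and correlate the attach with a following POKETEXT on the same target pid, which is the pair that distinguishes injection from a plain debugger attach.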

Speaker biography

Hey, I'm Lora. I build tools that live in other people’s memory space. I’m a Linux security researcher and the developer of Aether, a 32/64-bit process injection framework. My recent work involves weaponizing Rust’s safety features to create more stable and undetectable C++ hybrids. I’m here to show you how process injection is evolving on Linux and why the future of offensive tooling is polyglot.

Length: 30 minutes

Presentation materials

There are no materials yet.