pox/README.md


2023-07-08 13:27:10 +02:00
# pox
Pox is a process-infection framework with tools to manipulate a remote process's address space.
Pox is built on the `ptrace` syscall, so it's limited to Linux/BSD systems.
## Usage
Pox itself is a crate providing features to execute remote syscalls, inject remote strings, monitor remote execution and find memory mappings.
Most features can be selected individually as Cargo features when including this crate in your project: `locator`, `monitor`, `rc`.
Additionally, with the `bin` feature, a sample infection binary is built: `vector`.
### Vector
Vector can infect running processes by invoking `dlopen()` remotely to load a shared object.
It only works on processes linked against glibc (no musl support yet).
It can either attach to an already running process (which usually requires root or `CAP_SYS_PTRACE`, since Yama's `ptrace_scope` restricts attaching to non-descendant processes on most distributions) or spawn a child process and infect it.
Vector will:
* find a `syscall` instruction in the target and use it to execute remote syscalls
* invoke a remote `mmap` to allocate a buffer for a string
* write the shared object path into that buffer
* calculate the remote `dlopen` address from the system glibc and the target's `/proc/<pid>/maps`
* set the registers and execute `dlopen` with the previously injected path
* resume the process
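The address arithmetic behind the "find a syscall instruction" and "calculate dlopen address from glibc and procmaps" steps, as an added example that is not pox's or vector's own code. It parses `/proc/<pid>/maps` text, derives the libc load base on both sides, translates a symbol address resolved in the injector into the target's address space, and scans a copy of the target's libc text for a `syscall` gadget. The maps excerpts, the byte buffer and the local `dlopen` address (`0x7ffff7e0f0b0`) are constructed test data, so it runs offline; a real injector would read the maps file and fetch the remote bytes with `process_vm_readv` or `PTRACE_PEEKTEXT`.

```rust
// Added illustrative example (not pox's own code). All maps text, addresses
// and bytes below are constructed test data.

/// One parsed line of /proc/<pid>/maps.
#[derive(Debug, Clone, PartialEq)]
pub struct Mapping {
    pub start: u64,
    pub end: u64,
    pub perms: String,
    pub offset: u64,
    pub path: String, // empty for anonymous mappings
}

/// Parse the text of a /proc/<pid>/maps file; malformed lines are skipped.
pub fn parse_maps(text: &str) -> Vec<Mapping> {
    text.lines()
        .filter_map(|line| {
            let mut f = line.split_whitespace();
            let range = f.next()?;
            let perms = f.next()?.to_string();
            let offset = u64::from_str_radix(f.next()?, 16).ok()?;
            let _dev = f.next()?;
            let _inode = f.next()?;
            let path = f.next().unwrap_or("").to_string();
            let (s, e) = range.split_once('-')?;
            Some(Mapping {
                start: u64::from_str_radix(s, 16).ok()?,
                end: u64::from_str_radix(e, 16).ok()?,
                perms,
                offset,
                path,
            })
        })
        .collect()
}

/// Load base of a shared object: its lowest mapping with file offset 0.
/// Matching on the basename prefix keeps this independent of /lib vs /usr/lib.
pub fn lib_base(maps: &[Mapping], lib_prefix: &str) -> Option<u64> {
    maps.iter()
        .filter(|m| m.offset == 0)
        .filter(|m| {
            std::path::Path::new(&m.path)
                .file_name()
                .map_or(false, |n| n.to_string_lossy().starts_with(lib_prefix))
        })
        .map(|m| m.start)
        .min()
}

/// Translate a symbol address resolved in the injector's own process (e.g. via
/// dlsym(RTLD_DEFAULT, "dlopen")) into the target's address space. Both
/// processes map the same libc file, so the symbol's offset from the load base
/// is identical; only the base differs under ASLR. Returns None when either
/// side lacks the library, which is what happens against a musl or static target.
pub fn remote_symbol(
    local_maps: &[Mapping],
    remote_maps: &[Mapping],
    lib_prefix: &str,
    local_sym: u64,
) -> Option<u64> {
    let local_base = lib_base(local_maps, lib_prefix)?;
    let remote_base = lib_base(remote_maps, lib_prefix)?;
    remote_base.checked_add(local_sym.checked_sub(local_base)?)
}

/// Address of the first `syscall` instruction (0f 05) inside an executable
/// mapping, given a copy of that mapping's bytes. Non-executable mappings are
/// rejected so RIP is never pointed at data.
pub fn find_syscall_gadget(m: &Mapping, bytes: &[u8]) -> Option<u64> {
    if !m.perms.contains('x') {
        return None;
    }
    bytes
        .windows(2)
        .position(|w| w[0] == 0x0f && w[1] == 0x05)
        .map(|i| m.start + i as u64)
}

/// Constructed maps excerpt for the injector process.
pub const LOCAL_MAPS: &str = "\
555555554000-555555556000 r--p 00000000 08:01 1234 /usr/bin/injector
7ffff7d80000-7ffff7da8000 r--p 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7da8000-7ffff7f3d000 r-xp 00028000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
";

/// Constructed maps excerpt for the target process (same libc, different base).
pub const REMOTE_MAPS: &str = "\
5604d2a00000-5604d2a02000 r--p 00000000 08:01 4321 /usr/bin/target
7f3a1c200000-7f3a1c228000 r--p 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c228000-7f3a1c3bd000 r-xp 00028000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd4a000000-7ffd4a021000 rw-p 00000000 00:00 0 [stack]
";

fn main() {
    let local = parse_maps(LOCAL_MAPS);
    let remote = parse_maps(REMOTE_MAPS);
    // Assumed result of dlsym(RTLD_DEFAULT, "dlopen") in the injector.
    let local_dlopen = 0x7ffff7e0f0b0u64;
    println!("remote dlopen: {:#x?}", remote_symbol(&local, &remote, "libc.so", local_dlopen));
    // Constructed stand-in for bytes read from the target's libc text segment.
    let text = remote.iter().find(|m| m.perms.contains('x')).unwrap();
    println!("syscall gadget: {:#x?}", find_syscall_gadget(text, &[0x48, 0x89, 0xc7, 0x0f, 0x05, 0xc3]));
}
```

Two caveats a practitioner should check before trusting the translated address: the injector and the target must map the *same* libc file (a target inside a container or chroot with a different glibc build breaks the offset arithmetic silently), and `dlopen` only lives in `libc.so.6` on glibc 2.34 and later; on older glibc it is exported from `libdl.so.2`, so the library prefix passed to `remote_symbol` must match the target's layout.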
## Status
Pox is still under development. I'm building this to explore the Linux OS, processes and memory.
# Author notes
This could potentially be used to produce malware, since it helps introduce extraneous libraries into running processes.
However, I believe it's still fine to opensource this:
* The injection method is pretty old, described on [Phrack](http://phrack.org/issues/59/8.html) in 2002.
* This only works on Linux/BSD
* On most modern systems, PTRACE can't attach to other processes if not run as root
* There are other available projects doing the same thing