From 16d71ea76a57ecb5a99ebb1f3c1d60619589bdfe Mon Sep 17 00:00:00 2001 From: alemi Date: Sat, 8 Jul 2023 13:27:10 +0200 Subject: [PATCH] docs: added README --- README.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..a5e162b --- /dev/null +++ b/README.md @@ -0,0 +1,35 @@ +# pox +Pox is an infection framework for processes, with tools to manipulate the remote address space. + +Pox is built with the PTRACE syscall, so its limited to Linux/BSD systems. + +## Usage +Pox itself is a crate providing features to execute remote syscalls, inject remote strings, monitor remote execution and find memory mappings. +Most features can be individually selected while including this crate in your project: `[locator, monitor, rc]`. + +Additionally, with the `bin` feature, a sample infection binary will be produced: `vector`. + +### Vector +Vector can infect running processes, invoking `dlopen()` remotely and loading a shared object. +It will only work on binaries with glibc linked (no musl support yet). +It can both attack a running process (probably will require root privileges) or spawn a child process and infect it. + +Vector will: + * find a syscall instruction and use it to execute remote actions + * invoke a remote mmap to allocate a string + * write shared object path in allocated string + * calculate dlopen address from system glibc and procmaps + * force set registers and execute dlopen with previously injected path + * resume process + +## Status +Pox is still under development. I'm building this to explore Linux OS, processes and memory. + +# Author notes +This could potentially be used to produce malware, since it helps introduce extraneous libraries into running processes. +However, I believe it's still fine to opensource this: + * The injection method is pretty old, described on [Phrack](http://phrack.org/issues/59/8.html) in 2002. + * This only works on Linux/BSD + * On most most modern systems, PTRACE can't attach other processes if not run from root + * There are other available projects doing the same thing +