CGamesPlay 2 hours ago

Would certainly be interesting to learn more about. A simple check: allowlist of known "processes that run as root". Any new process shows up, something happened.

jeffbee 2 hours ago | parent [-]

Based on what? Proc title?

CGamesPlay 2 hours ago | parent | next [-]

Proc title is very easily forged (without root even). Obviously a real privileged process could modify the kernel and do whatever it wants, but if I were trying to detect this I would start with /proc/$id/exe.

Retr0id 2 hours ago | parent | next [-]

/proc/pid/exe is also easily forged, without root. For example you can do LD_PRELOAD=evil.so /bin/foo on any dynamic executable, or spawn /bin/foo unmodified and inject code via ptrace or /proc/pid/mem.

I have a fileless, execless copyfail exploit that works by injecting shellcode directly into systemd's pid 1. (I should probably publish it at some point...)

jeffbee an hour ago | parent [-]

Yeah the whole system is based on the ability of one task to apparently become another task, that's how Unix works. So the indicators in /proc are just that: indicative at best.

There's no reason the task should even be assumed to be executing code in a file. A process can map code into anonymous memory and continue executing there without even branching. Again this is considered a feature of the system rather than a flaw.
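A defender-side sketch of the checks this subthread debates (an allowlist on /proc/$pid/exe, plus a look for executable mappings not backed by any file), added here as an example and not code from any commenter. The allowlist entries are constructed, and JIT runtimes will legitimately trip the anonymous-mapping check, so the output is an indicator to triage, not proof, exactly as the thread says.

```python
"""Root-process indicators: exe allowlist + anonymous executable mappings."""
import os
import re

# Constructed allowlist of binaries expected to run as uid 0 (assumption).
ROOT_EXE_ALLOWLIST = {"/usr/lib/systemd/systemd", "/usr/sbin/sshd", "/usr/sbin/cron"}

# /proc/<pid>/maps: start-end perms offset dev inode [path]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ (\d+)\s*(.*)$")


def anon_exec_regions(maps_text):
    """Return (start, end, path) for executable mappings with no backing file.
    Such regions have inode 0; kernel-provided pseudo-mappings are skipped."""
    out = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        start, end, perms, inode, path = m.groups()
        if "x" not in perms or inode != "0":
            continue  # not executable, or file-backed (the exe check covers it)
        if path in ("[vdso]", "[vsyscall]", "[vectors]"):
            continue
        out.append((int(start, 16), int(end, 16), path))
    return out


def classify(exe_path, maps_text, allowlist=ROOT_EXE_ALLOWLIST):
    """Findings for one root process; an empty list means nothing stood out."""
    findings = []
    if exe_path not in allowlist:  # also catches "... (deleted)" exe links
        findings.append("exe not in allowlist: %s" % exe_path)
    for start, end, path in anon_exec_regions(maps_text):
        findings.append("anonymous executable mapping %x-%x %s"
                        % (start, end, path or "(no path)"))
    return findings


def scan_root_processes(proc="/proc"):
    """Walk a live Linux /proc; reading other users' exe/maps needs privilege."""
    results = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/status") as f:
                uid = next(l for l in f if l.startswith("Uid:")).split()[1]
            if uid != "0":
                continue
            exe = os.readlink(f"{proc}/{pid}/exe")
            with open(f"{proc}/{pid}/maps") as f:
                results[pid] = classify(exe, f.read())
        except OSError:
            continue  # process exited, or not readable at our privilege level
    return results
```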

jeffbee 2 hours ago | parent | prev [-]

Maybe, but there's a prctl to change that reference which a root process can use.

dboreham 2 hours ago | parent | prev | next [-]

They might just compute a hash over the binary, or the code space in memory.

parliament32 2 hours ago | parent | prev [-]

It's curious they're just "monitoring" rather than preventing.

In a serious environment you'd run IPE with dm-verity/fs-verity to ensure binaries are whitelisted and integrity-checked at every execution.

staticassertion an hour ago | parent [-]

lol no one does that (edit: or, rather, that is extremely uncommon, even in "serious" environments, for a ton of reasons).