
ELF Shared Library Injection Forensics - luu
http://backtrace.io/blog/blog/2016/04/22/elf-shared-library-injection-forensics/
======
loeg
> We cannot rule out possible infection methods, but it is highly unlikely
> that attackers will reliably insert a phony DT_NEEDED entry that is
> contiguous with the ones generated by the linker.

It seems pretty trivial to delete the DT_DEBUG entry, shift the entries in
front of it forward by one, and then add a (now contiguous) DT_NEEDED entry.
That shouldn't affect the offset of the GOT/PLT segment.

Edit: The Saruman backdoor injection detection at the end seems pretty
simplistic too. E.g. on FreeBSD you could arrive at the same data with just
`procstat -kk pid_of_host`.

------
elfmaster
Yes, you have made a good point. You could delete DT_DEBUG and shift the
entries forward by one. However, this would also likely open up another door
for heuristics, since having no DT_DEBUG entry is suspicious. As far as
procstat goes, the real point that was being conveyed is shown in the bottom
pane: "Unknown shared object:"; the stack frame information was just a side
note. In the blog post I didn't make this very clear though, since I only
pointed out the pane with the stack frames. Thank you.
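As an added example (not code from the thread or from the blog post), a defender-side check for the two heuristics discussed above, DT_NEEDED contiguity and the presence of DT_DEBUG, that an analyst could run over an executable's dynamic section. Function names are my own, the sample dynamic sections are constructed, and the file reader assumes a little-endian ELF64 binary.

```python
import struct

DT_NULL, DT_NEEDED, DT_STRTAB, DT_SYMTAB, DT_DEBUG, PT_DYNAMIC = 0, 1, 5, 6, 21, 2

def parse_dynamic(section: bytes):
    """Decode little-endian Elf64_Dyn entries into (tag, value) pairs up to DT_NULL."""
    entries = []
    for off in range(0, len(section) - 15, 16):
        tag, val = struct.unpack_from("<qQ", section, off)  # 8-byte d_tag, 8-byte d_val
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    return entries

def audit_dynamic(section: bytes, is_executable: bool = True):
    """Findings for the two heuristics (empty list = nothing suspicious): ld emits
    DT_NEEDED as one contiguous run, and emits DT_DEBUG in executables only."""
    entries = parse_dynamic(section)
    findings = []
    needed = [i for i, (tag, _) in enumerate(entries) if tag == DT_NEEDED]
    if needed and needed != list(range(needed[0], needed[-1] + 1)):
        findings.append("DT_NEEDED entries not contiguous at indexes %s" % needed)
    if is_executable and all(tag != DT_DEBUG for tag, _ in entries):  # slot reused?
        findings.append("no DT_DEBUG entry in executable")
    return findings

def dynamic_section_from_file(path: str) -> bytes:
    """Return the PT_DYNAMIC segment bytes of a little-endian ELF64 file."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS 2 == ELFCLASS64
        raise ValueError("not an ELF64 file")
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        if struct.unpack_from("<I", data, base)[0] == PT_DYNAMIC:
            p_offset, p_filesz = struct.unpack_from("<Q16xQ", data, base + 8)
            return data[p_offset:p_offset + p_filesz]
    raise ValueError("no PT_DYNAMIC segment (statically linked?)")

def build_dynamic(pairs):
    """Constructed test input: pack (tag, value) pairs plus a DT_NULL terminator."""
    return b"".join(struct.pack("<qQ", t, v) for t, v in pairs + [(DT_NULL, 0)])
# Constructed layouts; the string-table offsets are made-up values.
CLEAN = build_dynamic([(DT_NEEDED, 1), (DT_NEEDED, 12), (DT_STRTAB, 0x400),
                       (DT_SYMTAB, 0x300), (DT_DEBUG, 0)])      # what ld emits
APPENDED = CLEAN[:-16] + build_dynamic([(DT_NEEDED, 24)])      # NEEDED tacked on after DT_DEBUG
SHIFTED = build_dynamic([(DT_NEEDED, 1), (DT_NEEDED, 12), (DT_NEEDED, 24),
                         (DT_STRTAB, 0x400), (DT_SYMTAB, 0x300)])  # loeg's variant: no DT_DEBUG
```

On a real binary, `audit_dynamic(dynamic_section_from_file("/path/to/exe"))` applies both checks; pass `is_executable=False` for shared objects, which ld links without DT_DEBUG.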

