Detecting the ET_DYN injection
I think that the most prevalent type of process infection is DLL injection, also known as .so injection. It is a clean and effective solution that suits the needs of most attackers and runtime malware. Let's take a look at an infected process, and I will highlight the ways in which we can identify parasite code.
The terms shared object, shared library, DLL, and ET_DYN are all used synonymously throughout this book, especially in this particular section.
Azazel userland rootkit detection
Our infected process is a simple test program named ./host that is infected with the Azazel userland rootkit. Azazel is the newer version of the popular Jynx rootkit. Both of these rootkits rely on LD_PRELOAD to load a malicious ...
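The following is an added example, not code from the book or from the Azazel/Jynx projects, showing the kind of check an analyst can run against a process suspected of LD_PRELOAD-based .so injection. It reads the kernel-provided /proc/<pid>/maps and /proc/<pid>/environ views (here fed with constructed sample text so it runs offline) and reports shared objects that the dynamic linker would not have loaded on its own: entries named in LD_PRELOAD or /etc/ld.so.preload, mapped objects that are not in the expected dependency list, and objects backed by files in temporary or home directories. The sample paths (./host under /home/user, a library under /tmp/.hidden/) and the expected-dependency list are assumptions made for the example; in practice the expected list should be the transitive DT_NEEDED closure of the trusted binary (for example from `ldd` on a clean copy).

```python
"""Spot LD_PRELOAD-style shared-object injection from a process's /proc view.

Added example; the /proc contents below are constructed sample data, not a
capture from a real infected host.
"""
import os
import re
from typing import Iterable

# A /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
_MAP_LINE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")
# Backing files that look like shared objects: libfoo.so, libfoo.so.6, ld-linux-x86-64.so.2
_SO_NAME = re.compile(r"\.so(\.[0-9]+)*$")
# Directories from which a legitimately installed library is not expected to be mapped
_SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/")

def mapped_shared_objects(maps_text: str) -> list[str]:
    """Return the unique backing paths of every mapped shared object, in map order."""
    seen: list[str] = []
    for line in maps_text.splitlines():
        m = _MAP_LINE.match(line)
        if not m:
            continue
        path = m.group(2).strip()
        # Skip anonymous mappings and pseudo-paths such as [stack] and [vdso]
        if path and not path.startswith("[") and _SO_NAME.search(path) and path not in seen:
            seen.append(path)
    return seen

def preload_entries(environ_bytes: bytes) -> list[str]:
    """Extract LD_PRELOAD entries from /proc/<pid>/environ (NUL-separated KEY=VALUE)."""
    for entry in environ_bytes.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in re.split(r"[:\s]+", value) if p]
    return []

def find_injected(maps_text: str, environ_bytes: bytes, expected: Iterable[str],
                  ld_so_preload: str = "") -> dict:
    """Compare what is mapped against what the binary legitimately depends on.

    expected: sonames or paths of the trusted dependency closure (compared by basename).
    ld_so_preload: contents of /etc/ld.so.preload, the system-wide preload list.
    """
    expected_names = {os.path.basename(e) for e in expected}
    mapped = mapped_shared_objects(maps_text)
    preload_file = [ln.strip() for ln in ld_so_preload.splitlines()
                    if ln.strip() and not ln.lstrip().startswith("#")]
    findings = {
        "ld_preload": preload_entries(environ_bytes),
        "ld_so_preload": preload_file,
        "unexpected": [p for p in mapped if os.path.basename(p) not in expected_names],
        "suspicious_path": [p for p in mapped if p.startswith(_SUSPICIOUS_DIRS)],
    }
    findings["injected"] = any(findings[k] for k in
                               ("ld_preload", "ld_so_preload", "unexpected", "suspicious_path"))
    return findings

def scan_pid(pid: int, expected: Iterable[str]) -> dict:
    """Run the same checks against a live Linux process (needs read access to /proc/<pid>).

    Run this from a separate, clean process: /proc is served by the kernel, so hooks
    installed inside the inspected process cannot filter what we read here. A process
    can also rewrite its own environment after start-up, so the maps comparison is the
    stronger signal; the LD_PRELOAD entry is corroboration when it is still present.
    """
    with open(f"/proc/{pid}/maps") as f:
        maps_text = f.read()
    with open(f"/proc/{pid}/environ", "rb") as f:
        environ_bytes = f.read()
    try:
        with open("/etc/ld.so.preload") as f:
            preload_file = f.read()
    except FileNotFoundError:
        preload_file = ""
    return find_injected(maps_text, environ_bytes, expected, preload_file)

# --- constructed sample data (not a real capture) -------------------------------
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 131 /home/user/host
00600000-00601000 rw-p 00000000 08:01 131 /home/user/host
7f3a1c000000-7f3a1c1c0000 r-xp 00000000 08:01 200 /lib/x86_64-linux-gnu/libc.so.6
7f3a1c1c0000-7f3a1c3c0000 ---p 001c0000 08:01 200 /lib/x86_64-linux-gnu/libc.so.6
7f3a1c3c4000-7f3a1c3c9000 rw-p 00000000 00:00 0
7f3a1c3d0000-7f3a1c3e0000 r-xp 00000000 08:01 777 /tmp/.hidden/libparasite.so
7f3a1c400000-7f3a1c420000 r-xp 00000000 08:01 210 /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffc2a000000-7ffc2a021000 rw-p 00000000 00:00 0 [stack]
7ffc2a0ff000-7ffc2a100000 r-xp 00000000 00:00 0 [vdso]
"""
CLEAN_MAPS = "\n".join(ln for ln in SAMPLE_MAPS.splitlines() if "/tmp/" not in ln) + "\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.hidden/libparasite.so\0HOME=/root\0"
CLEAN_ENVIRON = b"PATH=/usr/bin\0HOME=/root\0"
# Assumed trusted dependency closure of ./host (what ldd on a clean copy would list)
EXPECTED = ["libc.so.6", "ld-linux-x86-64.so.2"]

if __name__ == "__main__":
    for label, maps, env in (("infected", SAMPLE_MAPS, SAMPLE_ENVIRON),
                             ("clean", CLEAN_MAPS, CLEAN_ENVIRON)):
        print(label, find_injected(maps, env, EXPECTED))
```

The comparison is by soname basename, so a parasite that copies a legitimate library name into a different directory is still caught by the path check; conversely, an object dropped into a system library directory under a legitimate name is only caught by the dependency-list comparison, which is why both checks are kept.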