Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process.
VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via Ptrace System Calls. However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).[1][2][3][4]
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process.
| ID | Mitigation | Description |
|---|---|---|
| M1040 | Behavior Prevention on Endpoint |
Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0448 | Detection Strategy for VDSO Hijacking on Linux | AN1241 |
Detects the redirection of syscall execution flow via modification of VDSO code stubs or GOT entries to load and execute a malicious shared object through mmap and ptrace. |