From f4180d5f6c5be26354bbaed4e53d68c024db579b Mon Sep 17 00:00:00 2001 From: Matt Miller Date: Wed, 20 Apr 2005 16:05:41 +0000 Subject: [PATCH] more git-svn-id: file:///home/svn/incoming/trunk@2434 4d416f70-5f16-0410-b530-b9f4589650da --- dev/bh/outline.txt | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/dev/bh/outline.txt b/dev/bh/outline.txt index 8c9b16fc4e..c97aa60bdd 100644 --- a/dev/bh/outline.txt +++ b/dev/bh/outline.txt @@ -110,7 +110,7 @@ III. Post-exploitation provided by AV companies iii. Not touching the disk means no forensic trace iv. VirtualLock prevents swapping to disk, but requires admin - 3. In-memory library injection overview + 3. In-memory library injection on Windows a. System calls used by the library loader are hooked i. NtCreateFile ii. NtMapViewOfSection @@ -122,6 +122,19 @@ III. Post-exploitation d. Alternative approaches i. Could do client-side relocations, but would need to handle import processing + 4. In-memory library injection on Linux/BSD + a. No known public implementations + b. Requires alternate approach + i. Hooking API routines not always possible -- symtab not + mapped into memory + ii. libc symbol version mismatches lead to linking nightmare + c. Client-side relocations seem most feasible + i. Remote side maps a region of memory and sends the client + the base address + ii. Client processes relocations and transmits the relocated + image as its mapped segment would appear + iii. Requires locating rtld base so that PLT lookups will + work B. VNC Injection 1. Implements VNC as an injectable DLL a. Uses RealVNC as the code-base
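Review bot: in the first hunk (@@ -110,7 +110,7 @@), renaming item 3 to "In-memory library injection on Windows" leaves sub-item 3.d.i ("Could do client-side relocations, but would need to handle import processing") reading as a generic alternative, while the new item 4 picks exactly that approach for Linux/BSD; state in 3.d.i why it is rejected on Windows (the import-processing cost) so the two sections are consistent, e.g. "i. Client-side relocations possible, but rejected here: would need to handle import processing".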
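Review bot: in the second hunk (@@ -122,6 +122,19 @@), 4.c covers relocations and locating the rtld base but says nothing about how the injected library's imports get resolved, which 3.d.i itself flags as the hard part of client-side relocation; add an item under 4.c describing where symbol addresses come from (the remote side reporting the addresses of needed libc symbols, or the client walking the dynamic section of the remote's libc). Also clarify 4.b.i ("symtab not mapped into memory"): the exported entry points one would hook in libc are in .dynsym, which is part of the loaded image, whereas it is .symtab (rtld internals and other unexported routines) that is not mapped, so say which table is meant.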