Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process.
VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via Ptrace System Calls. However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).(Citation: ELF Injection May 2009) (Citation: Backtrace VDSO) (Citation: VDSO Aug 2005) (Citation: Syscall 2014)
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-6 | Least Privilege | Protects | T1055.014 | VDSO Hijacking |
| SC-18 | Mobile Code | Protects | T1055.014 | VDSO Hijacking |
| SC-7 | Boundary Protection | Protects | T1055.014 | VDSO Hijacking |
| SI-2 | Flaw Remediation | Protects | T1055.014 | VDSO Hijacking |
| SI-3 | Malicious Code Protection | Protects | T1055.014 | VDSO Hijacking |
| SI-4 | System Monitoring | Protects | T1055.014 | VDSO Hijacking |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1055.014 | Process Injection: VDSO Hijacking |