2

I mainly use Linux so I'm not well-versed on how Windows and its privileges work. I've recently learned to use Metasploit and meterpreter on Windows boxes.

Previous research

This answer has given an overview of how meterpreter migrates on Windows.
This article has addressed process migration on Linux

My questions

  1. What allows process migration to work?
  2. What are the main differences between Windows and Linux in process migration?
  3. Is this migration a feature or a vulnerability?
  4. How can I defend it?
  5. Should I try to prevent process migration?
ChocolateOverflow
  • 3,452
  • 4
  • 17
  • 34
  • Can you explain what you mean by "Is it a feature or a vulnerability?". That seems to depend on your PoV –  Jul 13 '20 at 20:52
  • @MechMK1 I mean if this was something intentionally implemented and should be there or is just something like a bug. This is tied to question 5, whether or not I should try to disable or nerf it for security. – ChocolateOverflow Jul 14 '20 at 03:39

2 Answers2

1

What allows process migration to work?

Process migration happens because of process injection,a technique where a process can run its code in the virtual address space of another process

Specifically in meterpreter payload its

  1. Open current process token to set SE_DEBUG PRIVILAGE
  2. Virtualallocexe to allocate memory in target process
  3. Writeprocessmemory to write the payload in target process virtual memory space
  4. Call the routine of the thread via Create remote thread

source

What are the main differences between Windows and Linux in process migration?

For starters Linux doesn't use DLL,although there are more process injection that doesn't use Dll in windows(PE Injection),in linux you would uses LD_PRELOAD or ptrace

Is this migration a feature or a vulnerability?

Feature,since there are many use cases of process injection like debugging,game hacking,using themes,changing functionality of programs and anti virus stuff.

How can I defend it?

Most likely you would want to hook functions that might be used and then perform checks if you want to allow it to happen(Might break stuff), further read

Should I try to prevent process migration?

It mostly used in malwares to hide,even without using it,you can do just as much damage.So....no

yeah_well
  • 3,699
  • 1
  • 13
  • 30
0

Control of memoryspaces and job control — such as the ability to launch a process into userspace runtime, allows for process migration.

In other words, it’s a feature called “an Operating System”.

atdre
  • 18,885
  • 6
  • 58
  • 107