2026-05-29, Main Stage
Process injection on Linux is often treated as a solved problem. Yet many modern tools remain architecture-locked or are easily flagged by basic heuristic analysis. This session introduces Aether, a Linux process injection framework designed for today’s landscape. We will dive deep into the technical hurdles of building a tool that handles both 32-bit and 64-bit processes seamlessly. Aether utilizes ptrace for attachment and PLT (Procedure Linkage Table) hooking for precise function interception.
The talk goes beyond the basics by exploring a "Polyglot" approach to offensive tooling. We will demonstrate how wrapping a performance-heavy C/C++ injection core within a Rust-based FFI (Foreign Function Interface) tunnel creates a "safe" but powerful parasite. This hybrid architecture increases exploit stability. It also complicates the work of reverse engineers by fragmenting the call stack across language boundaries. Attendees will walk away with a functional understanding of Linux runtime code modification, the state of modern PLT hooking, and a roadmap for "oxidizing" legacy C++ tools to stay ahead of evolving detection engines.
The current landscape of Linux process injection is dominated by aging techniques that are increasingly visible to modern Endpoint Detection and Response (EDR) systems. While tools leveraging LD_PRELOAD or basic shellcode injection remain functional, they often fall victim to heuristic scanners that flag predictable memory allocation patterns and standard C library calls. This presentation introduces Aether, a framework designed to bypass these limitations by utilizing low-level primitive operations, specifically ptrace and Procedure Linkage Table (PLT) hooking, to achieve cross-architecture code execution. By operating at the binary level rather than relying on high-level environment variables, Aether provides a robust foundation for runtime code modification in both 32-bit and 64-bit environments.
The technical core of the talk focuses on the orchestration of ptrace for non-cooperative process attachment. We will examine the mechanics of capturing a running process's execution state, manipulating registers to redirect control flow, and the precise use of PTRACE_POKETEXT to inject our "parasite" shared library. A significant portion of the deep dive is dedicated to PLT hooking, a technique that allows Aether to intercept specific function calls by overwriting entries in the Global Offset Table (GOT). This method ensures that our injected code remains synchronized with the host process's legitimate activities, allowing for stealthy monitoring or modification of data without crashing the target, a common failure point in traditional "fire-and-forget" injectors.
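Both primitives described above leave artifacts a defender can check: a ptrace attachment shows up as a non-zero `TracerPid` in `/proc/<pid>/status`, and an overwritten GOT slot points outside the mappings it should resolve into. The following is an added example, not part of the talk or the Aether code base; the maps, status and GOT snapshot are constructed samples, the GOT values are assumed to have been read out by a debugger or memory-forensics tool, and `TRUSTED_PREFIXES` is a hypothetical site policy.

```python
import re

# Constructed sample of /proc/<pid>/maps for a hypothetical process named "target".
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a02000 r-xp 00000000 08:01 131 /usr/bin/target
55d0c0c01000-55d0c0c02000 rw-p 00001000 08:01 131 /usr/bin/target
7f3a10000000-7f3a101c0000 r-xp 00000000 08:01 220 /usr/lib/libc.so.6
7f3a20000000-7f3a20003000 r-xp 00000000 08:01 977 /tmp/.cache/libparasite.so
7f3a30000000-7f3a30021000 rw-p 00000000 00:00 0 
"""
# Constructed GOT snapshot: imported symbol -> address currently stored in its slot.
SAMPLE_GOT = {"read": 0x7F3A10010A40, "write": 0x7F3A20001130, "malloc": 0x7F3A30000100}
# Constructed excerpt of /proc/<pid>/status while a tracer is attached.
SAMPLE_STATUS = "Name:\ttarget\nState:\tt (tracing stop)\nTracerPid:\t4242\n"
# Assumption: directories from which this host expects code to be loaded.
TRUSTED_PREFIXES = ("/usr/lib/", "/lib/", "/usr/bin/")

def parse_maps(text):
    """Return (start, end, perms, path) for every line of a maps listing."""
    regions = []
    for line in text.splitlines():
        m = re.match(r"([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)", line)
        if m:
            regions.append((int(m[1], 16), int(m[2], 16), m[3], m[4]))
    return regions

def tracer_pid(status_text):
    """PID of the attached tracer, or 0 when the process is not being traced."""
    m = re.search(r"^TracerPid:\s*(\d+)", status_text, re.M)
    return int(m.group(1)) if m else 0

def audit_got(got, regions):
    """Flag GOT slots whose target is unmapped, non-executable or untrusted.
    A lazily bound slot points back into the binary's own PLT and passes."""
    findings = {}
    for sym, addr in got.items():
        hit = next((r for r in regions if r[0] <= addr < r[1]), None)
        if hit is None:
            findings[sym] = "unmapped address"
        elif "x" not in hit[2]:
            findings[sym] = "non-executable region"
        elif not hit[3].startswith(TRUSTED_PREFIXES):
            findings[sym] = f"untrusted mapping {hit[3] or '[anon]'}"
    return findings

if __name__ == "__main__":
    print("TracerPid:", tracer_pid(SAMPLE_STATUS))
    print(audit_got(SAMPLE_GOT, parse_maps(SAMPLE_MAPS)))
```

A non-zero `TracerPid` is also what a legitimate debugger produces, so it is a triage signal to correlate with the GOT findings rather than a verdict on its own.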
The research then pivots to the "Oxidation" of the framework: the integration of Rust via a Foreign Function Interface (FFI) tunnel. We explore the hypothesis that mixing programming languages can act as a form of binary-level obfuscation. By wrapping our performance-critical C++ injection engine in a Rust-based daemon, we fragment the call stack and generate machine code signatures that differ significantly from "pure" C++ malware. This section of the presentation will provide a comparative analysis of memory signatures, demonstrating how Rust’s unique binary structure and its "safety-first" memory management can be weaponized to evade modern heuristics and complicate the work of a reverse engineer attempting to trace the hybrid execution flow.
Finally, the session concludes with a series of high-stakes demonstrations. We will first show a baseline "Legacy" injection being detected by standard Linux audit tools, followed by the successful deployment of the Oxidized Aether framework. The demo will highlight the tool's dedicated monitoring daemon, which maintains the health of the injected parasite and ensures persistence even through host process fluctuations. Attendees will be provided with a technical roadmap for porting their own offensive tools to this hybrid architecture, along with access to the Aether source code to further the community's research into polyglot exploitation.
Hey, I'm Lora. I build tools that live in other people’s memory space. I’m a Linux security researcher and the developer of Aether, a 32/64-bit process injection framework. My recent work involves weaponizing Rust’s safety features to create more stable and undetectable C++ hybrids. I’m here to show you how process injection is evolving on Linux and why the future of offensive tooling is polyglot.