[saagarjha]

> Why did we have to mess with this shellcode within the injector (dlinject.py) rather than just somehow identifying the PID of the target and loading the injected code directly? Is it not possible via some simply python call to perform the injection, and is that why we're playing with the x86?

Yes, there is no simple way to do this. Injecting arbitrary code into a process is always finicky, and this project is even more so because it eschews the API used for doing stuff like this (ptrace, which is still on the level of registers and memory addresses) and going through other kernel interfaces to try to perform similar things.

> Also, would this work on systems with ASLR?

It does, because it defeats ASLR by looking at the process’s memory mappings and finding libc in that (which it uses for dlopen).

> Could malicious code be obfuscated, transformed, and then subsequently injected into a process like explorer with this dlinject.py? What are our limitations here?

None, it can inject pretty much anything. The only limitation is security protections that the OS provides to stop you from touching other processes in this way.