3snake

Intended for servers where root has already been obtained, it reads the memory of sshd and sudo processes around the system calls that handle password-based authentication. It does not write to the traced processes' memory, and it spawns a new tracer process for every sshd and sudo command that runs.

It listens for proc events over a netlink socket to obtain candidate processes to trace. When it sees a new sshd or sudo process, it attaches with ptrace and traces the read and write system calls, extracting strings related to password-based authentication.

Link: https://github.com/blendin/3snake
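Because 3snake works by ptrace-attaching to sshd and sudo, the kernel records the relationship in the TracerPid field of /proc/<pid>/status, which gives a defender a cheap host-side check. The following is an added example written for this page, not code from the 3snake project: it parses that field for the two target process names and flags any that currently have a tracer. The sample status dumps are constructed to show the logic; when run as a script it also scans the live /proc.

```python
"""Flag sshd/sudo processes that have a ptrace tracer attached.

A 3snake-style sniffer attaches with ptrace to read the target's memory,
and Linux exposes that in the TracerPid: line of /proc/<pid>/status.
This is added example code, not part of 3snake.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# Process names the page says 3snake attaches to.
TARGET_COMMS = {"sshd", "sudo"}


@dataclass(frozen=True)
class TraceInfo:
    pid: int
    comm: str
    tracer_pid: int


def parse_status(pid: int, status_text: str) -> Optional[TraceInfo]:
    """Extract Name: and TracerPid: from one /proc/<pid>/status dump."""
    comm = None
    tracer = None
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if key == "Name":
            comm = value
        elif key == "TracerPid":
            try:
                tracer = int(value)
            except ValueError:
                return None
    if comm is None or tracer is None:
        return None  # malformed or truncated status file
    return TraceInfo(pid, comm, tracer)


def traced_targets(statuses: Dict[int, str]) -> List[TraceInfo]:
    """Return sshd/sudo processes whose TracerPid is nonzero, lowest pid first."""
    hits = []
    for pid, text in sorted(statuses.items()):
        info = parse_status(pid, text)
        if info and info.comm in TARGET_COMMS and info.tracer_pid != 0:
            hits.append(info)
    return hits


def read_proc_statuses(proc_root: str = "/proc") -> Dict[int, str]:
    """Collect /proc/<pid>/status for every live PID (Linux only)."""
    statuses = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "status")) as f:
                statuses[int(name)] = f.read()
        except OSError:
            continue  # process exited or status not readable
    return statuses


# Constructed sample data standing in for real /proc/<pid>/status output:
# an sshd traced by pid 4242, an untraced sudo, the tracer itself, and an
# unrelated traced bash that must not be reported.
SAMPLE_STATUSES = {
    1234: "Name:\tsshd\nState:\tS (sleeping)\nPid:\t1234\nPPid:\t900\nTracerPid:\t4242\n",
    1300: "Name:\tsudo\nState:\tS (sleeping)\nPid:\t1300\nPPid:\t1250\nTracerPid:\t0\n",
    4242: "Name:\t3snake\nState:\tS (sleeping)\nPid:\t4242\nPPid:\t1\nTracerPid:\t0\n",
    2000: "Name:\tbash\nState:\tS (sleeping)\nPid:\t2000\nPPid:\t1\nTracerPid:\t4242\n",
}


if __name__ == "__main__":
    print("constructed sample:")
    for hit in traced_targets(SAMPLE_STATUSES):
        print(f"  pid {hit.pid} ({hit.comm}) is traced by pid {hit.tracer_pid}")
    if os.path.isdir("/proc"):
        print("live /proc:")
        for hit in traced_targets(read_proc_statuses()):
            print(f"  pid {hit.pid} ({hit.comm}) is traced by pid {hit.tracer_pid}")
```

Two caveats apply. The check is point-in-time: 3snake attaches a fresh tracer to each short-lived sudo, so a one-off scan can miss it and the check belongs in a periodic job or an audit rule on ptrace attach. It also only catches ptrace-based tooling; an eBPF uprobe on the PAM library, as pamspy uses, leaves TracerPid at 0, and loaded BPF programs have to be inspected instead (for example with bpftool prog list).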

pamspy - Credentials Dumper for Linux

pamspy leverages eBPF to achieve the equivalent of what 3snake does.

It hooks a particular userland function inside the PAM (Pluggable Authentication Modules) library, which many critical applications use to handle authentication, such as:

Link: