TL;DR

1. Use echo 'print __libc_dlopen_mode("/path/to/library.so", 2)' | gdb -p <PID> for process injection
2. Write a shared library to inject into sshd process
3. In the library, fork a child process to monitor sshd children then attach (PTRACE_ATTATCH) to them
4. For each ssh session, search its memory for …

View comments.

more ...