cssrt- lu malware contest
I was reading the analysis of the ELF file in the blog by sp about this contest. I had looked at this unrunnable and corrupt file and didn't find a motive to dig deeper. Like he correctly says, this file has been tampered with by replacing all the 0x00 bytes with 0x20, and it wasn't loading or showing any useful information in any of the usual tools: objdump, ndisasm, hte, idafree, ald, gdb, readelf all spewed some garbage like "corrupt", "unidentified" etc. etc. strings :) elfsh was able to load the file, but it too wasn't able to go any further apart from spitting out the header details :) but elfsh's header details gave an inkling about the replace :) and like he says, I did a mass replace of 0x20 to 0x00 with some perl one-liner I have already forgotten, something like

perl -pe 's/\x20/\x00/g' < newelf > modelf

The purpose of this blog being: that's not the right way :) This mass replace, though it makes the file loadable in all the utilities :), just won't let you see the virus that is embedded inside that file, aka RST.B.

Here is a log of elfsh -> hdr details.

Now elfsh gave me an inkling that something is absolutely corrupt: the machine can't be 8195, which means efi-32, and the pax flags all showed 0x20202020, which normally would have been 000000.

Loading the modified file in hte now loaded the file without problems. hte normally shows the disassembly right from the entry point, but this time it was showing me disassembly from the end of the hdr, so I wanted to see what's at the EP :) and hte shows me this
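To show concretely why the blanket replace is the wrong repair, here is an added Python example (mine, not from the post or the contest file): it builds a constructed toy ELF32 header plus a body, tampers it the same way (every 0x00 turned into 0x20), and contrasts the mass replace with restoring only the header bytes a sane 32-bit x86 ELF pins to zero. All sample values (entry 0x08048080, the offsets, the "RST.B says hi" string) are made up.

```python
import struct

# 52-byte ELF32 header: e_ident followed by 13 little-endian fields.
ELF32_HDR = "<16sHHIIIIIHHHHHH"
FIELDS = ("e_ident", "e_type", "e_machine", "e_version", "e_entry", "e_phoff",
          "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
          "e_shentsize", "e_shnum", "e_shstrndx")

def parse_header(blob):
    """Return the ELF32 header fields of blob as a dict."""
    return dict(zip(FIELDS, struct.unpack(ELF32_HDR, blob[:52])))

def mass_replace(blob):
    """The naive fix from the post: every 0x20 byte becomes 0x00 again."""
    return blob.replace(b"\x20", b"\x00")

def fix_offset(v, size):
    """Clear 0x20 bytes of a file offset from the top while it points past EOF.
    A byte that may genuinely be 0x20 (offset already inside the file) is kept."""
    for shift in (24, 16, 8, 0):
        if v >= size and (v >> shift) & 0xFF == 0x20:
            v &= ~(0xFF << shift) & 0xFFFFFFFF
    return v

def repair_header(blob):
    """Selective fix: restore only header bytes that a sane 32-bit x86 ELF pins
    to zero (assumes the small fields were < 256); the body stays untouched."""
    h = parse_header(blob)
    ident = bytearray(h["e_ident"])
    ident[7:16] = b"\x00" * 9                      # EI_OSABI..EI_PAD are zero on Linux
    s = {k: h[k] & 0xFF for k in ("e_type", "e_machine", "e_ehsize", "e_phentsize",
                                  "e_phnum", "e_shentsize", "e_shnum", "e_shstrndx")}
    fixed = struct.pack(ELF32_HDR, bytes(ident), s["e_type"],
                        s["e_machine"],             # 8195 = 0x2003 -> EM_386 = 3
                        1,                          # EV_CURRENT
                        h["e_entry"],               # a vaddr, no EOF bound: check by hand
                        fix_offset(h["e_phoff"], len(blob)),
                        fix_offset(h["e_shoff"], len(blob)),
                        0,                          # e_flags is 0 for i386
                        s["e_ehsize"], s["e_phentsize"], s["e_phnum"],
                        s["e_shentsize"], s["e_shnum"], s["e_shstrndx"])
    return fixed + blob[52:]

def make_sample():
    """Constructed toy, not the contest file: valid header, a body whose spaces
    are real data, and a tampered copy with every 0x00 turned into 0x20."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9   # ELFCLASS32, LSB, EV_CURRENT
    hdr = struct.pack(ELF32_HDR, ident, 2, 3, 1, 0x08048080, 52, 144, 0, 52, 32, 1, 40, 3, 2)
    clean = hdr + b"\x90" * 100 + b"RST.B says hi\x00"
    return clean, clean.replace(b"\x00", b"\x20")
```

Note that e_phentsize is always 32 = 0x20 in an ELF32 header, so the mass replace zeroes it, while the selective repair keeps it and leaves the spaces in the body alone.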