
Analysis of Linux malicious elf files

January 6, 2022

It started with a client's server: as soon as the server process came up it was killed within a few seconds, and the error log showed nothing. The server runs on the JVM; how to find out which process killed another process deserves an article of its own.

I was confident it was neither our code nor a JVM crash. Without a doubt, this was the work of script kiddies.

A look around: the routine is nothing more than crontab entries, mount tricks and other disguises. As for tampering with ps and top to hide processes, I'm sure most script kiddies don't have that ability either. Of course, plenty of people in this line of work inherit their toolkits, and it's hard to say whether some ancestral artifact is in play.
OK, what I finally found was an x86-64 executable sitting in a directory called .log. Call it judging a gentleman with a villain's heart: there was no ps hiding at all; the thing simply kills whatever process is using the most CPU, every second, so nothing interferes with its own work. Cunning bastard. With a name that confusing, am I supposed to believe you don't touch the system files?

cp a copy to keep a backup, killall, then analyze. A look with vim shows it is not a script but an ELF binary, so the rest is ELF analysis.

Linux has several tools for quick analysis of ELF files: readelf, objdump and ldd.
Usually ldd is used to list the dynamically loaded libraries and objdump to disassemble. These tools do not always work against malicious files, though.
For example, ldd is useless on statically compiled programs or on scripts in disguise.
For a program with no section table, objdump may produce nothing at all:

# objdump -d ./wi
./wi: file format elf64-x86-64

Because objdump relies on the code sections, i.e. on the section table, fall back to readelf to see what is actually there:

# readelf -a ./wi
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x5c9e70
Start of program headers: 64 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 3
Size of section headers: 64 (bytes)
Number of section headers: 0
Section header string table index: 0
There are no sections in this file.
There are no sections to group in this file.
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
LOAD 0x0000000000000000 0x0000000000400000 0x0000000000400000
0x00000000001ca78b 0x00000000001ca78b R E 200000
LOAD 0x0000000000000000 0x00000000005cb000 0x00000000005cb000
0x0000000000000000 0x0000000000597d58 RW 1000
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RW 10
There is no dynamic section in this file.
There are no relocations in this file.
The decoding of unwind sections for machine type Advanced Micro Devices X86-64 is not currently supported.
Dynamic symbol information is not available for displaying symbols.
No version information found in this file.

So in this case you can do the following: -D disassembles the whole file rather than only the code sections, -b binary tells objdump to treat the input as raw bytes with no container format, and -m selects the instruction set to decode with (for a 64-bit body, -m i386:x86-64 picks the matching decoder). Note that the first bytes decoded this way are the ELF header itself, which is why they come out as nonsense instructions:

# objdump -b binary -D -m i386 ./wi
./wi: file format binary
Disassembly of section .data:
00000000 <.data>:
0: 7f 45 jg 0x47
2: 4c dec %esp
3: 46 inc %esi
4: 02 01 add (%ecx),%al
6: 01 00 add %eax,(%eax)
...
10: 02 00 add (%eax),%al
12: 3e 00 01 add %al,%ds:(%ecx)
15: 00 00 add %al,(%eax)

In addition, strace, gdb and similar tools can help. Of course, a heavy weapon like IDA is more effective.
This is just a taste: even once you have dumped out this pile of assembly, what good is it? It is not that easy to read.

Why should I make people believe this thing is not a normal binary? Its dirty hiding place alone is not proof enough.

So why would a perfectly good ELF executable have no section table? Simple: script kiddies love to play tricks, and the first trick that comes to mind is packing. On Linux the packer that comes to mind first is UPX.

# strings ./wi | grep UPX
nUPX!(
$Info: This file is packed with the UPX executable packer http://upx.sf.net $
$Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $
UPX!u
UPX!
UPX!
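The two checks made by hand above (readelf showing zero section headers, strings showing the UPX markers) can be scripted for triaging a batch of samples. The following is an added example written for this article, not code from the original post or from any tool it mentions. It parses the Elf64 header and program headers with the struct module, flags the packer heuristics visible in the readelf output, and scans for the UPX marker strings. The sample bytes it builds are constructed from the header values printed above, not the real file, and the thresholds (entry within 4 KiB of the end of the executable segment, a writable segment with no file-backed bytes but at least 1 MiB in memory) are assumptions chosen to illustrate the heuristics.

```python
import struct

# Elf64 constants (System V ABI), little-endian layouts
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr: 64 bytes
PHDR_FMT = "<IIQQQQQQ"           # Elf64_Phdr: 56 bytes
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

def parse_elf64_header(data):
    """Parse a little-endian Elf64_Ehdr; refuse anything else rather than misread it."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    names = ("e_ident", "e_type", "e_machine", "e_version", "e_entry", "e_phoff",
             "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
             "e_shentsize", "e_shnum", "e_shstrndx")
    return dict(zip(names, struct.unpack_from(EHDR_FMT, data, 0)))

def parse_program_headers(data, ehdr):
    """Walk the program header table; it survives even when the section table is gone."""
    names = ("p_type", "p_flags", "p_offset", "p_vaddr", "p_paddr",
             "p_filesz", "p_memsz", "p_align")
    phdrs = []
    for i in range(ehdr["e_phnum"]):
        off = ehdr["e_phoff"] + i * ehdr["e_phentsize"]
        phdrs.append(dict(zip(names, struct.unpack_from(PHDR_FMT, data, off))))
    return phdrs

def triage(data):
    """Return (ehdr, phdrs, findings); findings are simple packer heuristics."""
    ehdr = parse_elf64_header(data)
    phdrs = parse_program_headers(data, ehdr)
    f = {}
    # readelf's "There are no sections in this file": e_shnum == 0 and e_shoff == 0.
    f["no_section_table"] = ehdr["e_shnum"] == 0 and ehdr["e_shoff"] == 0
    exec_segs = [p for p in phdrs if p["p_type"] == PT_LOAD and p["p_flags"] & PF_X]
    f["single_exec_segment"] = len(exec_segs) == 1
    # Heuristic (assumed threshold): a UPX stub follows the compressed payload, so
    # the entry point lands in the last few KiB of the only executable segment.
    f["entry_near_segment_end"] = any(
        p["p_vaddr"] <= ehdr["e_entry"] < p["p_vaddr"] + p["p_filesz"]
        and p["p_vaddr"] + p["p_filesz"] - ehdr["e_entry"] <= 0x1000
        for p in exec_segs)
    # Heuristic (assumed threshold): a writable segment with no file-backed bytes
    # but a large memory size is the room the stub will unpack into.
    f["large_unbacked_rw_segment"] = any(
        p["p_type"] == PT_LOAD and p["p_flags"] & PF_W
        and p["p_filesz"] == 0 and p["p_memsz"] >= 0x100000
        for p in phdrs)
    f["upx_marker"] = b"UPX!" in data or b"packed with the UPX" in data
    f["likely_upx_packed"] = f["no_section_table"] and f["upx_marker"]
    return ehdr, phdrs, f

def build_sample():
    """Constructed sample, not the real file: header and program-header values copied
    from the readelf output in the article, then filler and the UPX marker strings."""
    e_ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    ehdr = struct.pack(EHDR_FMT, e_ident, 2, 0x3E, 1, 0x5C9E70, 64, 0, 0,
                       64, 56, 3, 64, 0, 0)
    phdrs = struct.pack(PHDR_FMT, PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000,
                        0x1CA78B, 0x1CA78B, 0x200000)
    phdrs += struct.pack(PHDR_FMT, PT_LOAD, PF_R | PF_W, 0, 0x5CB000, 0x5CB000,
                         0, 0x597D58, 0x1000)
    phdrs += struct.pack(PHDR_FMT, PT_GNU_STACK, PF_R | PF_W, 0, 0, 0, 0, 0, 0x10)
    tail = (b"\x00" * 32 + b"UPX!" + b"\x00" * 8 +
            b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $")
    return ehdr + phdrs + tail

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    ehdr, phdrs, findings = triage(data)
    print(f"entry 0x{ehdr['e_entry']:x}, {ehdr['e_phnum']} program headers, "
          f"{ehdr['e_shnum']} section headers")
    for k, v in findings.items():
        print(f"  {k:26s} {v}")
```

Run it with a file path to triage a real binary, or with no arguments to see the heuristics fire on the constructed sample. None of the flags is proof on its own; a stripped static binary also has few segments, which is why the script reports each finding separately instead of a single verdict.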

The script kiddie is still crude and doesn't know how to hide the packer signature. Strip the bastard:

# ./upx -d wi
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2020
UPX 3.96 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 23rd 2020
File size Ratio Format Name
-------------------- ------ ----------- -----------
5011080 <- 1878380 37.48% linux/amd64 wi
Unpacked 1 file.

If the script kiddie had hidden the UPX packer information, UPX's own -d option could not unpack it, and that is when IDA comes in. The essence of a packer is to compress and encrypt all the data of the original program so that it cannot be parsed in the static file; as the program executes, the runtime stub releases the real code into memory. You can debug the program remotely with IDA, find the OEP once the UPX stub has finished unpacking, dump that memory and unpack it manually. How to find the OEP is a matter of experience.

After unpacking, keep going with strings, strace, netstat and the like for a qualitative analysis.

In fact, at this point the strings command alone is enough to tell what it does:

[1;37monnection
* COMMANDS 'h' hashrate, 'p' pause, 'r' resume, 's' results, 'c' connection
>wz
*ctz>3>c)
:w 3
[32m||
[31m ERROR
[32m||
[37m Invalid Port Use In This Range
[36m'1-65535'
[37me.g
[31m ( ./xmrig -p 3333 )
[32m||
[31m ERROR
[32m||
[37m Invalid Class You Can Use Only These Classes
[36m'192.168'
[32m,
[36m'172'
[32m,
[36m'100'
[32m,
[36m'10'
[37m e.g
[31m ( ./xmrig -lan 192.168.0.1 )
[32m||
[31m ERROR
[32m||
[37m Empty Or Invalid Pool Address
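The strings output above is noisy because the miner colours its messages with ANSI escape codes and GNU strings splits every run at the ESC byte, leaving residue like "[1;37monnection". The following added example (written for this article, not taken from the original post or from any tool it names) reproduces the strings extraction, strips both complete and ESC-less SGR sequences, and tags the recovered text against a small indicator list. The sample bytes and the indicator keywords are constructed from the messages shown above; the labels are assumptions for illustration.

```python
import re

PRINTABLE = set(range(0x20, 0x7F))             # GNU strings' default: ASCII 0x20..0x7e
# ESC [ params m, or the "[params m" residue left when ESC was stripped as a separator
ANSI_SGR = re.compile(r"(?:\x1b)?\[[0-9;]*m")

# Constructed sample resembling the unpacked miner's string table; not the real file.
SAMPLE = (
    b"\x00\x00\x1b[1;37mConnection\x00"
    b"* COMMANDS 'h' hashrate, 'p' pause, 'r' resume, 's' results, 'c' connection\x00"
    b"\x8f\x02>wz\x00"
    b"\x1b[32m||\x1b[31m ERROR\x1b[32m||\x1b[37m Invalid Port Use In This Range\x00"
    b"\x1b[36m'1-65535'\x1b[37me.g\x1b[31m ( ./xmrig -p 3333 )\x00"
    b"\x1b[37m Empty Or Invalid Pool Address\x00"
    b"/etc/ld.so.cache\x00"
)

# Assumed indicator list built from the messages quoted in the article.
INDICATORS = {
    "miner": ("xmrig", "hashrate", "pool address"),
    "cli_help": ("commands", "e.g"),
}

def extract_strings(data, min_len=4):
    """Mimic `strings`: runs of printable ASCII of at least min_len bytes."""
    out, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out

def strip_ansi(s):
    """Remove SGR colour codes, including the bracket residue seen in strings output."""
    return ANSI_SGR.sub("", s).strip()

def classify(cleaned):
    """Map indicator labels to the cleaned strings that triggered them."""
    hits = {}
    for label, needles in INDICATORS.items():
        for s in cleaned:
            if any(n in s.lower() for n in needles):
                hits.setdefault(label, []).append(s)
    return hits

def triage_strings(data):
    """Return (cleaned strings, indicator hits) for a binary blob."""
    cleaned = [c for c in (strip_ansi(s) for s in extract_strings(data)) if c]
    return cleaned, classify(cleaned)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    cleaned, hits = triage_strings(blob)
    for label, matched in hits.items():
        print(f"[{label}]")
        for s in matched:
            print(f"    {s}")
```

The point of cleaning before matching is that a keyword such as "hashrate" or "xmrig" sits inside a coloured message and survives the colour codes anyway, while the stripped text is what you would paste into an incident report.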

It can also be concluded that this is a Trojan written in C++. Want the C++ source back from a disassembly? Dream on. objdump would need debug information for that, and no script kiddie leaves it in. For anything resembling C++ source the only option is an IDA dump, and that gives you something that merely looks like the source.

Of course, the simplest route is to upload it straight to VirusTotal; the final verdict is Linux.Risk.Bitcoinminer.Tbix.

Ha ha. Script kiddies.
