On Tue, Apr 02, 2024 at 12:45:18AM -0700, Gordon Messmer wrote:
> On 2024-04-01 23:59, Gordon Messmer wrote:
> > Now gdb can print the GOT with the paths providing the memory
> > section containing a function. For example, on a Debian 12 system
> > with liblzma 5.6:
>
> Purely as trivia, and as I haven't seen it discussed elsewhere, the
> malware steals a different set of symbols on Fedora, where
> RSA_public_decrypt doesn't seem to appear in the GOT at all. On
> Fedora 40:
>
> gef➤ got RSA
> GOT protection: Full RelRO | GOT functions: 503
> [0x556ac0b94ff8] RSA_set0_key@OPENSSL_3.0.0 → 0x7f4e95dafce0 : /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b951c0] RSA_bits@OPENSSL_3.0.0 → 0x7f4e95daf0a0 : /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b951e0] EVP_PKEY_set1_RSA@OPENSSL_3.0.0 → 0x7f4e960e23b0 : /usr/lib64/liblzma.so.5.6.1
> [0x556ac0b95310] RSA_set0_crt_params@OPENSSL_3.0.0 → 0x7f4e95dafea0 : /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b953c8] RSA_size@OPENSSL_3.0.0 → 0x7f4e95daf0b0 : /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b95518] RSA_new@OPENSSL_3.0.0 → 0x7f4e95db3330 : /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b95778] RSA_get0_crt_params@OPENSSL_3.0.0 → 0x7f4e95dae490 : /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b95870] RSA_free@OPENSSL_3.0.0 → 0x7f4e95db2f00 : /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b95b90] RSA_get0_key@OPENSSL_3.0.0 → 0x7f4e960e1ac0 : /usr/lib64/liblzma.so.5.6.1
> [0x556ac0b95c00] RSA_get0_factors@OPENSSL_3.0.0 → 0x7f4e95dae470 : /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b95c88] EVP_PKEY_get1_RSA@OPENSSL_3.0.0 → 0x7f4e95d59710 : /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b95da0] RSA_get_ex_data@OPENSSL_3.0.0 → 0x7f4e95db3440 : /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b95e50] RSA_set0_factors@OPENSSL_3.0.0 → 0x7f4e95dafdc0 : /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b95f00] RSA_blinding_on@OPENSSL_3.0.0 → 0x7f4e95db17f0 : /usr/lib64/libcrypto.so.3.2.1
Since no one else replied yet, this is a nice bit of analysis.
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
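The check Gordon performed by eye above (which GOT slots for OpenSSL symbols resolve into liblzma rather than libcrypto) can be automated over gef's `got` output. The script below is an added example written for this page; it is not code from either poster, from gef, or from any xz/OpenSSL project. It parses the `got RSA` listing from the quoted message in the wrapped, "(a)"-for-"@" form in which the list archive delivers it (the parser undoes the wrapping), plus two constructed entries with made-up addresses to show a GLIBC-versioned and an XZ-versioned symbol being accepted. The symbol-version-to-library table `EXPECTED_EXPORTER` is an assumption of the example (only libcrypto/libssl are expected to provide OPENSSL_*-versioned symbols, and so on) and should be adjusted to the system under inspection.

```python
"""Flag GOT entries whose versioned symbol resolves into an unexpected DSO.

Added example for this page, not code from the post or from gef. The idea:
a symbol's version tag (OPENSSL_3.0.0, GLIBC_2.2.5, XZ_5.0, ...) names the
library family that is supposed to export it, so a GOT slot for an
OPENSSL_* symbol that points into liblzma is worth a second look.
"""
import os
import re

# Sample input: the `got RSA` output quoted in the post, pasted in the form
# the list archive delivers it (mailer-wrapped lines, "(a)" in place of "@").
# The last two entries are constructed for this example; their addresses
# are invented and only serve to exercise the GLIBC and XZ mappings.
SAMPLE_GOT = """\
gef➤ got RSA
GOT protection: Full RelRO | GOT functions: 503
[0x556ac0b94ff8] RSA_set0_key(a)OPENSSL_3.0.0 → 0x7f4e95dafce0 :
/usr/lib64/libcrypto.so.3.2.1
[0x556ac0b951c0] RSA_bits(a)OPENSSL_3.0.0 → 0x7f4e95daf0a0 :
/usr/lib64/libcrypto.so.3.2.1
[0x556ac0b951e0] EVP_PKEY_set1_RSA(a)OPENSSL_3.0.0 → 0x7f4e960e23b0 :
/usr/lib64/liblzma.so.5.6.1
[0x556ac0b95310] RSA_set0_crt_params(a)OPENSSL_3.0.0 → 0x7f4e95dafea0
: /usr/lib64/libcrypto.so.3.2.1
[0x556ac0b953c8] RSA_size(a)OPENSSL_3.0.0 → 0x7f4e95daf0b0 :
/usr/lib64/libcrypto.so.3.2.1
[0x556ac0b95518] RSA_new(a)OPENSSL_3.0.0 → 0x7f4e95db3330 :
/usr/lib64/libcrypto.so.3.2.1
[0x556ac0b95778] RSA_get0_crt_params(a)OPENSSL_3.0.0 → 0x7f4e95dae490
: /usr/lib64/libcrypto.so.3.2.1
[0x556ac0b95870] RSA_free(a)OPENSSL_3.0.0 → 0x7f4e95db2f00 :
/usr/lib64/libcrypto.so.3.2.1
[0x556ac0b95b90] RSA_get0_key(a)OPENSSL_3.0.0 → 0x7f4e960e1ac0 :
/usr/lib64/liblzma.so.5.6.1
[0x556ac0b95c00] RSA_get0_factors(a)OPENSSL_3.0.0 → 0x7f4e95dae470 :
/usr/lib64/libcrypto.so.3.2.1
[0x556ac0b95c88] EVP_PKEY_get1_RSA(a)OPENSSL_3.0.0 → 0x7f4e95d59710 :
/usr/lib64/libcrypto.so.3.2.1
[0x556ac0b95da0] RSA_get_ex_data(a)OPENSSL_3.0.0 → 0x7f4e95db3440 :
/usr/lib64/libcrypto.so.3.2.1
[0x556ac0b95e50] RSA_set0_factors(a)OPENSSL_3.0.0 → 0x7f4e95dafdc0 :
/usr/lib64/libcrypto.so.3.2.1
[0x556ac0b95f00] RSA_blinding_on(a)OPENSSL_3.0.0 → 0x7f4e95db17f0 :
/usr/lib64/libcrypto.so.3.2.1
[0x556ac0b95f08] read@GLIBC_2.2.5 → 0x7f4e95c1a000 : /usr/lib64/libc.so.6
[0x556ac0b95f10] lzma_code@XZ_5.0 → 0x7f4e960d2a40 : /usr/lib64/liblzma.so.5.6.1
"""

# Assumption of this example: which DSO basenames may legitimately export a
# symbol whose version tag starts with the given namespace. Extend per system.
EXPECTED_EXPORTER = {
    "OPENSSL": ("libcrypto.so", "libssl.so"),
    "GLIBC": ("libc.so", "ld-linux", "libm.so", "libpthread.so", "libdl.so", "librt.so"),
    "XZ": ("liblzma.so",),
}

# One gef `got` line: [slot] symbol[@version] → target : /path/to/library
# "(a)" is accepted alongside "@" because list archives rewrite it that way.
GOT_LINE = re.compile(
    r"^\[(?P<slot>0x[0-9a-f]+)\]\s+"
    r"(?P<sym>[A-Za-z_]\w*)"
    r"(?:(?:@|\(a\))(?P<ver>[A-Za-z_][\w.]*))?\s+"
    r"(?:→|->)\s+(?P<target>0x[0-9a-f]+)\s+:\s+(?P<lib>\S+)\s*$"
)


def unwrap_mail(text):
    """Re-join lines that a mailer wrapped before the ':' or before the path."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if lines and line[:1] in (":", "/"):
            lines[-1] = lines[-1] + " " + line
        else:
            lines.append(line)
    return lines


def parse_got(text):
    """Return one dict per GOT entry; prompt and header lines are skipped."""
    entries = []
    for line in unwrap_mail(text):
        m = GOT_LINE.match(line)
        if m:
            entries.append({
                "slot": int(m["slot"], 16),
                "sym": m["sym"],
                "ver": m["ver"],            # None for an unversioned symbol
                "target": int(m["target"], 16),
                "lib": m["lib"],
            })
    return entries


def version_namespace(ver):
    """'OPENSSL_3.0.0' -> 'OPENSSL'; None stays None."""
    return ver.split("_", 1)[0] if ver else None


def find_misresolved(entries, expected=EXPECTED_EXPORTER):
    """(symbol, version, library) for every entry resolved outside its family."""
    hits = []
    for e in entries:
        allowed = expected.get(version_namespace(e["ver"]))
        if allowed is None:             # unversioned or unknown namespace: no opinion
            continue
        if not os.path.basename(e["lib"]).startswith(allowed):
            hits.append((e["sym"], e["ver"], e["lib"]))
    return hits


if __name__ == "__main__":
    for sym, ver, lib in find_misresolved(parse_got(SAMPLE_GOT)):
        print(f"{sym}@{ver} resolves into {lib}")
```

On the post's data this reports EVP_PKEY_set1_RSA and RSA_get0_key, the two slots Gordon noted pointing into liblzma.so.5.6.1, and nothing else. A hit is a lead rather than a verdict: symbol interposition through LD_PRELOAD or a legitimately wrapping library produces the same pattern, so the next step is to disassemble the target address and confirm what it does. Unversioned symbols carry no namespace and are skipped, so this heuristic only covers part of the GOT.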