aaSSfxxx wrote: forgot to link to the post I was talking about, so here it is: http://www.kernelmode.info/forum/viewto ... 505#p23989

If I may say: in most malware built on NIX they might compile it right, so yes, the trace is in there and can be used for sig-building. But using gcc/libc sigs as a pattern is very "evadable", easily, like: (1) exploit-based/shellcode malware, which by nature does not use them, and (2) the infamous object stripping.

I assume this is the file in question:
Code: Select all
$ md5 apache
MD5 (apache) = 371b8b20d4dd207f7b3f61bb30a7cb22
$ file apache
apache: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.18, stripped

There are 25 section headers, starting from 0x83364, and no ".comment" in it, so there is no way to find the GCC version; it is stripped off. PoC:
Code: Select all
[Nr] Name              Type     Addr     Off    Size   ES Flg Lk Inf Al
[ 0]                   NULL     00000000 000000 000000 00      0   0  0
[ 1] .note.ABI-tag     NOTE     080480d4 0000d4 000020 00   A  0   0  4
[ 2] .rel.plt          REL      08048118 000118 000008 08   A  0   4  4
[ 3] .init             PROGBITS 08048120 000120 000030 00  AX  0   0  4
[ 4] .plt              PROGBITS 08048150 000150 000010 00  AX  0   0  4
[ 5] .text             PROGBITS 08048160 000160 0641ac 00  AX  0   0 16
[ 6] __libc_freeres_fn PROGBITS 080ac310 064310 000af7 00  AX  0   0 16
[ 7] .fini             PROGBITS 080ace08 064e08 00001c 00  AX  0   0  4
[ 8] .rodata           PROGBITS 080ace40 064e40 01885c 00   A  0   0 32
[ 9] __libc_atexit     PROGBITS 080c569c 07d69c 000004 00   A  0   0  4
[10] __libc_subfreeres PROGBITS 080c56a0 07d6a0 000030 00   A  0   0  4
[11] .eh_frame         PROGBITS 080c56d0 07d6d0 0051dc 00   A  0   0  4
[12] .gcc_except_table PROGBITS 080ca8ac 0828ac 000120 00   A  0   0  1
[13] .tdata            PROGBITS 080cb9cc 0829cc 000010 00 WAT  0   0  4
[14] .tbss             NOBITS   080cb9dc 0829dc 00002c 00 WAT  0   0  4
[15] .ctors            PROGBITS 080cb9dc 0829dc 00000c 00  WA  0   0  4
[16] .dtors            PROGBITS 080cb9e8 0829e8 00000c 00  WA  0   0  4
[17] .jcr              PROGBITS 080cb9f4 0829f4 000004 00  WA  0   0  4
[18] .data.rel.ro      PROGBITS 080cb9f8 0829f8 00002c 00  WA  0   0  4
[19] .got              PROGBITS 080cba24 082a24 000008 04  WA  0   0  4
[20] .got.plt          PROGBITS 080cba2c 082a2c 000010 04  WA  0   0  4
[21] .data             PROGBITS 080cba40 082a40 000840 00  WA  0   0 32
[22] .bss              NOBITS   080cc280 083280 005c3c 00  WA  0   0 32
[23] __libc_freeres_pt NOBITS   080d1ebc 083280 000018 00  WA  0   0  4
[24] .shstrtab         STRTAB   00000000 083280 0000e4 00      0   0  1

Section to Segment mapping:
00 .note.ABI-tag .plt .init .text __libc_freeres_fn .fini .rodata __libc_atexit __libc_subfreeres .eh_frame .gcc_except_table
01 .tdata .ctors .dtors .jcr .data.rel.ro .got .got.plt .data .bss __libc_freeres_ptrs
02 .note.ABI-tag
03 .tdata .tbss

It's a very basic NIX object stripping command which (I think) most unixmen might know (I will NOT expose HOW in here).

Another "hint" (based on my personal experience), as an effect of stripping, is that relocation section '.rel.plt' at offset 0x118 contains 1 odd entry. I found this similar "glitch" in some cases of object stripping (using malware builders..non-standard..they are using..etc), but this might be caused by other reasons too.
Code: Select all
Offset   Info  Type             Sym.Value
080cba38 0x02a unrecognized: 2a

Point is: better use another vector for the sig, rgds
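As an added example (not code from the post above or from the kernelmode thread), here is a small Python parser that performs the two checks the poster does by hand with readelf: does the section header table still carry a ".comment" (and ".symtab") section, and what relocation types sit in ".rel.plt". It runs over an ELF32 image constructed inline by `build_elf32()`, not over the posted "apache" binary; the builder, the sample section list and the function names `parse_sections` / `stripping_hints` are all my own. One caveat worth having when reading that "unrecognized: 2a" line: on i386, relocation type 0x2a (42) is R_386_IRELATIVE, which statically linked glibc emits in .rel.plt for IFUNC-resolved routines and which older readelf versions did not know by name, so the example names it instead of treating it as unknown.

```python
"""Spot stripping hints in an ELF32 LSB image: missing .comment / .symtab
sections and the relocation types present in .rel.plt.

The sample image is CONSTRUCTED by build_elf32() below; it is not the
'apache' file from the post. Only the header layout matters, so the
section bodies are dummies."""
import struct

ELF32_EHDR = "<16sHHIIIIIHHHHHH"   # 52-byte ELF header
ELF32_SHDR = "<10I"                # 40-byte section header
ELF32_REL = "<II"                  # 8-byte Elf32_Rel (r_offset, r_info)

SHT_NULL, SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB, SHT_REL = 0, 1, 2, 3, 9

# i386 relocation types expected in .rel.plt; 42 (0x2a) is R_386_IRELATIVE,
# used by static glibc for IFUNC symbols such as memcpy/strlen.
R_386_NAMES = {1: "R_386_32", 2: "R_386_PC32", 6: "R_386_GLOB_DAT",
               7: "R_386_JMP_SLOT", 42: "R_386_IRELATIVE"}


def build_elf32(sections, strip_comment=False, strip_symtab=False):
    """Assemble a minimal ELF32 image: header, section bodies, .shstrtab,
    then the section header table. `sections` is a list of
    (name, sh_type, body_bytes, entsize); the strip_* flags mimic what
    object stripping removes."""
    sections = [s for s in sections
                if not (strip_comment and s[0] == ".comment")
                and not (strip_symtab and s[0] == ".symtab")]
    shstrtab, name_off = b"\0", {}
    for name, *_ in sections + [(".shstrtab",)]:
        name_off[name] = len(shstrtab)
        shstrtab += name.encode() + b"\0"
    body = b""
    hdrs = [(0, SHT_NULL, 0, 0, 0, 0, 0, 0, 0, 0)]      # mandatory null entry
    base = struct.calcsize(ELF32_EHDR)
    for name, sh_type, data, entsize in sections:
        hdrs.append((name_off[name], sh_type, 0, 0, base + len(body),
                     len(data), 0, 0, 1, entsize))
        body += data
    hdrs.append((name_off[".shstrtab"], SHT_STRTAB, 0, 0, base + len(body),
                 len(shstrtab), 0, 0, 1, 0))
    body += shstrtab
    shoff = base + len(body)
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8  # ELFCLASS32, LSB
    ehdr = struct.pack(ELF32_EHDR, ident, 2, 3, 1, 0, 0, shoff, 0,
                       52, 32, 0, 40, len(hdrs), len(hdrs) - 1)
    return ehdr + body + b"".join(struct.pack(ELF32_SHDR, *h) for h in hdrs)


def parse_sections(blob):
    """Return [(name, sh_type, offset, size, entsize), ...] for an ELF32 LSB image."""
    if blob[:4] != b"\x7fELF" or blob[4] != 1 or blob[5] != 1:
        raise ValueError("not an ELF32 little-endian image")
    f = struct.unpack_from(ELF32_EHDR, blob, 0)
    shoff, shentsize, shnum, shstrndx = f[6], f[11], f[12], f[13]
    raw = [struct.unpack_from(ELF32_SHDR, blob, shoff + i * shentsize)
           for i in range(shnum)]
    str_off = raw[shstrndx][4]          # sh_offset of .shstrtab

    def name_at(idx):
        return blob[str_off + idx:blob.index(b"\0", str_off + idx)].decode()

    return [(name_at(h[0]), h[1], h[4], h[5], h[9]) for h in raw]


def stripping_hints(blob):
    """The post's checks as data: which build-trace sections survive and
    what .rel.plt contains (offset, type number, type name)."""
    secs = parse_sections(blob)
    names = {s[0] for s in secs}
    rels = []
    for name, sh_type, off, size, entsize in secs:
        if name == ".rel.plt" and sh_type == SHT_REL:
            step = entsize or struct.calcsize(ELF32_REL)
            for i in range(size // step):
                r_offset, r_info = struct.unpack_from(ELF32_REL, blob, off + i * step)
                rtype = r_info & 0xff   # ELF32_R_TYPE
                rels.append((r_offset, rtype, R_386_NAMES.get(rtype, "unrecognized")))
    return {"section_count": len(secs), "has_comment": ".comment" in names,
            "has_symtab": ".symtab" in names, "rel_plt": rels}


# Constructed sample: one .rel.plt entry with r_offset 0x080cba38 and
# r_info 0x2a (the "odd entry" quoted above), plus a GCC comment string.
SAMPLE_SECTIONS = [
    (".rel.plt", SHT_REL, struct.pack(ELF32_REL, 0x080cba38, 0x2a), 8),
    (".text", SHT_PROGBITS, b"\xcc" * 16, 0),
    (".comment", SHT_PROGBITS, b"GCC: (GNU) 4.1.2\0", 0),
    (".symtab", SHT_SYMTAB, b"\0" * 16, 16),
]
UNSTRIPPED = build_elf32(SAMPLE_SECTIONS)
STRIPPED = build_elf32(SAMPLE_SECTIONS, strip_comment=True, strip_symtab=True)

if __name__ == "__main__":
    for label, blob in (("unstripped", UNSTRIPPED), ("stripped", STRIPPED)):
        print(label, stripping_hints(blob))
```

Running the file prints the hints for both images; the stripped one loses ".comment" and ".symtab" while the R_386_IRELATIVE entry in .rel.plt survives, which is why that entry alone says nothing about stripping. To run it on a real file, replace the constructed blob with `open(path, "rb").read()`.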