On 2024-04-01 23:59, Gordon Messmer wrote:
Now gdb can print the GOT with the paths providing the memory section
containing a function. For example, on a Debian 12 system with
liblzma 5.6:
Purely as trivia, and as I haven't seen it discussed elsewhere, the
malware steals a different set of symbols on Fedora, where
RSA_public_decrypt doesn't seem to appear in the GOT at all. On Fedora 40:
gef➤ got RSA
GOT protection: Full RelRO | GOT functions: 503
[0x556ac0b94ff8] RSA_set0_key(a)OPENSSL_3.0.0 → 0x7f4e95dafce0 :
/usr/lib64/libcrypto.so.3.2.1
[0x556ac0b951c0] RSA_bits(a)OPENSSL_3.0.0 → 0x7f4e95daf0a0 :
/usr/lib64/libcrypto.so.3.2.1
[0x556ac0b951e0] EVP_PKEY_set1_RSA(a)OPENSSL_3.0.0 → 0x7f4e960e23b0 :
/usr/lib64/liblzma.so.5.6.1
[0x556ac0b95310] RSA_set0_crt_params(a)OPENSSL_3.0.0 → 0x7f4e95dafea0 :
/usr/lib64/libcrypto.so.3.2.1
[0x556ac0b953c8] RSA_size(a)OPENSSL_3.0.0 → 0x7f4e95daf0b0 :
/usr/lib64/libcrypto.so.3.2.1
[0x556ac0b95518] RSA_new(a)OPENSSL_3.0.0 → 0x7f4e95db3330 :
/usr/lib64/libcrypto.so.3.2.1
[0x556ac0b95778] RSA_get0_crt_params(a)OPENSSL_3.0.0 → 0x7f4e95dae490 :
/usr/lib64/libcrypto.so.3.2.1
[0x556ac0b95870] RSA_free(a)OPENSSL_3.0.0 → 0x7f4e95db2f00 :
/usr/lib64/libcrypto.so.3.2.1
[0x556ac0b95b90] RSA_get0_key(a)OPENSSL_3.0.0 → 0x7f4e960e1ac0 :
/usr/lib64/liblzma.so.5.6.1
[0x556ac0b95c00] RSA_get0_factors(a)OPENSSL_3.0.0 → 0x7f4e95dae470 :
/usr/lib64/libcrypto.so.3.2.1
[0x556ac0b95c88] EVP_PKEY_get1_RSA(a)OPENSSL_3.0.0 → 0x7f4e95d59710 :
/usr/lib64/libcrypto.so.3.2.1
[0x556ac0b95da0] RSA_get_ex_data(a)OPENSSL_3.0.0 → 0x7f4e95db3440 :
/usr/lib64/libcrypto.so.3.2.1
[0x556ac0b95e50] RSA_set0_factors(a)OPENSSL_3.0.0 → 0x7f4e95dafdc0 :
/usr/lib64/libcrypto.so.3.2.1
[0x556ac0b95f00] RSA_blinding_on(a)OPENSSL_3.0.0 → 0x7f4e95db17f0 :
/usr/lib64/libcrypto.so.3.2.1