We already talked about Volatility, so now I will just paste some more analysis dumps of my awesome machine for all of you guys to check out... smiling faces everywhere....
Today it is an IDT hook on 0x80 (the syscall gate call), used by userland applications to call any system call on an x86 Linux system. I have an amd64 OS, but I suspect that it is still used by some "forgotten" compiled application, because gcc uses a macro to substitute the call gate with a sysenter call on x64 architectures.
So I have some stuff like this:
-- linux_hidden_modules --
Offset (V) Name
------------------ ----
0xffffffffc098c400 videobuf2_core
0xffffffffc0c0da28 ?@???????@??????????????????????????????????????
And the IDT table like this:
-- linux_check_idt --
Index Address Symbol
------------------ ------------------ ------------------------------
0x0 0xffffffff81526990 divide_error
0x1 0xffffffff81526e60 debug
0x2 0xffffffff815272d0 nmi
0x3 0xffffffff81526ea0 int3
0x4 0xffffffff815269c0 overflow
0x5 0xffffffff815269f0 bounds
0x6 0xffffffff81526a20 invalid_op
0x7 0xffffffff81526a50 device_not_available
0x8 0xffffffff81526a80 double_fault
0x9 0xffffffff81526ab0 coprocessor_segment_overrun
0xa 0xffffffff81526ae0 invalid_TSS
0xb 0xffffffff81526b10 segment_not_present
0xc 0xffffffff81526ee0 stack_segment
0xd 0xffffffff81526fa0 general_protection
0xe 0xffffffff81527000 page_fault
0xf 0xffffffff81526b40 spurious_interrupt_bug
0x10 0xffffffff81526b70 coprocessor_error
0x11 0xffffffff81526ba0 alignment_check
0x12 0xffffffff81527060 machine_check
0x13 0xffffffff81526bd0 simd_coprocessor_error
0x80 0xffffffff815259b4 HOOKED
And some API hooks (hooked userland libraries) for some crypto functions in libssl, libcrypto, libX11, libfuse, and libgnutls:
-- linux_apihooks --
Pid Name Hook VMA Hook Symbol Hooked Address Type Hook Address Hook Library
------- ---------------- ---------------------------------------- ------------------------ ------------------ ----- ------------------ ------------
1062 applet.py /usr/lib/x86_64-lin...libcrypto.so.1.0.0 RSA_public_encrypt 0x00007ff93ed13d50 JMP 0x0000000000000000 <Unknown mapping>
1062 applet.py /usr/lib/x86_64-lin...libcrypto.so.1.0.0 DSA_sign_setup 0x00007ff93ed15500 JMP 0x0000000000000000 <Unknown mapping>
1062 applet.py /usr/lib/x86_64-lin...libcrypto.so.1.0.0 DSA_do_verify 0x00007ff93ed154e0 JMP 0x0000000000000000 <Unknown mapping>
1062 applet.py /usr/lib/x86_64-lin...libcrypto.so.1.0.0 EVP_DigestUpdate 0x00007ff93ed31080 JMP 0x0000000000000000 <Unknown mapping>
1062 applet.py /usr/lib/x86_64-lin...libcrypto.so.1.0.0 RSA_public_decrypt 0x00007ff93ed13d80 JMP 0x0000000000000000 <Unknown mapping>
1062 applet.py /usr/lib/x86_64-lin...libcrypto.so.1.0.0 DH_compute_key 0x00007ff93ed19600 JMP 0x0000000000000000 <Unknown mapping>
1062 applet.py /usr/lib/x86_64-lin...libcrypto.so.1.0.0 DH_generate_key 0x00007ff93ed195f0 JMP 0x0000000000000000 <Unknown mapping>
1062 applet.py /usr/lib/x86_64-lin...libcrypto.so.1.0.0 RSA_private_encrypt 0x00007ff93ed13d60 JMP 0x0000000000000000 <Unknown mapping>
1062 applet.py /usr/lib/x86_64-lin...libcrypto.so.1.0.0 RSA_private_decrypt 0x00007ff93ed13d70 JMP 0x0000000000000000 <Unknown mapping>
1062 applet.py /usr/lib/x86_64-lin...libcrypto.so.1.0.0 DSA_do_sign 0x00007ff93ed154f0 JMP 0x0000000000000000 <Unknown mapping>
1116 clipit /usr/lib/x86_64-lin...nu/libX11.so.6.3.0 _XlcGetResource 0x00007f5508723e20 JMP 0x0000000000000000 <Unknown mapping>
1167 x-terminal-emul /usr/lib/x86_64-lin...nu/libX11.so.6.3.0 _XlcGetResource 0x00007f04c0448e20 JMP 0x0000000000000000 <Unknown mapping>
1048 lxpanel /usr/lib/x86_64-lin...les/libgvfsdbus.so g_vfs_uri_m...ed_schemes 0x00007f0d6f117000 JMP 0x0000000000000000 <Unknown mapping>
1048 lxpanel /usr/lib/x86_64-lin...les/libgvfsdbus.so g_vfs_uri_m...ount_types 0x00007f0d6f117040 JMP 0x0000000000000000 <Unknown mapping>
1042 openbox /usr/lib/x86_64-lin...nu/libX11.so.6.3.0 _XlcConvert 0x00007fb9e8c7b940 JMP 0x0000000000000000 <Unknown mapping>
1042 openbox /usr/lib/x86_64-lin...nu/libX11.so.6.3.0 _XlcGetResource 0x00007fb9e8c7ce20 JMP 0x0000000000000000 <Unknown mapping>
1042 openbox /usr/lib/x86_64-lin...nu/libX11.so.6.3.0 _XlcCloseConverter 0x00007fb9e8c7b930 JMP 0x0000000000000000 <Unknown mapping>
1065 notification-da /usr/lib/x86_64-lin...nu/libX11.so.6.3.0 _XlcGetResource 0x00007f7b2d230e20 JMP 0x0000000000000000 <Unknown mapping>
1049 pcmanfm /usr/lib/x86_64-lin...nu/libX11.so.6.3.0 _XlcGetResource 0x00007f9cf7daee20 JMP 0x0000000000000000 <Unknown mapping>
1062 applet.py /lib/x86_64-linux-gnu/libcom_err.so.2.1 com_err_va 0x00007ff942cc8ee0 JMP 0x0000000000000000 <Unknown mapping>
1062 applet.py /usr/lib/x86_64-lin...libcrypto.so.1.0.0 RSA_private_decrypt 0x00007ff93ed13d70 JMP 0x0000000000000000 <Unknown mapping>
1062 applet.py /usr/lib/x86_64-lin...nu/libssl.so.1.0.0 SSL_pending 0x00007ff93f062af0 JMP 0x0000000000000000 <Unknown mapping>
1062 applet.py /usr/lib/x86_64-lin...libcrypto.so.1.0.0 DH_generate_key 0x00007ff93ed195f0 JMP 0x0000000000000000 <Unknown mapping>
1062 applet.py /usr/lib/x86_64-lin...libcrypto.so.1.0.0 RSA_public_encrypt 0x00007ff93ed13d50 JMP 0x0000000000000000 <Unknown mapping>
1062 applet.py /usr/lib/x86_64-lin...libcrypto.so.1.0.0 DH_compute_key 0x00007ff93ed19600 JMP 0x0000000000000000 <Unknown mapping>
1062 applet.py /usr/lib/x86_64-lin...nu/libssl.so.1.0.0 SSL_get_default_timeout 0x00007ff93f062dc0 JMP 0x0000000000000000 <Unknown mapping>
1062 applet.py /usr/lib/x86_64-lin...libcrypto.so.1.0.0 EVP_DigestUpdate 0x00007ff93ed31080 JMP 0x0000000000000000 <Unknown mapping>
1031 gvfsd-fuse /lib/x86_64-linux-gnu/libfuse.so.2.9.3 fuse_chan_send 0x00007f1d58394d40 JMP 0x0000000000000000 <Unknown mapping>
1049 pcmanfm /usr/lib/x86_64-lin...les/libgvfsdbus.so g_vfs_uri_m...ed_schemes 0x00007f9cef945000 JMP 0x0000000000000000 <Unknown mapping>
1049 pcmanfm /usr/lib/x86_64-lin...les/libgvfsdbus.so g_vfs_uri_m...ount_types 0x00007f9cef945040 JMP 0x0000000000000000 <Unknown mapping>
1087 nm-applet /usr/lib/x86_64-lin...nu/libX11.so.6.3.0 _XlcGetResource 0x00007fa813078e20 JMP 0x0000000000000000 <Unknown mapping>
1048 lxpanel /usr/lib/x86_64-lin...nu/libX11.so.6.3.0 _XlcGetResource 0x00007f0d75336e20 JMP 0x0000000000000000 <Unknown mapping>
1167 x-terminal-emul /usr/lib/x86_64-lin...les/libgvfsdbus.so g_vfs_uri_m...ed_schemes 0x00007f04ba243000 JMP 0x0000000000000000 <Unknown mapping>
1167 x-terminal-emul /usr/lib/x86_64-lin...les/libgvfsdbus.so g_vfs_uri_m...ount_types 0x00007f04ba243040 JMP 0x0000000000000000 <Unknown mapping>
1116 clipit /usr/lib/x86_64-lin...1-2.0.so.0.2400.25 gtk_combo_box_set_active 0x00007f55092d99d0 CALL 0x0000000000000000 <Unknown mapping>
1116 clipit /usr/lib/x86_64-lin...1-2.0.so.0.2400.25 gtk_spin_bu...ate_policy 0x00007f55093cc8f0 CALL 0x0000000000000000 <Unknown mapping>
1116 clipit /usr/lib/x86_64-lin...1-2.0.so.0.2400.25 gtk_entry_new 0x00007f55092ea150 CALL 0x0000000000000000 <Unknown mapping>
1087 nm-applet /usr/lib/x86_64-lin...les/libgvfsdbus.so g_vfs_uri_m...ed_schemes 0x00007fa80b8f0000 JMP 0x0000000000000000 <Unknown mapping>
1087 nm-applet /usr/lib/x86_64-lin...les/libgvfsdbus.so g_vfs_uri_m...ount_types 0x00007fa80b8f0040 JMP 0x0000000000000000 <Unknown mapping>
1065 notification-da /usr/lib/x86_64-lin...u/libltdl.so.7.3.0 __gmon_start__ 0x00007f7b27487266 CALL 0x0000000000000000 <Unknown mapping>
1065 notification-da /usr/lib/x86_64-lin...u/libltdl.so.7.3.0 lt_dlisresident 0x00007f7b27487296 CALL 0x0000000000000000 <Unknown mapping>
1065 notification-da /usr/lib/x86_64-lin...u/libltdl.so.7.3.0 lt_dlloader_find 0x00007f7b27487496 CALL 0x0000000000000000 <Unknown mapping>
1147 menu-cached /usr/lib/x86_64-lin...les/libgvfsdbus.so g_vfs_uri_m...ed_schemes 0x00007fc2fb25c000 JMP 0x0000000000000000 <Unknown mapping>
1147 menu-cached /usr/lib/x86_64-lin...les/libgvfsdbus.so g_vfs_uri_m...ount_types 0x00007fc2fb25c040 JMP 0x0000000000000000 <Unknown mapping>
1116 clipit /usr/lib/x86_64-lin...composite.so.1.0.0 XCompositeQueryExtension 0x00007f5507d14130 CALL 0x0000000000000000 <Unknown mapping>
1050 xscreensaver /usr/lib/x86_64-lin...nu/libX11.so.6.3.0 _XlcGetResource 0x00007f6f831cce20 JMP 0x0000000000000000 <Unknown mapping>
1050 xscreensaver /usr/lib/x86_64-lin...nu/libX11.so.6.3.0 _XlcCloseConverter 0x00007f6f831cb930 JMP 0x0000000000000000 <Unknown mapping>
1031 gvfsd-fuse /usr/lib/x86_64-lin...les/libgvfsdbus.so g_vfs_uri_m...ed_schemes 0x00007f1d5452c000 JMP 0x0000000000000000 <Unknown mapping>
1031 gvfsd-fuse /usr/lib/x86_64-lin...les/libgvfsdbus.so g_vfs_uri_m...ount_types 0x00007f1d5452c040 JMP 0x0000000000000000 <Unknown mapping>
1129 pulseaudio /usr/lib/x86_64-lin...nu/libX11.so.6.3.0 _XimXTransDisconnect 0x00007f093ec5d0c0 JMP 0x0000000000000000 <Unknown mapping>
1129 pulseaudio /usr/lib/x86_64-lin...nu/libX11.so.6.3.0 _XimXTransWrite 0x00007f093ec5d090 JMP 0x0000000000000000 <Unknown mapping>
1129 pulseaudio /usr/lib/x86_64-lin...nu/libX11.so.6.3.0 _XimXTransRead 0x00007f093ec5d080 JMP 0x0000000000000000 <Unknown mapping>
1062 applet.py /usr/lib/x86_64-lin...ls-deb0.so.28.41.0 gnutls_priority_deinit 0x00007ff943826780 JMP 0x0000000000000000 <Unknown mapping>
1129 pulseaudio /usr/lib/x86_64-lin...nu/libICE.so.6.3.0 _IceErrorAu...onRejected 0x00007f093e7d7490 CALL 0x0000000000000000 <Unknown mapping>
1129 pulseaudio /usr/lib/x86_64-lin...nu/libICE.so.6.3.0 _IceTransNoListen 0x00007f093e7da290 JMP 0x0000000000000000 <Unknown mapping>
1063 udisksd /usr/lib/x86_64-lin...ibudisks2.so.0.0.0 0x00007fba26532280 JMP 0x0000000000000000 <Unknown mapping>
So I say my computer could be "alive"... or maybe not, because a lot of strange things happened in an OS kernel... smiley faces...
Will try to make a better analysis in the meantime. Hugs.
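As an added example (not from the post, and not part of Volatility), here is a small Python triage script for exactly these two outputs: it parses the linux_check_idt and linux_apihooks text, flags the HOOKED IDT vector, drops the duplicated apihooks rows, separates the hooks whose jump target Volatility could not map (hook address 0x0 in an <Unknown mapping>) from any it could, and counts hooked exports per process, with the crypto exports singled out. The sample rows are copied from the dumps above; the function names and the crypto-prefix list are this example's own assumptions.

```python
"""Triage helpers for Volatility's linux_check_idt / linux_apihooks text output.
Added example for this post, not Volatility code. Sample rows are copied from
the post's dumps; function names and CRYPTO_PREFIXES are this example's choices."""
import re
from collections import Counter
from dataclasses import dataclass

# Subset of the post's linux_check_idt output.
IDT_SAMPLE = """\
Index Address Symbol
------------------ ------------------ ------------------------------
0x0 0xffffffff81526990 divide_error
0x3 0xffffffff81526ea0 int3
0xe 0xffffffff81527000 page_fault
0x80 0xffffffff815259b4 HOOKED
"""

# Subset of the post's linux_apihooks output, keeping one duplicated applet.py
# row and the udisksd row that has no symbol name.
APIHOOKS_SAMPLE = """\
Pid Name Hook VMA Hook Symbol Hooked Address Type Hook Address Hook Library
------- ---------------- ---------------------------------------- ------------------------ ------------------ ----- ------------------ ------------
1062 applet.py /usr/lib/x86_64-lin...libcrypto.so.1.0.0 RSA_public_encrypt 0x00007ff93ed13d50 JMP 0x0000000000000000 <Unknown mapping>
1062 applet.py /usr/lib/x86_64-lin...nu/libssl.so.1.0.0 SSL_pending 0x00007ff93f062af0 JMP 0x0000000000000000 <Unknown mapping>
1062 applet.py /usr/lib/x86_64-lin...ls-deb0.so.28.41.0 gnutls_priority_deinit 0x00007ff943826780 JMP 0x0000000000000000 <Unknown mapping>
1062 applet.py /usr/lib/x86_64-lin...libcrypto.so.1.0.0 RSA_public_encrypt 0x00007ff93ed13d50 JMP 0x0000000000000000 <Unknown mapping>
1116 clipit /usr/lib/x86_64-lin...nu/libX11.so.6.3.0 _XlcGetResource 0x00007f5508723e20 JMP 0x0000000000000000 <Unknown mapping>
1116 clipit /usr/lib/x86_64-lin...1-2.0.so.0.2400.25 gtk_entry_new 0x00007f55092ea150 CALL 0x0000000000000000 <Unknown mapping>
1063 udisksd /usr/lib/x86_64-lin...ibudisks2.so.0.0.0 0x00007fba26532280 JMP 0x0000000000000000 <Unknown mapping>
"""

IDT_ROW = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\S+)$")
# The symbol column is optional: the plugin leaves it blank when it cannot
# name the hooked export (the udisksd row above).
API_ROW = re.compile(
    r"^(\d+)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(0x[0-9a-f]+)\s+(JMP|CALL)\s+(0x[0-9a-f]+)\s+(.+)$")
# Export prefixes this example groups as "crypto" (assumption, not a Volatility list).
CRYPTO_PREFIXES = ("RSA_", "DSA_", "DH_", "EVP_", "SSL_", "gnutls_")

@dataclass(frozen=True)
class IdtEntry:
    index: int
    address: int
    symbol: str

@dataclass(frozen=True)
class ApiHook:
    pid: int
    name: str
    vma: str
    symbol: str
    hooked_address: int
    kind: str          # JMP or CALL
    hook_address: int  # where the detour lands (0x0 = plugin could not resolve it)
    library: str

def _data_lines(text):
    """Yield data rows, skipping blank lines, '-- plugin --' banners, separators and headers."""
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("--") or s.startswith(("Index ", "Pid ")):
            continue
        yield s

def parse_check_idt(text):
    entries = []
    for line in _data_lines(text):
        m = IDT_ROW.match(line)
        if m:
            entries.append(IdtEntry(int(m[1], 16), int(m[2], 16), m[3]))
    return entries

def hooked_idt_entries(entries):
    """Vectors the plugin flagged: the handler address is not a known kernel symbol."""
    return [e for e in entries if e.symbol == "HOOKED"]

def parse_apihooks(text):
    hooks = []
    for line in _data_lines(text):
        m = API_ROW.match(line)
        if m:
            hooks.append(ApiHook(int(m[1]), m[2], m[3], m[4] or "", int(m[5], 16),
                                 m[6], int(m[7], 16), m[8].strip()))
    return hooks

def dedupe(hooks):
    """Drop repeated rows; the post's output lists several hooks twice."""
    seen, unique = set(), []
    for h in hooks:
        key = (h.pid, h.vma, h.symbol, h.hooked_address)
        if key not in seen:
            seen.add(key)
            unique.append(h)
    return unique

def unresolved_targets(hooks):
    """Hooks whose detour target could not be mapped; confirm these by dumping the
    hooked page and disassembling the export before treating them as real."""
    return [h for h in hooks if h.hook_address == 0 or h.library == "<Unknown mapping>"]

def crypto_hooks(hooks):
    return [h for h in hooks if h.symbol.startswith(CRYPTO_PREFIXES)]

def summarize_by_process(hooks):
    """Hooked exports per (pid, name), to pick which processes to pivot on."""
    return dict(Counter((h.pid, h.name) for h in hooks))

if __name__ == "__main__":
    for e in hooked_idt_entries(parse_check_idt(IDT_SAMPLE)):
        print(f"IDT vector {e.index:#x} -> {e.address:#x} ({e.symbol})")
    hooks = dedupe(parse_apihooks(APIHOOKS_SAMPLE))
    print(f"{len(hooks)} unique hooks, {len(unresolved_targets(hooks))} with unresolved targets")
    for (pid, name), n in sorted(summarize_by_process(hooks).items()):
        print(f"  pid {pid} {name}: {n} hooked export(s)")
    print("crypto-related:", [h.symbol for h in crypto_hooks(hooks)])
```

The point of the split is that a hook address of 0x0 inside an <Unknown mapping> only tells you the plugin saw a JMP/CALL at the export's entry that it could not resolve; it is a lead to confirm from the image itself, not a proven detour. The same _XlcGetResource and g_vfs_uri_* rows appearing in every desktop process on the box also argue for running the same plugins against a known-clean image of the same distribution and library versions, and subtracting that baseline, before reading the apihooks list as a compromise.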