Re: Three steps we could take to make supply chain attacks a bit harder

On Tue, Apr 02, 2024 at 12:45:18AM -0700, Gordon Messmer wrote:
> On 2024-04-01 23:59, Gordon Messmer wrote:
> >Now gdb can print the GOT with the paths providing the memory
> >section containing a function.  For example, on a Debian 12 system
> >with liblzma 5.6:
> 
> 
> Purely as trivia, and as I haven't seen it discussed elsewhere, the
> malware steals a different set of symbols on Fedora, where
> RSA_public_decrypt doesn't seem to appear in the GOT at all.  On
> Fedora 40:
> 
> gef➤  got RSA
> 
> GOT protection: Full RelRO | GOT functions: 503
> 
> [0x556ac0b94ff8] RSA_set0_key@OPENSSL_3.0.0  →  0x7f4e95dafce0 :
> /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b951c0] RSA_bits@OPENSSL_3.0.0  →  0x7f4e95daf0a0 :
> /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b951e0] EVP_PKEY_set1_RSA@OPENSSL_3.0.0  → 0x7f4e960e23b0 :
> /usr/lib64/liblzma.so.5.6.1
> [0x556ac0b95310] RSA_set0_crt_params@OPENSSL_3.0.0  → 0x7f4e95dafea0
> : /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b953c8] RSA_size@OPENSSL_3.0.0  →  0x7f4e95daf0b0 :
> /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b95518] RSA_new@OPENSSL_3.0.0  →  0x7f4e95db3330 :
> /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b95778] RSA_get0_crt_params@OPENSSL_3.0.0  → 0x7f4e95dae490
> : /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b95870] RSA_free@OPENSSL_3.0.0  →  0x7f4e95db2f00 :
> /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b95b90] RSA_get0_key@OPENSSL_3.0.0  →  0x7f4e960e1ac0 :
> /usr/lib64/liblzma.so.5.6.1
> [0x556ac0b95c00] RSA_get0_factors@OPENSSL_3.0.0  →  0x7f4e95dae470 :
> /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b95c88] EVP_PKEY_get1_RSA@OPENSSL_3.0.0  → 0x7f4e95d59710 :
> /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b95da0] RSA_get_ex_data@OPENSSL_3.0.0  →  0x7f4e95db3440 :
> /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b95e50] RSA_set0_factors@OPENSSL_3.0.0  →  0x7f4e95dafdc0 :
> /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b95f00] RSA_blinding_on@OPENSSL_3.0.0  →  0x7f4e95db17f0 :
> /usr/lib64/libcrypto.so.3.2.1

Since no one else replied yet, this is a nice bit of analysis.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
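
The check done by eye in the quoted `got RSA` listing, as an added example (not part of either message, and not code from gef or Fedora): it parses the mail-wrapped output and reports entries whose OpenSSL-versioned symbol resolves into a library other than libcrypto/libssl. The function names and the version-tag-to-library mapping are assumptions of this example.

```python
import os
import re

# Excerpt of the gef `got RSA` output quoted above, kept with the mail
# client's "> " prefixes and hard line wraps.
SAMPLE = """\
> [0x556ac0b94ff8] RSA_set0_key@OPENSSL_3.0.0  →  0x7f4e95dafce0 :
> /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b951e0] EVP_PKEY_set1_RSA@OPENSSL_3.0.0  → 0x7f4e960e23b0 :
> /usr/lib64/liblzma.so.5.6.1
> [0x556ac0b95310] RSA_set0_crt_params@OPENSSL_3.0.0  → 0x7f4e95dafea0
> : /usr/lib64/libcrypto.so.3.2.1
> [0x556ac0b95b90] RSA_get0_key@OPENSSL_3.0.0  →  0x7f4e960e1ac0 :
> /usr/lib64/liblzma.so.5.6.1
"""

# Assumption for this example: a symbol version tag identifies the library
# family that should provide the symbol.
EXPECTED = {"OPENSSL_": ("libcrypto.so", "libssl.so")}

# [slot] symbol@version  →  target : path
ENTRY = re.compile(
    r"\[(0x[0-9a-f]+)\]\s+(\w+)@(\S+)\s+→\s+(0x[0-9a-f]+)\s*:\s*(\S+)"
)

def parse_got(text):
    """Return (slot, symbol, version, target, path) tuples from gef output."""
    # Drop quote markers and undo line wrapping before matching.
    lines = (re.sub(r"^(>\s?)+", "", ln).strip() for ln in text.splitlines())
    return ENTRY.findall(" ".join(lines))

def unexpected_providers(text):
    """Entries whose target lies in a library outside the expected family."""
    hits = []
    for slot, sym, ver, target, path in parse_got(text):
        for tag, libs in EXPECTED.items():
            if ver.startswith(tag) and not os.path.basename(path).startswith(libs):
                hits.append((sym, path))
    return hits

if __name__ == "__main__":
    for sym, path in unexpected_providers(SAMPLE):
        print(f"{sym} resolves into {path}")
```
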