Version: v0.0.0-...-405136f
Published: Jul 28, 2021
License: MIT
Imports: 9
Imported by: 0
README
ezuri_unpack
A simple unpacking script for the Ezuri ELF Crypter. Based on the analysis done by Ofer Caspi and Fernando Martinez of AT&T Alien Labs: https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader
How does it work?
The payload is encrypted with AES in CFB mode. The stub decrypts it in memory and executes it through memfd_create, so the decrypted ELF never has to touch disk. The AES key and IV are stored inside the packed binary itself, which is what makes static unpacking possible.
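The decryption step described above, as an added Go example that is not the project's own ezuri_unpack.go: it assumes the key and IV have already been carved out of the packed binary (how they are located is not covered here), decrypts the payload with AES-CFB and checks for the ELF magic so that a wrong key, IV or offset is caught instead of producing garbage. The encrypt helper, key, IV and payload are constructed for the demonstration only.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// elfMagic is the first four bytes of every ELF file; a correct unpack must produce it.
var elfMagic = []byte{0x7f, 'E', 'L', 'F'}

// DecryptPayload reverses the stub's AES-CFB encryption and validates the result.
// key and iv are assumed to have been recovered from the packed binary by the caller.
func DecryptPayload(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key length selects AES-128/192/256
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, fmt.Errorf("iv must be %d bytes, got %d", block.BlockSize(), len(iv))
	}
	plaintext := make([]byte, len(ciphertext))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(plaintext, ciphertext)
	if !bytes.HasPrefix(plaintext, elfMagic) {
		return nil, fmt.Errorf("decrypted data is not an ELF: wrong key, IV or offset")
	}
	return plaintext, nil
}

// EncryptPayload is the inverse operation, used here only to build a test vector.
func EncryptPayload(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ciphertext := make([]byte, len(plaintext))
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(ciphertext, plaintext)
	return ciphertext, nil
}

func main() {
	// Constructed sample: a fake ELF header followed by filler, not a real payload.
	payload := append(append([]byte{}, elfMagic...), "constructed-sample-body"...)
	key := bytes.Repeat([]byte{0x41}, 32) // constructed AES-256 key
	iv := bytes.Repeat([]byte{0x42}, aes.BlockSize)
	enc, _ := EncryptPayload(key, iv, payload)
	dec, err := DecryptPayload(key, iv, enc)
	fmt.Println(bytes.Equal(dec, payload), err) // true <nil>
}
```

When analysing a real sample, write the returned bytes to a file for static analysis rather than executing them.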
Testing the script
- Build the test payload:
    gcc test.c -o test
- Build and run guitmz/ezuri to pack it
- To unpack it again:
    go run ezuri_unpack.go packed.bin
I also tested it with the packed Linux.Cephei sample mentioned in the report. Link to VirusTotal
Documentation
There is no documentation for this package.