//
//@author Lacework Labs
//@category Analysis
//@keybinding
//@menupath
//@toolbar
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.symbol.Reference;
import ghidra.program.model.symbol.Symbol;
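public class HC_Dropper_ID extends GhidraScript {
    /** Loader path string the dropper references; locating it anchors every later lookup. */
    static final String insmod_str = "/sbin/insmod";
    /** Byte pattern used to locate embedded ELF images (ASCII "ELF" only, see note in run()). */
    static final String ELF = "ELF";

    /**
     * Reports where the program references {@code /sbin/insmod}, the address the script
     * treats as the start of the dropped kernel-module image, and any embedded ELF
     * images found after the symbol preceding the string.
     *
     * <p>Every lookup can legitimately come back empty on a binary that is not the
     * expected dropper family. Each such case is printed and the script returns,
     * instead of dereferencing a null {@link Address}/{@link Symbol} or indexing an
     * empty {@link Reference} array as the original version did.
     *
     * @throws Exception propagated from the Ghidra scripting API
     */
    @Override
    protected void run() throws Exception {
        Address insmodAddr = find(insmod_str);
        if (insmodAddr == null) {
            println("[Dropper] insmod string not found; binary may not be the expected dropper");
            return;
        }
        println("[Dropper] insmod string identified at " + insmodAddr.toString());

        Reference[] ref = getReferencesTo(insmodAddr);
        if (ref == null || ref.length == 0) {
            println("[Dropper] no references to the insmod string found");
            return;
        }
        // The heuristic keys off the first reference only; say so when there are others
        // so the analyst knows which one was used.
        Address insmodInMain = ref[0].getFromAddress();
        println("[Dropper] insmod referenced at " + insmodInMain.toString());
        if (ref.length > 1) {
            println("[Dropper] note: " + ref.length + " references found; reporting the first only");
        }
        // The 14-byte back-offset from the referencing instruction is an empirical layout
        // observed for this sample family — NOTE(review): confirm on each new sample.
        println("[Dropper - KO ELF] " + insmodInMain.subtract(14));

        Symbol main = getSymbolBefore(insmodAddr);
        if (main == null) {
            println("[Dropper] no symbol before the insmod string; skipping embedded ELF scan");
            return;
        }
        // Searches for the ASCII bytes "ELF", not the full 0x7f 'E' 'L' 'F' magic, so hits
        // can include false positives; the match limit of 2 mirrors the original heuristic.
        Address[] embeddedELFs = findBytes(main.getAddress(), ELF, 2);
        if (embeddedELFs == null) {
            return;
        }
        for (Address elf : embeddedELFs) {
            println("[+] Found embedded ELF " + elf.toString());
        }
    }
}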