HackerTrans
TopNewTrendsCommentsPastAskShowJobs

MonkeeSage

no profile record

comments

MonkeeSage
·vor 2 Jahren·discuss
Essentially the code patches ifunc resolvers to call into a supplied malicious object by surreptitiously modifying c files at build time (when ./configure && make is run) and links the compromised object files with a `now` linker flag that causes the ifuncs to be resolved immediately at library load time, which calls the patched resolvers while the process linkage table is still writable, which is the important part that allows them to just hijack the RSA_public_decrypt function in memory when the library is loaded.

There's an excellent technical breakdown of the backdoor *injection process here: https://research.swtch.com/xz-script