ezuri_unpack

command module
v0.0.0-...-405136f Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 28, 2021 License: MIT Imports: 9 Imported by: 0

README

Go Report Card

ezuri_unpack

A simple unpacking script for the Ezuri ELF Crypter. Based on the analysis done by Ofer Caspi and Fernando Martinez of AT&T Alien Labs: https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader

ezuri_unpack.go screenshot

How does it work?

The payload is encrypted with AES CFB and will be decrypted and run via memfd_create by the stub. Key and IV are stored in the binary.

Hex Editor, POC executable

Testing the script

  1. Build the test payload gcc test.c -o test
  2. Build and run guitmz/ezuri
  3. To unpack it again: go run ezuri_unpack.go packed.bin

I also tested it with the packed Linux.Cephei sample mentioned in the report. Link to Virustotal

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.