|
xzre
|
Public Member Functions | |
| PADDING (0x40) | |
| PADDING (0x4) | |
| PADDING (0x4) | |
| PADDING (0x7) | |
| PADDING (0x30) | |
Data Fields | |
| u32 * | libcrypto_auditstate_bindflags_ptr |
| the location of libcrypto's auditstate::bindflags field More... | |
| u32 | libcrypto_auditstate_bindflags_old_value |
| backup of the old value of libcrypto's libname_list::next field | |
| u32 * | sshd_auditstate_bindflags_ptr |
| the location of sshd's auditstate::bindflags field More... | |
| u32 | sshd_auditstate_bindflags_old_value |
| backup of the old value of sshd's libname_list::next field | |
| void * | sshd_link_map_l_audit_any_plt_addr |
| location of sshd's link_map::l_audit_any_plt flag More... | |
| u8 | link_map_l_audit_any_plt_bitmask |
| bitmask that sets the link_map::l_audit_any_plt flag More... | |
| struct audit_ifaces ** | _dl_audit_ptr |
| location of ld.so's _rtld_global_ro::_dl_audit_ptr field More... | |
| unsigned int * | _dl_naudit_ptr |
| location of ld.so's _rtld_global_ro::_dl_naudit_ptr field More... | |
| struct audit_ifaces | hooked_audit_ifaces |
| the struct audit_ifaces that points to backdoor_symbind() More... | |
| char ** | libcrypto_l_name |
| location of libcrypto's link_map::l_name field More... | |
| void(* | _dl_audit_symbind_alt )(struct link_map *l, const ElfW(Sym) *ref, void **value, lookup_t result) |
| address of ld.so's _dl_audit_symbind_alt() function More... | |
| size_t | _dl_audit_symbind_alt__size |
| code size of ld.so's _dl_audit_symbind_alt() function | |
| pfn_RSA_public_decrypt_t | hook_RSA_public_decrypt |
| pointer to the function that will replace RSA_public_decrypt() | |
| pfn_EVP_PKEY_set1_RSA_t | hook_EVP_PKEY_set1_RSA |
| pfn_RSA_get0_key_t | hook_RSA_get0_key |
| pointer to the function that will replace RSA_get0_key() | |
| imported_funcs_t * | imported_funcs |
| u64 | hooks_installed |
| struct audit_ifaces** ldso_ctx::_dl_audit_ptr |
location of ld.so's _rtld_global_ro::_dl_audit_ptr field
ld.so's _dl_audit_symbind_alt() uses the struct at this location to call the backdor_symbind() callback function
this field is set to hooked_audit_ifaces to activate backdoor_symbind()
| void(* ldso_ctx::_dl_audit_symbind_alt) (struct link_map *l, const ElfW(Sym) *ref, void **value, lookup_t result) |
address of ld.so's _dl_audit_symbind_alt() function
this function is called when ld.so is binding all the dynamic linking symbols between ELFs
| unsigned int* ldso_ctx::_dl_naudit_ptr |
location of ld.so's _rtld_global_ro::_dl_naudit_ptr field
this field controls whether ld.so's _dl_audit_symbind_alt() will expect any struct audit_ifaces
this field is set to 1 to activate backdoor_symbind()
| pfn_EVP_PKEY_set1_RSA_t ldso_ctx::hook_EVP_PKEY_set1_RSA |
this field is set to a value from backdoor_shared_globals_t which is different to the other hook_ fields that are coped from backdoor_hooks_ctx_t
| struct audit_ifaces ldso_ctx::hooked_audit_ifaces |
the struct audit_ifaces that points to backdoor_symbind()
the audit_ifaces::symbind64 field is set to backdoor_symbind()
_dl_audit_symbind_alt() will use this struct to check for a audit_ifaces::symbind64 callback function
| u32* ldso_ctx::libcrypto_auditstate_bindflags_ptr |
the location of libcrypto's auditstate::bindflags field
_dl_audit_symbind_alt() will check this field to see backdoor_symbind() should be called for this ELF
this field is set to LA_FLG_BINDTO to activate backdoor_symbind()
before _dl_naudit is set to 1 this is actually the location of libname_list::next
| char** ldso_ctx::libcrypto_l_name |
location of libcrypto's link_map::l_name field
used by backdoor_setup() to store a pointer to the backdoor_hooks_data_t struct
| u8 ldso_ctx::link_map_l_audit_any_plt_bitmask |
bitmask that sets the link_map::l_audit_any_plt flag
used with ldso_ctx_t::sshd_link_map_l_audit_any_plt_addr to set the correct bit
| u32* ldso_ctx::sshd_auditstate_bindflags_ptr |
the location of sshd's auditstate::bindflags field
_dl_audit_symbind_alt() will check this field to see backdoor_symbind() should be called for this ELF
this field is set to LA_FLG_BINDFROM to activate backdoor_symbind()
before _dl_naudit is set to 1 this is actually the location of libname_list::next
| void* ldso_ctx::sshd_link_map_l_audit_any_plt_addr |
location of sshd's link_map::l_audit_any_plt flag
this flag controls whether ld.so's _dl_audit_symbind_alt() will even check the struct auditstate for sshd
this flag is set to 1 to activate backdoor_symbind()
1.9.1