This code
```asm
0xffffa00031c2: 48 8b 7d e8                    mov    rdi, qword ptr [rbp - 0x18]
0xffffa00031c6: 48 be 4c 4b c7 06 80 88 ff ff  movabs rsi, 0xffff888006c74b4c   # envd_bpf.rodata + 0x14c
0xffffa00031d0: ba 13 00 00 00                 mov    edx, 0x13
0xffffa00031d5: e8 d6 7c 1a e1                 call   0xffff811aaeb0            # bpf_probe_write_user
```
Should correspond to
```c
if (bpf_probe_write_user((void*)env, "LD_PRELOAD=libv.so\0", 19)) {
```
However, we do not recover the string in the map dump
```console
# vol -f /io/dumps/azazel+envd_systemd-unit_libv-8733ce65-d799c7b011ae.elf linux.bpf_listmaps
Volatility 3 Framework 2.4.2
Progress:  100.00               Stacking attempts finished
OFFSET (V)      ID  NAME             TYPE                           KEY SIZE  VALUE SIZE  MAX ENTRIES

0xc90000045ef0  2   iterator.rodata  BpfMapType.BPF_MAP_TYPE_ARRAY  4         98          1
0x888006c74a00  5   envd_bpf.rodata  BpfMapType.BPF_MAP_TYPE_ARRAY  4         116         1
0x888006c74e00  6   .rodata.str1.1   BpfMapType.BPF_MAP_TYPE_ARRAY  4         16          1

# cat -- -1.0x888006c74a00_map_5
{"0": "section (.rodata) = {\n (tp_sys_exit_execve.____fmt) b'debug: %s\\x00'\n (tp_sys_exit_execve.____fmt.1) b'debug: bail out!\\x00'\n (tp_sys_exit_execve.____fmt.2) b'error: write to AT_SECURE failed\\x00'\n (tp_sys_exit_execve.____fmt.4) b'error: write of fake env var failed\\x00'\n"}
```
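An added cross-check of the numbers in this report (example code written for this page, not the reporter's or Volatility's own): it parses the JITed call site and the `linux.bpf_listmaps` rows above, resolves the `rsi` immediate to a map object and offset, confirms that `edx` equals the length of the 19-byte `"LD_PRELOAD=libv.so\0"` literal, and compares the bytes the dump did recover against the map's 116-byte value size. The sample inputs are constructed from the text above. One assumption is made: the `OFFSET (V)` column prints a 48-bit kernel address without its `0xffff` sign-extension (sign-extending `0x888006c74a00` gives exactly `0xffff888006c74b4c - 0x14c`, so the disassembler's `envd_bpf.rodata + 0x14c` annotation is relative to that map object address).

```python
import re

# Constructed sample input: the JITed call site quoted in the issue.
DISASM = """\
0xffffa00031c2: 48 8b 7d e8 mov rdi, qword ptr [rbp - 0x18]
0xffffa00031c6: 48 be 4c 4b c7 06 80 88 ff ff movabs rsi, 0xffff888006c74b4c # envd_bpf.rodata + 0x14c
0xffffa00031d0: ba 13 00 00 00 mov edx, 0x13
0xffffa00031d5: e8 d6 7c 1a e1 call 0xffff811aaeb0 # bpf_probe_write_user
"""

# Constructed sample input: the linux.bpf_listmaps rows, whitespace-joined.
LISTMAPS = """\
0xc90000045ef0 2 iterator.rodata BpfMapType.BPF_MAP_TYPE_ARRAY 4 98 1
0x888006c74a00 5 envd_bpf.rodata BpfMapType.BPF_MAP_TYPE_ARRAY 4 116 1
0x888006c74e00 6 .rodata.str1.1 BpfMapType.BPF_MAP_TYPE_ARRAY 4 16 1
"""

# Strings the map dump recovered (from the cat output), and the literal the
# C source passes to bpf_probe_write_user.
RECOVERED = [
    b"debug: %s\x00",
    b"debug: bail out!\x00",
    b"error: write to AT_SECURE failed\x00",
    b"error: write of fake env var failed\x00",
]
EXPECTED = b"LD_PRELOAD=libv.so\x00"

# Assumption: OFFSET (V) shows the low 48 bits; the JIT immediate is the
# full sign-extended x86-64 kernel address.
KERNEL_HIGH = 0xFFFF << 48


def canonical(addr: int) -> int:
    """Sign-extend a 48-bit address printed without its 0xffff prefix."""
    return addr | KERNEL_HIGH if addr & (1 << 47) else addr


def parse_maps(text: str) -> dict:
    """name -> (object address, value size) from bpf_listmaps rows."""
    maps = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 7:
            continue
        addr, _id, name, _type, _key, value_size, _max = cols
        maps[name] = (canonical(int(addr, 16)), int(value_size))
    return maps


def probe_write_user_args(disasm: str) -> tuple:
    """(src, len) loaded into rsi/edx before the bpf_probe_write_user call.

    x86-64 SysV calling convention: rdi = dst, rsi = src, rdx = len.
    """
    src = length = None
    for line in disasm.splitlines():
        m = re.search(r"movabs rsi, (0x[0-9a-f]+)", line)
        if m:
            src = int(m.group(1), 16)
        m = re.search(r"mov edx, (0x[0-9a-f]+)", line)
        if m:
            length = int(m.group(1), 16)
        if "bpf_probe_write_user" in line:
            return src, length
    raise ValueError("no bpf_probe_write_user call in listing")


def locate(addr: int, maps: dict) -> tuple:
    """(map name, offset) for the map object whose address precedes addr."""
    name, base = max(((n, a) for n, (a, _) in maps.items() if a <= addr),
                     key=lambda t: t[1])
    return name, addr - base


def cross_check() -> dict:
    """Reconcile the call site, the C source and the dumped map contents."""
    maps = parse_maps(LISTMAPS)
    src, length = probe_write_user_args(DISASM)
    name, offset = locate(src, maps)
    _, value_size = maps[name]
    recovered = sum(len(s) for s in RECOVERED)
    return {
        "map": name,
        "offset": offset,
        "length_matches_source": length == len(EXPECTED),
        "recovered_bytes": recovered,
        "expected_fits_in_value": recovered + len(EXPECTED) <= value_size,
    }


if __name__ == "__main__":
    print(cross_check())
```

Running it reports `envd_bpf.rodata` at offset `0x14c`, a length of 19 that matches the literal, 96 bytes of recovered strings, and that 96 + 19 = 115 fits inside the 116-byte value. So the map's value size alone does not rule out the string being present in the value; that is a useful starting point when deciding whether the plugin's dump or its symbol-to-string association is what drops it.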