nanog mailing list archives
Re: Synful Knock questions...
From: "Ricky Beam" <jfbeam () gmail com>
Date: Tue, 15 Sep 2015 15:27:47 -0400
On Tue, 15 Sep 2015 14:35:44 -0400, Michael Douglas <Michael.Douglas () ieee org> wrote:
> Does anyone have a sample of a backdoored IOS image?
The IOS image isn't what gets modified. ROMMON is altered to patch IOS after decompression before passing control to it. I don't know WTF they're going on and on about "file size". There are many reasons to overwrite. The most likely reason the hack does this is because it's easier than a dynamic allocation of executable memory. Plus, modifications done by ROMMON cannot allocate IOS system memory; their hooks MUST rewrite existing code SOMEWHERE.
Again, this is a ROMMON HACK that doctors the running IOS image IN MEMORY before starting IOS.