Synful Knock questions...

• Previous message (by thread): Synful Knock questions...
• Next message (by thread): Synful Knock questions...
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 15 Sep 2015 14:35:44 -0400, Michael Douglas  
<Michael.Douglas at ieee.org> wrote:
> Does anyone have a sample of a backdoored IOS image?

The IOS image isn't what gets modified. ROMMON is altered to patch IOS  
after decompression before passing control to it.  I don't know WTF  
they're going on and on about "file size". There are many reasons to  
overwrite. The most likely reason the hack does this is because it's  
easier than a dynamic allocation of executable memory. Plus, modifications  
done by ROMMON cannot allocate IOS system memory; their hooks MUST rewrite  
existing code SOMEWHERE.

Again, this is a ROMMON HACK, that doctors the running IOS image IN MEMORY  
before starting IOS.

• Previous message (by thread): Synful Knock questions...
• Next message (by thread): Synful Knock questions...
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]