20.
The graph is not super exact, because this function is dodgy, but
you get the idea.
It uses (or should use, since the malware is wrongly coded) a first
method to get symbols, and a second one as a fallback.
[0x0000717c]> pdf@sym.search_method_find_in_file
A stupid grep in System.map
[0x00006130]> pdf@sym.search_method_exec_command
Equivalent to 'cat /proc/kallsyms > /.kallsyms_tmp'
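The fallback above leaves a file at /.kallsyms_tmp, which is something a responder can look for. The following triage check is an added example, not code from the slides or from the malware: it looks for that file under a given root (live system or mounted image) and tests whether its content has the /proc/kallsyms line shape. The function name, the sample size and the threshold are assumptions made for the example.

```python
import os
import re
import stat

# Artifact name from the slide: the fallback writes /proc/kallsyms to /.kallsyms_tmp.
ARTIFACT = ".kallsyms_tmp"
# kallsyms line: hex address, one-letter type, symbol name, optional "[module]".
KALLSYMS_LINE = re.compile(r"^[0-9a-fA-F]{8,16}\s+[A-Za-z]\s+\S+(\s+\[[^\]]+\])?$")


def triage_kallsyms_dump(root="/", sample=200, threshold=0.9):
    """Inspect <root>/.kallsyms_tmp; return a finding dict, or None if absent.

    root lets the check run against a mounted disk image instead of the live
    system. Absence proves nothing: the file may have been deleted after use.
    """
    path = os.path.join(root, ARTIFACT)
    try:
        st = os.lstat(path)  # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return None
    finding = {
        "path": path,
        "size": st.st_size,
        "uid": st.st_uid,
        "mtime": st.st_mtime,
        "regular_file": stat.S_ISREG(st.st_mode),
        "looks_like_kallsyms": False,
    }
    if not finding["regular_file"]:
        return finding
    lines = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            if len(lines) >= sample:
                break
            if line.strip():
                lines.append(line.rstrip("\n"))
    if lines:
        hits = sum(1 for l in lines if KALLSYMS_LINE.match(l))
        finding["looks_like_kallsyms"] = hits / len(lines) >= threshold
    return finding


if __name__ == "__main__":
    print(triage_kallsyms_dump("/"))
```

The mtime and uid in the finding give a first timestamp and owner to correlate with process and module-load logs.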
21.
Learn to UNIX
[0x00006130]> s sym.execute_command
[0x00006130]> pdf~XREF
; UNKNOWN XREF from 0x00006118 (fcn.000060fc)
; JMP XREF from 0x000061c0 (fcn.00006189)
; CALL XREF from 0x00006184 (fcn.00006189)
; CALL XREF from 0x00006196 (fcn.00006189)
; CALL XREF from 0x000061a4 (fcn.00006189)
; JMP XREF from 0x0000618f (fcn.00006189)
; JMP XREF from 0x0000619d (fcn.00006189)
; CALL XREF from 0x000061b7 (fcn.00006189)
; JMP XREF from 0x000061ae (fcn.00006189)