Simple unpacking script for Ezuri ELF Crypter


ezuri_unpack

A simple unpacking script for the Ezuri ELF Crypter. Based on the analysis done by Ofer Caspi and Fernando Martinez of AT&T Alien Labs: https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader

[Screenshot: ezuri_unpack.go]

How does it work?

The Ezuri stub carries the real payload AES-encrypted in CFB mode. At run time the stub decrypts the payload in memory and executes it through memfd_create, so the decrypted ELF never touches disk. The key and IV are stored inside the stub binary itself, which is what makes static unpacking possible: recover them from the binary, run the same AES-CFB decryption over the embedded ciphertext, and write the result to a file.
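The decryption step described above, as an added example in Go that is not part of the ezuri_unpack script or of guitmz/ezuri. It assumes a constructed 32-byte key and 16-byte IV (not Ezuri's real values) and a constructed stand-in payload; it encrypts the payload the way a CFB-based packer would, decrypts it again with the same key and IV, and then checks for the ELF magic, which is the only signal that the key/IV pair was right, because a CFB decryption with wrong material does not fail, it just yields garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// elfMagic is the first four bytes of every ELF file. A correctly decrypted
// Ezuri payload must start with it.
var elfMagic = []byte{0x7f, 'E', 'L', 'F'}

// Constructed key and IV for this example only (NOT Ezuri's values; in a real
// unpack they are recovered from the stub binary).
var (
	exampleKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	exampleIV  = []byte("fedcba9876543210")                 // 16 bytes = AES block size
)

// newCFB validates the key/IV sizes and returns the AES block cipher.
func newCFB(key, iv []byte) (cipher.Block, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, errors.New("iv length must equal the AES block size (16 bytes)")
	}
	return block, nil
}

// EncryptCFB is what the packer side does; it exists here only to build test
// input. CFB is a stream mode, so no padding is involved.
func EncryptCFB(key, iv, plaintext []byte) ([]byte, error) {
	block, err := newCFB(key, iv)
	if err != nil {
		return nil, err
	}
	ciphertext := make([]byte, len(plaintext))
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(ciphertext, plaintext)
	return ciphertext, nil
}

// DecryptCFB reverses the stub's in-memory decryption: same key, same IV,
// CFB keystream XORed over the ciphertext.
func DecryptCFB(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := newCFB(key, iv)
	if err != nil {
		return nil, err
	}
	plaintext := make([]byte, len(ciphertext))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(plaintext, ciphertext)
	return plaintext, nil
}

// Unpack decrypts and then sanity-checks the result. A wrong key or IV does
// not make CFB fail, so the ELF magic check is what tells right from wrong.
func Unpack(key, iv, ciphertext []byte) ([]byte, error) {
	plaintext, err := DecryptCFB(key, iv, ciphertext)
	if err != nil {
		return nil, err
	}
	if !bytes.HasPrefix(plaintext, elfMagic) {
		return nil, errors.New("decrypted data does not start with \\x7fELF: wrong key/IV or not an Ezuri payload")
	}
	return plaintext, nil
}

func main() {
	// Constructed stand-in for a packed payload: ELF magic plus filler bytes.
	payload := append(append([]byte{}, elfMagic...), []byte("\x02\x01\x01 fake ELF body for the example")...)

	packed, err := EncryptCFB(exampleKey, exampleIV, payload)
	if err != nil {
		panic(err)
	}
	unpacked, err := Unpack(exampleKey, exampleIV, packed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("unpacked %d bytes, magic ok: %v\n", len(unpacked), bytes.Equal(unpacked, payload))

	// Wrong key: decryption "succeeds" but the magic check rejects the output.
	_, err = Unpack([]byte("ffffffffffffffffffffffffffffffff"), exampleIV, packed)
	fmt.Println("wrong key ->", err)
}
```

In a real unpack the key and IV come from the stub, not from constants, and the ELF check should be followed by a look at the program headers before anyone runs the output; the unpacked file is the actual malware.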

[Screenshot: hex editor view of the POC executable]

Testing the script

  1. Build the test payload: gcc test.c -o test
  2. Build and run guitmz/ezuri to pack it (this produces packed.bin)
  3. Unpack it again: go run ezuri_unpack.go packed.bin

I also tested it with the packed Linux.Cephei sample mentioned in the report (link to VirusTotal).

Owner
Marius Genheimer
Computer Science Student (IT-Sec) | Malware Analysis and Reverse Engineering