Malware Killed for " (deleted)" binary

Thank you infinitely; in reality I had already found the document before the suggestion, but I thought it wasn't useful in my case and therefore tried with shellcode :sweat_smile:.
I did a lot of research looking at the ezuri code: GitHub - guitmz/ezuri: A Simple Linux ELF Runtime Crypter and this: GitHub - droberson/ELFcrypt: Simple ELF crypter. Uses RC4 encryption., https://github.com/0x00pf/0x00sec_code/blob/master/crypter/polycrypt.c
Now I will better understand how __attribute__ works.


I found an IoT botnet that executes the following shell script upon startup:

#!/bin/sh

# Walk every /proc/<pid> entry and kill any process whose backing binary
# no longer exists on disk (the kernel appends " (deleted)" to the exe link).
for proc_dir in /proc/*; do
    pid=${proc_dir##*/}

    # Long listing of the exe symlink; unreadable entries are ignored.
    result=$(ls -l "/proc/$pid/exe" 2> /dev/null)

    # If stripping the "(deleted)" suffix changes the string, it was present.
    if [ "$result" != "${result%(deleted)}" ]; then
        kill -9 "$pid"
    fi
done

I guess the bypass with the link() will be as well killed by this shell script?
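A defender-side variant of the check above, written here as an added example and not part of the original thread: it reports, instead of kills, processes whose backing executable has been unlinked, and distinguishes memfd-backed images from deleted on-disk files. It assumes Linux /proc and a readlink that prints the link target.

```shell
#!/bin/sh
# Added example (not from the thread): inventory processes whose /proc/<pid>/exe
# link carries the kernel's " (deleted)" suffix, the condition the botnet script
# keys on, and classify them rather than killing them.

# classify_exe_target TARGET
# Prints "memfd" for anonymous memory-backed executables (memfd_create),
# "deleted-file" for an on-disk path that was unlinked, and nothing otherwise.
classify_exe_target() {
    target=$1
    case "$target" in
        "/memfd:"*" (deleted)") echo memfd ;;
        *" (deleted)")          echo deleted-file ;;
        *)                      ;;
    esac
}

# scan_proc: one tab-separated line per suspicious process:
# pid, class, exe target, command line. Unreadable exe links (kernel
# threads, other users' processes without privilege) are skipped silently,
# like the "2> /dev/null" in the original script.
scan_proc() {
    for proc_dir in /proc/[0-9]*; do
        pid=${proc_dir##*/}
        target=$(readlink "$proc_dir/exe" 2>/dev/null) || continue
        class=$(classify_exe_target "$target")
        [ -n "$class" ] || continue
        cmd=$(tr '\0' ' ' < "$proc_dir/cmdline" 2>/dev/null)
        printf '%s\t%s\t%s\t%s\n' "$pid" "$class" "$target" "$cmd"
    done
}

# Run the scan only when asked, so the functions can be sourced elsewhere.
if [ "${1:-}" = "--scan" ]; then
    scan_proc
fi
```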

Sorry @paola32 … I completely missed this post.

Yes you are right… :slight_smile:
