In case you didn't catch it on the Volatility Labs blog, I found an interesting bug that we've had in the framework since we've had Linux support. If you've had cases that involved Linux samples and plugins like linux_yarascan, linux_strings, etc., you might want to update to the latest code and have another look over those samples. Of course, there's no reason to think that a piece of malware might have used this trick and used a SIGSEGV handler to access the data, but the idea has been around for years...
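As an added illustration of the general "SIGSEGV handler" trick the post alludes to (this is example code written for this page, not code from the Volatility project or from the Labs post, and the post does not say whether the bug it describes involved exactly this pattern): a process reserves an address range with no access rights, and a SIGSEGV handler maps and fills a real page only when the range is first touched. The payload string, the region size (four pages) and the function names are assumptions made for the example; it assumes Linux or another POSIX system where a fault on a PROT_NONE mapping delivers SIGSEGV with si_addr set.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed example payload (assumption for this example). A real sample
 * would more likely derive the bytes at fault time than keep them in .rodata. */
static const char kPayload[] = "constructed-example-secret";

static uint8_t *g_region     = NULL; /* PROT_NONE reservation: no backing pages */
static size_t   g_region_len = 0;
static size_t   g_page       = 0;

/* Fault handler: if the faulting address lies inside our reservation, map a
 * writable anonymous page over it, copy the payload in, and return so the
 * faulting instruction is re-executed and now succeeds. */
static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    uintptr_t fault = (uintptr_t)si->si_addr;
    uintptr_t base  = (uintptr_t)g_region;

    if (g_region == NULL || fault < base || fault >= base + g_region_len) {
        /* Not our range: restore the default action so the retry crashes. */
        signal(SIGSEGV, SIG_DFL);
        return;
    }
    void *pg = (void *)(fault & ~((uintptr_t)g_page - 1));
    /* MAP_FIXED is safe here only because we own this address range.
     * mmap is not on the async-signal-safe list; it works on Linux in practice. */
    if (mmap(pg, g_page, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0) == MAP_FAILED) {
        signal(SIGSEGV, SIG_DFL);
        return;
    }
    memcpy(pg, kPayload, sizeof kPayload);
}

/* Reserve `pages` pages with no access rights and install the handler.
 * Returns 0 on success, -1 on failure. */
int lazy_region_init(size_t pages)
{
    struct sigaction sa;
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0) return -1;
    g_page = (size_t)ps;

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;

    void *p = mmap(NULL, pages * g_page, PROT_NONE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    g_region = p;
    g_region_len = pages * g_page;
    return 0;
}

/* Read the payload back through the reserved range. The first load faults,
 * the handler maps and fills the page, and the load completes. Returns 1 if
 * the bytes read back equal the payload, 0 otherwise. */
int lazy_region_read_matches(void)
{
    if (g_region == NULL && lazy_region_init(4) != 0) return 0;
    return strcmp((const char *)g_region, kPayload) == 0;
}

int main(void)
{
    return lazy_region_read_matches() ? 0 : 1;
}
```

The forensic point is in what the reserved range looks like before the first touch: it has no physical pages behind it, so anything that reconstructs process memory from the page tables, as a string or YARA scan over a memory image does, sees nothing there until the fault has run. The payload only exists in RAM after the process has asked for it.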