
TrustedSec | XZ Utils Made Me Paranoid

Submitted by Style Pass, 2024-05-08 03:30:04

On March 28, 2024, the news about the XZ Utils backdoor came out. Since then, I’ve been thinking about how we could identify these backdoors before packages are released or, at the very least, how to identify them after upgrades. After a week or so, I decided to try to write up a basic scanner to at least identify hooks in memory, which quickly turned into a much larger project than I expected. In this post, we’ll go through what the initial idea was, what needed to be built, and what we ended up with.

If you look at my past blog posts (ELFLoader and COFFLoader), you will notice that I write a lot of in-memory loaders. To test out my idea, I started with one of my old in-memory loaders because I thought I could easily reuse and modify it to fit my needs. This turned out not to be the case, and we’ll cover why shortly. 

The full goal of this project was to do a few things. The first part was to identify which libraries a specific binary needs. However, that requires parsing the binary on disk, identifying the libraries it needs, and then identifying all libraries that those libraries load in turn. Then I had to relate those items to each other and compare what was in memory to what was on disk. The bulk of the work is pretty much the same as what would be needed for building an in-memory loader, so if you want more details on that, check out my ELFLoader or COFFLoader blog posts. All the differences between a standard loader and what I had to do will be covered below.
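As an added illustration of that first step (this is not code from the TrustedSec post or its scanner), here is a pure-Python reader for the DT_NEEDED entries of a little-endian ELF64 file, plus the transitive closure over them. Instead of real files it runs against constructed in-memory ELF fixtures; `read`, `build_fake_elf`, `FAKE_DISK` and the library names are assumptions made for the demo.

```python
import struct
SHT_STRTAB, SHT_DYNAMIC, DT_NULL, DT_NEEDED = 3, 6, 0, 1
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")        # Elf64_Shdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn

def dt_needed(data):
    """Return the DT_NEEDED library names recorded in an ELF64 image's .dynamic section."""
    if data[:6] != b"\x7fELF\x02\x01":  # magic + ELFCLASS64 + ELFDATA2LSB
        raise ValueError("not a little-endian ELF64 file")
    _, _, _, _, _, _, shoff, _, _, _, _, shentsize, shnum, _ = EHDR.unpack_from(data)
    shdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    needed = []
    for sh in (s for s in shdrs if s[1] == SHT_DYNAMIC):
        strtab_off = shdrs[sh[6]][4]  # sh_link names the .dynstr section; field 4 is sh_offset
        for off in range(sh[4], sh[4] + sh[5], DYN.size):  # walk the Elf64_Dyn entries
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:  # .dynamic is DT_NULL-terminated
                break
            if tag == DT_NEEDED:  # d_val is an offset into .dynstr
                needed.append(data[strtab_off + val:data.index(b"\0", strtab_off + val)].decode())
    return needed

def needed_closure(root, read, seen=None):  # read(name) returns that file's on-disk bytes (assumed resolver)
    """Transitive DT_NEEDED closure: every library the binary or one of its libraries pulls in."""
    seen = set() if seen is None else seen
    for name in dt_needed(read(root)):
        if name not in seen:  # visited set prevents rescanning shared deps and loops
            seen.add(name)
            needed_closure(name, read, seen)
    return seen

def build_fake_elf(needed):  # constructed fixture: only .dynstr and .dynamic, not a loadable binary
    dynstr, dynamic = b"\0", b""
    for name in needed:
        dynamic += DYN.pack(DT_NEEDED, len(dynstr))
        dynstr += name.encode() + b"\0"
    dynamic += DYN.pack(DT_NULL, 0)
    dynamic_off = EHDR.size + len(dynstr)
    shdrs = b"\0" * SHDR.size + SHDR.pack(0, SHT_STRTAB, 0, 0, EHDR.size, len(dynstr), 0, 0, 1, 0)
    shdrs += SHDR.pack(0, SHT_DYNAMIC, 0, 0, dynamic_off, len(dynamic), 1, 0, 8, DYN.size)
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9, 3, 62, 1, 0, 0,
                     dynamic_off + len(dynamic), 0, EHDR.size, 0, 0, SHDR.size, 3, 0)
    return ehdr + dynstr + dynamic + shdrs

FAKE_DISK = {  # constructed "disk": libc is needed directly and again via libalpha
    "example_bin": build_fake_elf(["libalpha.so.1", "libc.so.6"]),
    "libalpha.so.1": build_fake_elf(["libc.so.6"]),
    "libc.so.6": build_fake_elf([]),
}
```

On a real system the resolver passed as `read` has to follow the same search order as the dynamic loader (DT_RPATH/DT_RUNPATH, LD_LIBRARY_PATH, the ld.so cache), otherwise the on-disk closure will not line up with what is actually mapped in memory.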
