15 Sep
2015
15 Sep
'15
3:27 p.m.
On Tue, 15 Sep 2015 14:35:44 -0400, Michael Douglas <Michael.Douglas@ieee.org> wrote:
Does anyone have a sample of a backdoored IOS image?
The IOS image isn't what gets modified. ROMMON is altered to patch IOS after decompression before passing control to it. I don't know WTF they're going on and on about "file size". There are many reasons to overwrite. The most likely reason the hack does this is because it's easier than a dynamic allocation of executable memory. Plus, modifications done by ROMMON cannot allocate IOS system memory; their hooks MUST rewrite existing code SOMEWHERE. Again, this is a ROMMON HACK, that doctors the running IOS image IN MEMORY before starting IOS.