Wednesday, December 15, 2010

Dissecting the working process and key steps of a Linux virus prototype (Part 1)

I. Introduction

The main purpose of this essay is to summarise the Linux virus prototype code I wrote recently, and at the same time to give interested readers a simple introduction to it.

To follow this article you need some understanding of the ELF format, the ability to read C code with embedded assembly, and a grasp of how viruses work in general.

II. ELFInfector (ELF file infection)

To produce a virus file we need an ELF infector, which is used to manufacture the first infected file. The technique of infecting ELF files is already analysed and described very well in Silvio Cesare's article UNIX ELF PARASITES AND VIRUS; I have found nothing to add on this point, so I reproduce Silvio Cesare's summary of ELF infection here for reference:

    The final algorithm using this information is:

    * Increase p_shoff by PAGE_SIZE in the ELF header
    * Patch the insertion code (parasite) to jump to the entry point (original)
    * Locate the text segment program header
        * Modify the entry point of the ELF header to point to the new code (p_vaddr + p_filesz)
        * Increase p_filesz to account for the new code (parasite)
        * Increase p_memsz to account for the new code (parasite)
    * For each phdr whose segment is after the insertion (text segment)
        * Increase p_offset by PAGE_SIZE
    * For the last shdr in the text segment
        * Increase sh_len by the parasite length
    * For each shdr whose section resides after the insertion
        * Increase sh_offset by PAGE_SIZE
    * Physically insert the new code (parasite) and pad to PAGE_SIZE, into the file - text segment p_offset + p_filesz (original)

The ELF infector used in the Linux virus prototype, g-elf-infector, was written following this principle. The source code of this infector, g-elf-infector.c, is given in the appendix. g-elf-infector is independent of the virus; it is only used when producing the first virus file. I describe how to use it in the hope that g-elf-infector.c can serve any purpose where binary code has to be inserted into the text segment of a specified file and executed first when the target file runs.
The g-elf-infector.c interface is very simple; you only need to provide the following three definitions:

* the offset at which your binary code keeps its return address, i.e. the offset of that address from the start of the code; it is used to return to the target program's normal entry point:

    #define PARACODE_RETADDR_ADDR_OFFSET 1232

* the binary code you want to insert (written in C, so it has to be a function):

    void parasite_code(void);

* the end of the binary code (to make it easy to compute the code length, this is a function that marks the end):

    void parasite_code_end(void);

parasite_code_end should be the first function defined after parasite_code, typically:

    void parasite_code(void) { ...... }
    void parasite_code_end(void) {}

One problem here is that the compiler may reorder the two functions so that parasite_code_end does not follow parasite_code, which makes the code length calculation fail. To avoid this, you can write:

    void parasite_code(void) { ...... }
    void parasite_code_end(void) { parasite_code(); }

With these three definitions in place g-elf-infector compiles correctly and can then be used to infect ELF files.

III. Working process of the virus prototype

1. First, the virus code is infected into an ELF file with ELFInfector, creating the first infected file; all subsequent spreading is done by that file.
2. When the infected file is executed, control first goes to the virus code.
3. The virus code starts running; in this prototype the virus begins spreading immediately.
4. The virus walks every file in the current directory and starts infecting each ELF file that meets the requirements.
5. The infection process is similar to that of ELFInfector, but because the working environment is different, the implementation of the code also differs considerably.
6. Currently the basic requirement for an ELF file to be infected is that its text segment must have enough free space to hold the virus code; if this cannot be met, the virus ignores that ELF.
   Since the text segment of an already infected ELF file has no remaining space, a second infection does not happen.
7. After the virus code has run, it restores the stack and all registers (this is important) and then jumps back to the real entry point of the executable, which begins running normally.

The working process of the prototype described above may look no different from the virus introductions we have known for a long time. Indeed, the principle is similar; the key lies in the details. Below we analyse some technical problems to understand the implementation ideas in detail.

IV. Key technical issues and their handling

1. Redirecting the ELF file's execution flow and inserting the code

In ELF file infection, ELFInfector and the virus's spreading routine infect_virus share the same idea:

* Locate the text segment and append the virus code to its tail. The key to this step is familiarity with the ELF file format: copy the virus code to the tail of the text segment, adjust the length of the text segment and, as needed, change the virtual addresses of the segments and sections that follow it. Remember to associate the inserted code with a section, otherwise tools such as strip will strip the inserted code out. Also pay attention to alignment when increasing the length of the text segment; see the description of p_align in the ELF specification: 'As "Program Loading" later in this part describes, loadable process segments must have congruent values for p_vaddr and p_offset, modulo the page size.'
* Change the entry address in the ELF file header to the address of the virus code, which completes the redirection:

    /* Modify the entry point of the ELF header */
    org_entry = ehdr->e_entry;
    ehdr->e_entry = phdr[txt_index].p_vaddr + phdr[txt_index].p_filesz;

2. How the virus code returns to the real ELF entry point

There are probably many techniques for this; the approach used here is a PUSH + RET combination:

    __asm__ volatile (
        ...
        "return:\n\t"
        "push $0xAABBCCDD\n\t"      /* push ret_addr */
        "ret\n"
        ::);

0xAABBCCDD holds the real program entry address; this value is filled in from the infected program when the virus code is inserted.

3. Restoring the stack and registers

The virus code must ensure that the stack and register contents are exactly the same before and after it runs; this is done with additional code. On entry:

    __asm__ volatile (
        "push %%eax\n\t"
        "push %%ecx\n\t"
        "push %%edx\n\t"
        ::);

On exit:

    __asm__ volatile (
        "popl %%edx\n\t"
        "popl %%ecx\n\t"
        "popl %%eax\n\t"
        "addl $0x102c, %%esp\n\t"
        "popl %%ebx\n\t"
        "popl %%esi\n\t"
        "popl %%edi\n\t"
        "popl %%ebp\n\t"
        "jmp return\n"
        ::);

Note that the code above was adjusted to the specific compiler and compilation options; if you recompile the program under different circumstances, you may also need to make some adjustments.

4. Using strings

A statement like

    write(1, "hello world\n", 12);

cannot be used directly in the virus code, because the string is referenced through an absolute address. Once the virus code is moved into a new host, the contents at that absolute address are not guaranteed, so the virus code must access strings through relative or indirect addressing. The following is the solution from Silvio Cesare's UNIX ELF PARASITES AND VIRUS, which borrows a technique used when writing buffer-overflow shellcode:

    In x86 Linux, some syscalls require the use of an absolute address pointing to initialized data. This can be made relocatable by using a common trick used in buffer overflow code.

        jmp A
    B:
        pop %eax        ; %eax now has the address of the string
        ...             ; continue as usual
    A:
        call B
        .string "hello"

    By making a call directly preceding the string of interest, the address of the string is pushed onto the stack as the return address.

However, when writing the Linux virus prototype code I did not use this method; I tried to make the code use C syntax:

    char tmpfile[32] = {'/','t','m','p','/','.','g','v','i','r','u','s','\0'};
    #ifndef NDEBUG
    char err_type[32] = {'f','i','l','e',' ','t','y','p','e',' ','n','o','t',' ',
                         's','u','p','p','o','r','t','e','d','\n','\0'};
    char luck[32] = {'B','e','t','t','e','r',' ','l','u','c','k',' ',
                     'n','e','x','t',' ','f','i','l','e','\n','\0'};
    #endif

Here the strings are written as character arrays, and the compiler turns them into code like this:

    ...
    movb $47, -8312(%ebp)
    movb $116, -8311(%ebp)
    movb $109, -8310(%ebp)
    movb $112, -8309(%ebp)
    movb $47, -8308(%ebp)
    movb $46, -8307(%ebp)
    movb $103, -8306(%ebp)
    movb $118, -8305(%ebp)
    movb $105, -8304(%ebp)
    movb $114, -8303(%ebp)
    movb $117, -8302(%ebp)
    movb
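As an added example (not the author's code), here is the defender's counterpart to the entry-point redirection described in point 1 of this section: the infector sets e_entry to p_vaddr + p_filesz of the text segment, past the code the linker placed in .text, so an entry point that does not fall inside .text is a cheap triage signal for this class of infection. The ELF32 builder only constructs a minimal test image; its section layout, addresses and the name `entry_in_text` are assumptions made for the example.

```python
import struct

# Elf32_Ehdr and Elf32_Shdr layouts, little-endian, no padding.
EHDR = "<16sHHIIIIIHHHHHH"
SHDR = "<IIIIIIIIII"
EHDR_SIZE, SHDR_SIZE = 52, 40


def sections(elf: bytes):
    """Yield (name, sh_addr, sh_size) for every section header of an ELF32 image."""
    e = struct.unpack_from(EHDR, elf, 0)
    e_shoff, e_shnum, e_shstrndx = e[6], e[12], e[13]
    hdrs = [struct.unpack_from(SHDR, elf, e_shoff + i * SHDR_SIZE)
            for i in range(e_shnum)]
    str_off = hdrs[e_shstrndx][4]          # sh_offset of the .shstrtab section
    for sh_name, _type, _flags, sh_addr, _off, sh_size, *_ in hdrs:
        end = elf.index(b"\0", str_off + sh_name)
        yield elf[str_off + sh_name:end].decode(), sh_addr, sh_size


def entry_in_text(elf: bytes) -> bool:
    """Triage check: does e_entry lie inside [.text sh_addr, sh_addr + sh_size)?
    A tail-of-text-segment infection moves e_entry out of .text. Hand-written
    startup code or packers can trigger this as well, so it is a signal, not proof."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1:
        raise ValueError("not an ELF32 image")
    e_entry = struct.unpack_from(EHDR, elf, 0)[4]
    for name, addr, size in sections(elf):
        if name == ".text":
            return addr <= e_entry < addr + size
    return False                           # no .text section at all: also suspicious


def build_elf32(e_entry: int, text_addr=0x8048000, text_size=0x100) -> bytes:
    """Constructed minimal ELF32 image (ET_EXEC, EM_386) with a .text header and a
    .shstrtab, used only to exercise entry_in_text() offline (assumed layout)."""
    shstrtab = b"\0.text\0.shstrtab\0"
    str_off = EHDR_SIZE                    # string table right after the ELF header
    sh_off = str_off + len(shstrtab)       # section headers after the strings
    ehdr = struct.pack(EHDR, b"\x7fELF\x01\x01\x01" + b"\0" * 9, 2, 3, 1,
                       e_entry, 0, sh_off, 0, EHDR_SIZE, 32, 0, SHDR_SIZE, 3, 2)
    null = struct.pack(SHDR, *([0] * 10))
    # .text: SHT_PROGBITS, SHF_ALLOC | SHF_EXECINSTR, 16-byte aligned
    text = struct.pack(SHDR, 1, 1, 6, text_addr, 0, text_size, 0, 0, 16, 0)
    # .shstrtab: SHT_STRTAB holding the section names above
    strs = struct.pack(SHDR, 7, 3, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0)
    return ehdr + shstrtab + null + text + strs
```

Running `entry_in_text` over a directory of binaries and reviewing only the ones that return False is a practical way to hunt for this pattern.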
