Analysis of the working process and key points of a Linux virus prototype

Source: Internet
Author: User
I. Introduction

The purpose of this article is to summarize a Linux virus prototype that I wrote recently, and to give a brief introduction to readers interested in the subject. To follow it you need some knowledge of the ELF format, the ability to read C code with embedded assembly, and an understanding of the basic working principles of viruses.

II. ELF Infector (ELF file Infector)

To create the first infected file we need an ELF file infector. The ELF file infection technique has already been analyzed and described very well in Silvio Cesare's article "Unix ELF parasites and virus"; I have found nothing to add in this respect, so I quote Silvio Cesare's summary of the ELF infection process here for reference:

The following is a code snippet:

The final algorithm, using this information, is:

* Increase p_shoff by PAGE_SIZE in the ELF header
* Patch the insertion code (parasite) to jump to the entry point (original)
* Locate the text segment program header
  * Modify the entry point of the ELF header to point to the new code (p_vaddr + p_filesz)
  * Increase p_filesz to account for the new code (parasite)
  * Increase p_memsz to account for the new code (parasite)
* For each phdr whose segment is after the insertion (text segment)
  * Increase p_offset by PAGE_SIZE
* For the last shdr in the text segment
  * Increase sh_len by the parasite length
* For each shdr whose section resides after the insertion
  * Increase sh_offset by PAGE_SIZE
* Physically insert the new code (parasite) and pad to PAGE_SIZE, into the file - text segment p_offset + p_filesz (original)

The ELF infector used in the Linux virus prototype, gei, is based on this principle. The source code of the infection tool, g-elf-infector.c, is given in the appendix. g-elf-infector is independent of the virus; it is used only to produce the first infected file. I will briefly introduce how it works. g-elf-infector.c can be used for anything you want: it inserts binary code into the text segment of the specified file, and that code runs first when the target file is executed. The interface of g-elf-infector.c is simple; you only need to provide the following three definitions:

* The location in your binary code that holds the return address. What is needed here is the offset between that location and the start of the code; it is used to return to the normal entry point of the target program.
The following is a code snippet:
#define PARACODE_RETADDR_ADDR_OFFSET 1232

* The binary code to be inserted (it must be provided as a function, because it is written in C):

void parasite_code(void);

* The end of the binary code (for convenience, an end-marker function is used to compute the code length):

void parasite_code_end(void);

parasite_code_end should be the first function defined after the parasite_code function. In general it looks like this:

void parasite_code(void)
{
    ...
}

void parasite_code_end(void) {}

There is a problem here: the compiler may place parasite_code_end before parasite_code in the output, which makes the code length computation fail. To avoid this problem, you can do the following:

void parasite_code(void)
{
    ...
}

void parasite_code_end(void) { parasite_code(); }

With these three definitions, g-elf-infector can be compiled and used to infect ELF files.

III. Working process of the virus prototype

1. First, ELF Infector is used to infect an ELF file with the virus code. This creates the first file carrying the virus; subsequent propagation is done by the virus itself.

2. When an infected file is executed, control first goes to the virus code.

3. The virus code begins its work; in this prototype, the virus directly begins to spread.

4. The virus traverses every file in the current directory. If a file is an ELF file that meets the conditions, it is infected.

5. The virus infection process is similar to that of ELF Infector, but because the working environment differs, the code implementation is also quite different.

6. Currently the basic requirement for infecting an ELF file is that the text segment must have room to accommodate the virus code; if it does not, the virus ignores that ELF. A file that has already been infected once has no space left in its text segment, so it is not infected a second time.

7. After the virus code has run, the stack and all registers are restored (this is important) and control jumps back to the real entry point of the executable, which then starts normally.

The introduction above may sound no different from the viruses we have long known about. Indeed, the principle is similar; the key is in the implementation. Next we analyze some technical issues to understand the specific implementation ideas.

IV. Key technical issues and solutions
1. Redirecting the execution flow of an ELF file and inserting code

For the ELF file infection problem, the idea is the same in ELF Infector and in the infect_virus call made during virus propagation:

* Locate the text segment and append the virus code to its end. The key to this step is familiarity with the ELF file format. After the virus code is copied to the end of the text segment, the file offsets (and, where needed, the virtual addresses) of the segments and sections that follow and are affected by the length change must be adjusted. At the same time, note that the newly added text must be associated with a section, to prevent tools such as strip from removing the inserted code. Another point is the alignment constraint when growing the text segment; see the description of p_align in the ELF specification:

The following is a code snippet:

p_align
    As "Program Loading" later in this part describes, loadable process segments must have congruent values for p_vaddr and p_offset, modulo the page size.

* Code redirection is done by changing the entry address in the ELF header to the address of the virus code:

org_entry = ehdr->e_entry;    /* save the real entry point */
ehdr->e_entry = phdr[txt_index].p_vaddr + phdr[txt_index].p_filesz;    /* end of the text segment, where the virus code was placed */
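The steps above (Cesare's algorithm and the e_entry redirection) leave structural traces a defender can check for. As an added example, not code from the original article or from g-elf-infector, the following Python script parses an ELF64 little-endian header and applies three triage checks: p_vaddr/p_offset congruence of each PT_LOAD, whether e_entry lies inside the executable segment, and whether it lies inside a section flagged SHF_EXECINSTR (an entry pointed at p_vaddr + p_filesz typically lands in the segment tail past the last executable section). The two sample images are constructed header-only ELF files, not real binaries.

```python
"""Triage checks for the text-segment infection layout described above (ELF64, little-endian)."""
import struct

PAGE_SIZE = 0x1000
PT_LOAD, PF_X, SHF_EXECINSTR = 1, 0x1, 0x4
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr

def parse_elf64(data):
    """Return (e_entry, phdrs, shdrs); the tables are lists of raw field tuples."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    f = EHDR.unpack_from(data, 0)
    e_entry, phoff, shoff, phnum, shnum = f[4], f[5], f[6], f[10], f[12]
    phdrs = [PHDR.unpack_from(data, phoff + i * PHDR.size) for i in range(phnum)]
    shdrs = [SHDR.unpack_from(data, shoff + i * SHDR.size) for i in range(shnum)]
    return e_entry, phdrs, shdrs

def entry_checks(data):
    """Three structural checks; True means the property a clean binary normally has."""
    e_entry, phdrs, shdrs = parse_elf64(data)
    loads = [p for p in phdrs if p[0] == PT_LOAD]
    # (1) p_vaddr and p_offset must stay congruent modulo the page size (p_align rule)
    congruent = all((p[3] - p[2]) % PAGE_SIZE == 0 for p in loads)
    # (2) e_entry should lie inside the executable PT_LOAD (text) segment
    in_text = any(p[1] & PF_X and p[3] <= e_entry < p[3] + p[5] for p in loads)
    # (3) e_entry should lie inside a section flagged SHF_EXECINSTR; an entry moved to
    #     p_vaddr + p_filesz lands in the segment tail, past the last executable section
    in_exec = any(s[2] & SHF_EXECINSTR and s[3] <= e_entry < s[3] + s[5] for s in shdrs)
    return {"segments_congruent": congruent, "entry_in_text": in_text, "entry_in_exec_section": in_exec}

def build_sample(entry):
    """Constructed header-only ELF64 image (segment bodies omitted): one RX PT_LOAD at
    0x400000 of 0x1A00 bytes whose only executable section covers 0x401000..0x401100."""
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9, 2, 0x3E, 1, entry,
                     EHDR.size, EHDR.size + PHDR.size, 0, EHDR.size, PHDR.size, 1, SHDR.size, 1, 0)
    phdr = PHDR.pack(PT_LOAD, 5, 0, 0x400000, 0x400000, 0x1A00, 0x1A00, PAGE_SIZE)
    shdr = SHDR.pack(1, 1, SHF_EXECINSTR | 2, 0x401000, 0x1000, 0x100, 0, 0, 16, 0)
    return ehdr + phdr + shdr

CLEAN = build_sample(0x401000)        # entry at the start of the executable section
REDIRECTED = build_sample(0x401800)   # entry moved into the 0x200-byte segment tail

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("redirected", REDIRECTED)):
        print(name, entry_checks(img))
```

Run it against a real binary by passing the file's bytes to entry_checks; a False in entry_in_exec_section is a triage hint, not proof, since hand-written or stripped binaries can also place their entry outside a marked section.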

2. How does the virus code return to the real entry point of the ELF file?

There are many possible methods and tricks; here we use the PUSH + RET combination:

__asm__ volatile (
    ...
    "return:\n\t"
    "push $0xAABBCCDD\n\t"
    "ret\n"
    ::);

0xAABBCCDD is a placeholder for the real program entry address, which is written in when the virus code is inserted into the infected program.

V. Debugging methods in the new compilation environment
The following is a code snippet:

g-elf-infector.c  gsyscall.h  gunistd.h  gvirus.c  gvirus.h  foo.c
Makefile  parasite-sample.c  parasite-sample.h

Adjust the Makefile to build in debugging mode, that is, disable the -DNDEBUG option:

grip2@linux:~/tmp/virus> cat Makefile
all: foo gei

gei: g-elf-infector.c gvirus.o
	gcc -O2 $< gvirus.o -o gei -Wall #-DNDEBUG

foo: foo.c
	gcc $< -o f