Analyze the working process and key links of the Linux virus prototype (1)

Source: Internet
Author: User

I. Introduction
The purpose of this article is to summarize the code of a Linux virus prototype I recently wrote, and to give a brief introduction for readers interested in this area. To follow this article, you need some knowledge of ELF, the ability to read C code with embedded assembly, and an understanding of the basic working principles of viruses.
II. ELF Infector (ELF File Infector)
To create a virus file, we need an ELF file infector to produce the first virus file. The ELF file infection technique is already analyzed and described very well in the article "Unix ELF Parasites and Virus" by Silvio Cesare; I have not found anything to add to it, so here I will simply quote Silvio Cesare's summary of the ELF infection process for your reference:

The final algorithm, using this information, is:
* Increase p_shoff by PAGE_SIZE in the ELF header
* Patch the insertion code (parasite) to jump to the entry point (original)
* Locate the text segment program header
* Modify the entry point of the ELF header to point to the new code (p_vaddr + p_filesz)
* Increase p_filesz to account for the new code (parasite)
* Increase p_memsz to account for the new code (parasite)
* For each phdr whose segment is after the insertion (text segment), increase p_offset by PAGE_SIZE
* For the last shdr in the text segment, increase sh_len by the parasite length
* For each shdr whose section resides after the insertion, increase sh_offset by PAGE_SIZE
* Physically insert the new code (parasite) and pad to PAGE_SIZE, into the file at text segment p_offset + p_filesz (original)
The g-elf-infector used in the Linux virus prototype is based on this principle. The appendix contains the source code of this infection tool, g-elf-infector.c. g-elf-infector is independent of the virus; it is used only to make the first virus file. I will briefly introduce how it works. g-elf-infector.c can be used for whatever you like: it inserts binary code into the text segment of the specified file, and that code is executed first when the target file runs. The interface of g-elf-infector.c is simple; you only need to provide the following three definitions:
* The location inside your binary code where the return address is stored. What is needed here is the offset of that location from the start of the code; the infector writes the original entry point there so that control can be returned to the target program's normal entry.
#define PARACODE_RETADDR_ADDR_OFFSET 1232

* The binary code to be inserted. It is written in C, so it must be provided in the form of a function:
void parasite_code(void);
* The end of the binary code. An empty trailing function is used to compute the code length:
void parasite_code_end(void);
parasite_code_end should be the first function defined after parasite_code, which is usually written as follows:
void parasite_code(void)
{
    .........
}
void parasite_code_end(void) {}
There is a problem here: the compiler may place parasite_code_end in front of parasite_code, which makes the computed code length wrong. To avoid this, you can do the following:
void parasite_code(void)
{
    .........
}
void parasite_code_end(void) { parasite_code(); }
With these three definitions, g-elf-infector can be compiled and used to infect ELF files.
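A defender-side check that follows from the algorithm quoted above: the infector moves e_entry to the original end of the text segment and stretches the last section header of that segment over the parasite, so in an infected file the entry point no longer lies inside .text. This is an added example, not code from this article or from g-elf-infector; it assumes a 64-bit little-endian ELF, and build_image is a constructed minimal image used only as sample input.

```python
import struct

EHDR = "<16sHHIQQQIHHHHHH"  # ELF64 file header, 64 bytes
SHDR = "<IIQQQQIIQQ"        # ELF64 section header, 64 bytes

def section_at_entry(image):
    """Return the name of the section whose [sh_addr, sh_addr+sh_size)
    range contains e_entry, or None if no section covers it."""
    h = struct.unpack_from(EHDR, image, 0)
    if h[0][:4] != b"\x7fELF" or h[0][4] != 2:
        raise ValueError("not an ELF64 image")
    e_entry, e_shoff, e_shentsize, e_shnum, e_shstrndx = h[4], h[6], h[11], h[12], h[13]
    shdrs = [struct.unpack_from(SHDR, image, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    strtab = shdrs[e_shstrndx][4]          # file offset of .shstrtab
    for sh in shdrs:
        sh_name, sh_addr, sh_size = sh[0], sh[3], sh[5]
        if sh_addr and sh_addr <= e_entry < sh_addr + sh_size:
            end = image.index(b"\0", strtab + sh_name)
            return image[strtab + sh_name:end].decode()
    return None

def entry_outside_text(image):
    """Heuristic: a parasite appended to the text segment is reached through an
    entry point that falls in the segment's last section (or in no section),
    not in .text. Normal toolchain output puts _start inside .text."""
    return section_at_entry(image) != ".text"

def build_image(entry, text=(0x401000, 0x200), last=(0x401200, 0x100)):
    """Constructed ELF64 image (sample input, not a real binary): a NULL section,
    .text, a trailing .eh_frame and .shstrtab, with e_entry set to `entry`.
    Only the fields the check reads are meaningful."""
    names = b"\0.text\0.eh_frame\0.shstrtab\0"   # .text at 1, .eh_frame at 7, .shstrtab at 17
    shoff = 64 + len(names)
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9     # ELFCLASS64, little-endian
    ehdr = struct.pack(EHDR, ident, 2, 62, 1, entry, 0, shoff, 0, 64, 56, 0, 64, 4, 3)
    shdrs = struct.pack(SHDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    shdrs += struct.pack(SHDR, 1, 1, 6, text[0], 0x1000, text[1], 0, 0, 16, 0)
    shdrs += struct.pack(SHDR, 7, 1, 2, last[0], 0x1200, last[1], 0, 0, 8, 0)
    shdrs += struct.pack(SHDR, 17, 3, 0, 0, 64, len(names), 0, 0, 1, 0)
    return ehdr + names + shdrs

if __name__ == "__main__":
    for entry in (0x401020, 0x401280, 0x500000):
        print(hex(entry), section_at_entry(build_image(entry)),
              "SUSPICIOUS" if entry_outside_text(build_image(entry)) else "ok")
```

On a real file, pass open(path, "rb").read(); the check is a heuristic that flags any binary whose entry lies outside .text, so treat a hit as something to inspect rather than a verdict.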
III. Virus prototype work process
1. First, use the ELF infector to insert the virus code into an ELF file. This creates the first infected file; all subsequent propagation starts from it.
2. When an infected file is executed, control first jumps to the virus code.
3. The virus code starts its work. In this prototype, the virus directly begins to spread.
4. The virus traverses every file in the current directory. If a file is an ELF file that meets the conditions, infection begins.
5. The infection process is similar to that of the ELF infector. However, because the working environment is different, the code implementation is also quite different.
6. Currently, the basic requirement for infecting an ELF file is that the text segment must have space to accommodate the virus code. If it does not, the virus ignores that ELF. An already-infected file has no space left in its text segment, so it is not infected a second time.
7. After the virus code has run, it must restore the stack and all registers, and then jump back to the real entry point of the executable so that normal execution begins.
The description so far may look like any virus description we have long known, and indeed the principle is the same; the difference lies in the implementation. Next we analyze some technical issues to understand the specific implementation ideas.