I. Introduction
This article summarizes a Linux virus prototype I recently wrote, as a brief introduction for readers interested in the topic. To follow it, you need some knowledge of ELF, the ability to read C code with inline assembly, and an understanding of the basic working principles of viruses.
II. ELF Infector (ELF File Infector)
To create the first virus-carrying file, we need an ELF file infector. ELF file infection has already been analyzed and described very well in Silvio Cesare's article "Unix ELF parasites and virus"; I have found nothing to add in that regard, so I reproduce Silvio Cesare's summary of the ELF infection process here for reference:
The final algorithm using this information is:
* Increase p_shoff by PAGE_SIZE in the ELF header
* Patch the insertion code (parasite) to jump to the entry point (original)
* Locate the text segment program header
    * Modify the entry point of the ELF header to point to the new code (p_vaddr + p_filesz)
    * Increase p_filesz to account for the new code (parasite)
    * Increase p_memsz to account for the new code (parasite)
* For each phdr whose segment is after the insertion (text segment)
    * Increase p_offset by PAGE_SIZE
* For the last shdr in the text segment
    * Increase sh_len by the parasite length
* For each shdr whose section resides after the insertion
    * Increase sh_offset by PAGE_SIZE
* Physically insert the new code (parasite) and pad to PAGE_SIZE, into the file - text segment p_offset + p_filesz (original)
The g-elf-infector used in the Linux virus prototype is based on this principle. The source code of this infection tool, g-elf-infector.c, is given in the appendix. g-elf-infector is independent of the virus; it is used only when making the first virus file. I will briefly introduce how it works. g-elf-infector.c can be used for anything you want: it inserts binary code into the text segment of the specified file, and that code is executed first when the target file is executed. The g-elf-infector.c interface is simple; you only need to provide the following three definitions:
* The address that stores the return address of your binary code. What is needed here is the offset between this address and the start of the code; through it the binary code returns to the normal entry point of the target program:
#define PARACODE_RETADDR_ADDR_OFFSET 1232
* The binary code to be inserted (since it is written in C, it must be provided as a function):
void parasite_code(void);
* The end of the binary code (for ease of use, an ending function is used to calculate the code length):
void parasite_code_end(void);
parasite_code_end should be the first function defined after parasite_code. Generally it looks like this:
void parasite_code(void)
{
    ...
    ...
    ...
}
void parasite_code_end(void) {}
There is a problem here: during compilation, parasite_code_end may be placed at a lower address than parasite_code, which makes the code length calculation fail. To avoid this problem, you can do the following:
void parasite_code(void)
{
    ...
    ...
    ...
}
void parasite_code_end(void) { parasite_code(); }  /* the reference keeps the two functions ordered */
With these three definitions in place, g-elf-infector can be compiled and used to infect ELF files.
III. Virus prototype work process
1. First, use the ELF infector to inject the virus code into an ELF file. This creates the first virus-carrying file, which is used for subsequent propagation.
2. When a virus-infected file is executed, control first jumps to the virus code.
3. The virus code starts its work. In this prototype, the virus directly begins to spread.
4. The virus traverses every file in the current directory. If a file is a qualifying ELF file, the virus infects it.
5. The virus's infection process is similar to that of the ELF infector. However, because the working environment is different, the code implementation is also quite different.
6. Currently, the basic requirement for an ELF file to be infected is that its text segment must have enough spare space to hold the virus code. If this is not met, the virus ignores the ELF file. An ELF file that has been infected once has no space left in its text segment, so it is not infected a second time.
7. After the virus code has run, the stack and all registers are restored (this is important), and control jumps back to the real entry point of the executable so that normal execution begins.
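The layout changes in the algorithm quoted in section II, and the prototype's requirement in step 6 that the parasite fit into spare space of the text segment, both leave a structural trace that a defender can look for: the entry point is moved away from the linker-placed code in .text, and the text segment's file image ends later than the last section it contains. The following Python scanner is an added example written for this article, not the author's code or part of g-elf-infector: it parses an ELF64 image with the standard library only and reports those two anomalies as a triage heuristic. All function names are mine, and build_sample constructs a minimal placeholder ELF image (no real machine code) that mimics the post-infection layout; real binaries can be passed on the command line.

```python
import struct
import sys

# struct layouts for little-endian ELF64 (field order from the ELF spec)
ELF64_EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # 64 bytes
ELF64_PHDR = struct.Struct("<IIQQQQQQ")           # 56 bytes
ELF64_SHDR = struct.Struct("<IIQQQQIIQQ")         # 64 bytes
PT_LOAD, PF_X = 1, 1
SHT_NOBITS, SHF_ALLOC = 8, 2


def parse_elf64(data):
    """Parse the ELF header, program headers and section headers (with
    names) of a little-endian ELF64 image into a dict."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (_, _, _, _, e_entry, e_phoff, e_shoff, _, _, e_phentsize, e_phnum,
     e_shentsize, e_shnum, e_shstrndx) = ELF64_EHDR.unpack_from(data, 0)
    phdrs = [ELF64_PHDR.unpack_from(data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    shdrs = [ELF64_SHDR.unpack_from(data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    names = []
    if shdrs:
        strtab_off = shdrs[e_shstrndx][4]          # sh_offset of .shstrtab
        for sh in shdrs:
            start = strtab_off + sh[0]             # sh_name indexes into it
            names.append(data[start:data.index(b"\0", start)].decode())
    return {"entry": e_entry, "phdrs": phdrs, "shdrs": shdrs, "names": names}


def check_text_segment(data):
    """Return a list of findings; an empty list means the layout looks like
    what a linker produces (heuristic, not proof either way)."""
    elf = parse_elf64(data)
    entry, findings = elf["entry"], []
    # phdr tuple fields: type, flags, offset, vaddr, paddr, filesz, memsz, align
    seg = next((p for p in elf["phdrs"] if p[0] == PT_LOAD and p[1] & PF_X), None)
    if seg is None:
        return ["no executable PT_LOAD segment"]
    seg_start, seg_end = seg[3], seg[3] + seg[5]
    if not seg_start <= entry < seg_end:
        findings.append(f"entry point {entry:#x} outside the text segment")
    if not elf["shdrs"]:
        findings.append("section table missing; cannot locate .text")
        return findings
    # Check 1: the entry point should fall inside .text.
    # shdr tuple fields: name, type, flags, addr, offset, size, ...
    text = next((sh for n, sh in zip(elf["names"], elf["shdrs"]) if n == ".text"), None)
    if text is None:
        findings.append("no .text section")
    elif not text[3] <= entry < text[3] + text[5]:
        findings.append(f"entry point {entry:#x} lies outside .text "
                        f"[{text[3]:#x}, {text[3] + text[5]:#x})")
    # Check 2: the segment's file image should end where its last file-backed
    # section ends; extra bytes mean something was appended after linking.
    ends = [sh[3] + sh[5] for sh in elf["shdrs"]
            if sh[1] != SHT_NOBITS and sh[2] & SHF_ALLOC and seg_start <= sh[3] < seg_end]
    if ends and seg_end > max(ends):
        findings.append(f"text segment extends {seg_end - max(ends):#x} bytes "
                        f"past its last section")
    return findings


def build_sample(appended=0):
    """Construct a minimal ELF64 image (constructed sample, not a runnable
    program). With appended > 0 it mimics the post-infection layout: the
    entry moves to p_vaddr + original p_filesz and p_filesz grows."""
    base, text_off, text_size = 0x400000, 0x100, 0x40
    orig_filesz = text_off + text_size            # segment ends with .text
    seg_filesz = orig_filesz + appended
    entry = base + (orig_filesz if appended else text_off)
    shstrtab = b"\0.text\0.shstrtab\0"            # names at index 1 and 7
    strtab_off = orig_filesz + appended
    shoff = (strtab_off + len(shstrtab) + 7) & ~7
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    img = bytearray(shoff + 3 * ELF64_SHDR.size)
    img[0:64] = ELF64_EHDR.pack(ident, 2, 0x3E, 1, entry, 64, shoff, 0, 64,
                                ELF64_PHDR.size, 1, ELF64_SHDR.size, 3, 2)
    img[64:64 + ELF64_PHDR.size] = ELF64_PHDR.pack(
        PT_LOAD, 5, 0, base, base, seg_filesz, seg_filesz, 0x1000)
    img[text_off:orig_filesz] = b"\xc3" * text_size   # placeholder body: 'ret'
    img[strtab_off:strtab_off + len(shstrtab)] = shstrtab
    for i, sh in enumerate([
            ELF64_SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
            ELF64_SHDR.pack(1, 1, 6, base + text_off, text_off, text_size, 0, 0, 16, 0),
            ELF64_SHDR.pack(7, 3, 0, 0, strtab_off, len(shstrtab), 0, 0, 1, 0)]):
        img[shoff + i * 64:shoff + (i + 1) * 64] = sh
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:                          # scan files given on the command line
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, check_text_segment(f.read()) or "clean")
    else:                                          # demo on the constructed samples
        print("clean   :", check_text_segment(build_sample()))
        print("appended:", check_text_segment(build_sample(appended=0x80)))
```

Both checks are heuristics: a stripped binary has no section table, and some toolchains lay segments out differently, so treat findings as a reason to look closer (compare against the package's original file, check the bytes at the entry point) rather than as a verdict.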
The prototype introduced so far may seem no different from the viruses we have long known. Is there a difference? Yes, there is. The principle is similar; the key lies in the implementation. Next we analyze some technical issues to understand the specific implementation ideas.