Research on viruses in Linux

Source: Internet
Author: User
1. Introduction

This article discusses how to modify an ELF file so that its shared library calls are redirected. By modifying the Procedure Linkage Table (PLT) of an executable, an infected file can redirect the calls it makes to external functions. This is much better than redirecting the calls by setting the LD_PRELOAD environment variable: first, no environment variable has to be modified, and second, it is more concealed. This article gives an implementation for x86/Linux. If you are interested in UNIX system viruses, refer to the following URLs:

http://virus.beergrave.net/ (UNIX virus mailing list)
http://www.big.net.au/~silvio (author's homepage)

2. Procedure Linkage Table (PLT)

The ELF specification describes the Procedure Linkage Table as follows:

Procedure Linkage Table (PLT)

In an ELF file, just as the Global Offset Table (GOT) redirects position-independent address calculations to absolute locations, the Procedure Linkage Table redirects position-independent function calls to absolute locations. The link editor cannot resolve transfers of control (such as function calls) from one executable or shared object to another. Consequently, the link editor arranges for the program to transfer control to entries in the Procedure Linkage Table (PLT). On System V, procedure linkage tables reside in shared text, but they use addresses held in the private Global Offset Table. The dynamic linker, for example ld-2.2.2.so, determines the absolute addresses of the destinations and modifies the memory image of the Global Offset Table accordingly. The dynamic linker can therefore redirect the entries without compromising the position independence and sharability of the program's text. Executable files and shared object files have separate procedure linkage tables.

Absolute Procedure Linkage Table:

    .PLT0: pushl got_plus_4
           jmp   *got_plus_8
           nop; nop
           nop; nop
    .PLT1: jmp   *name1_in_GOT
           pushl $offset
           jmp   .PLT0@PC
    .PLT2: jmp   *name2_in_GOT
           pushl $offset
           jmp   .PLT0@PC
           ...

Position-independent Procedure Linkage Table (%ebx holds the address of the GOT):

    .PLT0: pushl 4(%ebx)
           jmp   *8(%ebx)
           nop; nop
           nop; nop
    .PLT1: jmp   *name1@GOT(%ebx)
           pushl $offset
           jmp   .PLT0@PC
    .PLT2: jmp   *name2@GOT(%ebx)
           pushl $offset
           jmp   .PLT0@PC
           ...
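The trampoline structure in both listings makes a file-level integrity check possible: in an executable that has not yet been relocated, every GOT slot named by a PLTn entry must still point back at that entry's pushl (entry + 6), and every entry's final jmp must land on .PLT0, so a slot or trampoline that has been rewritten to point elsewhere stands out. The following Python is an added example, not part of the original article or the author's code; the addresses and the two-entry PLT it builds are constructed for the demo, and it decodes both the absolute and the %ebx-relative entry forms shown above.

```python
import struct
PLT_ENTRY = 16  # every entry in the x86 PLT listings above is 16 bytes long

def parse_plt_entry(entry, entry_addr, got_addr):
    """Decode one PLTn entry; return (got_slot_addr, jmp_target) or raise ValueError."""
    op = entry[:2]
    if op == b"\xff\x25":    # jmp *abs32          (absolute PLT, first listing)
        slot = struct.unpack_from("<I", entry, 2)[0]
    elif op == b"\xff\xa3":  # jmp *disp32(%ebx)   (PIC PLT, second listing; %ebx holds GOT)
        slot = got_addr + struct.unpack_from("<i", entry, 2)[0]
    else:
        raise ValueError("entry at %#x: unexpected opcode %r" % (entry_addr, op))
    if entry[6] != 0x68 or entry[11] != 0xE9:   # pushl $imm32 ; jmp rel32
        raise ValueError("entry at %#x: pushl/jmp pattern missing" % entry_addr)
    rel32 = struct.unpack_from("<i", entry, 12)[0]  # relative to the next instruction
    return slot, entry_addr + PLT_ENTRY + rel32

def check_plt(plt, plt_addr, gotplt, gotplt_addr):
    """Return a finding for every PLTn entry whose trampoline or GOT slot was rewritten."""
    findings = []
    for i in range(1, len(plt) // PLT_ENTRY):
        addr = plt_addr + i * PLT_ENTRY
        try:
            slot, target = parse_plt_entry(plt[i * PLT_ENTRY:(i + 1) * PLT_ENTRY], addr, gotplt_addr)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if target != plt_addr:
            findings.append("PLT%d: jmp goes to %#x, not .PLT0" % (i, target))
        off = slot - gotplt_addr
        if not 0 <= off <= len(gotplt) - 4:
            findings.append("PLT%d: GOT slot %#x lies outside .got.plt" % (i, slot))
        # In an unrelocated file image the slot must point back at its own pushl (entry + 6)
        elif (value := struct.unpack_from("<I", gotplt, off)[0]) != addr + 6:
            findings.append("PLT%d: GOT slot %#x holds %#x, expected %#x" % (i, slot, value, addr + 6))
    return findings

def build_sample(tamper):
    """Constructed demo input (addresses invented): absolute PLT with two entries plus its
    .got.plt; with tamper=True the slot of PLT2 is pointed outside .plt, as a redirect would."""
    plt_addr, got_addr = 0x8048300, 0x8049FF4
    plt = b"\xff\x35" + struct.pack("<I", got_addr + 4) + b"\xff\x25" + struct.pack("<I", got_addr + 8) + b"\x90" * 4  # .PLT0
    got = struct.pack("<III", 0, 0, 0)  # reserved slots: _DYNAMIC, link_map, resolver entry
    for n in (1, 2):
        addr, slot = plt_addr + n * PLT_ENTRY, got_addr + 8 + 4 * n
        plt += b"\xff\x25" + struct.pack("<I", slot)                         # jmp *nameN_in_GOT
        plt += b"\x68" + struct.pack("<I", 8 * (n - 1))                      # pushl $offset
        plt += b"\xe9" + struct.pack("<i", plt_addr - (addr + PLT_ENTRY))    # jmp .PLT0
        got += struct.pack("<I", 0x8048ABC if tamper and n == 2 else addr + 6)
    return plt, plt_addr, got, got_addr
```

The check applies to the on-disk image (or to a process before lazy binding has run, since afterwards the slots legitimately hold library addresses), and to the classic 16-byte entry layout shown here rather than the IBT-enabled .plt.sec layout emitted by newer toolchains.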
