Research on viruses in Linux

Source: Internet
Author: User
Research on viruses in Linux-general Linux technology-Linux programming and kernel information. The following is a detailed description. 1. Introduction

This article discusses how to modify an ELF file to implement redirection of shared library calls. Modifying the program connection Table of an executable file allows an infected file to call external functions. This is much better than modifying the LD_PRELOAD environment variable to implement the redirection of the call. First, the environment variable is not modified, and the second is more concealed. This article provides an implementation based on x86/Linux. If you are interested in UNIX system viruses, refer to the following URL:

Http://virus.beergrave.net/(UNIX virus email list)
Http://www.big.net.au /~ Silvio (author's homepage)

2. Procedure Linkage Table)

The following describes the program connection table in the ELF specification:

Program connection table (PLT)

In the ELF file, the Global Offset Table (GOT) can locate the location-independent address to the absolute address, and the program connection Table also plays a similar role, it can direct location-independent function calls to absolute addresses. The link editor cannot resolve the transfer of a program from an executable file or shared library target to another execution. As a result, the connection editor can only arrange some entries containing the transfer control to the program connection table (PLT. In system V, the program connection tables are located in the shared body, but they use the addresses in the private global offset table. Dynamic connectors, such as ld-2.2.2.so, determine the absolute address of the target and modify the image of the global offset table in memory. As a result, dynamic connectors can redirect these entries without damaging the location independence and sharing features of the program body. The executable files and shared target files have their own program connection tables.

. PLT0ushl got_plus_4
Jmp * got_plus_8
Nop; nop
Nop; nop
. PLT1: jmp * name‑in_got
Pushl $ offset
Jmp. PLT0 @ PC
. PLT2: jmp * name2_in_GOT
Pushl $ offset
Jmp. PLT0 @ PC
.......

. PLT0ushl 4 (% ebx)
Jmp * 8 (% ebx)
Nop; nop
Nop; nop
. PLT1: jmp * name1 @ GOT (% ebx)
Pushl $ offset
Jmp. PLT0 @ PC
. PLT2: jmp name2 @ GOT (% ebx)
Pushl $ offset
Jmp. PLT0 @ PC
....
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.