The Linux Virus Writing HOWTO

post link-time code modification of ELF executables under Linux/i386

Alexander Bartolich

alexander.bartolich@gmx.at

This document describes how to write parasitic file viruses that infect ELF executables on Linux/i386. Though it contains a lot of source code, no actual virus is included. Every infection method mentioned is accompanied by a practical guide to detection.


Table of Contents
1. Introduction
1.1. Behind the stages
1.2. Copyright & trademarks
1.3. Disclaimer
1.4. Credits
1.5. Feedback
2. Before we start
2.1. What exactly is a virus?
2.2. Worm vs. virus
2.3. Freedom is security
3. The magic of the Elf
3.1. In the language of mortals
3.2. How it works
3.3. Showing off some tools
3.4. In doubt use force
3.5. In the language of evil
3.6. Other roads to ELF
4. readelf
4.1. Bashful glance
4.2. Turn the pages
4.3. The plan
4.4. Paranoid android
5. One step closer to the edge
5.1. INFECTION_SIZE
5.2. Target::infection
5.3. main
5.4. The opening
5.5. isSuitable
5.6. Patch entry address
5.7. Patching program headers
5.8. Patching section headers
5.9. Copy & infect
5.10. writeInfection
5.11. Off we go
6. The entry point
6.1. First scan
6.2. Second scan
6.3. Patch me if you can
6.4. Disassemble it again, Sam
6.5. patchEntryAddr 2.0
6.6. Second verse, same as the first
6.7. Use the Source, Luke
6.8. patchEntryAddr 3.0
6.9. Two is company, three is an orgy
7. Remote shell trojan (RST)
7.1. Three years later
7.2. The lighter side
7.3. Another three months later
7.4. The serious side
7.5. Another theory
8. Additional code segments
8.1. A simple plan
8.2. patchPhdr
8.3. newEntryAddr
8.4. patchShdr
8.5. copyAndInfect
8.6. To serve & detect
9. Doing it in C
9.1. System calls
9.2. Position independent code
9.3. writeInfection
9.4. A section called .text
9.5. The stub
9.6. All together now
9.7. Off we go again
A. Revision history
B. GNU Free Documentation License
C. GNU General Public License