The Linux Virus Writing HOWTO

post link-time code modification of ELF executables under Linux/i386

Alexander Bartolich

alexander.bartolich@gmx.at

Revision History
Revision "When you don't know what you are doing, do it neatly." 2002-04-18
Changed some SGML tags, "A closer look", "The entry point", and started "Suspicious code".

This document describes how to write parasitic file viruses infecting ELF executables on Linux/i386. Though it contains a lot of source code, no actual virus is included. Every infection method mentioned is accompanied by a practical guide to detection.


Table of Contents
1. Introduction
1.1. Behind the stages
1.2. Copyright & trademarks
1.3. Disclaimer
1.4. Credits
1.5. Feedback
2. Before we start
2.1. What exactly is a virus?
2.2. Worm vs. virus
2.3. Freedom is security
3. The magic of the Elf
3.1. In the language of mortals
3.2. How it works
3.3. Showing off some tools
3.4. In doubt use force
3.5. In the language of evil
3.6. Other roads to ELF
4. readelf
4.1. Bashful glance
4.2. Turn the pages
4.3. The plan
4.4. Paranoid android
5. One step closer to the edge
5.1. INFECTION_SIZE
5.2. Target::infection
5.3. main
5.4. The opening
5.5. isSuitable
5.6. Patch entry address
5.7. Patching program headers
5.8. Patching section headers
5.9. Copy & infect
5.10. writeInfection
5.11. Off we go
6. A closer look
6.1. First scan
6.2. Looking around
6.3. Second scan
7. The entry point
7.1. Disassemble it again, Sam
7.2. patchEntryAddr 2.0
7.3. Second verse, same as the first
7.4. Use the Source, Luke
7.5. patchEntryAddr 3.0
7.6. Two is company, three is an orgy
8. Remote shell trojan (RST)
8.1. Three years later
8.2. The lighter side
8.3. Another three months later
8.4. The serious side
8.5. Another theory
9. Additional code segments
9.1. A simple plan
9.2. patchPhdr
9.3. newEntryAddr
9.4. patchShdr
9.5. copyAndInfect
9.6. To serve & detect
10. Doing it in C
10.1. System calls
10.2. Position independent code
10.3. writeInfection
10.4. A section called .text
10.5. The stub
10.6. All together now
10.7. Off we go again
11. Suspicious code
11.1. Extracting sections
A. Revision history
B. GNU Free Documentation License
C. GNU General Public License