The ELF Virus Writing HOWTO

i386-redhat-linux

Alexander Bartolich

alexander.bartolich@gmx.at

This is a platform specific volume of TEVWH. See the global part for introduction, copyright, licensing and other legal issues.

I worked with an installation of "Red Hat Linux release 7.3 (Valhalla)". [1] The freely downloadable CDs [2] contain all of the tools used (package name and RPM version as shipped):

bash-2.05a-13
bc-1.06-8
binutils-2.11.93.0.2-11
file-3.37-5
findutils-4.1.7-4
gcc-2.96-110
gcc-c++-2.96-110
gdb-5.1.90CVS-5
glibc-2.2.5-34
make-3.79.1-8
man-pages-1.48-2
nasm-0.98.22-2
perl-5.6.1-34.99.6
util-linux-2.11n-12


Table of Contents
1. The magic of the Elf
1.1. In the language of mortals
1.2. How it works
1.3. Strings and dumps
1.4. The address of main
1.5. Other roads to ELF
2. The language of evil
2.1. In doubt use force
2.2. In the language of evil
2.3. Enter evil
2.4. Evil magic revealed
2.5. Dressing up binary code
3. readelf
3.1. Bashful glance
3.2. Turn the pages
3.3. The plan
3.4. Paranoid android
4. One step closer to the edge
4.1. INFECTION_SIZE
4.2. Target::infection
4.3. main
4.4. The opening
4.5. isSuitable
4.6. Patch entry address
4.7. Patching program headers
4.8. Patching section headers
4.9. Copy & infect
4.10. writeInfection
4.11. Off we go
5. A closer look
5.1. First scan
5.2. Looking around
5.3. Second scan
6. The entry point
6.1. Disassemble it again, Sam
6.2. patchEntryAddr 2.0
6.3. Second verse, same as the first
6.4. Use the Source, Luke
6.5. patchEntryAddr 3.0
6.6. Two is company, three is an orgy
7. Additional code segments
7.1. Magic of the GNU
7.2. A simple plan
7.3. patchPhdr
7.4. newEntryAddr
7.5. patchShdr
7.6. copyAndInfect
7.7. To serve & detect
8. Doing it in C
8.1. System calls
8.2. Position independent code
8.3. writeInfection
8.4. A section called .text
8.5. The stub
8.6. All together now
8.7. Off we go again
9. The stub revisited
9.1. Disassembly
9.2. Stack dump
9.3. Another look at the source
9.4. A few bytes on the stack
9.5. First implementation
9.6. First test
9.7. Second implementation
9.8. Second test
10. Suspicious code
10.1. Extracting sections

Notes

[1]

http://www.redhat.com/

[2]

http://www.redhat.com//download/howto_download.html