The ELF Virus Writing HOWTO

i386-redhat7.3-linux

Alexander Bartolich

alexander.bartolich@gmx.at

Revision History
Revision "We had joy, we had fun, we had seasons on a Sun." 2002-10-23

This is a platform-specific volume of TEVWH. See the global part for introduction, copyright, licensing and other legal issues. This part was built on an installation of "Red Hat Linux release 7.3 (Valhalla)" [1] running on i386. The freely downloadable CDs [2] contain all of the packages used, in the versions listed below (name-version-release, as reported by rpm -q).

bash-2.05a-13
bc-1.06-8
binutils-2.11.93.0.2-11
file-3.37-5
fileutils-4.1-10
findutils-4.1.7-4
gcc-2.96-110
gdb-5.1.90CVS-5
glibc-common-2.2.5-34
glibc-devel-2.2.5-34
grep-2.5.1-1
make-3.79.1-8
man-1.5j-6
man-pages-1.48-2
mt-st-0.7-3
nasm-0.98.22-2
perl-5.6.1-34.99.6
rpm-4.0.4-7x.18
sed-3.02-11
sh-utils-2.0.11-14
strace-4.4-4
tcsh-6.10-6
textutils-2.0.21-1
util-linux-2.11n-12
vim-common-6.1-2
which-2.13-3
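Because later chapters compare disassembly and section layouts byte for byte, it matters that the toolchain matches the versions above. The following shell check is an added example, not part of the HOWTO: it reads an `rpm -qa` style listing on stdin and reports, for each package listed above, whether it is present at exactly that name-version-release. The package list is copied from this page; the "installed" sample the script runs against is constructed for the demonstration (binutils bumped by one release, nasm removed, an unrelated kernel package added) and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the HOWTO): verify that the build environment matches
# the package versions the HOWTO was built with. EXPECTED is copied from the
# page; SAMPLE_INSTALLED further down is a constructed rpm -qa listing.

EXPECTED='bash-2.05a-13
bc-1.06-8
binutils-2.11.93.0.2-11
file-3.37-5
fileutils-4.1-10
findutils-4.1.7-4
gcc-2.96-110
gdb-5.1.90CVS-5
glibc-common-2.2.5-34
glibc-devel-2.2.5-34
grep-2.5.1-1
make-3.79.1-8
man-1.5j-6
man-pages-1.48-2
mt-st-0.7-3
nasm-0.98.22-2
perl-5.6.1-34.99.6
rpm-4.0.4-7x.18
sed-3.02-11
sh-utils-2.0.11-14
strace-4.4-4
tcsh-6.10-6
textutils-2.0.21-1
util-linux-2.11n-12
vim-common-6.1-2
which-2.13-3'

# nvr_name NVR: strip "-version-release", i.e. the last two '-' separated
# fields. Package names may themselves contain '-' (glibc-common, man-pages,
# util-linux), so splitting on the first '-' would give the wrong name.
nvr_name() {
    printf '%s\n' "${1%-*-*}"
}

# check_packages: reads an rpm -qa style listing on stdin and prints one line
# per expected package: "ok NVR", "version NVR (installed: OTHER)" or
# "missing NVR". Returns 0 only if every package is present at the listed
# name-version-release.
check_packages() {
    installed=$(cat)
    status=0
    for want in $EXPECTED; do
        name=$(nvr_name "$want")
        # -x forces a whole-line match, so the name "man" matches
        # "man-1.5j-6" but not "man-pages-1.48-2" (one '-' too many).
        have=$(printf '%s\n' "$installed" | grep -x "$name-[^-]*-[^-]*" | head -n 1)
        if [ -z "$have" ]; then
            echo "missing $want"
            status=1
        elif [ "$have" != "$want" ]; then
            echo "version $want (installed: $have)"
            status=1
        else
            echo "ok $want"
        fi
    done
    return $status
}

# Constructed sample of an installation that deviates from the HOWTO's:
# binutils is one release newer, nasm is not installed, and an unrelated
# package is present, which the check must ignore.
SAMPLE_INSTALLED=$(printf '%s\n' "$EXPECTED" \
    | sed -e 's/^binutils-2.11.93.0.2-11$/binutils-2.11.93.0.2-12/' -e '/^nasm-/d')
SAMPLE_INSTALLED="kernel-2.4.18-3
$SAMPLE_INSTALLED"

# On a real Red Hat host:   rpm -qa | check_packages
# Demo on the constructed sample (exits non-zero because it differs):
printf '%s\n' "$SAMPLE_INSTALLED" | check_packages \
    || echo "environment differs from the one the HOWTO was built on"
```

The whole-line match in grep is the part worth keeping even if you rewrite the rest: naive prefix matching on the package name would let `man-pages` satisfy a check for `man`, and `glibc-common` satisfy one for `glibc`, which is exactly the kind of silent mismatch that makes a later disassembly in this HOWTO differ from yours by a few bytes.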


Table of Contents
1. Variables & packages
1.1. The owner of files
1.2. The source of man-pages
1.3. Verifying installed packages
2. The magic of the Elf
2.1. How it works
2.2. Strings and dumps
2.3. The address of main
2.4. Other roads to ELF
3. Magic revealed
3.1. GDB to the rescue
3.2. In doubt use force
3.3. Write your name
4. The language of evil
4.1. e_entry
4.2. Devil in disguise
4.3. Infection #1
5. readelf & objdump
5.1. Segments
5.2. Sections
5.3. Bashful glance
5.4. Self modifying code
5.5. Final observations
6. Segment padding infection
6.1. Skim the horizon
6.2. Off we go
6.3. Magnifying glass
6.4. First scan
6.5. Second scan
7. The entry point
7.1. Disassemble it again, Sam
7.2. target_patch_entry_addr #2
7.3. Second verse, same as the first
7.4. Use the Source, Luke
7.5. target_patch_entry_addr #3
7.6. Two is company, three is an orgy
8. Additional code segments
8.1. Magic of the GNU
8.2. A simple plan
8.3. target_patch_phdr #2
8.4. target_new_entry_addr #2
8.5. target_patch_shdr #2
8.6. m/magic.of.elf.xml
8.7. To serve & detect
9. Doing it in C
9.1. System calls
9.2. Position independent code
9.3. target_write_infection #2
9.4. A section called .text
9.5. The stub
9.6. All together now
9.7. Off we go again
10. The stub revisited
10.1. Disassembly
10.2. Stack dump
10.3. Another look at the source
10.4. A few bytes on the stack
10.5. First implementation
10.6. First test
10.7. Second implementation
10.8. Second test
11. Suspicious code
11.1. Extracting sections

Notes

[1] http://www.redhat.com/

[2] http://www.redhat.com//download/howto_download.html