The ELF Virus Writing HOWTO

sparc-debian2.2-linux

Alexander Bartolich

alexander.bartolich@gmx.at

Revision History
Revision We had joy, we had fun, we had seasons on a Sun.2002-10-23

This is a platform specific volume of TEVWH. See the global part for introduction, copyright, licensing and other legal issues. This part was built on an installation of "Debian GNU/Linux 2.2" [1] running on sparc. The freely downloadable CDs [2] contain all used packages.

bash-2.03-6bc-1.05a-11
binutils-2.9.5.0.37-1bsdmainutils-4.7.1
cpio-2.4.2-32debianutils-1.13.3
debsums-1.2.6dpkg-1.6.15.2
file-3.28-1fileutils-4.0l-8
findutils-4.1-40gcc-1:2.95.2-13
gdb-4.18.19990928-1.0.1grep-2.4.2-1
ldso-1.9.11-9libc6-dev-2.1.3-20
make-3.79.1-1.potato.1man-db-2.3.16-4
manpages-dev-1.29-2perl-5.005-base-5.005.03-7.1
procps-1:2.0.6-5sed-3.02-5
shellutils-2.0-7strace-4.2-4
tcsh-6.09.00-10textutils-2.0-2
vim-5.6.070-1 


Table of Contents
1. Variables & packages
1.1. The owner of files
1.2. The source of man-pages
1.3. Verifying installed packages
2. The magic of the Elf
2.1. How it works
2.2. Strings and dumps
2.3. The address of main
2.4. Other roads to ELF
3. Magic revealed
3.1. GDB to the rescue
3.2. In doubt use force
3.3. Write your name
4. The language of evil
4.1. e_entry
4.2. Devil in disguise
4.3. Infection #1
5. readelf & objdump
5.1. Segments
5.2. Sections
5.3. Bashful glance
5.4. Self modifying code
5.5. Final observations
6. Segment padding infection
6.1. Skim the horizon
6.2. Off we go
6.3. Magnifying glass
6.4. First scan
6.5. Second scan

Notes

[1]

http://www.debian.org/

[2]

http://cdimage.debian.org/