The ELF Virus Writing HOWTO

sparc-debian2.2-linux

Alexander Bartolich

alexander.bartolich@gmx.at

Revision History
Revision I'm not a nerd - I'm "socially challenged".2003-01-07

This is a platform specific volume of TEVWH. See the global part for introduction, copyright, licensing and other legal issues. This part was built on an installation of "Debian GNU/Linux 2.2" [1] running on sparc. The freely downloadable CDs [2] contain all used packages.

bash-2.03-6bc-1.05a-11
binutils-2.9.5.0.37-1bsdmainutils-4.7.1
cpio-2.4.2-32debianutils-1.13.3
debsums-1.2.6dpkg-1.6.15.2
file-3.28-1fileutils-4.0l-8
findutils-4.1-40gcc-1:2.95.2-13
gdb-4.18.19990928-1.0.1grep-2.4.2-1
ldso-1.9.11-9libc6-dev-2.1.3-20
make-3.79.1-1.potato.1man-db-2.3.16-4
perl-5.005-base-5.005.03-7.1procps-1:2.0.6-5
sed-3.02-5shellutils-2.0-7
strace-4.2-4tcsh-6.09.00-10
textutils-2.0-2vim-5.6.070-1


Table of Contents
1. Variables & packages
1.1. Variables prefixed with TEVWH_
1.2. Variables prefixed with TEVWH_PATH_
1.3. The name of the X
1.4. The owner of files
1.5. The owner of /usr/bin/perl
1.6. The source of man-pages
1.7. Verifying installed packages
2. The magic of the Elf
2.1. How it works
2.2. Strings and dumps
2.3. The address of main
2.4. Other roads to ELF
3. Magic revealed
3.1. GDB to the rescue
3.2. In doubt use force
3.3. Write your name
4. The language of evil
4.1. Offset of e_entry
4.2. Extracting e_entry
4.3. Devil in disguise
4.4. Infection #1
5. Segments
5.1. objdump -fp
5.2. readelf -l
5.3. Observations
5.4. Segments of /bin/sh
5.5. Self modifying code
6. Sections
6.1. objdump -h
6.2. readelf
6.3. Observations
6.4. Sections of /bin/sh
7. Scanners
7.1. Finding targets
7.2. Scan entry point
7.3. Scan segments
7.4. Scan file size
8. Segment padding infection
8.1. Off we go
8.2. Magnifying glass
8.3. First scan
8.4. Second scan
9. The entry point

Notes

[1]

http://www.debian.org/

[2]

http://www.debian.org/CD/http-ftp/