The ELF Virus Writing HOWTO

i386-redhat8.0-linux

Alexander Bartolich

alexander.bartolich@gmx.at

This is a platform-specific volume of TEVWH. See the global part for the introduction, copyright, licensing and other legal issues. This part was built on an installation of "Red Hat Linux release 8.0 (Psyche)" running on i386. [1] The freely downloadable CDs [2] contain all the packages used, listed below with their exact versions.

bash-2.05b-5
bc-1.06-10
binutils-2.13.90.0.2-2
file-3.37-8
fileutils-4.1.9-11
findutils-4.1.7-7
gcc-3.2-7
gdb-5.2.1-4
glibc-common-2.2.93-5
glibc-devel-2.2.93-5
grep-2.5.1-4
make-3.79.1-14
man-1.5j-11
nasm-0.98.34-1
perl-5.8.0-55
rpm-4.1-1.06
sed-3.02-13
sh-utils-2.0.12-3
strace-4.4-8
tcsh-6.12-2
textutils-2.0.21-5
util-linux-2.11r-10
vim-common-6.1-14


Table of Contents
1. Variables and packages
1.1. Variables prefixed with TEVWH_
1.2. Variables prefixed with TEVWH_PATH_
1.3. The name of the X
1.4. The owner of files
1.5. The source of man-pages
1.6. Verifying installed packages
2. The magic of the Elf
2.1. How it works
2.2. Strings and dumps
2.3. The address of main
2.4. Other roads to ELF
3. Magic revealed
3.1. ndisasm
3.2. objdump -d
3.3. GDB to the rescue
3.4. In doubt use force
3.5. Write your name
4. The language of evil
4.1. Offset of e_entry
4.2. Extracting e_entry
4.3. Devil in disguise
4.4. Infection #1
5. Segments
5.1. objdump -fp
5.2. readelf -l
5.3. Observations
5.4. Segments of /bin/tcsh
5.5. Self modifying code
6. Sections
6.1. objdump -h
6.2. readelf
6.3. Observations
6.4. Sections of /bin/tcsh
7. Scanners
7.1. Finding executables
7.2. Scan entry point
7.3. Scan segments
7.4. A kingdom for a shell
7.5. Food for segment padding
7.6. Scan file size
8. Segment padding infection
8.1. Off we go
8.2. Magnifying glass
8.3. First scan
8.4. Second scan
9. Additional code segments
9.1. Scanning for NOTE
9.2. Give me NOTE
9.3. To serve & detect
10. The entry point
10.1. Disassemble it again, Sam
10.2. target_patch_entry_addr #2
10.3. Second verse, same as the first
10.4. Use the Source, Luke
10.5. target_patch_entry_addr #3
10.6. Two is company, three is an orgy
11. Doing it in C
11.1. System calls
11.2. Position independent code
11.3. target_write_infection #2
11.4. A section called .text
11.5. The stub
11.6. All together now
11.7. Off we go again
12. The stub revisited
12.1. Disassembly
12.2. Stack dump
12.3. Another look at the source
12.4. A few bytes on the stack
12.5. First implementation
12.6. First test
12.7. Second implementation
12.8. Second test
13. Suspicious code
13.1. Extracting sections

Notes

[1] http://www.redhat.com/

[2] http://www.redhat.com/download/howto_download.html