UNIX VIRUSES

- Silvio Cesare <silvio@big.net.au>

CONTENTS
--------

IMPROVING THIS MANUAL
THE UNIX-VIRUS MAILING LIST
INTRODUCTION
THE NON ELF INFECTOR FILE VIRUS (FILE INFECTION)
MEMORY LAYOUT OF AN ELF EXECUTABLE
ELF INFECTION
THE TEXT SEGMENT PADDING VIRUS (PADDING INFECTION)
INFECTING INFECTIONS
THE DATA SEGMENT VIRUS (DATA INFECTION)
VIRUS DETECTION
THE TEXT SEGMENT VIRUS (TEXT INFECTION)
INFECTION USING OBJECT CODE PARASITES
OBJECT CODE LINKING
THE IMPLEMENTED INFECTOR
NON (NOT AS) TRIVIAL PARASITE CODE
BEYOND ELF PARASITES AND ENTER VIRUS IN UNIX
THE LINUX PARASITE VIRUS
DEVELOPMENT OF THE LINUX VIRUS
IMPROVING THE LINUX VIRUS
VIRUS DETECTION
EVADING VIRUS DETECTION IN ELF INFECTION
CONCLUSION
SOURCE (UUENCODED)

IMPROVING THIS MANUAL

For any comments or suggestions (even just to say hi) please contact the author
Silvio Cesare, <silvio@big.net.au>. Future versions of this paper are already
planned to include more parasite techniques and shared object infection. More
to come.

THE UNIX-VIRUS MAILING LIST

This is the charter for the unix-virus mailing list. Unix-virus was created to
discuss viruses in the unix environment from the point of view of the virus
creator, and the security developer writing anti-virus software. Anything
related to viruses in the unix environment is open for discussion. Low level
programming is commonly seen on the list, including source code. The emphasis
is on expanding the knowledge of virus technology and not on the distribution
of viruses, so binaries are discouraged but not totally excluded. The list is
archived at http://virus.beergrave.net and it is recommended that the new
subscriber read the existing material before posting.

To subscribe to the list send a message to majordomo@virus.beergrave.net with
'subscribe unix-virus' in the body of the message.

INTRODUCTION

This paper documents the algorithms and implementation of UNIX parasite and
virus code using ELF objects. Brief introductions on UNIX virus detection and
evading such detection are given. An implementation of various ELF parasite
infectors for UNIX is provided, and an ELF virus for Linux on x86 architecture
is also supplied.

Elementary programming and UNIX knowledge is assumed, and an understanding of
Linux x86 architecture is assumed for the Linux implementation. ELF
understanding is not required but will help.

This paper does not document any significant virus programming techniques
except those that are only applicable to the UNIX environment. Nor does it
try to replicate the ELF specifications. The interested reader is advised
to read the ELF documentation if this paper is unclear in ELF specifics.

THE NON ELF INFECTOR FILE VIRUS (FILE INFECTION)

An interesting yet simple idea for a virus relies on the fact that when you
append one executable to another, the first executable still executes, while
the appended executable remains intact and retrievable, and is even executable
if copied to a new file and executed.

# cat host >> parasite
# mv parasite host
# ./host
PARASITE Executed

Now, if the parasite keeps track of its own length, it can copy the original
host to a new file, then execute it like normal, making a working parasite and
virus. The algorithm is as follows:

* execute parasite work code
* lseek to the end of the parasite
* read the remaining portion of the file
* write to a new file
* execute the new file

The downfall of this approach is that the resulting executable is no longer
strip safe. This will be explained further on when a greater understanding of
the ELF format is obtained, but to summarize, the ELF headers no longer account
for every portion of the file, and strip removes unaccounted portions. This is
the premise of virus detection with this type of virus.
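
A defender's check built on this premise, as an added example that is not part
of the original paper: it walks the ELF header, program headers and section
headers, computes the last file offset they account for, and reports any bytes
beyond it. The sample image is constructed inline (a header-only ELF64 stub,
not a real program) and all function names are this example's own; trailing
data is a heuristic, since some legitimate files carry appended payloads.

```python
import struct

ELF_MAGIC = b"\x7fELF"
SHT_NOBITS = 8  # e.g. .bss: has a size but occupies no bytes in the file


class NotElf(ValueError):
    """Raised when the input is not a parseable ELF image."""


def accounted_end(data: bytes) -> int:
    """Highest file offset that the ELF headers account for."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise NotElf("missing ELF magic")
    if data[4] not in (1, 2) or data[5] not in (1, 2):
        raise NotElf("unknown EI_CLASS or EI_DATA")
    is64 = data[4] == 2
    bo = "<" if data[5] == 1 else ">"
    # Fields after e_ident, in order: e_type ... e_shstrndx (13 values).
    fmt = bo + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    if len(data) < 16 + struct.calcsize(fmt):
        raise NotElf("truncated ELF header")
    (_, _, _, _, phoff, shoff, _, ehsize,
     phentsize, phnum, shentsize, shnum, _) = struct.unpack_from(fmt, data, 16)

    end = ehsize
    word = bo + ("Q" if is64 else "I")
    if phnum:
        if phentsize < (56 if is64 else 32):
            raise NotElf("program header entries too small")
        if phoff + phnum * phentsize > len(data):
            raise NotElf("program header table lies outside the file")
        end = max(end, phoff + phnum * phentsize)
        off_at, size_at = (8, 32) if is64 else (4, 16)  # p_offset, p_filesz
        for i in range(phnum):
            base = phoff + i * phentsize
            (p_offset,) = struct.unpack_from(word, data, base + off_at)
            (p_filesz,) = struct.unpack_from(word, data, base + size_at)
            if p_filesz:
                end = max(end, p_offset + p_filesz)
    if shnum:
        if shentsize < (64 if is64 else 40):
            raise NotElf("section header entries too small")
        if shoff + shnum * shentsize > len(data):
            raise NotElf("section header table lies outside the file")
        end = max(end, shoff + shnum * shentsize)
        off_at, size_at = (24, 32) if is64 else (16, 20)  # sh_offset, sh_size
        for i in range(shnum):
            base = shoff + i * shentsize
            (sh_type,) = struct.unpack_from(bo + "I", data, base + 4)
            if sh_type == SHT_NOBITS:
                continue  # no file bytes to account for
            (sh_offset,) = struct.unpack_from(word, data, base + off_at)
            (sh_size,) = struct.unpack_from(word, data, base + size_at)
            end = max(end, sh_offset + sh_size)
    return end


def trailing_data(data: bytes) -> dict:
    """Report bytes past the accounted end, and whether they look like an ELF."""
    end = accounted_end(data)
    extra = data[end:]
    return {
        "accounted": end,
        "trailing": len(extra),
        # An appended host image starts with its own ELF magic.
        "trailing_is_elf": extra[:4] == ELF_MAGIC,
    }


def build_sample_elf64(body: bytes = bytes(32)) -> bytes:
    """Constructed sample: ELF64 header + one PT_LOAD covering the whole file."""
    ehsize, phentsize = 64, 56
    total = ehsize + phentsize + len(body)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, little-endian
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400078,
                               ehsize, 0, 0, ehsize, phentsize, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000,
                       total, total, 0x1000)
    return ehdr + phdr + body


if __name__ == "__main__":
    clean = build_sample_elf64()
    print("clean:   ", trailing_data(clean))
    # Same file shape as `cat host >> parasite`: a second image after the first.
    print("appended:", trailing_data(clean + clean))
```
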

This same method can be used to infect LKMs following similar procedures.

MEMORY LAYOUT OF AN ELF EXECUTABLE

A process image consists of a 'text segment' and a 'data segment'. The text
segment is given the memory protection r-x (from this it is obvious that
self-modifying code cannot be used in the text segment). The data segment is
given the protection rw-.

The segment as seen from the process image is typically not all in use, as the
memory used by the process rarely lies on a page border (or, put another way,
is not congruent to 0 modulo the page size). Padding completes the segment, and
in practice looks like this.

key:
    [...]  A complete page
    M      Memory used in this segment
    P      Padding

    Page Nr
    #1  [PPPPMMMMMMMMMMMM]  \
    #2  [MMMMMMMMMMMMMMMM]   |- A segment
    #3  [MMMMMMMMMMMMPPPP]  /

Segments are not bound to use multiple pages, so a single page segment is quite
possible.

    Page Nr
    #1  [PPPPMMMMMMMMPPPP]  <- A segment

Typically, the data segment directly follows the text segment. The text segment
always starts on a page border, but the data segment may not. The memory layout
for a process image is thus.

key:
    [...]  A complete page
    T      Text
    D      Data
    P      Padding

    Page Nr
    #1  [TTTTTTTTTTTTTTTT]  <- Part of the text segment
    #2  [TTTTTTTTTTTTTTTT]  <- Part of the text segment
    #3  [TTTTTTTTTTTTPPPP]  <- Part of the text segment
    #4  [PPPPDDDDDDDDDDDD]  <- Part of the data segment
    #5  [DDDDDDDDDDDDDDDD]  <- Part of the data segment
    #6  [DDDDDDDDDDDDPPPP]  <- Part of the data segment

    pages 1, 2, 3 constitute the text segment
    pages 4, 5, 6 constitute the data segment

From here on, the segment diagrams may use single pages for simplicity, e.g.

    Page Nr
    #1  [TTTTTTTTTTTTPPPP]  <- The text segment
    #2  [PPPPDDDDDDDDPPPP]  <- The data segment

For completeness, on x86, the stack segment is located after the data segment,
giving the data segment enough room for growth. Thus the stack is located at
the top of memory (remembering that it grows down).

In an ELF file, loadable segments are present physically in the file, and
completely describe the text and data segments for process image loading. A
simplified ELF format for an executable object relevant in this instance is.

    ELF Header
    .
    .
    Segment 1  <- Text
    Segment 2  <- Data
    .
    .

Each segment has a virtual address associated with its starting location.
Absolute code that references within each segment is permissible and very
probable.

ELF INFECTION

To insert parasite code means that the process image must load it so that the
original code and data are still intact. This means that inserting a parasite
requires the memory used in the segments to be increased.

The text segment comprises not only code, but also the ELF headers, including
such things as dynamic linking information. It may be possible to keep the
text segment as is and create another segment consisting of the parasite code;
however, introducing an extra segment is certainly questionable and easy to
detect.

Page padding at segment borders, however, provides a practical location for
parasite code, provided its size permits. This space will not interfere with
the original segments, requiring no relocation. Following the guideline just
given of preferring the text segment, we can see that the padding at the end
of the text segment is a viable solution.

Extending the text segment backwards is a viable solution and is documented
and implemented further in this article.

Extending the text segment forward or extending the data segment backward will
probably overlap the segments. Relocating a segment in memory will cause
problems with any code that absolutely references memory.

It is possible to extend the data segment; however, this isn't preferred, as
it is not portable to UNIX systems that properly implement execute memory
protection. An ELF parasite is nevertheless implemented using this technique
and is explained later in this article.

THE EXECUTABLE AND LINKAGE FORMAT

A more complete ELF executable layout is (ignoring section content - see below).

    ELF Header
    Program header table
    Segment 1
    Segment 2
    Section header table optional

In practice, this is what is normally seen.

    ELF Header
    Program header table
    Segment 1
    Segment 2
    Section header table
    Section 1
    .
    .
    Section n

Typically, the extra sections (those not associated with a segment) are such
things as debugging information, symbol tables etc.

From the ELF specifications:

"An ELF header resides at the beginning and holds a ''road map'' describing the
file's organization. Sections hold the bulk of object file information for the
linking view: instructions, data, symbol table, relocation information, and so
on.

...
...

A program header table, if present, tells the system how to create a process
image. Files used to build a process image (execute a program) must have a
program header table; relocatable files do not need one. A section header
table contains information describing the file's sections. Every section has
an entry in the table; each entry gives information such as the section name,
the section size, etc. Files used during linking must have a section header
table; other object files may or may not have one.

...
...

Executable and shared object files statically represent programs. To execute
such programs, the system uses the files to create dynamic program
representations, or process images. A process image has segments that hold
its text, data, stack, and so on. The major sections in this part discuss the
following.

Program header. This section complements Part 1, describing object file
structures that relate directly to program execution. The primary data
structure, a program header table, locates segment images within the file and
contains other information necessary to create the memory image for the
program."

An ELF object may also specify an entry point of the program, that is, the
virtual memory location that assumes control of the program. Thus to
activate parasite code, the program flow must include the new parasite. This
can be done by patching the entry point in the ELF object to point (jump)
directly to the parasite. It is then the parasite's responsibility that the
host code be executed - typically, by transferring control back to the host
once the