VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Library: UNIX and clones specific

«Viruses under LiNUX» [SRC] 70.97Kb 13813 hits
Xine [5] (1999)
The neverending question, Why aren't viruses for linux?. It seems that the viral community, accustomed to Real Mode systems (DOS), find that is hard to adapt themselves to protected mode systems. Even for Win95/98, systems with important dessign problems, there exists moreless 30 viruses where the great majority are non-resident viruses or VxD infectors (Ring-0 devices).
«Static linked ELF infecting» [SRC] 10.44Kb 13641 hits
[...] In this article, I am describing my idea for infecting statically linked ELF binaries. After reading, you can find a complete infector, Scorpion, for this technique. Bundled, you will find several example back-doors. [...]
Alexander Bartolich
«The ELF Virus Writing HOWTO» 15149 hits (2003)
This document describes how to write parasitic file viruses infecting ELF executables. Though it contains a lot of source code, no actual virus is included. Every mentioned infection method is accompanied with a practical guide to detection. Writing a program that inserts code into another program file is one thing. Writing that program so that it can be injected itself is a very different art. Although this document shows a lot of code and technique, it is far from being a "Construction Kit For Dummies". You can't build a working virus just by copying whole lines from this text. Instead I'll try to show how things work. Translation of infecting code to a assembly is left as (non-trivial) exercise to the reader. An astonishing number of people think that viruses require secret black magic. Here you will find simple code that patches other executables. It is not hard to write a virus - once you have a good understanding of assembler, compiler, linker and operating system. It's just hard to let it make any impact.
Christophe Blaess
«Viruses: a concern for all of us» 41.08Kb 10901 hits
LinuxFocus (2002)
This article reviews internal security problems that can appear on Linux systems because of aggressive software. Such software can cause damage without human intervention: Viruses, Worms, Trojan Horses, etc. We will go deep into the various vulnerabilities, insisting in the pros and cons of free software in this matter.
«Writing ELF parasitic Code in C» [SRC] 11.73Kb 18557 hits
[...] ELF parasites are usually written in pure assembler code. due to this, code can get really huge in pure ASM, while the same stuff could be done much faster with C code and inline asm(). [...]
Silvio Cesare
«ELF executable reconstruction from a core image» [SRC] 6.08Kb 14372 hits
Matrix Zine [1] (1999)
This article documents the results from experimenting with binary reconstruction of an ELF executable given a core dump or snapshot of the process image.
«Kernel function hijacking» 2.5Kb 14774 hits
This paper describes a method of hijacking internal kernel functions, that is, kernel functions that are declared inside the kernel without a function pointer or vector for changing the kernel function it points too. This can have practical uses, as given in example code which patches the process accounting code to not log specially marked processes (processes given signal 31).
«Runtime kernel kmem patching» 29.39Kb 19251 hits
Matrix Zine [1] (1998)
This paper documents runtime (on the fly) kernel patching on a running system under Linux using direct access to kernel memory. The same algorithms may equally be applicable to other systems. Examples of kernel patching for use by an attacker is provided showing patching of kernel structures to remove a lkm's visibility to lsmod and even the addition of kernel code ala loadable kernel modules (lkm) to a running system without native lkm support in the kernel. Discussion of rebuilding the appropriate sections of the system symbol map ( is provided implemented.
«Shared library call redirection using ELF PLT infection» 33.36Kb 18300 hits
Matrix Zine [1] (1999)
This paper describes a method of shared library call redirection using ELF infection that redirects the Procedure Linkage Table (PLT) of an executeable. Thus, redirection is not resident outside of the infected executeable. This has the advantage over the LD_PRELOAD redirection technique in that no environment variables are modified, thus remaining more hidden than previous techniques. An implementation is provided for x86/Linux.
«SysCall redirection without modifying the SysCall table» [SRC] 2.38Kb 12741 hits
Matrix Zine [1] (1999)
This article describes a technique of redirecting system calls without modifying the sys call table (implemented in Linux). This can be used to evade intrusion detection systems that use the sys call table to register redirected or trojaned system calls. It is however an easy modifcation to make to detect the attack implemented in this article.
«Unix ELF parasites and virus» 34.86Kb 21251 hits
This paper documents the algorithms and implementation of UNIX parasite and virus code using ELF objects. Brief introductions on UNIX virus detection and evading such detection are given. An implementation of various ELF parasite infectors for UNIX is provided, and an ELF virus for Linux on x86 architecture is also supplied. It is superceded by the following article.
«Unix viruses» 49.59Kb 13892 hits
This paper documents the algorithms and implementation of UNIX parasite and virus code using ELF objects. Brief introductions on UNIX virus detection and evading such detection are given. An implementation of various ELF parasite infectors for UNIX is provided, and an ELF virus for Linux on x86 architecture is also supplied.
«How to have fun with ptrace syscall» [SRC] 18.38Kb 10530 hits
Electrical Ordered Freedom #2 (EOF-DR-RRLF) (2008)
Hi boys in this text i want show to you how is possible to "hack" one process using some assembly strings and the Dynamic linker. If you search in internet you can find it : a dynamic linker is the part of an operating system that loads and links the shared libraries for an executable when it is run. Such linkers typically also have a shared library that is linked with the executable when it is compiled and may determine the actions of the linker. One shared library,in addition to being loaded statically or dynamically, are also often classified according to how they are shared among programs. In Linux the dynamic linker shared libraries, tipically are based on a common set of environment variables, including LD_LIBRARY_PATH and LD_PRELOAD. In this text we will use the LD_PRELOAD variable. When LD_PRELOAD is set, the dynamic linker will use the specified library before any other when it searches for shared libraries. Now imagine that our process is the next code
«NOTE Segment Infection technique» [SRC] 4.29Kb 8769 hits
DCA E-zine #1 (html) (2004)
I was sitting around and looking at my old creations etc. and then I've asked myself : Why am I always using that old fucing S.P.I ( Segment Padding Technique) technique in my viruses !? Hm.... Because its so easy to understand and to use it.It has been used since 3-4 years.Well I think this way of infection is getting old fashioned ;)On a sunny day I was looking at the output of readelf. And then I've realized that fucking NOTE segment is actually unusefull for the loader and for the user :-P And then came the idea : Why not inserting the virus code after the NOTE segment or even better : Why not inserting it IN the NOTE segment !? Well let us take a closer look at this idea...
Tom Duff
«Viral Attacks On UNIX System Security» 28.16Kb 15607 hits
Executable files in the Ninth Edition of the UNIX system contain small amounts of unused space, allowing small code sequences to be added to them without noticeably affecting their functionality. A program fragment that looks for binaries and introduces copies of itself into their slack space will transitively spread like a virus. Such a virus program could, like the Trojan Horse, harbor Greeks set to attack the system when run by sufficiently privileged users or from infected set-userid programs.The author wrote such a program (without the Greeks) and ran several informal experiments to test its characteristics. In one experiment, the code was planted on one of Center 1127's UNIX systems and spread in a few days through the Datakit network to about forty machines. The virus escaped during this test onto a machine running an experimental secure unix system, with interesting (and frustrating for the system's developers) consequences.Viruses of this sort must be tiny to fit in the small amount of space available, and consequently are very timid. There are ways to construct similar viruses that are not space-constrained and can therefore spread more, aggressively and harbor better-armed Greeks. As an example, we exhibit a frighteningly virulent portable virus that inhabits shell scripts.Viruses rely on users and system administrators being insufficiently vigilant to prevent them from infiltrating systems. I outline a number of steps that people ought to take to make infiltration less likely.Numerous recent papers have suggested modifications to the unix system kernel to interdict viral attacks. Most of these are based on the notion of 'discretionary access controls.' These proposals cannot usually be made to work, either because they make unacceptable changes in the 'look and feel' of the unix system's environment or they entail placing trust in code that is inherently untrustworthy. In reply to these proposals, I suggest a small change to the unix system permission scheme that may be able to effectively interdict viral attacks without serious effect on the unix system's functioning and habitability.
Gobleen Warrior
«UNIX SH and BASH shell viruses» [SRC] 33.91Kb 6703 hits
29a [6] (2002)
What is UNIX Shell? People, who knows it, can scip some lines below, people, who knows UNIX well, can don't read this text at all. UNIX Shell is pecular BAT language of the UNIX systems, but much more advanced, functional and effective. A lot of system utilites are written in it, and it's says a lot about UNIX Shell. There is a many varieties of the UNIX Shell, for example SH, BASH, ZSH, KSH, CSH, you even can write your own UNIX Shell interpreter. It complicates writing of the programs by reducing of their compatibility. UNIX Shell language is rather flexible and universal. Equally as in the BAT, in UNIX Shell language there are internal, built-in commands, such as, for example, "cd", and external, system, commands, such as "cp", for example. In the UNIX Shell language there are constuctions like "if ... then", "for ... in ... do", and similar to them. In this article i will talk about one from numerous versions of UNIX Shell - SH and its extended version BASH.
«Advanced EPO: Deeper, longer and harder (Part 1)» [TeX] [SRC] 15.09Kb 12365 hits
Electrical Ordered Freedom #3 (2011)
In the recent zine Decepticons, Tiberio published the nice article [1] about entry-point obscuring and listed there a number of ways in which the virus could capture the control from application. Most of them are related to API calls - replacing the API call or replace the callback in the API's parameter list (the first is known under Linux as PLT redirection [2]) other techniques explores different cavities which could be used to place there the get-me-to-the-virus instruction. There is something common for all of these methods - no one will tell you when the virus will gain the control and will it get it at all. I think we have to do something about this.
«Caveat virus» [SRC] 7.88Kb 13704 hits
Electrical Ordered Freedom #2 (EOF-DR-RRLF) (2008)
This tutorial explains how to use a small amounts of space within Program Header Table to inject the tiny loader which will allocate the memory for the main virus body, load and execute it. Suppose that we have, say, 64 bytes of unused space inside loadable segment?
«From position-independent to self-relocatable viral code» [SRC] 26.33Kb 17119 hits
This article discusses the different approaches to position-independent and self-relocatable code. It shows that non-PIC style of the code allows substantially relax the limitations on virus code and use an advantages of high-level programming, which formerly were practically inaccessible to the virus authors.
«Hashin' the elves» [SRC] 22.24Kb 18215 hits
Electrical Ordered Freedom #2 (EOF-DR-RRLF) (2007)
One day I was looking through the ELF files with objdump and called my attention to .hash section, and thought: gee, can't we take some advantage of it? Nice section after all. Located in the code segment. Could it be shrinked or removed? In this article I want to share my findings.
«Infecting ELF-files using function padding for Linux» [SRC] 25.5Kb 20489 hits
Not so long ago, i have read two articles concerned with amusing method of ELF-file infection [1,2], I want to talk about. It's amazing, but the tools presented by Z0mbie and Ares both intended to injecting trojans, and I still didn't saw any viruses using this technology, though may be I looked in the wrong direction. :-) Method is unusual and has both advantages and disadvantages, but let's discuss everything step by step.
«INT 0x80? No, thank you!» [SRC] 14.86Kb 14191 hits
Electrical Ordered Freedom #2 (EOF-DR-RRLF) (2007)
After finishing the Lacrimae virus which is able to extend any section and thus import library functions, I spent some time thinking how an ordinary virus can use the libc or any other library. There are a lot of opportunities for the viruses having such a feature. Here I wish to present a method to do it, using test virus Linux.Pilot as an example.
«Reverse of a coin: A short note on segment alignment» [SRC] 8.72Kb 14252 hits
Electrical Ordered Freedom #2 (EOF-DR-RRLF) (2007)
One of the widely used method of ELF files infection was propposed by Silvio Cesare [1]. To inject the virus to a file the free space at the end of text segment, appeared as a result of alignment is used. Alignment is neccessary to prevent the beginning of the data segment and the end of text segment from ending up in the same page. The "hole" in the memory exist no only in the end of text segment, but also at the beginning of data segment:
«Abusing .CTORS and .DTORS for fun 'n profit» [SRC] 12.4Kb 19583 hits
This paper talks about glibc initialization framework and how abusive constructors and destructors can be. A quick analysis of how ordinary ELF executable that been compiled using gcc and linked against glibc is been loaded and executed. Also a practical example of abusive constructors, an Anti-Debugging that been implemented within a constructor that puts up a nice fight.
«Linux x64 Infection for Lamers (by a Lamer)» [SRC] 52.31Kb 8211 hits
Valhalla #4 (2013)
This article was written to help people new to x64 Linux beginning writing viruses quickly and easily. While writing "Linux64.Retaliation" I have decided to share what I have learnt as a Linux novice while working on my second Linux infecter. Please do not expect to find cutting edge information in this document. I would like to express my gratitude to Herm1t for his help and time, and pointing me in the right direction while I learnt these things. I am sure many of these basic things could also be applied to x86 (32-bit) Linux as well.As as side note, I can not find any source code or articles on any exist Linux x64 viruses/worms - so I can discuss none in this article. If you know of any, please let me know.
Kernel Panik
«Piggyback» [SRC] 7.08Kb 10070 hits
Xine [4] (1998)
This is a small tool used to append executable code to an exiting program (virus writers would call it "to infect"). The idea used by piggyback is very simple and rather portable among different Unices. Piggyback itself is a small program in C that takes the place of the "victim", which is copied after the piggyback code. At the real end is stored a long which is the lenght of the piggyback executable.
«Linux virus writing tutorial» [SRC] 15.8Kb 10338 hits
29a [4full] (1999)
In this paper, I'll discuss how to make a linux virus. Of course you won't use this to make one.
Ryan O'Neill
«Modern Day ELF Runtime infection via GOT poisoning» [SRC] 92.41Kb 29429 hits
This paper is a document that outlines a specific algorithm to hijack shared library calls within a running process. While working on my UNIX AV tool for ELF parasite disinfection and memory resident parasite analysis, I stumbled upon an algorithm for hijacking shared library calls through global offset table poisoning, and coded a hijacker that uses the algorithm to demonstrate it. Runtime infection through shared library linking is not a new concept; so why would I write a paper on it?
«An unofficial analysis of the Retaliation Virus (Authored by JPanic)» [SRC] 52.7Kb 12245 hits
I recently had the opportunity to do some analysis of a new ELF virus authored by JPanic. After spending some time looking at it, I was impressed and quite to my surprise. This is perhaps the most well thought out and dangerously effective ELF binary virus that I have seen yet. I would like to discuss some of the findings associated with analysis, and thus produce a profile on the Virus named 'Retaliation'
Peter Radatti
«Computer Viruses In Unix Networks» 36.84Kb 11728 hits
CyberSoft, Incorporated (1995)
Unix systems are as susceptible to hostile software attacks as any other system, however, the Unix community is zealous in their believe that they are immune. This belief is in the face of historical reality. The first computer viruses created were on Unix systems. The Internet Worm, Trojan Horses and Logic Bombs are all ignored milestones in this belief. Not withstanding these beliefs, there is a growing concern among computer security professionals about these problems. This concern is based on recognition of the complex nature of the problem and the increasing value of Unix based networks. Whereas, the Internet Worm disrupted the Internet in 1988 the cost was relativity low. If this attack is repeated today, the cost will be very high because of the new found importance of the Internet, electronic business networks using EDI and private networks, all of which are Unix based.
«Injected Evil (executable files infection)» [SRC] 9.21Kb 15204 hits
29a [7] (2004)
Here will be described some rare method of executable files infection. It is based on parsing trojan code into instructions, and injecting these instructions into free areas (alignment) between subroutines of the target file. This idea is not new, and probably has always been used in some viruses. Also, under executable files i'll mean executable ELF files for x86 platform, though it can be win32 PE files too.
«Virus Juice: squeezing bash to get it, another little shell script virus tutorial» [SRC] 58.29Kb 8302 hits
29a [6] (2002)
This tutorial is intended to give a general perspective on script virus in UNIX environments, as well as showing some examples of what can be done using the explained techniques.There are many tutorials following the same topic, so this text is not new in that aspect, but I considered of interest writing it so I can give a more global focus to the topic, and show my examples in detail.To finish this introduction I would like to epmhasize the work of SnakeByte and Gobleen Warrior in this field. I didn't know there were more people interested in this funny type of scripts :-)
18 authors, 32 titles
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka