06.08
.text writable
1. The problem
To make infecting new hosts easier, a virus will usually place its data next to its code, in the same section of the executable. Since that section is normally mapped without write permission, every attempt to update a variable stored there ends in a segmentation fault.
In GNU/Linux, ELF files have both sections and segments, but when a file is loaded only the segments matter for this particular problem, and they are the only thing you need to make writable.
Try to run the following program:
section .text
msg     db 'Hello, World!', 0x0A   ; data deliberately placed in the code section
len     equ $ - msg
_exit   dd 0x00                    ; syscall numbers kept as variables...
_write  dd 0x00                    ; ...inside .text, which is mapped read-only
main:
        mov dword [_exit], 0x01    ; store into .text: faults unless the segment is writable
        mov dword [_write], 0x04
        mov edx, len               ; write(1, msg, len)
        lea ecx, [msg]
        mov ebx, 0x01
        mov eax, [_write]
        int 0x80
        mov ebx, 0x00              ; exit(0)
        mov eax, [_exit]
        int 0x80
If you inspect the binary with readelf, you can see that the loader is instructed to map the .text section into a segment that is not writable; that mapping is what has to change for the program to work.
2. The solution
As a way to learn about ELF files, I wrote a small program that finds the segment containing the executable's entry point and adds the writable flag to it. The program can be improved, but I’m busy with other things right now…
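The inspection step behind both the readelf observation and the program described above, as an added example that is not the author's tool and modifies nothing: it parses the ELF header and program headers, locates the PT_LOAD segment whose address range covers e_entry, renders its R/W/X flags, and lists every loadable segment that is both writable and executable, which is exactly the condition a defender would scan for after such a modification (the same information readelf -l shows in its program-header table). Constant names follow the ELF specification; the sample images are constructed inline (two ELF64 layouts, one ELF32 layout matching the 32-bit program above) so the script runs offline, and a file path on the command line audits a real binary.

```python
import struct
import sys

PT_LOAD = 1
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4  # p_flags bits from the ELF specification


def parse_elf(data):
    """Return (e_entry, segments); each segment is a dict with type, flags,
    vaddr and memsz. Handles ELF32 and ELF64 in either byte order."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:    # ELFCLASS64
        ehdr = struct.unpack_from(end + "16sHHIQQQIHHHHHH", data, 0)
        phdr_fmt = end + "IIQQQQQQ"
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        def pick(f):
            return f[0], f[1], f[3], f[6]
    elif ei_class == 1:  # ELFCLASS32
        ehdr = struct.unpack_from(end + "16sHHIIIIIHHHHHH", data, 0)
        phdr_fmt = end + "IIIIIIII"
        # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        def pick(f):
            return f[0], f[6], f[2], f[5]
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    e_entry, e_phoff = ehdr[4], ehdr[5]
    e_phentsize, e_phnum = ehdr[9], ehdr[10]
    segments = []
    for i in range(e_phnum):
        fields = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        p_type, p_flags, p_vaddr, p_memsz = pick(fields)
        segments.append({"type": p_type, "flags": p_flags,
                         "vaddr": p_vaddr, "memsz": p_memsz})
    return e_entry, segments


def flags_str(flags):
    """Render p_flags as a three-character string such as 'R-X' or 'RWX'."""
    return "".join(c if flags & bit else "-"
                   for c, bit in (("R", PF_R), ("W", PF_W), ("X", PF_X)))


def entry_segment(entry, segments):
    """The PT_LOAD segment whose virtual address range covers the entry point."""
    for seg in segments:
        if seg["type"] == PT_LOAD and seg["vaddr"] <= entry < seg["vaddr"] + seg["memsz"]:
            return seg
    return None


def audit(data):
    """Entry-point segment flags plus every loadable segment that is W+X."""
    entry, segments = parse_elf(data)
    seg = entry_segment(entry, segments)
    rwx = [s for s in segments
           if s["type"] == PT_LOAD and s["flags"] & PF_W and s["flags"] & PF_X]
    return {"entry": entry,
            "entry_flags": flags_str(seg["flags"]) if seg else None,
            "entry_writable": bool(seg and seg["flags"] & PF_W),
            "rwx_segments": [hex(s["vaddr"]) for s in rwx]}


def build_elf(entry, loads, elf_class=2):
    """Constructed minimal little-endian ELF image: header plus PT_LOAD program
    headers only (no sections, no code). loads: list of (p_flags, vaddr, memsz)."""
    ident = b"\x7fELF" + bytes([elf_class, 1, 1, 0]) + bytes(8)
    if elf_class == 2:
        ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 0x3E, 1, entry,
                           64, 0, 0, 64, 56, len(loads), 64, 0, 0)
        phdrs = b"".join(struct.pack("<IIQQQQQQ", PT_LOAD, fl, 0, va, va, sz, sz, 0x1000)
                         for fl, va, sz in loads)
    else:
        ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 0x03, 1, entry,
                           52, 0, 0, 52, 32, len(loads), 40, 0, 0)
        phdrs = b"".join(struct.pack("<IIIIIIII", PT_LOAD, 0, va, va, sz, sz, fl, 0x1000)
                         for fl, va, sz in loads)
    return ehdr + phdrs


# Constructed samples: a normal layout (R-X text, RW- data), the same layout
# after the text segment was made writable, and a 32-bit layout like the
# program above would get.
CLEAN_ELF = build_elf(0x400080, [(PF_R | PF_X, 0x400000, 0x1000),
                                 (PF_R | PF_W, 0x600000, 0x1000)])
WRITABLE_TEXT_ELF = build_elf(0x400080, [(PF_R | PF_W | PF_X, 0x400000, 0x1000),
                                         (PF_R | PF_W, 0x600000, 0x1000)])
CLEAN_ELF32 = build_elf(0x08048080, [(PF_R | PF_X, 0x08048000, 0x1000)], elf_class=1)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(audit(fh.read()))
    else:
        for name, img in (("clean64", CLEAN_ELF), ("writable64", WRITABLE_TEXT_ELF),
                          ("clean32", CLEAN_ELF32)):
            print(name, audit(img))
```

Only program headers are read, because that is what the loader honours; section headers can be stripped or forged without changing how the file is mapped. A non-empty rwx_segments list on a hand-written assembly program is expected only when the author asked for it, so it is a cheap signal worth recording when triaging unknown ELF files.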
3. About the code
- OS: Ubuntu 10.04 with Linux Kernel 2.6.32-22-generic x86_64
- CPU: Intel Core 2 Duo