0xBECEDA/malware

What is it?

This is a training (educational) file-infecting virus for Linux.

License

GNU General Public License v.2.

Purpose

To get acquainted with how binary files work and with the loading and linking processes.

What does it do?

Infects the first ELF file located in the same directory.

How can I use it?

Simple and fast way

$ cp -r ./src/. ./
$ make
$ ./virus

Hard way

  • Install Emacs. Org-mode (part of Emacs) is needed to generate the code files from the literate source file.
  • Press Alt+x and type org-babel-tangle (an elisp function; you can just press C-c C-v t instead) to generate the source code files. The following will be generated:
    • the source code of the virus
    • the source code of several victims.

    If you skip this step, you can take the generated files from the src folder. Copy these files to the root folder of the project.

  • make
  • Run the virus: ./virus. Don’t worry, it works only in the current directory.
  • Go to the section How it works and how I see it
  • Learn Russian (because it’s a hacker’s language, like assembler and leetspeak)
  • Open the literate source and read it
  • Contribute (Pull Requests are welcome)

How it works and how I see it

Select any target binary file. You need to make sure that the infection actually took place. If it did, the file’s entry point will have changed. This is the entry point of the target hello before the file was infected (readelf runs under a Russian locale here, so the grep matches the localized “Entry point address” line):

$ readelf -h hello | grep Адрес

Адрес точки входа:               0x400550

Run target file to be sure that it works:

$ ./hello

Hello world!
Current local time and date: Tue Mar  2 02:35:00 2021

Run the virus; you will see the infection log: which files the virus tried to infect and which file was finally infected.

$ ./virus

asm file: infection try
hello file: infection try
hello is successfully infected

This is how the entry point of hello looks after infection:

$ readelf -h hello | grep Адрес

Адрес точки входа:               0x802b28

Run the infected file to make sure that it wasn’t broken by the infection:

$ ./hello

asm file: infection try
hello file: infection try
.#ex2.txt file: infection try
final_version.org file: infection try
hello_stripped file: infection try
hello_stripped is successfully infected
Hello world!
Current local time and date: Tue Mar  2 02:30:18 2021

You see the infection log (which file was infected by hello), followed by the printf strings of the target’s own code.

The infection was successful.

Remember that the virus infects the file nearest to it. That’s why your target may not be infected after a single run of the virus. Just keep running the virus and eventually your target will be infected.
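The entry-point comparison above is the check a defender would automate: read e_entry from the ELF header, confirm it still points into an executable PT_LOAD segment, and compare it against a known-good baseline. The following script is an added example written for this page; it is not part of the 0xBECEDA/malware repository. It parses only the ELF64 header and program headers with the standard library, and the two sample images it checks are constructed in place (header plus program headers, no real code) using the before/after entry values the README shows, so it runs offline.

```python
import struct

# ELF64 header and program header layouts (little-endian), per the ELF spec
ELF64_EHDR = "<16sHHIQQQIHHHHHH"   # 64 bytes
ELF64_PHDR = "<IIQQQQQQ"           # 56 bytes
PT_LOAD = 1
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def parse_elf64(data):
    """Return (e_entry, [(p_type, p_flags, p_vaddr, p_memsz), ...]) for an ELF64 image."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 (EI_CLASS == 2) is handled here")
    (_ident, _type, _machine, _version, e_entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = \
        struct.unpack_from(ELF64_EHDR, data, 0)
    segments = []
    for i in range(e_phnum):
        p_type, p_flags, _off, p_vaddr, _paddr, _filesz, p_memsz, _align = \
            struct.unpack_from(ELF64_PHDR, data, e_phoff + i * e_phentsize)
        segments.append((p_type, p_flags, p_vaddr, p_memsz))
    return e_entry, segments


def entry_in_exec_segment(data):
    """True if e_entry lies inside some PT_LOAD segment that is mapped executable."""
    entry, segments = parse_elf64(data)
    return any(p_type == PT_LOAD and (p_flags & PF_X) and vaddr <= entry < vaddr + size
               for p_type, p_flags, vaddr, size in segments)


def entry_changed(baseline, current):
    """Compare a known-good image of a binary with its current image by entry point."""
    return parse_elf64(baseline)[0] != parse_elf64(current)[0]


def build_elf64(entry, segments):
    """Constructed minimal ELF64 image (header + PT_LOAD program headers, no code).

    segments: list of (p_flags, p_vaddr, size). Sample data for this example only."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LSB, version 1
    ehdr = struct.pack(ELF64_EHDR, ident, 2, 62, 1, entry, 64, 0, 0,
                       64, 56, len(segments), 64, 0, 0)      # ET_EXEC, EM_X86_64
    phdrs = b"".join(struct.pack(ELF64_PHDR, PT_LOAD, flags, 0, vaddr, vaddr,
                                 size, size, 0x1000)
                     for flags, vaddr, size in segments)
    return ehdr + phdrs


# Constructed samples: a code segment at 0x400000 and a data segment at 0x600000.
LAYOUT = [(PF_R | PF_X, 0x400000, 0x1000), (PF_R | PF_W, 0x600000, 0x1000)]
CLEAN = build_elf64(0x400550, LAYOUT)     # entry inside the code segment (README "before")
SUSPECT = build_elf64(0x802b28, LAYOUT)   # entry outside every mapped segment (README "after")


def report(name, baseline, current):
    """Human-readable verdict for one binary."""
    entry, _ = parse_elf64(current)
    flags = []
    if not entry_in_exec_segment(current):
        flags.append("entry point outside any executable PT_LOAD segment")
    if entry_changed(baseline, current):
        flags.append("entry point differs from baseline")
    verdict = "SUSPICIOUS: " + "; ".join(flags) if flags else "ok"
    return f"{name}: e_entry=0x{entry:x} -> {verdict}"


if __name__ == "__main__":
    print(report("hello (baseline copy)", CLEAN, CLEAN))
    print(report("hello (after run)", CLEAN, SUSPECT))
```

The in-segment check alone is only a heuristic: an infector that appends its own executable PT_LOAD segment and points e_entry there would pass it, so the stronger signal is the baseline comparison, which is exactly what the README does by hand with readelf before and after. In practice you would store the baseline entry point together with a hash of the file and compare both.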

Libs and Details

The project uses the ELFkickers utilities, whose source code was taken from http://www.muppetlabs.com/~breadbox/software/elfkickers.html and may be used and modified according to GNU GPL v.2.

Makefile’s targets:

  • all - runs all targets listed below, with the exception of clean
  • virus - compiles the virus, if its source code file exists
  • sstrip - compiles the ELFkickers utilities
  • victims - compiles every target file for infection twice, so that sstrip can be applied to one copy of each
  • stripped_victims - deletes the section header table from each duplicate. So we have two types of target files: with and without section headers
  • clean - deletes all binary files

Files:

  • the folder with the ELFkickers utilities, which include the sstrip utility
  • the file index.org, which is the full documentation and explanation of the virus code and the infection process. It also explains basic theory about the ELF format and the loading and linking process.
  • the makefile, which compiles all binary files: the virus, its targets and the ELFkickers utilities
