RESUME
* RESUME
ARTICLES
* RUNTIME KERNEL KMEM PATCHING This paper documents runtime (on the fly) kernel patching on a running system under Linux using direct access to kernel memory. The same algorithms may equally be applicable to other systems. Examples of kernel patching for use by an attacker are provided, showing patching of kernel structures to remove an lkm's visibility to lsmod and even the addition of kernel code, in the manner of loadable kernel modules (lkm), to a running system without native lkm support in the kernel. Discussion of rebuilding the appropriate sections of the system symbol map (System.map) is provided and implemented.
* UNIX ELF PARASITES AND VIRUS This paper documents the algorithms and implementation of UNIX parasite and virus code using ELF objects. Brief introductions on UNIX virus detection and evading such detection are given. An implementation of various ELF parasite infectors for UNIX is provided, and an ELF virus for Linux on x86 architecture is also supplied. It is superseded by the following article.
* UNIX VIRUSES This paper documents the algorithms and implementation of UNIX parasite and virus code using ELF objects. Brief introductions on UNIX virus detection and evading such detection are given. An implementation of various ELF parasite infectors for UNIX is provided, and an ELF virus for Linux on x86 architecture is also supplied.
* SHARED LIBRARY CALL REDIRECTION USING ELF PLT INFECTION This paper describes a method of shared library call redirection using ELF infection that redirects the Procedure Linkage Table (PLT) of an executable. Thus, redirection is not resident outside of the infected executable. This has the advantage over the LD_PRELOAD redirection technique in that no environment variables are modified, thus remaining more hidden than previous techniques. An implementation is provided for x86/Linux.
* KERNEL FUNCTION HIJACKING This paper describes a method of hijacking internal kernel functions, that is, kernel functions that are declared inside the kernel without a function pointer or vector for changing the kernel function it points to. This can have practical uses, as given in example code which patches the process accounting code to not log specially marked processes (processes given signal 31).
* SYSCALL REDIRECTION WITHOUT MODIFYING THE SYSCALL TABLE This article describes a technique of redirecting system calls without modifying the syscall table (implemented in Linux). This can be used to evade intrusion detection systems that use the syscall table to register redirected or trojaned system calls. It is, however, an easy modification to make to detect the attack implemented in this article.
* LINUX ANTI-DEBUGGER TECHNIQUES This article describes anti-debugger techniques for x86/Linux (though some of these techniques are not x86 specific). That is, techniques to either fool, stop, or modify the process of debugging the target program. This can be useful to the development of viruses and also to those implementing software protection.
* ELF EXECUTABLE RECONSTRUCTION FROM A CORE IMAGE This article documents the results from experimenting with binary reconstruction of an ELF executable given a core dump or snapshot of the process image.
UNIX VIRUSES
* VIT The VIT Virus is a Linux x86 parasitic virus that infects ELF executables by using the padding of the text segment. For replication, direct infection via attempted infection of executables in the current directory is employed. This virus is documented in the article UNIX ELF VIRUS AND PARASITES. The name of this virus was curiously given by the people at FProt who noticed the virus created a temp file using the letters VIT.
* FILE The FILE Virus is a simple UNIX virus that concatenates the host to the parasite portion of the virus. The virus then extracts the original host from itself and executes it as a separate file. Direct infection is used, infecting executables in the current directory. This virus is not strip safe.
* SIILOV The SIILOV Virus is a Linux x86 parasitic virus that infects executables by appending itself to the end of the data segment after filling in a pseudo bss section. The entry point of the host after infection doesn't change, as the virus is chained by inserting jump code where the original entry point code once resided. Residency is maintained by infecting the PLT of the process and infecting programs called for by the 'execve' library call. Direct infection is also used by infecting executables in the current directory. If the superuser is executing the virus, 'init' is infected, which, when then run, will infect the entire system as every process is a descendant of it (using PLT residency).
Silvio Cesare silvio@big.net.au
(Additional Website Files)