13. Suspicious code

 

Attorney General Edwin Meese III explained why the Supreme Court's Miranda decision (holding that subjects have a right to remain silent and have a lawyer present during questioning) is unnecessary: "You don't have many suspects who are innocent of a crime. That's contradictory. If a person is innocent of a crime, then he is not a suspect."

 U.S. News and World Report, 10/14/85

The tricks shown in Doing it in C raise a question. Can a look at the disassembly find pieces of code that distinguish viruses in general from regular code? You can call that the holy grail of scanning. This is very different from finding specific pieces of code that identify exactly one virus (a signature). Which is again very different from identifying a virus exactly …

The first problem is how to get at "the code". Everything from the start of the file to the last byte of code is mapped into the code segment. This is described in How it works and illustrated in Bashful glance. A virus could hide in a region declared as ELF header. VIT and its variations, including One step closer to the edge, put the code into section .rodata.

So keep in mind that this chapter is very hypothetical.

13.1. Extracting sections

Let's have fun by looking at the sections of an executable file. Here comes a script that extracts a single section as raw data. readelf(1) provides a related (but useless) option.

-x <number>

--hex-dump=<number>

Displays the contents of the indicated section as a hexadecimal dump.

Source: src/suspicious_code/dumpsection.pl
#!/usr/bin/perl -sw
use strict;

$::file = '/bin/sh' if (!defined($::file));
$::section = '.text' if (!defined($::section));

open(READELF, '-|', "readelf -S $::file") || die "readelf: $! ";
while(<READELF>)
{
  if (m/^  \[[ 0-9]+\] $::section /)
  {
    my @word = split;
    my $off = hex($word[4]);
    my $size = hex($word[5]);

    open(FILE, '<', $::file) || die "open: $!";
    sysseek(FILE, $off, 0) || die "seek: $!";
    my $dump;
    sysread(FILE, $dump, $size) || die "read: $!";
    close FILE;
    syswrite STDOUT, $dump;
  }
}
close READELF;

And the first test is simple. Compare the following output with gdb(1)'s dump in The entry point.

Command: src/suspicious_code/ndisasm.sh
#!/bin/sh
src/suspicious_code/dumpsection.pl -file=/bin/bash -section=.text \
| ndisasm -u - \
| sed -e '/hlt/q'

Output: out/redhat-linux-i386/suspicious_code/ndisasm
00000000  31ED              xor ebp,ebp
00000002  5E                pop esi
00000003  89E1              mov ecx,esp
00000005  83E4F0            and esp,byte -0x10
00000008  50                push eax
00000009  54                push esp
0000000A  52                push edx
0000000B  6830D00A08        push dword 0x80ad030
00000010  68608A0508        push dword 0x8058a60
00000015  51                push ecx
00000016  56                push esi
00000017  6880940508        push dword 0x8059480
0000001C  E827FCFFFF        call 0xfffffc48
00000021  F4                hlt