
8.3.3. Scanner

The next task is to create an antivirus scanner able to find the virus we have just created. Examine the following code and fill in the missing lines as described in the comments. The idea behind this scanner is to walk the given directory, check whether each file is an ELF binary, and look for the virus-specific mark at the end of the file. The infection state of each file is then printed out.
/* 
  Antivirus scanner
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <dirent.h>
#include <elf.h>
#include <fcntl.h>

//infection indicator (the value the virus appends to every file it infects)
#define MAGIC 6585
#define MAX_BUF 1024

static int magic = MAGIC;

//virus detection: returns 0 = clean, 1 = not an ELF file or read error, 2 = infected
int detect(char *filename, int hd)
{
   //file info
   struct stat st;
   int tmagic;      // marker read from the end of the file
   off_t magicloc;  // offset of the marker
   Elf32_Ehdr ehdr;

   /* only ELF files are of interest: check the magic bytes of the header */
   if(lseek(hd, 0, SEEK_SET) != 0) return 1;
   if(read(hd, &ehdr, sizeof(ehdr)) != (ssize_t)sizeof(ehdr)) return 1;
   if(memcmp(ehdr.e_ident, ELFMAG, SELFMAG) != 0) return 1;

   /* check for magic (virus identifier) at the end of the file */
   if(fstat(hd, &st) < 0) return 1;
   if(st.st_size < (off_t)sizeof(magic)) return 1;
   magicloc = st.st_size - sizeof(magic);
   if(lseek(hd, magicloc, SEEK_SET) != magicloc) return 1;

   //load the marker
   if(read(hd, &tmagic, sizeof(magic)) != (ssize_t)sizeof(magic)) return 1;
   //the file is infected if the marker matches
   if(tmagic == MAGIC) return 2;
   if(lseek(hd, 0, SEEK_SET) != 0) return 1;

   return 0;
}

//search the given directory for executable ELF files
void scan_dir(char *directory)
{
   int hd;
   int r;
   DIR *dd;
   struct dirent *dirp;
   char vfile[256];
 
   /* open directory */
   dd = opendir(directory);
   if(dd == NULL) {
      perror(directory);
      return;
   }

   // walk the entire directory
   while((dirp = readdir(dd)) != NULL)
   {
      r = 0;
      //FILL IN HERE
      //  - this is the step for every entry in the directory; dirp->d_name contains the file name
      //  - build the full path in vfile (directory + "/" + dirp->d_name)
      //  - open the file with the 'open' function (see man open)
      //  - if open succeeds, call the 'detect' function and close the descriptor afterwards
      //  - based on the return value, determine whether the file is infected and print this to the terminal
   }
   closedir(dd);
}


int main(int argc, char *argv[], char *envp[])
{
  
   if (argc < 2) {
   	printf("Usage: %s directory\n",argv[0]);
	exit(1);
   }
   printf("Scanning directory %s\n",argv[1]); 
   //scan directory
   scan_dir(argv[1]);
   return 0;
}


  1. Download the code of the scanner:
    $ wget http://zeus.fei.tuke.sk/bps3r/skener.c
  2. Fill in the missing code as described in the comments. See the listing in Section A.1, “Antivírusový skener / Antivirus scanner”.
  3. Compile the code.
    $ gcc -o scanner skener.c
  4. Run and test the scanner.
    $ ./scanner ./test
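One way to complete the exercise, given here as an added example and not the course's own solution (neither skener.c nor the Section A.1 listing): the scanner below checks the ELF identification bytes at the start of every regular file, reads the last sizeof(int) bytes and compares them with MAGIC, and reports the result per file. The write_samples() helper, the result-code enum and the /tmp paths are assumptions of this example; write_samples() creates constructed test data (files that merely begin with the ELF magic bytes and optionally end with the marker), not real executables. Files are opened with O_NONBLOCK so that a stray FIFO in the scanned directory cannot hang the scan.

```c
/* Completed signature scanner: added example, not the course's skener.c solution */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <dirent.h>
#include <elf.h>
#include <fcntl.h>

#define MAGIC 6585      /* infection indicator the virus appends (value from the page) */
#define PATH_BUF 4096

/* Result codes of detect(): the page's 0/1/2 plus ERR for I/O failures (assumption) */
enum { CLEAN = 0, NOT_ELF = 1, INFECTED = 2, ERR = -1 };

/* Examine one open descriptor: ELF magic at offset 0, virus marker at the end */
int detect(int fd)
{
    struct stat st;
    unsigned char ident[EI_NIDENT];
    int tmagic;
    off_t magicloc;

    if (fstat(fd, &st) < 0) return ERR;
    if (!S_ISREG(st.st_mode)) return NOT_ELF;        /* directories, devices, pipes */
    if (st.st_size < (off_t)(EI_NIDENT + sizeof tmagic)) return NOT_ELF; /* too small */
    if (lseek(fd, 0, SEEK_SET) != 0) return ERR;
    if (read(fd, ident, EI_NIDENT) != EI_NIDENT) return ERR;
    if (memcmp(ident, ELFMAG, SELFMAG) != 0) return NOT_ELF;
    magicloc = st.st_size - (off_t)sizeof tmagic;
    if (lseek(fd, magicloc, SEEK_SET) != magicloc) return ERR;
    if (read(fd, &tmagic, sizeof tmagic) != (ssize_t)sizeof tmagic) return ERR;
    return tmagic == MAGIC ? INFECTED : CLEAN;
}

/* Open a path read-only and run detect() on it; O_NONBLOCK stops a FIFO from blocking us */
int detect_path(const char *path)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    int r;
    if (fd < 0) return ERR;
    r = detect(fd);
    close(fd);
    return r;
}

/* Scan every entry of one directory; returns the number of infected files, -1 on error */
int scan_dir(const char *directory)
{
    DIR *dd = opendir(directory);
    struct dirent *dirp;
    char path[PATH_BUF];
    int infected = 0;

    if (dd == NULL) { perror(directory); return -1; }
    while ((dirp = readdir(dd)) != NULL) {
        if (strcmp(dirp->d_name, ".") == 0 || strcmp(dirp->d_name, "..") == 0) continue;
        snprintf(path, sizeof path, "%s/%s", directory, dirp->d_name);
        switch (detect_path(path)) {
        case INFECTED: printf("%s: INFECTED\n", path); infected++; break;
        case CLEAN:    printf("%s: clean\n", path); break;
        case NOT_ELF:  break;                          /* not an ELF file, skipped */
        default:       fprintf(stderr, "%s: cannot read\n", path); break;
        }
    }
    closedir(dd);
    return infected;
}

/* Constructed test data (assumption of this example, not real binaries): a clean
   ELF-looking file, one carrying the marker, and a plain text file. Returns 0 on success. */
int write_samples(const char *dir)
{
    static const unsigned char ident[EI_NIDENT] = { ELFMAG0, ELFMAG1, ELFMAG2, ELFMAG3, ELFCLASS32 };
    static const int m = MAGIC;
    static const char *names[3] = { "clean.bin", "infected.bin", "notes.txt" };
    char path[PATH_BUF];
    FILE *f;
    int i;

    if (mkdir(dir, 0700) < 0 && errno != EEXIST) return -1;
    for (i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        if ((f = fopen(path, "wb")) == NULL) return -1;
        if (i < 2) fwrite(ident, 1, sizeof ident, f);      /* ELF identification */
        fputs("sample file body used only for testing", f);
        if (i == 1) fwrite(&m, sizeof m, 1, f);             /* appended marker */
        if (fclose(f) != 0) return -1;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    if (argc < 2) { fprintf(stderr, "Usage: %s directory\n", argv[0]); return 1; }
    printf("Scanning directory %s\n", argv[1]);
    return scan_dir(argv[1]) > 0 ? 2 : 0;
}
```

Compile with `gcc -o scanner scanner.c` and run `./scanner ./test`; the exit status is 2 when at least one infected file was found, which makes the scanner usable from a script. Note that the marker is read in the machine's native byte order, exactly as the virus wrote it, so a scanner built for another endianness would not match.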
The result is a scanner that works on the signature principle: a virus-specific mark is searched for in binary files. It finds only this one virus; a variant that changes or omits the marker is not detected.
Another type of scanner is a change-detection (integrity-checking) system, which reports changes in the content of monitored system objects. A cryptographic hash function is used to compute initial values, the file fingerprints, while the system is known to be clean; later the fingerprints are recomputed and compared with the saved ones, and any mismatch means the object was modified. The fingerprint database must itself be protected (kept read-only or off the monitored system), since an attacker able to rewrite binaries can just as well rewrite the database. The following presents a scanner that uses hash functions in this way, written in bash:
#!/bin/bash


#check for command line parameter
if test -z "$1"
then
	echo "Usage: $0 directory"
	exit 1
fi

path="$1"
DB="crc.sum"

# list the directory, search for executable regular files
# (-type f leaves out the directory itself, which find would otherwise report as executable)
find "$path" -type f -perm /111 -print | while read -r file
do
	#saved sum for exactly this path (sha1sum writes "sum  path"); empty if none
	sumsav=$(test -f "$DB" && gawk -v f="$file" '$2 == f {print $1}' "$DB")
	if test -n "$sumsav"
	then
		#checksum exists, it is compared
		#current sum
		sumcurr=$(sha1sum "$file" | gawk '{print $1}')

		#comparison
		if test "$sumcurr" != "$sumsav"
		then
			echo "Checksum changed for file: $file"
		fi
	else
		#checksum does not exist yet, it is saved
		sha1sum "$file" >> "$DB"
	fi
done
exit 0
  1. Download the script (or create the file 'skener.sh' and paste the code above).
    $ wget http://zeus.fei.tuke.sk/bps3r/skener.sh
  2. Set file permissions.
    $ chmod +x skener.sh
  3. Copy original binary files into the test directory.
    $ cp /bin/date /bin/ls ./test
  4. Run the scanner; on the first run it only records the checksums.
    $ ./skener.sh ./test
  5. Check the crc.sum file.
    $ cat crc.sum
  6. Run the virus.
    $ cd ./test ; ./virus ; cd ..
  7. Run the scanner again; it reports every executable whose checksum has changed.
    $ ./skener.sh ./test