Linux malware program consisting of a small self-replicating worm, using the PT_NOTE to PT_LOAD method.

Notifications You must be signed in to change notification settings

d-r-e/famine

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

84 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Famine: silent binary infection

Some useful stuff

ELF binaries 101

My awesome woody_woodpacker

PT_NOTE to PT_LOAD

Nice example

Another PT_NOTE explanation

In Spanish

/bin/echo before famine

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  PHDR           0x0000000000000040 0x0000000000000040 0x0000000000000040
                 0x0000000000000268 0x0000000000000268  R      0x8
  INTERP         0x00000000000002a8 0x00000000000002a8 0x00000000000002a8
                 0x000000000000001c 0x000000000000001c  R      0x1
      [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000001240 0x0000000000001240  R      0x1000
  LOAD           0x0000000000002000 0x0000000000002000 0x0000000000002000
                 0x0000000000003fb9 0x0000000000003fb9  R E    0x1000
  LOAD           0x0000000000006000 0x0000000000006000 0x0000000000006000
                 0x0000000000002220 0x0000000000002220  R      0x1000
  LOAD           0x0000000000008d90 0x0000000000009d90 0x0000000000009d90
                 0x0000000000000470 0x0000000000000608  RW     0x1000
  DYNAMIC        0x0000000000008df8 0x0000000000009df8 0x0000000000009df8
                 0x00000000000001e0 0x00000000000001e0  RW     0x8
  *** NOTE           0x00000000000002c4 0x00000000000002c4 0x00000000000002c4 ***
                 0x0000000000000044 0x0000000000000044  R      0x4
  GNU_EH_FRAME   0x0000000000007290 0x0000000000007290 0x0000000000007290
                 0x00000000000002b4 0x00000000000002b4  R      0x4
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     0x10
  GNU_RELRO      0x0000000000008d90 0x0000000000009d90 0x0000000000009d90
                 0x0000000000000270 0x0000000000000270  R      0x1

echo after famine

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  PHDR           0x0000000000000040 0x0000000000000040 0x0000000000000040
                 0x0000000000000268 0x0000000000000268  R      0x8
  INTERP         0x00000000000002a8 0x00000000000002a8 0x00000000000002a8
                 0x000000000000001c 0x000000000000001c  R      0x1
      [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000001240 0x0000000000001240  R      0x1000
  LOAD           0x0000000000002000 0x0000000000002000 0x0000000000002000
                 0x0000000000003fb9 0x0000000000003fb9  R E    0x1000
  LOAD           0x0000000000006000 0x0000000000006000 0x0000000000006000
                 0x0000000000002220 0x0000000000002220  R      0x1000
  LOAD           0x0000000000008d90 0x0000000000009d90 0x0000000000009d90
                 0x0000000000000470 0x0000000000000608  RW     0x1000
  DYNAMIC        0x0000000000008df8 0x0000000000009df8 0x0000000000009df8
                 0x00000000000001e0 0x00000000000001e0  RW     0x8
  *** LOAD           0x0000000000009b20 0x000000000c009b20 0x00000000000002c4 ***
                 0x00000000000003ce 0x00000000000003ce  RWE    0x200000
  GNU_EH_FRAME   0x0000000000007290 0x0000000000007290 0x0000000000007290
                 0x00000000000002b4 0x00000000000002b4  R      0x4
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     0x10
  GNU_RELRO      0x0000000000008d90 0x0000000000009d90 0x0000000000009d90
                 0x0000000000000270 0x0000000000000270  R      0x1
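The two listings make the traces of a PT_NOTE to PT_LOAD infection visible: the PT_NOTE entry is gone, the new PT_LOAD is RWE, its PhysAddr still carries the old note address 0x2c4, and it maps the appended bytes to a virtual address far from the rest of the image. The Python below is an added example, not part of famine: it parses the ELF64 program header table and reports those indicators. build_sample() reconstructs only a header plus the LOAD/NOTE entries from the listings above (constructed data, not the real echo binary), and delta_tolerance is an assumed threshold.

```python
import struct
from collections import Counter

PT_LOAD, PT_NOTE = 1, 4
PF_X, PF_W, PF_R = 1, 2, 4
PHDR_FMT = "<IIQQQQQQ"  # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align

def parse_phdrs(data):
    """Return the ELF64 program headers as (type, flags, offset, vaddr, paddr, filesz, memsz, align) tuples."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS must be ELFCLASS64
        raise ValueError("not an ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    return [struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize) for i in range(e_phnum)]

def infection_indicators(data, delta_tolerance=0x10000):
    """Flag the traces of a PT_NOTE -> PT_LOAD overwrite; delta_tolerance (64 KiB) is an assumed threshold."""
    phdrs = parse_phdrs(data)
    loads = [p for p in phdrs if p[0] == PT_LOAD]
    findings = []
    if not any(p[0] == PT_NOTE for p in phdrs):
        findings.append("no PT_NOTE segment left: the note header was repurposed")
    # Genuine PT_LOADs share (almost) the same vaddr - offset delta; an appended payload mapped far away stands out.
    common_delta = Counter(p[3] - p[2] for p in loads).most_common(1)[0][0]
    for _type, flags, off, vaddr, paddr, *_rest in loads:
        if flags & PF_W and flags & PF_X:
            findings.append(f"PT_LOAD @0x{vaddr:x} is writable and executable (RWE)")
        if paddr != vaddr:
            findings.append(f"PT_LOAD @0x{vaddr:x} has p_paddr 0x{paddr:x} != p_vaddr (stale note header field?)")
        if abs((vaddr - off) - common_delta) > delta_tolerance:
            findings.append(f"PT_LOAD @0x{vaddr:x} maps file offset 0x{off:x} far from the rest of the image")
    return findings

def build_sample(infected):
    """Constructed ELF64 image: a header plus the LOAD/NOTE entries copied from the readelf listings above."""
    phdrs = [  # (type, flags, offset, vaddr, paddr, filesz, memsz, align)
        (PT_LOAD, PF_R, 0x0, 0x0, 0x0, 0x1240, 0x1240, 0x1000),
        (PT_LOAD, PF_R | PF_X, 0x2000, 0x2000, 0x2000, 0x3fb9, 0x3fb9, 0x1000),
        (PT_LOAD, PF_R, 0x6000, 0x6000, 0x6000, 0x2220, 0x2220, 0x1000),
        (PT_LOAD, PF_R | PF_W, 0x8d90, 0x9d90, 0x9d90, 0x470, 0x608, 0x1000),
        (PT_LOAD, PF_R | PF_W | PF_X, 0x9b20, 0xc009b20, 0x2c4, 0x3ce, 0x3ce, 0x200000) if infected
        else (PT_NOTE, PF_R, 0x2c4, 0x2c4, 0x2c4, 0x44, 0x44, 0x4),
    ]
    ehdr = bytearray(64)
    ehdr[:5] = b"\x7fELF\x02"  # magic + ELFCLASS64; other header fields are left zero
    struct.pack_into("<Q", ehdr, 0x20, 64)  # e_phoff: the table follows the header directly
    struct.pack_into("<HH", ehdr, 0x36, struct.calcsize(PHDR_FMT), len(phdrs))  # e_phentsize, e_phnum
    return bytes(ehdr) + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)
```

Running infection_indicators() over the clean sample returns no findings; the infected sample yields four, one per trace listed above.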