Detecting other forms of control flow hijacking
There are many reasons to modify a binary, and depending on the desired functionality, the binary control flow will be patched in different ways. In the previous example of the Retaliation Virus, the entry point in the ELF file header was modified. There are many other ways to transfer execution to the inserted code, and we will discuss a few of the more common approaches.
Patching the .ctors/.init_array section
In ELF executables and shared libraries, you will notice that there is a section commonly present named .ctors
(commonly also named .init_array
). This section contains an array of addresses that are function pointers called by the initialization code from the .init
section. The function pointers refer to functions created with the constructor attribute, which are executed before main()
. This means that the .ctors
function pointer table can be patched with an address that points to the code that has been injected into the binary, which...