Jack Carrick's Blog

Infecting Binaries

Simple ELF64 file infector virus in C

November 14, 2025

Computer viruses are an extensive category of attacks against host machines, networks, and systems as a whole. Generally speaking, a virus is a program that, when executed, replicates itself to other programs on a system or a network. There is a broad array of types of viruses, as well as infection mechanisms. Today, I’d like to explore how to construct a very simple file infector virus that targets Linux ELF64 binaries.

Infection Mechanism

For our purposes, our virus will do the following:

  1. Scan a directory for ELF64 executables
  2. If an executable is discovered, we read the binary into memory.
  3. Next we prepend the malicious code to the target program and overwrite the existing file.

When the infected executable is run, it executes the malicious payload and then the original program, thereby replicating itself further. This is very straightforward to implement, but has some obvious downsides. First, by duplicating itself on every execution, the size of each infected executable will grow unboundedly. Second, most system packages implement strategies to protect against viruses that alter the structure and size of binaries. We can solve the first issue with a simple fix. However, solving the second problem is more complex, so for our purposes this virus will only target user binaries.

Outline of virus

The infector.c program performs the following:

  1. When an infected executable is run, we first determine whether the file is the original virus program or an infected executable. Since our goal is to pass the malicious payload onto another file, we can extract the payload from the file, rather than copying the entire program. To do this, we look to see if a second ELF header is present. All ELF binaries have header sections that begin with a magic number 0x7F 'E' 'L' 'F' in the first 4 bytes. So, in our program we look for the second instance of such a signature. Secondly, we confirm the file is infected by looking for a virus signature we define in the last 32 bytes of the infected file. If both a second ELF header and a virus signature is found, we extract the first section of the binary until the second header.

  2. Once we determine the size of the payload (i.e. the first section of infected file) we perform the infection process. If no payload or signature is present, we assume we are in the original virus binary. It is important that once the infection process is complete, the original program is also executed. All this is accomplished in the following lines:

struct stat st;
stat(argv[0], &st);
int host_size = st.st_size - payload_size - sizeof(uint32_t);

if (host_size <= 0)
{
    printf("Running from origin... starting first infection wave\n");
    infect_directory(payload, payload_size);
}
else
{
    printf("Running from infected file... spreading virus\n");
    infect_directory(payload, payload_size);
    exec_host(argv, envp, payload_size);
}

  1. The infect_directory function simply scans each item in the current directory (.). We attempt to infect each file that is not a directory and not the currently executing program. It should be noted that this functionality could be expanded to implement a system-wide directory traversal that searches for all ELF64 binaries on the file system. For our purposes we just use the current directory, however.

  2. The infect_file function checks if the file is ELF64 format. If it is, we create a temporary copy of the file and write to it:

int temp_fd = open(temp_file_path, O_RDWR | O_CREAT | O_TRUNC, 0600);
...
write(temp_fd, payload, payload_size);
write(temp_fd, host_data, st.st_size);
// append virus signature to end of file
uint32_t signature = VIRUS_SIGNATURE;
write(temp_fd, &signature, sizeof(signature));

This is the primary mechanism of infection.

  1. Once the file is infected, we need to execute the main program of the file with exec_host. We accomplish this using the memfd_create GNU/Linux utility which allows us to create a temporary / volatile file in memory that we copy the program to. Once the temporary file is created, we can call execve which will replace the current program with the newly copied host program.

View the full program here.

Notes on obfuscation and improvement

The virus we have constructed is quite elementary. It does nothing to hide itself, but works fine as a proof of concept. Obviously, an attacker would not include any of the logs and the infected file would appear to execute as expected. More sophisticated ELF exploits do much more self-obfuscation. For example, one solution is to alter the entry point of the ELF code segment to point to the address of malicious binary code, and then jumping back to the original execution point after completion. A risk of this type of attack, however, is that it can cause memory page misalignment, resulting in segmentation faults. A more sophisticated technique injects malicious code within padding that separates executable load segments. This solves the alignment issue, but requires finding padding large enough to accommodate the malicious code. In any case, the virus we have created serves as a good starting place for further iteration.