Programming Linux Anti-Reversing Techniques
by Jacob Baines
2016-12-20 LeanPub
https://leanpub.com/anti-reverse-engineering-linux
Source code examples: https://github.com/antire-book/antire_book
| Page | Remark |
|---|---|
| 1 | Virtual Machine Detection |
| 2 | Hiding Network Communication |
| | Rootkits |
| | GDB |
| 3 | Bind Shells |
| | CMake |
| | Makefiles |
| | CMakeLists.txt |
| 10 | Netcat |
| 11 | Compiler Options in an Anti-Reverse Engineering Context |
| | -W, -g, -std |
| 12 | readelf |
| | readelf -S |
| 14 | .debug_* sections |
| | DWARF |
| 15 | objdump |
| | --dwarf=info |
| 16 | .debug_info section used for attribution |
| | backtrace, gdb |
| 17 | hexdump |
| 19 | print, gdb |
| 21 | removing debug information from ELF files |
| | omitting the -g flag from gcc |
| | gcc |
| 23 | XORDDOS malware |
| 24 | DW_AT_comp_dir for malware attribution |
| | attribution |
| 25 | SYMTAB .symtab |
| | DYNSYM .dynsym |
| 29 | FILE symbol – the filename of the source code |
| 30 | Kaiten malware |
| | stripping binaries |
| 32 | -fvisibility |
| | radare2 |
| 33 | Hiding FUNC symbols |
| | -fvisibility=hidden |
| | static functions |
| 34 | break main, gdb |
| 35 | ELF entry stub |
| 36 | Hopper Disassembler |
| | -O optimization flag, gcc |
| 37 | -O1, -O2, -O3, -Os optimization flags, gcc |
| | cppcheck |
| | valgrind |
| | -Wall |
| | -Wextra |
| | Writing good C code |
| | XXTEA - Corrected Block Tiny Encryption Algorithm |
| 45 | -finline-functions, gcc |
| | -O3 |
| 48 | -funroll-loops |
| 52 | -static |
| 55 | Procedure Linkage Table (PLT) |
| | ltrace |
| 56 | LD_PRELOAD |
| 58 | dlsym |
| 59 | musl |
| | musl cross compilers |
| 60 | diet libc |
| | uClibc |
| 62 | readelf example against a statically linked musl binary |
| 63 | ldd |
| 64 | strip |
| 66 | strings |
| | strip -R |
| 67 | .comment, ELF |
| 68 | ELF Section Headers |
| | section headers are not required by ELF files |
| 72 | stripBinary |
| 78 | endianness |
| | A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux - breadbox (Brian Raiter) |
| | e_ident - identifies the endianness of an ELF |
| 79 | ELFDATANONE |
| | ELFDATA2LSB |
| | ELFDATA2MSB |
| | EI_DATA |
| 80 | dd |
| 86 | SHT_NULL section header |
| | SHT_PROGBITS |
| | SHT_STRTAB |
| 93 | Adding fake section headers |
| 97 | .init, .fini |
| 104 | Overlapping .init with entry point |
| 107 | Hiding Entry Point |
| 118 | Mixing Dynamic Symbols |
| | .dynsym |
| 129 | string obfuscation |
| 130 | stack strings |
| 132 | FLOSS |
| 135 | xor string obfuscation |
| 141 | xorsearch |
| | xortool |
| | linker scripts |
| 147 | RC4 |
| 154 | Function Encryption |
| 162 | cryptors |
| | cryptelf |
| | midgetpack |
| | UPX |
| 174 | Obstructing Code Flow Analysis |
| | Indirect Function Calls |
| 176 | NULL-initialized Indirect Function Calls |
| 179 | Signals |
| | IPC |
| | SIGINT |
| | sigaction |
| | kill |
| 183 | Early Return |
| 187 | .string directive |
| 189 | Jump Over Invalid Byte |
| | Linux Anti-Debugging Techniques - Fooling the Debugger, Silvio Cesare |
| 193 | Jump, Jump |
| | malwinator.com |
| 198 | Overlapping Instructions |
| | Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software - Andrew Honig |
| 203 | Evading the debugger |
| | ptrace |
| 204 | PTRACE_TRACEME |
| 205 | Parent Process ID (PPID) |
| | TracerPid |
| | gcore |
| 206 | SIGTRAP |
| 212 | PTRACE_ATTACH from forked child |
| 213 | PTRACE_SETOPTIONS |
| 214 | ptrace_scope |
| | PTRACE_O_EXITKILL |
| 215 | /proc/self/status |
| 220 | madvise |
| | core files |
| | MADV_DONTDUMP |
| 221 | /proc/<pid>/coredump_filter |
| 228 | prctl |
| 230 | PR_SET_DUMPABLE |
| 232 | constructor/destructor |
| 233 | Computing Function Checksums |
| 234 | CRC32 Algorithm |
| 242 | Malware can only be annoying to reverse, not impossible to reverse |