Learning Linux Binary Analysis: Uncover the secrets of Linux binary analysis with this handy guide.
by Ryan “elfmaster” O’Neill https://bitlackeys.org/
Packt Publishing 2016
| Page | Remark |
|---|---|
| 1 | binutils |
| 2 | GNU debugger (gdb) |
| objdump | |
| objcopy | |
| 3 | strace |
| ltrace | |
| PTRACE_SYSCALL | |
| 4 | ftrace |
| readelf | |
| 5 | The ELF Reverse Engineering System Interface (ERESI) https://github.com/thorkill/eresi |
| Phrack Magazine | |
| “Cerberus ELF Interface” Phrack 61-8 | |
| “Embedded ELF debugging” Phrack 63-9 | |
| /proc/<pid>/maps | |
| shared libraries (shared objects) | |
| stack | |
| heap | |
| VDSO | |
| 6 | /proc/System.map |
| /proc/kallsyms | |
| symbols | |
| LKM | |
| CONFIG_KALLSYMS_ALL | |
| /proc/iomem | |
| Extended Core File Snapshot (ECFS) | |
| dynamic loader | |
| linker | |
| relocations | |
| program interpreter | |
| 7 | LD_PRELOAD |
| LD_SHOW_AUXV | |
| auxiliary vector | |
| 8 | linker scripts |
| 9 | ELF file format ELF header |
| 10 | ELF file types |
| ET_NONE | |
| ET_REL | |
| Position-Independent Code (PIC) | |
| ET_EXEC | |
| ET_DYN | |
| shared libraries | |
| SIGSEGV | |
| segmentation violation | |
| 11 | ELF program headers |
| ElfN_Ehdr | |
| e_phoff | |
| 12 | PT_LOAD |
| 13 | PT_DYNAMIC |
| Global Offset Table (GOT) | |
| 14 | dynamic linking |
| 15 | PT_IONTERP |
| /lib/linux-ld.so.2 | |
| PT_PHDR | |
| 16 | ELF section headers |
| 17 | stripping section headers |
| 18 | .text |
| .rodata | |
| .plt - procedure linkage table (PLT) | |
| .data | |
| SHT_PROGBITS | |
| 19 | .bss |
| .got.plt | |
| .dynsym | |
| .rel.* | |
| .hash/.gnu.hash | |
| 20 | symtab |
| .strtab | |
| SHT_STRTAB | |
| .ctors/.dtors | |
| constructors/destructors | |
| __constructor__ | |
| 24 | ELF symbols |
| 25 | st_name |
| st_value | |
| st_size | |
| 26 | st_other |
| st_shndx | |
| st_info | |
| Symbol types: STT_NOTYPE, STT_FUNC, STT,OBJECT | |
| ELFXX_ST_BIND macros (XX is 32 or 64) | |
| 27 | static keyword |
| 31 | ELF relocations |
| /bin/ld | |
| 32 | object files .o |
| implicit addend | |
| explicit addend | |
| 35 | Relocatable code injection |
| 36 | Quenya https://bitlackeys.org/projects/quenya_32bit.tgz |
| 39 | ELF dynamic linking |
| lazy linking | |
| 40 | auxiliary vector |
| 41 | create_elf_tables() - binfmt_elf.c |
| libc.so | |
| ldd | |
| 42 | lazy linking explained |
| 45 | .dynamic section in depth |
| 46 | DT_NEEDED DT_SYMTAB DT_HASH DT_STRTAB DT_PLTGOT |
| 47 | link_map structure |
| 48 | ELF parsing |
| 53 | ptrace |
| 54 | ptrace request types* |
| 56 | user_regs_struct structure |
| “ELF runtime infection” - elfmaster | |
| 57 | thread-local storage (TLS) |
| ptrace-based debugger* | |
| 63 | ptrace attach-based debugger |
| 72 | Linux VMA monitor |
| 73 | what to look for in memory* |
| 74 | Process Image Reconstruction |
| Extended Core File Snapshot (ECFS) | |
| 79 | code injection with ptrace |
| 80 | “ELF runtime infection via GOT poisoning” https://web.archive.org/web/20150711051625/http://vxer.org/lib/vrn00.html |
| 87 | payload - no libc, position-independent code |
| 88 | elfdemon https://bitlackeys.org/projects/elfdemon.tgz |
| 89 | ptrace anti-debugging: PT_TRACEME |
| 91 | Elk Cloner virus |
| Linux/UNIX viruses | |
| Silvio Cesare | |
| 92 | Retaliation ELF virus |
| 93 | self-contained code |
| parasite code | |
| Saruman virus https://bitlackeys.org/projects/saruman_v1.tgz | |
| 94 | position-independent code for viruses |
| 95 | stack strings |
| Skeksi virus | |
| gcc -N | |
| 96 | finding space to store the parasite |
| 97 | Silvio padding infection method |
| Brundle Fly virus | |
| “UNIX ELF parasites and viruses” - Silvio Cesare | |
| VX Heaven | |
| Silvio .text infection logic | |
| 101 | LPV virus |
| Reverse text infection | |
| Maya’s Veil https://bitlackeys.org/ – unreleased | |
| 103 | reverse text infection logic |
| 104 | data segment infections |
| 105 | PT_NOTE to PT_LOAD conversion infection |
| 106 | PT_NOTE to PT_LOAD conversion algorithm |
| 107 | infecting control flow |
| 108 | direct PLT infection |
| 109 | function trampolines |
| overwriting .ctors/.dtors | |
| .init_array, .fini_array | |
| “Once upon a free” - Phrack 57-9 | |
| 110 | GOT table poisoning |
| infecting data structures | |
| function pointer overwrites | |
| 111 | process memory viruses and rootkits |
| shared library injection | |
| .so injection | |
| ET_DYN injection | |
| .so injection with LD_PRELOAD | |
| 113 | .so injection with open(), mmap() shellcode |
| .so injection with dlopen() shellcode | |
| 114 | dlopen() and PIE |
| .so injection with VDSO manipulation | |
| Virtual Dynamic Shared Object (VDSO) | |
| PaX | |
| 115 | text segment code injection |
| executable injections | |
| elfdemon | |
| ET_REL injection | |
| 116 | ELF anti-debugging and packing |
| PTRACE_TRACEME technique | |
| SIGTRAP handler technique | |
| 117 | /proc/self/status technique |
| 118 | code obfuscation technique |
| string table transformation technique | |
| 119 | elfscure.c |
| Arcana | |
| VMA Voodoo | |
| AVU (antivirus UNIX) | |
| 121 | ELF binary protection |
| dumb protectors | |
| UPX | |
| 122 | stubs |
| userland exec | |
| 124 | “The Design and Implementation of Userland Exec” - grugq |
| 125 | elfpack |
| 127 | DacryFile |
| 128 | burneye |
| fingerprint layer | |
| password layer | |
| self-destruct feature | |
| Phrack 58-5 - scut and grugq | |
| Shiva | |
| 129 | clone() |
| fast_cflow | |
| 130 | Maya’s Veil protection layers |
| custom malloc() | |
| objobf - scut’s object obfuscator tool https://packetstormsecurity.com/files/download/31524/objobf-0.5.0.tar.bz2 | |
| 131 | prctl() |
| Maya’s nanomites | |
| 132 | anti-exploitation |
| return-oriented programming (ROP) | |
| 135 | Crackmes |
| Pin | |
| DynamoRIO | |
| 136 | resistance to emulation |
| QEMU | |
| BOCHS | |
| detecting emulation via syscall testing | |
| detecting emulated CPU inconsistencies | |
| 137 | checking timing delays between instructions |
| 138 | attacks on ptrace |
| 139 | security vulnerability-based attacks |
| “Binary Protection Schemes” - Andrew Griffith https://bitlackeys.org/papers/BinaryProtectionSchemes59.pdf | |
| “Protecting Binaries” - Andrew Griffith https://recon.cx/2005/recon2005/papers/Andrew_Griffiths/protecting_binaries.pdf | |
| 141 | ELF binary forensics in Linux |
| 142 | entry point modification |
| 146 | .ctors/.init_array – if .ctors section contains function pointers residing outside of .text |
| 147 | detecting PLT/GOT hooks |
| Phrack 56-7 - Silvio Cesare | |
| hot patching | |
| 148 | searching for pointers outside of PROGBITS in .got.plt |
| 150 | GOT should only contain address pointing to the PLT |
| disinfecting GOT hooks | |
| detecting function trampolines | |
| “vxheaven.org/lib/usc08.html” - Silvio Cesare | |
| 151 | identifying parasite code |
| Linux padding virus - lpv.c | |
| int 0x80 | |
| 152 | int3 instruction |
| 153 | call/pop technique |
| checking dynamic section for DLL injection | |
| 154 | NEEDED tag |
| 156 | identifying reverse text padding infections |
| 157 | 0x400000 - Linux x86_65 default virtual address |
| 158 | identifying text segment padding infections |
| page size extension (PSE) | |
| 160 | entry point doesnt point to address residing in .text |
| 163 | identifying protected binaries |
| no PT_DYNAMIC on disk, but /proc/<pid>/maps shows it is dynamically loaded | |
| 164 | Analyzing protected binaries |
| 169 | process memory forensics |
| 170 | parsing /proc/<pid>/maps |
| 171 | heap |
| executable memory mappings | |
| shared library mappings | |
| 173 | process memory infection |
| Azazel | |
| Jynx | |
| Saruman | |
| sshd_fucker – Phrack 59: runtime process infection | |
| process injection techniques | |
| ET_DYN (shared object) injection | |
| mmap() | |
| __libc_dlopen_mode() | |
| process cloaking | |
| 174 | ET_REL (relocatable object) injection |
| PIC code (shellcode) injection | |
| techniques for hijacking execution | |
| 175 | detecting ET_DYN injection |
| pmap | |
| parse /proc/<pid>/maps | |
| 176 | LD_PRELOAD on the stack |
| 178 | detecting PLT/GOT hooks |
| 179 | identifying incorrect GOT addresses |
| 180 | __libc_dlopen_mode() shellcode |
| 184 | manipulating VDSO |
| 185 | determining if a shared object is legitimate |
| 186 | .so injection heuristics |
| 188 | tools to detect PLT/GOT hooks |
| Linux VMA Voodoo | |
| ECFS | |
| Volatility plt_hook | |
| ELF core files | |
| 189 | ev-readelf |
| 192 | downsides of core files for forensics |
| core files and gdb | |
| 195 | ECFS |
| libecfs | |
| 196 | Lotan |
| core handler - /proc/sys/kernel/core_pattern | |
| 197 | ECFS snapshots on live processes |
| 198 | readecfs |
| 221 | ECFS files as regular core files |
| 222 | libecfs API |
| 225 | /proc/kcore analysis |
| sys_call_table | |
| vmlinux - Linux kernel image | |
| kprobe | |
| 226 | kernel detective |
| taskverse | |
| kdress | |
| 227 | /proc/kallsyms |
| 229 | adore rootkit |
| phalanx rootkit | |
| /dev/kmem | |
| /dev/mem | |
| direct sys_call_table modification | |
| detecting sys_call_table modifications | |
| Page Table Entry (PTE) | |
| 230 | kernel function trampolines |
| 232 | detecting function trampolines |
| 233 | interrupt handler patching - int 0x80 |
| kmalloc() phony sys_call_table | |
| 234 | detecting interrupt handler patching |
| kprobe rootkits | |
| Phrack 67-6 | |
| Detecting kprobe rootkits | |
| jprobes | |
| /sys/kernel/debug/kprobes/list | |
| /sys/kernel/debug/kprobes/enabled | |
| 235 | debug register rootkits - DRR |
| Phrack 65-8 - halfdead | |
| detecting DRR | |
| VFS layer rootkits | |
| 236 | detecting VFS layer rootkits |
| validating VFS function pointers | |
| Phrack 61-7 | |
| hijacking the Linux page fault handler | |
| vmlinux and .altinstructions patching | |
| 237 | .altinstructions and .altinstr_replace |
| https://lwn.net/Articles/51148/ | |
| 238 | textify Linux Voodoo |
| .parainstructions | |
| 239 | taskverse |
| filldir64() | |
| sys_getdents64() | |
| infected LKMs | |
| 240 | Phrack 68-11 |
| LKM symbol hijacking | |
| LKM function hijacking | |
| 241 | detecting infected LKMs |
| “Runtime kernel kmem patching” - Silvio Cesare | |
| /dev/mem | |
| phalanx2 | |
| 242 | FreeBSD /dev/kmem |
| “Writing BSD Rootkits” | |
| K-ECFS - Kernel Extended Core File Snapshot | |
| 243 | ftrace |
| /boot/System.map |