learninglinuxbinaryanalysis-oneill2016


Learning Linux Binary Analysis: Uncover the secrets of Linux binary analysis with this handy guide.

by Ryan “elfmaster” O’Neill https://bitlackeys.org/

Packt Publishing 2016

Page Remark
1 binutils
2 GNU debugger (gdb)
objdump
objcopy
3 strace
ltrace
PTRACE_SYSCALL
4 ftrace
readelf
5 The ELF Reverse Engineering System Interface (ERESI) https://github.com/thorkill/eresi
Phrack Magazine
“Cerberus ELF Interface” Phrack 61-8
“Embedded ELF debugging” Phrack 63-9
/proc/<pid>/maps
shared libraries (shared objects)
stack
heap
VDSO
6 /boot/System.map
/proc/kallsyms
symbols
LKM
CONFIG_KALLSYMS_ALL
/proc/iomem
Extended Core File Snapshot (ECFS)
dynamic loader
linker
relocations
program interpreter
7 LD_PRELOAD
LD_SHOW_AUXV
auxiliary vector
8 linker scripts
9 ELF file format ELF header
10 ELF file types
ET_NONE
ET_REL
Position-Independent Code (PIC)
ET_EXEC
ET_DYN
shared libraries
SIGSEGV
segmentation violation
11 ELF program headers
ElfN_Ehdr
e_phoff
12 PT_LOAD
13 PT_DYNAMIC
Global Offset Table (GOT)
14 dynamic linking
15 PT_INTERP
/lib/ld-linux.so.2
PT_PHDR
16 ELF section headers
17 stripping section headers
18 .text
.rodata
.plt - procedure linkage table (PLT)
.data
SHT_PROGBITS
19 .bss
.got.plt
.dynsym
.rel.*
.hash/.gnu.hash
20 .symtab
.strtab
SHT_STRTAB
.ctors/.dtors
constructors/destructors
__constructor__
24 ELF symbols
25 st_name
st_value
st_size
26 st_other
st_shndx
st_info
Symbol types: STT_NOTYPE, STT_FUNC, STT_OBJECT
ELFXX_ST_BIND macros (XX is 32 or 64)
27 static keyword
31 ELF relocations
/bin/ld
32 object files .o
implicit addend
explicit addend
35 Relocatable code injection
36 Quenya https://bitlackeys.org/projects/quenya_32bit.tgz
39 ELF dynamic linking
lazy linking
40 auxiliary vector
41 create_elf_tables() - binfmt_elf.c
libc.so
ldd
42 lazy linking explained
45 .dynamic section in depth
46 DT_NEEDED DT_SYMTAB DT_HASH DT_STRTAB DT_PLTGOT
47 link_map structure
48 ELF parsing
53 ptrace
54 ptrace request types*
56 user_regs_struct structure
“ELF runtime infection” - elfmaster
57 thread-local storage (TLS)
ptrace-based debugger*
63 ptrace attach-based debugger
72 Linux VMA monitor
73 what to look for in memory*
74 Process Image Reconstruction
Extended Core File Snapshot (ECFS)
79 code injection with ptrace
80 “ELF runtime infection via GOT poisoning” https://web.archive.org/web/20150711051625/http://vxer.org/lib/vrn00.html
87 payload - no libc, position-independent code
88 elfdemon https://bitlackeys.org/projects/elfdemon.tgz
89 ptrace anti-debugging: PT_TRACEME
91 Elk Cloner virus
Linux/UNIX viruses
Silvio Cesare
92 Retaliation ELF virus
93 self-contained code
parasite code
Saruman virus https://bitlackeys.org/projects/saruman_v1.tgz
94 position-independent code for viruses
95 stack strings
Skeksi virus
gcc -N
96 finding space to store the parasite
97 Silvio padding infection method
Brundle Fly virus
“UNIX ELF parasites and viruses” - Silvio Cesare
VX Heaven
Silvio .text infection logic
101 LPV virus
Reverse text infection
Maya’s Veil https://bitlackeys.org/ – unreleased
103 reverse text infection logic
104 data segment infections
105 PT_NOTE to PT_LOAD conversion infection
106 PT_NOTE to PT_LOAD conversion algorithm
107 infecting control flow
108 direct PLT infection
109 function trampolines
overwriting .ctors/.dtors
.init_array, .fini_array
“Once upon a free” - Phrack 57-9
110 GOT table poisoning
infecting data structures
function pointer overwrites
111 process memory viruses and rootkits
shared library injection
.so injection
ET_DYN injection
.so injection with LD_PRELOAD
113 .so injection with open(), mmap() shellcode
.so injection with dlopen() shellcode
114 dlopen() and PIE
.so injection with VDSO manipulation
Virtual Dynamic Shared Object (VDSO)
PaX
115 text segment code injection
executable injections
elfdemon
ET_REL injection
116 ELF anti-debugging and packing
PTRACE_TRACEME technique
SIGTRAP handler technique
117 /proc/self/status technique
118 code obfuscation technique
string table transformation technique
119 elfscure.c
Arcana
VMA Voodoo
AVU (antivirus UNIX)
121 ELF binary protection
dumb protectors
UPX
122 stubs
userland exec
124 “The Design and Implementation of Userland Exec” - grugq
125 elfpack
127 DacryFile
128 burneye
fingerprint layer
password layer
self-destruct feature
Phrack 58-5 - scut and grugq
Shiva
129 clone()
fast_cflow
130 Maya’s Veil protection layers
custom malloc()
objobf - scut’s object obfuscator tool https://packetstormsecurity.com/files/download/31524/objobf-0.5.0.tar.bz2
131 prctl()
Maya’s nanomites
132 anti-exploitation
return-oriented programming (ROP)
135 Crackmes
Pin
DynamoRIO
136 resistance to emulation
QEMU
BOCHS
detecting emulation via syscall testing
detecting emulated CPU inconsistencies
137 checking timing delays between instructions
138 attacks on ptrace
139 security vulnerability-based attacks
“Binary Protection Schemes” - Andrew Griffith https://bitlackeys.org/papers/BinaryProtectionSchemes59.pdf
“Protecting Binaries” - Andrew Griffith https://recon.cx/2005/recon2005/papers/Andrew_Griffiths/protecting_binaries.pdf
141 ELF binary forensics in Linux
142 entry point modification
146 .ctors/.init_array – if .ctors section contains function pointers residing outside of .text
147 detecting PLT/GOT hooks
Phrack 56-7 - Silvio Cesare
hot patching
148 searching for pointers outside of PROGBITS in .got.plt
150 GOT should only contain address pointing to the PLT
disinfecting GOT hooks
detecting function trampolines
“vxheaven.org/lib/usc08.html” - Silvio Cesare
151 identifying parasite code
Linux padding virus - lpv.c
int 0x80
152 int3 instruction
153 call/pop technique
checking dynamic section for DLL injection
154 NEEDED tag
156 identifying reverse text padding infections
157 0x400000 - Linux x86_64 default virtual address
158 identifying text segment padding infections
page size extension (PSE)
160 entry point doesn't point to an address residing in .text
163 identifying protected binaries
no PT_DYNAMIC on disk, but /proc/<pid>/maps shows it is dynamically loaded
164 Analyzing protected binaries
169 process memory forensics
170 parsing /proc/<pid>/maps
171 heap
executable memory mappings
shared library mappings
173 process memory infection
Azazel
Jynx
Saruman
sshd_fucker – Phrack 59: runtime process infection
process injection techniques
ET_DYN (shared object) injection
mmap()
__libc_dlopen_mode()
process cloaking
174 ET_REL (relocatable object) injection
PIC code (shellcode) injection
techniques for hijacking execution
175 detecting ET_DYN injection
pmap
parse /proc/<pid>/maps
176 LD_PRELOAD on the stack
178 detecting PLT/GOT hooks
179 identifying incorrect GOT addresses
180 __libc_dlopen_mode() shellcode
184 manipulating VDSO
185 determining if a shared object is legitimate
186 .so injection heuristics
188 tools to detect PLT/GOT hooks
Linux VMA Voodoo
ECFS
Volatility plt_hook
ELF core files
189 ev-readelf
192 downsides of core files for forensics
core files and gdb
195 ECFS
libecfs
196 Lotan
core handler - /proc/sys/kernel/core_pattern
197 ECFS snapshots on live processes
198 readecfs
221 ECFS files as regular core files
222 libecfs API
225 /proc/kcore analysis
sys_call_table
vmlinux - Linux kernel image
kprobe
226 kernel detective
taskverse
kdress
227 /proc/kallsyms
229 adore rootkit
phalanx rootkit
/dev/kmem
/dev/mem
direct sys_call_table modification
detecting sys_call_table modifications
Page Table Entry (PTE)
230 kernel function trampolines
232 detecting function trampolines
233 interrupt handler patching - int 0x80
kmalloc() phony sys_call_table
234 detecting interrupt handler patching
kprobe rootkits
Phrack 67-6
Detecting kprobe rootkits
jprobes
/sys/kernel/debug/kprobes/list
/sys/kernel/debug/kprobes/enabled
235 debug register rootkits - DRR
Phrack 65-8 - halfdead
detecting DRR
VFS layer rootkits
236 detecting VFS layer rootkits
validating VFS function pointers
Phrack 61-7
hijacking the Linux page fault handler
vmlinux and .altinstructions patching
237 .altinstructions and .altinstr_replace
https://lwn.net/Articles/51148/
238 textify Linux Voodoo
.parainstructions
239 taskverse
filldir64()
sys_getdents64()
infected LKMs
240 Phrack 68-11
LKM symbol hijacking
LKM function hijacking
241 detecting infected LKMs
“Runtime kernel kmem patching” - Silvio Cesare
/dev/mem
phalanx2
242 FreeBSD /dev/kmem
“Writing BSD Rootkits”
K-ECFS - Kernel Extended Core File Snapshot
243 ftrace
/boot/System.map