Armouring the ELF: Binary encryption on the UNIX platform
Phrack Magazine Issue 58 article 5
https://phrack.org/issues/58/5
| Notes |
|---|
| ELF |
| binary encryption |
| grugq |
| scut |
| UNIX, Microsoft, MS-DOS |
| reverse engineering |
| PE |
| packer |
| obfuscation |
| stripping debugging symbols |
| UPX |
| debugger |
| SoftICE |
| ptrace |
| adb |
| gdb |
| procfs |
| process |
| copy protection, DRM |
| shareware |
| digital forensics |
| binary protection is important for defenders, too |
| process image |
| rm |
| strip |
| x2 ssh exploit |
| C |
| source code |
| TCT |
| compiler |
| objdump, readelf, ltrace, strace |
| libbfd |
| IDA Pro |
| ET_EXEC |
| ET_DYN |
| shared library |
| linkers and loaders |
| EI_NIDENT |
| Elf32_Ehdr |
| Elf32_Shdr |
| ELF sections |
| ELF header |
| ELF segments |
| Elf32_Phdr |
| FreeBSD – the dynamic linker requires the program header table to be located within the first page (4096 bytes) of the binary |
| DGUX, IRIX, Linux, NetBSD, Solaris, UnixWare |
| PT_LOAD |
| relocation |
| entry point |
| stack |
| stack layout |
| PT_INTERP |
| IA32 |
| Linux kernel |
| runtime linker (rtld) |
| symbols |
| 0x40000000 |
| register |
| eip |
| ABI |
| i386 |
| Elf32_auxv_t – auxiliary vectors |
| argc, argv, envp |
| main function |
| elf.h |
| AT_IGNORE |
| AT_NULL |
| a_type |
| virus |
| .text |
| XOR encryption |
| self-modifying code |
| polymorphic engines |
| anti-disassembly, anti-debugging |
| stream cipher |
| block cipher |
| virtual CPU |
| proprietary binary format |
| Silvio Cesare |
| Brundle Fly |
| VIT virus |
| PAGE_SIZE |
| dacryfile |
| parasite |
| .data |
| gcc |
| .dynamic section |
| .bss |
| Elf32_Dyn |
| libc |
| RC4 |
| brute force |
| burneye |
| John Reiser |
| hello world |
| printf |
| decompiler |
| Pice debugger |
| TESO |
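Added worked example (mine, not code from the grugq/scut article, dacryfile or burneye): a C walk over a constructed 128-byte ELF32 image that reads the Elf32_Ehdr and the Elf32_Phdr table, locates the PT_LOAD segment that holds the entry point, applies the FreeBSD first-page rule noted above, and XOR-encrypts the segment's file bytes from e_entry to the end of p_filesz the way the simplest .text encryptor would. Assumptions: the image, the i386 base address 0x08048000, the 9-byte exit(0) stub standing in for .text and the one-byte key 0x5a are all constructed here; the struct definitions copy the <elf.h> layout so the file builds without that header.

```c
/* Added example for these notes (not code from the Phrack article, dacryfile or
 * burneye): parse a constructed ELF32 image, find the PT_LOAD holding e_entry,
 * apply the FreeBSD first-page rule for the phdr table, and XOR the segment's
 * file bytes from e_entry to the end of p_filesz as a toy .text encryptor would. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

enum { EI_NIDENT = 16, ELFCLASS32 = 1, ET_EXEC = 2, PT_LOAD = 1, PAGE_BYTES = 4096 }; /* PAGE_BYTES = PAGE_SIZE on i386 */
enum { IMG_LEN = 128, TEXT_OFF = 0x60 };
#define BASE_VA 0x08048000u   /* assumed i386 ET_EXEC load address */

typedef struct {              /* same layout as <elf.h> Elf32_Ehdr (52 bytes) */
    unsigned char e_ident[EI_NIDENT];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Elf32_Ehdr;
typedef struct {              /* same layout as <elf.h> Elf32_Phdr (32 bytes) */
    uint32_t p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align;
} Elf32_Phdr;

/* constructed "text": i386 exit(0) stub  mov $1,%eax; xor %ebx,%ebx; int $0x80 */
static const unsigned char stub[] = { 0xb8,0x01,0x00,0x00,0x00, 0x31,0xdb, 0xcd,0x80 };
static const unsigned char elf_magic[4] = { 0x7f, 'E', 'L', 'F' };

/* Constructed sample image: Ehdr at 0, one PT_LOAD phdr at 52, stub at 0x60. */
size_t build_image(unsigned char *img, size_t len)
{
    Elf32_Ehdr eh; Elf32_Phdr ph;
    if (len < IMG_LEN) return 0;
    memset(img, 0, IMG_LEN); memset(&eh, 0, sizeof eh); memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, elf_magic, 4);
    eh.e_ident[4] = ELFCLASS32; eh.e_ident[5] = 1; eh.e_ident[6] = 1;  /* ELFDATA2LSB, EV_CURRENT */
    eh.e_type = ET_EXEC; eh.e_machine = 3; eh.e_version = 1;           /* EM_386 */
    eh.e_entry = BASE_VA + TEXT_OFF; eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = PT_LOAD; ph.p_vaddr = ph.p_paddr = BASE_VA;             /* p_offset = 0 */
    ph.p_filesz = ph.p_memsz = IMG_LEN; ph.p_flags = 5; ph.p_align = PAGE_BYTES; /* PF_R|PF_X */
    memcpy(img, &eh, sizeof eh); memcpy(img + eh.e_phoff, &ph, sizeof ph);
    memcpy(img + TEXT_OFF, stub, sizeof stub);
    return IMG_LEN;
}

/* Copy out the header after checking magic, class and that the whole phdr table is inside the file. */
int elf32_ehdr(const unsigned char *img, size_t len, Elf32_Ehdr *eh)
{
    if (len < sizeof *eh) return 0;
    memcpy(eh, img, sizeof *eh);
    if (memcmp(eh->e_ident, elf_magic, 4) != 0 || eh->e_ident[4] != ELFCLASS32) return 0;
    if (eh->e_phentsize != sizeof(Elf32_Phdr)) return 0;
    return (size_t)eh->e_phoff + (size_t)eh->e_phnum * sizeof(Elf32_Phdr) <= len;
}

/* FreeBSD rule from the notes: the program header table must lie in the first page. */
int phdrs_in_first_page(const Elf32_Ehdr *eh)
{
    return (size_t)eh->e_phoff + (size_t)eh->e_phnum * eh->e_phentsize <= PAGE_BYTES;
}

/* Find the PT_LOAD whose memory range covers vaddr (e.g. e_entry); table bounds were checked by elf32_ehdr. */
int find_load_segment(const unsigned char *img, const Elf32_Ehdr *eh, uint32_t vaddr, Elf32_Phdr *out)
{
    for (unsigned i = 0; i < eh->e_phnum; i++) {
        memcpy(out, img + eh->e_phoff + (size_t)i * sizeof *out, sizeof *out);
        if (out->p_type == PT_LOAD && vaddr >= out->p_vaddr && vaddr - out->p_vaddr < out->p_memsz)
            return 1;
    }
    return 0;
}

/* XOR the file-backed bytes of ph from vaddr to the end of p_filesz with a one-byte key;
 * a second call restores them. Returns bytes touched, 0 if the range is not file-backed or past EOF. */
size_t xor_segment_from(unsigned char *img, size_t len, const Elf32_Phdr *ph, uint32_t vaddr, uint8_t key)
{
    size_t start, end = (size_t)ph->p_offset + ph->p_filesz;
    if (vaddr < ph->p_vaddr || vaddr - ph->p_vaddr >= ph->p_filesz || end > len) return 0;
    start = (size_t)ph->p_offset + (vaddr - ph->p_vaddr);
    for (size_t i = start; i < end; i++) img[i] ^= key;
    return end - start;
}

/* End-to-end run on the sample; returns bytes encrypted (32) or 0 on any failure. */
size_t demo(void)
{
    static unsigned char img[IMG_LEN];
    Elf32_Ehdr eh, bad; Elf32_Phdr text; size_t len = build_image(img, sizeof img), n;
    if (!len || !elf32_ehdr(img, len, &eh) || eh.e_type != ET_EXEC) return 0;
    if (!phdrs_in_first_page(&eh)) return 0;
    if (elf32_ehdr(img, sizeof eh + 1, &bad)) return 0;      /* truncated phdr table must be rejected */
    if (!find_load_segment(img, &eh, eh.e_entry, &text)) return 0;
    n = xor_segment_from(img, len, &text, eh.e_entry, 0x5a);
    if (n != (size_t)(IMG_LEN - TEXT_OFF) || img[TEXT_OFF] != (stub[0] ^ 0x5a)) return 0;
    if (xor_segment_from(img, len, &text, eh.e_entry, 0x5a) != n) return 0;
    return memcmp(img + TEXT_OFF, stub, sizeof stub) == 0 ? n : 0; /* round trip intact */
}

int main(void) { size_t n = demo(); printf("%zu bytes encrypted and restored\n", n); return n ? 0 : 1; }
```

Build with `cc -std=c99 -Wall`. The XOR is symmetric, so one routine is both encryptor and decryptor, which is also why a one-byte key is worthless against the brute-force attack the notes list: 256 guesses against known opcode bytes recover it. The real tools on this page (dacryfile, burneye) go further with RC4 and a decryptor stub reached from a redirected entry point; this example only shows the header walk and the file-offset arithmetic that such a stub depends on.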
| References |
|---|
| Tool Interface Standard, Executable and Linking Format (ELF) Specification, Version 1.2 |
| Silvio Cesare, Unix viruses |
| Silvio Cesare, Unix ELF parasites and virus |
| klog, Phrack #56 article 9, Backdooring binary objects |
| Silvio Cesare, The ‘VIT’ virus |
| Konrad Rieck and Konrad Kretschmer, Brundle-Fly, a good-natured Linux ELF virus |
| The grugq, dacryfile binary encryptor |
| John R. Levine, Linkers & Loaders |
| Linux ptrace man page (see if you can catch the three errors) |
| PrivateICE Linux system level symbolic source debugger |
| Konstantin Boldyshev, Startup state of Linux/i386 ELF binary |
| UPX, the Ultimate Packer for eXecutables |
| GNU binutils |
| Forensic analysis of a burneye protected binary https://web.archive.org/web/20011116055516/http://staff.washington.edu/dittrich/misc/ssh-analysis.txt |
| https://web.archive.org/web/20030419202924/http://www.incidents.org/papers/ssh_exploit.pdf |
| The grugq, Subversive Dynamic Linking |