eBook - ePub
Learning Linux Binary Analysis
Ryan `elfmaster` O'Neill
This is a test
Share book
- 282 pages
- English
- ePUB (mobile friendly)
- Available on iOS & Android
eBook - ePub
Learning Linux Binary Analysis
Ryan `elfmaster` O'Neill
Book details
Book preview
Table of contents
Citations
About This Book
Uncover the secrets of Linux binary analysis with this handy guide
About This Book
- Grasp the intricacies of the ELF binary format of UNIX and Linux
- Design tools for reverse engineering and binary forensic analysis
- Insights into UNIX and Linux memory infections, ELF viruses, and binary protection schemes
Who This Book Is For
If you are a software engineer or reverse engineer and want to learn more about Linux binary analysis, this book will provide you with all you need to implement solutions for binary analysis in areas of security, forensics, and antivirus. This book is great for both security enthusiasts and system level engineers. Some experience with the C programming language and the Linux command line is assumed.
What You Will Learn
- Explore the internal workings of the ELF binary format
- Discover techniques for UNIX Virus infection and analysis
- Work with binary hardening and software anti-tamper methods
- Patch executables and process memory
- Bypass anti-debugging measures used in malware
- Perform advanced forensic analysis of binaries
- Design ELF-related tools in the C language
- Learn to operate on memory with ptrace
In Detail
Learning Linux Binary Analysis is packed with knowledge and code that will teach you the inner workings of the ELF format, and the methods used by hackers and security analysts for virus analysis, binary patching, software protection and more.
This book will start by taking you through UNIX/Linux object utilities, and will move on to teaching you all about the ELF specimen. You will learn about process tracing, and will explore the different types of Linux and UNIX viruses, and how you can make use of ELF Virus Technology to deal with them.
The latter half of the book discusses the usage of Kprobe instrumentation for kernel hacking, code patching, and debugging. You will discover how to detect and disinfect kernel-mode rootkits, and move on to analyze static code. Finally, you will be walked through complex userspace memory infection analysis.
This book will lead you into territory that is uncharted even by some experts; right into the world of the computer hacker.
Style and approach
The material in this book provides detailed insight into the arcane arts of hacking, coding, reverse engineering Linux executables, and dissecting process memory. In the computer security industry these skills are priceless, and scarce. The tutorials are filled with knowledge gained through first hand experience, and are complemented with frequent examples including source code.
Frequently asked questions
How do I cancel my subscription?
Can/how do I download books?
At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.
What is the difference between the pricing plans?
Both plans give you full access to the library and all of Perlego’s features. The only differences are the price and subscription period: With the annual plan you’ll save around 30% compared to 12 months on the monthly plan.
What is Perlego?
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, we’ve got you covered! Learn more here.
Do you support text-to-speech?
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Is Learning Linux Binary Analysis an online PDF/ePUB?
Yes, you can access Learning Linux Binary Analysis by Ryan `elfmaster` O'Neill in PDF and/or ePUB format, as well as other popular books in Computer Science & Open Source Programming. We have over one million books available in our catalogue for you to explore.
Information
Learning Linux Binary Analysis
Table of Contents
Learning Linux Binary Analysis
Credits
About the Author
Acknowledgments
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. The Linux Environment and Its Tools
Linux tools
GDB
Objdump from GNU binutils
Objcopy from GNU binutils
strace
ltrace
Basic ltrace command
ftrace
readelf
ERESI – The ELF reverse engineering system interface
Useful devices and files
/proc/<pid>/maps
/proc/kcore
/boot/System.map
/proc/kallsyms
/proc/iomem
ECFS
Linker-related environment points
The LD_PRELOAD environment variable
The LD_SHOW_AUXV environment variable
Linker scripts
Summary
2. The ELF Binary Format
ELF file types
ELF program headers
PT_LOAD
PT_DYNAMIC – Phdr for the dynamic segment
PT_NOTE
PT_INTERP
PT_PHDR
ELF section headers
The .text section
The .rodata section
The .plt section
The .data section
The .bss section
The .got.plt section
The .dynsym section
The .dynstr section
The .rel.* section
The .hash section
The .symtab section
The .strtab section
The .shstrtab section
The .ctors and .dtors sections
ELF symbols
st_name
st_value
st_size
st_other
st_shndx
st_info
Symbol types
Symbol bindings
ELF relocations
Relocatable code injection-based binary patching
ELF dynamic linking
The auxiliary vector
Learning about the PLT/GOT
The dynamic segment revisited
DT_NEEDED
DT_SYMTAB
DT_HASH
DT_STRTAB
DT_PLTGOT
Coding an ELF Parser
Summary
3. Linux Process Tracing
The importance of ptrace
ptrace requests
ptrace request types
The process register state and flags
A simple ptrace-based debugger
Using the tracer program
A simple ptrace debugger with process attach capabilities
Advanced function-tracing software
ptrace and forensic analysis
What to look for in the memory
Process image reconstruction – from the memory to the executable
Challenges for process-executable reconstruction
Challenges for executable reconstruction
PLT/GOT integrity
Adding a section header table
The algorithm for the process
Process reconstruction with Quenya on a 32-bit test environment
Code injection with ptrace
Simple examples aren't always so trivial
Demonstrating the code_inject tool
A ptrace anti-debugging trick
Is your program being traced?
Summary
4. ELF Virus Technology – Linux/Unix Viruses
ELF virus technology
ELF virus engineering challenges
Parasite code must be self-contained
Solution
Complications with string storage
Solution
Finding legitimate space to store parasite code
Solution
Passing the execution control flow to the parasite
Solution
ELF virus parasite infection methods
The Silvio padding infection method
Algorithm for the Silvio .text infection method
An example of text segment padding infection
Adjusting the ELF headers
Inserting the parasite code
Example of using the functions above
The LPV virus
Use cases for the Silvio padding infection
The reverse text infection
Algorithm for reverse text infection
Data segment infections
Algorithm for data segment infection
The PT_NOTE to PT_LOAD conversion infection method
Algorithm for PT_NOTE to PT_LOAD conversion infections
Infecting control flow
Direct PLT infection
Function trampolines
Overwriting the .ctors/.dtors function pointers
GOT – global offset table poisoning or PLT/GOT redirection
Infecting data structures
Function pointer overwrites
Process memory viruses and rootkits – remote code injection techniques
Shared library injection – .so injection/ET_DYN injection
.so injection with LD_PRELOAD
Illustration 4.7 – using LD_PRELOAD to inject wicked.so.1
.so injection with open()/mmap() shellcode
.so injection with dlopen() shellcode
Illustration 4.8 – C code invoking __libc_dlopen_mode()
.so injection with VDSO manipulation
Text segment code injections
Executable injections
Relocatable code injection – the ET_REL injection
ELF anti-debugging and packing techniques
The PTRACE_TRACEME technique
Illustration 4.9 – an anti-debug with PTRACE_TRACEME example
The SIGTRAP handler technique
The /proc/self/status technique
The code obfuscation technique
The string table transformation technique
ELF virus detection and disinfection
Summary
5. Linux Binary Protection
ELF binary packers – dumb protectors
Stub mechanics and the userland exec
An example of a protector
Other jobs performed by protector stubs
Existing ELF binary protectors
DacryFile by the Grugq – 2001
Burneye by Scut – 2002
Shiva by Neil Mehta and Shawn Clowes – 2003
Maya's Veil by Ryan O'Neill – 2014
Maya's protection layers
Layer 1
Layer 2
Layer 3
Maya's nanomites
Maya's anti-exploitation
Source code of vuln.c
Example of exploiting vuln.c
Downloading Maya-protected binaries
Anti-debugging for binary protection
Resistance to emulation
Detecting emulation through syscall testing
Detecting emulated CPU inconsistencies
Checking timing delays between certain instructions
Obfuscation methods
Protecting control flow integrity
Attacks based on ptrace
Security vulnerability-based attacks
Other resources
Summary
6. ELF Binary Forensics in Linux
The science of detecting entry point modification
Detecting other forms of control flow hijacking
Patching the .ctors/.init_array section
Detecting PLT/GOT hooks
Truncated output from readelf -S command
Detecting function trampolines
Identifying parasite code characteristics
Checking the dynamic segment for DLL injection traces
Identifying reverse text padding infections
Identifying text segment padding infections
Identifying protected binaries
Analyzing a protected binary
IDA Pro
Summary
7. Process Memory Forensics
What does a process look like?
Executable memory mappings
The program heap
Shared library mappings
The stack, vdso, and vsyscall
Process memory infection
Process infection tools
Process infection techniques
Injection methods
Techniques for hijacking execution
Detecting the ET_DYN injection
Azazel userland rootkit detection
Mapping out the process address space
Finding LD_PRELOAD on the stack
Detecting PLT/GOT hooks
Identifying incorrect GOT addresses
ET_DYN injection internals
Example – finding the symbol for __libc_dlopen_mode
Code example – the __libc_dlopen_mode shellcode
Code example – libc symbol resolution
Code example – the x86_32 shellcode to mmap() an ET_DYN object
Manipulating VDSO to perform dirty work
Shared object loading – legitimate or not?
Legitimate shared object loading
Illegitimate shared object loading
Heuristics for .so injection detection
Tools for detecting PLT/GOT hooks
Linux ELF core files
Analysis of the core file – the Azazel rootkit
Starting up an Azazel infected process and gett...