Learning Linux Binary Analysis
eBook - ePub

Learning Linux Binary Analysis

Ryan `elfmaster` O'Neill

282 pages
English


About this book

Uncover the secrets of Linux binary analysis with this handy guide

About This Book

  • Grasp the intricacies of the ELF binary format of UNIX and Linux
  • Design tools for reverse engineering and binary forensic analysis
  • Insights into UNIX and Linux memory infections, ELF viruses, and binary protection schemes

Who This Book Is For

If you are a software engineer or reverse engineer and want to learn more about Linux binary analysis, this book will provide you with all you need to implement solutions for binary analysis in areas of security, forensics, and antivirus. This book is great for both security enthusiasts and system level engineers. Some experience with the C programming language and the Linux command line is assumed.

What You Will Learn

  • Explore the internal workings of the ELF binary format
  • Discover techniques for UNIX Virus infection and analysis
  • Work with binary hardening and software anti-tamper methods
  • Patch executables and process memory
  • Bypass anti-debugging measures used in malware
  • Perform advanced forensic analysis of binaries
  • Design ELF-related tools in the C language
  • Learn to operate on memory with ptrace

In Detail

Learning Linux Binary Analysis is packed with knowledge and code that will teach you the inner workings of the ELF format, and the methods used by hackers and security analysts for virus analysis, binary patching, software protection and more.

This book will start by taking you through UNIX/Linux object utilities, and will move on to teaching you all about the ELF specimen. You will learn about process tracing, and will explore the different types of Linux and UNIX viruses, and how you can make use of ELF Virus Technology to deal with them.

The latter half of the book discusses the usage of Kprobe instrumentation for kernel hacking, code patching, and debugging. You will discover how to detect and disinfect kernel-mode rootkits, and move on to analyze static code. Finally, you will be walked through complex userspace memory infection analysis.

This book will lead you into territory that is uncharted even by some experts; right into the world of the computer hacker.

Style and approach

The material in this book provides detailed insight into the arcane arts of hacking, coding, reverse engineering Linux executables, and dissecting process memory. In the computer security industry these skills are priceless, and scarce. The tutorials are filled with knowledge gained through first hand experience, and are complemented with frequent examples including source code.


Information

Year
2016
ISBN
9781782167105

Table of Contents

Learning Linux Binary Analysis
Credits
About the Author
Acknowledgments
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. The Linux Environment and Its Tools
Linux tools
GDB
Objdump from GNU binutils
Objcopy from GNU binutils
strace
ltrace
Basic ltrace command
ftrace
readelf
ERESI – The ELF reverse engineering system interface
Useful devices and files
/proc/<pid>/maps
/proc/kcore
/boot/System.map
/proc/kallsyms
/proc/iomem
ECFS
Linker-related environment points
The LD_PRELOAD environment variable
The LD_SHOW_AUXV environment variable
Linker scripts
Summary
2. The ELF Binary Format
ELF file types
ELF program headers
PT_LOAD
PT_DYNAMIC – Phdr for the dynamic segment
PT_NOTE
PT_INTERP
PT_PHDR
ELF section headers
The .text section
The .rodata section
The .plt section
The .data section
The .bss section
The .got.plt section
The .dynsym section
The .dynstr section
The .rel.* section
The .hash section
The .symtab section
The .strtab section
The .shstrtab section
The .ctors and .dtors sections
ELF symbols
st_name
st_value
st_size
st_other
st_shndx
st_info
Symbol types
Symbol bindings
ELF relocations
Relocatable code injection-based binary patching
ELF dynamic linking
The auxiliary vector
Learning about the PLT/GOT
The dynamic segment revisited
DT_NEEDED
DT_SYMTAB
DT_HASH
DT_STRTAB
DT_PLTGOT
Coding an ELF Parser
Summary
3. Linux Process Tracing
The importance of ptrace
ptrace requests
ptrace request types
The process register state and flags
A simple ptrace-based debugger
Using the tracer program
A simple ptrace debugger with process attach capabilities
Advanced function-tracing software
ptrace and forensic analysis
What to look for in the memory
Process image reconstruction – from the memory to the executable
Challenges for process-executable reconstruction
Challenges for executable reconstruction
PLT/GOT integrity
Adding a section header table
The algorithm for the process
Process reconstruction with Quenya on a 32-bit test environment
Code injection with ptrace
Simple examples aren't always so trivial
Demonstrating the code_inject tool
A ptrace anti-debugging trick
Is your program being traced?
Summary
4. ELF Virus Technology – Linux/Unix Viruses
ELF virus technology
ELF virus engineering challenges
Parasite code must be self-contained
Solution
Complications with string storage
Solution
Finding legitimate space to store parasite code
Solution
Passing the execution control flow to the parasite
Solution
ELF virus parasite infection methods
The Silvio padding infection method
Algorithm for the Silvio .text infection method
An example of text segment padding infection
Adjusting the ELF headers
Inserting the parasite code
Example of using the functions above
The LPV virus
Use cases for the Silvio padding infection
The reverse text infection
Algorithm for reverse text infection
Data segment infections
Algorithm for data segment infection
The PT_NOTE to PT_LOAD conversion infection method
Algorithm for PT_NOTE to PT_LOAD conversion infections
Infecting control flow
Direct PLT infection
Function trampolines
Overwriting the .ctors/.dtors function pointers
GOT – global offset table poisoning or PLT/GOT redirection
Infecting data structures
Function pointer overwrites
Process memory viruses and rootkits – remote code injection techniques
Shared library injection – .so injection/ET_DYN injection
.so injection with LD_PRELOAD
Illustration 4.7 – using LD_PRELOAD to inject wicked.so.1
.so injection with open()/mmap() shellcode
.so injection with dlopen() shellcode
Illustration 4.8 – C code invoking __libc_dlopen_mode()
.so injection with VDSO manipulation
Text segment code injections
Executable injections
Relocatable code injection – the ET_REL injection
ELF anti-debugging and packing techniques
The PTRACE_TRACEME technique
Illustration 4.9 – an anti-debug with PTRACE_TRACEME example
The SIGTRAP handler technique
The /proc/self/status technique
The code obfuscation technique
The string table transformation technique
ELF virus detection and disinfection
Summary
5. Linux Binary Protection
ELF binary packers – dumb protectors
Stub mechanics and the userland exec
An example of a protector
Other jobs performed by protector stubs
Existing ELF binary protectors
DacryFile by the Grugq – 2001
Burneye by Scut – 2002
Shiva by Neil Mehta and Shawn Clowes – 2003
Maya's Veil by Ryan O'Neill – 2014
Maya's protection layers
Layer 1
Layer 2
Layer 3
Maya's nanomites
Maya's anti-exploitation
Source code of vuln.c
Example of exploiting vuln.c
Downloading Maya-protected binaries
Anti-debugging for binary protection
Resistance to emulation
Detecting emulation through syscall testing
Detecting emulated CPU inconsistencies
Checking timing delays between certain instructions
Obfuscation methods
Protecting control flow integrity
Attacks based on ptrace
Security vulnerability-based attacks
Other resources
Summary
6. ELF Binary Forensics in Linux
The science of detecting entry point modification
Detecting other forms of control flow hijacking
Patching the .ctors/.init_array section
Detecting PLT/GOT hooks
Truncated output from readelf -S command
Detecting function trampolines
Identifying parasite code characteristics
Checking the dynamic segment for DLL injection traces
Identifying reverse text padding infections
Identifying text segment padding infections
Identifying protected binaries
Analyzing a protected binary
IDA Pro
Summary
7. Process Memory Forensics
What does a process look like?
Executable memory mappings
The program heap
Shared library mappings
The stack, vdso, and vsyscall
Process memory infection
Process infection tools
Process infection techniques
Injection methods
Techniques for hijacking execution
Detecting the ET_DYN injection
Azazel userland rootkit detection
Mapping out the process address space
Finding LD_PRELOAD on the stack
Detecting PLT/GOT hooks
Identifying incorrect GOT addresses
ET_DYN injection internals
Example – finding the symbol for __libc_dlopen_mode
Code example – the __libc_dlopen_mode shellcode
Code example – libc symbol resolution
Code example – the x86_32 shellcode to mmap() an ET_DYN object
Manipulating VDSO to perform dirty work
Shared object loading – legitimate or not?
Legitimate shared object loading
Illegitimate shared object loading
Heuristics for .so injection detection
Tools for detecting PLT/GOT hooks
Linux ELF core files
Analysis of the core file – the Azazel rootkit
Starting up an Azazel infected process and gett...
