book

Learning Linux Binary Analysis

Name: Learning Linux Binary Analysis
Author: Ryan elfmaster O'Neill
ISBN: 9781782167105

by Ryan elfmaster O'Neill

February 2016

Beginner to intermediate

282 pages

6h 52m

English

Packt Publishing

Read now

Unlock full access

Learning Linux Binary Analysis
Table of Contents
Learning Linux Binary Analysis
Credits
About the Author
Acknowledgments
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and moreWhy subscribe?Free access for Packt account holders
Preface
What this book covers
What you need for this book

Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example codeErrataPiracyQuestions
1. The Linux Environment and Its Tools
Linux toolsGDBObjdump from GNU binutilsObjcopy from GNU binutilsstraceltraceBasic ltrace commandftracereadelfERESI – The ELF reverse engineering system interface
Useful devices and files
/proc/<pid>/maps/proc/kcore/boot/System.map/proc/kallsyms/proc/iomemECFS
Linker-related environment points
The LD_PRELOAD environment variableThe LD_SHOW_AUXV environment variableLinker scripts
Summary
2. The ELF Binary Format
ELF file types
ELF program headers
PT_LOADPT_DYNAMIC – Phdr for the dynamic segmentPT_NOTEPT_INTERPPT_PHDR
ELF section headers
The .text sectionThe .rodata sectionThe .plt sectionThe .data sectionThe .bss sectionThe .got.plt sectionThe .dynsym sectionThe .dynstr sectionThe .rel.* sectionThe .hash sectionThe .symtab sectionThe .strtab sectionThe .shstrtab sectionThe .ctors and .dtors sections
ELF symbols
st_namest_valuest_sizest_otherst_shndxst_infoSymbol typesSymbol bindings
ELF relocations
Relocatable code injection-based binary patching
ELF dynamic linking
The auxiliary vectorLearning about the PLT/GOTThe dynamic segment revisitedDT_NEEDEDDT_SYMTABDT_HASHDT_STRTABDT_PLTGOT
Coding an ELF Parser
Summary
3. Linux Process Tracing
The importance of ptrace
ptrace requests
ptrace request types
The process register state and flags
A simple ptrace-based debugger
Using the tracer program
A simple ptrace debugger with process attach capabilities
Advanced function-tracing software
ptrace and forensic analysis
What to look for in the memory
Process image reconstruction – from the memory to the executable
Challenges for process-executable reconstructionChallenges for executable reconstructionPLT/GOT integrityAdding a section header tableThe algorithm for the processProcess reconstruction with Quenya on a 32-bit test environment
Code injection with ptrace
Simple examples aren't always so trivial
Demonstrating the code_inject tool
A ptrace anti-debugging trick
Is your program being traced?
Summary
4. ELF Virus Technology – Linux/Unix Viruses
ELF virus technology
ELF virus engineering challenges
Parasite code must be self-containedSolutionComplications with string storageSolutionFinding legitimate space to store parasite codeSolutionPassing the execution control flow to the parasiteSolution
ELF virus parasite infection methods
The Silvio padding infection methodAlgorithm for the Silvio .text infection methodAn example of text segment padding infectionAdjusting the ELF headersInserting the parasite codeExample of using the functions aboveThe LPV virusUse cases for the Silvio padding infectionThe reverse text infectionAlgorithm for reverse text infectionData segment infectionsAlgorithm for data segment infection
The PT_NOTE to PT_LOAD conversion infection method
Algorithm for PT_NOTE to PT_LOAD conversion infections
Infecting control flow
Direct PLT infectionFunction trampolinesOverwriting the .ctors/.dtors function pointersGOT – global offset table poisoning or PLT/GOT redirectionInfecting data structuresFunction pointer overwrites
Process memory viruses and rootkits – remote code injection techniques
Shared library injection – .so injection/ET_DYN injection.so injection with LD_PRELOADIllustration 4.7 – using LD_PRELOAD to inject wicked.so.1.so injection with open()/mmap() shellcode.so injection with dlopen() shellcodeIllustration 4.8 – C code invoking __libc_dlopen_mode().so injection with VDSO manipulationText segment code injectionsExecutable injectionsRelocatable code injection – the ET_REL injection
ELF anti-debugging and packing techniques
The PTRACE_TRACEME techniqueIllustration 4.9 – an anti-debug with PTRACE_TRACEME exampleThe SIGTRAP handler techniqueThe /proc/self/status techniqueThe code obfuscation techniqueThe string table transformation technique
ELF virus detection and disinfection
Summary
5. Linux Binary Protection
ELF binary packers – dumb protectors
Stub mechanics and the userland exec
An example of a protector
Other jobs performed by protector stubs
Existing ELF binary protectors
DacryFile by the Grugq – 2001Burneye by Scut – 2002Shiva by Neil Mehta and Shawn Clowes – 2003Maya's Veil by Ryan O'Neill – 2014Maya's protection layersLayer 1Layer 2Layer 3Maya's nanomitesMaya's anti-exploitationSource code of vuln.cExample of exploiting vuln.c
Downloading Maya-protected binaries
Anti-debugging for binary protection
Resistance to emulation
Detecting emulation through syscall testingDetecting emulated CPU inconsistenciesChecking timing delays between certain instructions
Obfuscation methods
Protecting control flow integrity
Attacks based on ptraceSecurity vulnerability-based attacks
Other resources
Summary
6. ELF Binary Forensics in Linux
The science of detecting entry point modification
Detecting other forms of control flow hijacking
Patching the .ctors/.init_array sectionDetecting PLT/GOT hooksTruncated output from readelf -S commandDetecting function trampolines
Identifying parasite code characteristics
Checking the dynamic segment for DLL injection traces
Identifying reverse text padding infections
Identifying text segment padding infections
Identifying protected binaries
Analyzing a protected binary
IDA Pro
Summary
7. Process Memory Forensics
What does a process look like?Executable memory mappingsThe program heapShared library mappingsThe stack, vdso, and vsyscall
Process memory infection
Process infection toolsProcess infection techniquesInjection methodsTechniques for hijacking execution
Detecting the ET_DYN injection
Azazel userland rootkit detectionMapping out the process address spaceFinding LD_PRELOAD on the stackDetecting PLT/GOT hooksIdentifying incorrect GOT addressesET_DYN injection internalsExample – finding the symbol for __libc_dlopen_modeCode example – the __libc_dlopen_mode shellcodeCode example – libc symbol resolutionCode example – the x86_32 shellcode to mmap() an ET_DYN objectManipulating VDSO to perform dirty workShared object loading – legitimate or not?Legitimate shared object loadingIllegitimate shared object loadingHeuristics for .so injection detectionTools for detecting PLT/GOT hooks
Linux ELF core files
Analysis of the core file – the Azazel rootkitStarting up an Azazel infected process and getting a core dumpCore file program headersThe PT_NOTE segmentPT_LOAD segments and the downfalls of core files for forensics purposesUsing a core file with GDB for forensics
Summary
8. ECFS – Extended Core File Snapshot Technology
History
The ECFS philosophy
Getting started with ECFS
Plugging ECFS into the core handlerECFS snapshots without killing the process
libecfs – a library for parsing ECFS files
readecfs
Examining an infected process using ECFS
Infecting the host processCapturing and analyzing an ECFS snapshotThe symbol table analysisThe section header analysisExtracting parasite code with readecfsAnalyzing the Azazel userland rootkitThe symbol table of the host2 process reconstructedThe section header table of the host2 process reconstructedValidating the PLT/GOT with ECFSThe readecfs output for PLT/GOT validation
The ECFS reference guide
ECFS symbol table reconstructionECFS section headersUsing an ECFS file as a regular core fileThe libecfs API and how to use it
Process necromancy with ECFS
Learning more about ECFS
Summary
9. Linux /proc/kcore Analysis
Linux kernel forensics and rootkits
stock vmlinux has no symbols
Building a proper vmlinux with kdress
/proc/kcore and GDB exploration
An example of navigating sys_call_table
Direct sys_call_table modifications
Detecting sys_call_table modificationsAn example of validating the integrity of a syscallKernel function trampolinesExample of function trampolinesAn example code for hijacking sys_write on a 32-bit kernelDetecting function trampolinesAn example with the ret instructionAn example with indirect jmpAn example with relative jmpInterrupt handler patching – int 0x80, syscallDetecting interrupt handler patching
Kprobe rootkits
Detecting kprobe rootkits
Debug register rootkits – DRR
Detecting DRR
VFS layer rootkits
Detecting VFS layer rootkitsAn example of validating a VFS function pointer
Other kernel infection techniques
vmlinux and .altinstructions patching
.altinstructions and .altinstr_replaceFrom arch/x86/include/asm/alternative.hUsing textify to verify kernel code integrityAn example of using textify to check sys_call_table
Using taskverse to see hidden processes
Taskverse techniques
Infected LKMs – kernel drivers
Method 1 for infecting LKM files – symbol hijackingMethod 2 for infecting LKM files (function hijacking)Detecting infected LKMs
Notes on /dev/kmem and /dev/mem
/dev/mem
FreeBSD /dev/kmem
K-ecfs – kernel ECFS
A sneak peek of the kernel-ecfs file
Kernel hacking goodies
General reverse engineering and debuggingAdvanced kernel hacking/debugging interfacesPapers mentioned in this chapter
Summary
Index

Content preview from Learning Linux Binary Analysis

Process memory infection

There are many rootkits, viruses, backdoors, and other tools out there that can be used to infect a system's userland memory. We will now name and describe a few of these.

Process infection tools

Azazel: This is a simple but effective LD_PRELOAD injection userland rootkit for Linux that is based on its predecessor rootkit named Jynx. LD_PRELOAD rootkits will preload a shared object into the program that you want to infect. Typically, such a rootkit will hijack functions such as open, read, write, and so on. These hijacked functions will show up as PLT hooks (modified GOT). For more information, visit https://github.com/chokepoint/azazel.
Saruman: This is a relatively new anti-forensics infection technique that allows a user ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781782167105

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Learning Linux Binary Analysis

by Ryan elfmaster O'Neill

Process memory infection

Process infection tools

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.