book

Practical Binary Analysis

by Dennis Andriesse

December 2018

Beginner to intermediate

456 pages

12h 45m

English

No Starch Press

Read now

Unlock full access

What Is Binary Analysis, and Why Do You Need It?What Makes Binary Analysis Challenging?Who Should Read This Book?What’s in This Book?How to Use This Book
1.1 The C Compilation Process1.2 Symbols and Stripped Binaries1.3 Disassembling a Binary1.4 Loading and Executing a Binary1.5 SummaryExercises
2.1 The Executable Header2.2 Section Headers2.3 Sections2.4 Program Headers2.5 SummaryExercises
3.1 The MS-DOS Header and MS-DOS Stub3.2 The PE Signature, File Header, and Optional Header3.3 The Section Header Table3.4 Sections3.5 SummaryExercises
4.1 What Is libbfd?4.2 A Simple Binary-Loading Interface4.3 Implementing the Binary Loader4.4 Testing the Binary Loader4.5 SummaryExercises
5.1 Resolving Identity Crises Using file5.2 Using ldd to Explore Dependencies5.3 Viewing File Contents with xxd5.4 Parsing the Extracted ELF with readelf5.5 Parsing Symbols with nm5.6 Looking for Hints with strings5.7 Tracing System Calls and Library Calls with strace and ltrace5.8 Examining Instruction-Level Behavior Using objdump5.9 Dumping a Dynamic String Buffer Using gdb5.10 SummaryExercise
6.1 Static Disassembly6.2 Dynamic Disassembly6.3 Structuring Disassembled Code and Data6.4 Fundamental Analysis Methods6.5 Effects of Compiler Settings on Disassembly6.6 SummaryExercises
7.1 Bare-Metal Binary Modification Using Hex Editing7.2 Modifying Shared Library Behavior Using LD_PRELOAD7.3 Injecting a Code Section7.4 Calling Injected Code7.5 SummaryExercises
8.1 Why Write a Custom Disassembly Pass?8.2 Introduction to Capstone8.3 Implementing a ROP Gadget Scanner8.4 SummaryExercises
9.1 What Is Binary Instrumentation?9.2 Static Binary Instrumentation9.3 Dynamic Binary Instrumentation9.4 Profiling with Pin9.5 Automatic Binary Unpacking with Pin9.6 SummaryExercises
10.1 What Is DTA?10.2 DTA in Three Steps: Taint Sources, Taint Sinks, and Taint Propagation10.3 Using DTA to Detect the Heartbleed Bug10.4 DTA Design Factors: Taint Granularity, Taint Colors, and Taint Policies10.5 SummaryExercise
11.1 Introducing libdft11.2 Using DTA to Detect Remote Control-Hijacking11.3 Circumventing DTA with Implicit Flows11.4 A DTA-Based Data Exfiltration Detector11.5 SummaryExercise
12.1 An Overview of Symbolic Execution12.2 Constraint Solving with Z312.3 SummaryExercises
13.1 Introduction to Triton13.2 Maintaining Symbolic State with Abstract Syntax Trees13.3 Backward Slicing with Triton13.4 Using Triton to Increase Code Coverage13.5 Automatically Exploiting a Vulnerability13.6 SummaryExercise
A.1 Layout of an Assembly ProgramA.2 Structure of an x86 InstructionA.3 Common x86 InstructionsA.4 Common Code Constructs in Assembly
B.1 Required HeadersB.2 Data Structures Used in elfinjectB.3 Initializing libelfB.4 Getting the Executable HeaderB.5 Finding the PT_NOTE SegmentB.6 Injecting the Code BytesB.7 Aligning the Load Address for the Injected SectionB.8 Overwriting the .note.ABI-tag Section HeaderB.9 Setting the Name of the Injected SectionB.10 Overwriting the PT_NOTE Program HeaderB.11 Modifying the Entry Point
C.1 DisassemblersC.2 DebuggersC.3 Disassembly FrameworksC.4 Binary Analysis Frameworks
D.1 Standards and ReferencesD.2 Papers and ArticlesD.3 Books

Overview

As malware increasingly obfuscates itself and applies anti-analysis techniques to thwart our analysis, we need more sophisticated methods that allow us to raise that dark curtain designed to keep us out—binary analysis can help. The goal of all binary analysis is to determine (and possibly modify) the true properties of binary programs to understand what they really do, rather than what we think they should do. While reverse engineering and disassembly are critical first steps in many forms of binary analysis, there is much more to be learned.

This hands-on guide teaches you how to tackle the fascinating but challenging topics of binary analysis and instrumentation and helps you become proficient in an area typically only mastered by a small group of expert hackers. It will take you from basic concepts to state-of-the-art methods as you dig into topics like code injection, disassembly, dynamic taint analysis, and binary instrumentation. Written for security engineers, hackers, and those with a basic working knowledge of C/C++ and x86-64, Practical Binary Analysis will teach you in-depth how binary programs work and help you acquire the tools and techniques needed to gain more control and insight into binary programs.

Once you’ve completed an introduction to basic binary formats, you’ll learn how to analyze binaries using techniques like the GNU/Linux binary analysis toolchain, disassembly, and code injection. You’ll then go on to implement profiling tools with Pin and learn how to build your own dynamic taint analysis tools with libdft and symbolic execution tools using Triton. You’ll learn how to:

•Parse ELF and PE binaries and build a binary loader with libbfd
•Use data-flow analysis techniques like program tracing, slicing, and reaching definitions analysis to reason about runtime flow of your programs
•Modify ELF binaries with techniques like parasitic code injection and hex editing
•Build custom disassembly tools with Capstone
•Use binary instrumentation to circumvent anti-analysis tricks commonly used by malware
•Apply taint analysis to detect control hijacking and data leak attacks
•Use symbolic execution to build automatic exploitation tools

With exercises at the end of each chapter to help solidify your skills, you’ll go from understanding basic assembly to performing some of the most sophisticated binary analysis and instrumentation. Practical Binary Analysis gives you what you need to work effectively with binary programs and transform your knowledge from basic understanding to expert-level proficiency.