Learning Linux Binary Analysis
First published: February 2016
Production reference: 1250216
Published by Packt Publishing Ltd., Livery Place, 35 Livery Street, Birmingham B3 2PB, UK.
ISBN 978-1-78216-710-5
www.packtpub.com

Table of Contents

Learning Linux Binary Analysis
Credits
About the Author
Acknowledgments
About the Reviewers
www.PacktPub.com
  Support files, eBooks, discount offers, and more
  Why subscribe?
  Free access for Packt account holders
Preface
  What this book covers
  What you need for this book
  Who this book is for
  Conventions
  Reader feedback
  Customer support
    Downloading the example code
    Errata
    Piracy
    Questions

1. The Linux Environment and Its Tools
  Linux tools
    GDB
    Objdump from GNU binutils
    Objcopy from GNU binutils
    strace
    ltrace
    Basic ltrace command
    ftrace
    readelf
    ERESI - The ELF reverse engineering system interface
  Useful devices and files
    /proc/<pid>/maps
    /proc/kcore
    /boot/System.map
    /proc/kallsyms
    /proc/iomem
    ECFS
  Linker-related environment points
    The LD_PRELOAD environment variable
    The LD_SHOW_AUXV environment variable
    Linker scripts
  Summary

2. The ELF Binary Format
  ELF file types
  ELF program headers
    PT_LOAD
    PT_DYNAMIC - Phdr for the dynamic segment
    PT_NOTE
    PT_INTERP
    PT_PHDR
  ELF section headers
    The .text section
    The .rodata section
    The .plt section
    The .data section
    The .bss section
    The .got.plt section
    The .dynsym section
    The .dynstr section
    The .rel.* section
    The .hash section
    The .symtab section
    The .strtab section
    The .shstrtab section
    The .ctors and .dtors sections
  ELF symbols
    st_name
    st_value
    st_size
    st_other
    st_shndx
    st_info
      Symbol types
      Symbol bindings
  ELF relocations
    Relocatable code injection-based binary patching
  ELF dynamic linking
    The auxiliary vector
    Learning about the PLT/GOT
    The dynamic segment revisited
      DT_NEEDED
      DT_SYMTAB
      DT_HASH
      DT_STRTAB
      DT_PLTGOT
  Coding an ELF parser
  Summary

3. Linux Process Tracing
  The importance of ptrace
  ptrace requests
    ptrace request types
  The process register state and flags
  A simple ptrace-based debugger
    Using the tracer program
  A simple ptrace debugger with process attach capabilities
  Advanced function-tracing software
  ptrace and forensic analysis
    What to look for in the memory
  Process image reconstruction - from the memory to the executable
    Challenges for process-executable reconstruction
    Challenges for executable reconstruction
      PLT/GOT integrity
      Adding a section header table
    The algorithm for the process
    Process reconstruction with Quenya on a 32-bit test environment
  Code injection with ptrace
    Simple examples aren't always so trivial
    Demonstrating the code_inject tool
  A ptrace anti-debugging trick
    Is your program being traced?
  Summary

4. ELF Virus Technology - Linux/Unix Viruses
  ELF virus technology
  ELF virus engineering challenges
    Parasite code must be self-contained
      Solution
    Complications with string storage
      Solution
    Finding legitimate space to store parasite code
      Solution
    Passing the execution control flow to the parasite
      Solution
  ELF virus parasite infection methods
    The Silvio padding infection method
      Algorithm for the Silvio .text infection method
      An example of text segment padding infection
        Adjusting the ELF headers
        Inserting the parasite code
        Example of using the functions above
      The LPV virus
      Use cases for the Silvio padding infection
    The reverse text infection
      Algorithm for reverse text infection
    Data segment infections
      Algorithm for data segment infection
  The PT_NOTE to PT_LOAD conversion infection method
    Algorithm for PT_NOTE to PT_LOAD conversion infections
  Infecting control flow
    Direct PLT infection
    Function trampolines
    Overwriting the .ctors/.dtors function pointers
    GOT - global offset table poisoning or PLT/GOT redirection
    Infecting data structures
    Function pointer overwrites
  Process memory viruses and rootkits - remote code injection techniques
    Shared library injection - .so injection/ET_DYN injection
      .so injection with LD_PRELOAD
        Illustration 4.7 - using LD_PRELOAD to inject wicked.so.1
      .so injection with open()/mmap() shellcode
      .so injection with dlopen() shellcode
        Illustration 4.8 - C code invoking __libc_dlopen_mode()
      .so injection with VDSO manipulation
    Text segment code injections
    Executable injections
    Relocatable code injection - the ET_REL injection
  ELF anti-debugging and packing techniques
    The PTRACE_TRACEME technique
      Illustration 4.9 - an anti-debug with PTRACE_TRACEME example
    The SIGTRAP handler technique
    The /proc/self/status technique
    The code obfuscation technique
    The string table transformation technique
  ELF virus detection and disinfection
  Summary

5. Linux Binary Protection
  ELF binary packers - dumb protectors
  Stub mechanics and the userland exec
    An example of a protector
    Other jobs performed by protector stubs
  Existing ELF binary protectors
    DacryFile by the Grugq - 2001
    Burneye by Scut - 2002
    Shiva by Neil Mehta and Shawn Clowes - 2003
    Maya's Veil by Ryan O'Neill - 2014
      Maya's protection layers
        Layer 1
        Layer 2
        Layer 3
      Maya's nanomites
      Maya's anti-exploitation
        Source code of vuln.c
        Example of exploiting vuln.c
  Downloading Maya-protected binaries
  Anti-debugging for binary protection
  Resistance to emulation
    Detecting emulation through syscall testing
    Detecting emulated CPU inconsistencies
    Checking timing delays between certain instructions
  Obfuscation methods
  Protecting control flow integrity
    Attacks based on ptrace
    Security vulnerability-based attacks
  Other resources
  Summary

6. ELF Binary Forensics in Linux
  The science of detecting entry point modification
  Detecting other forms of control flow hijacking
    Patching the .ctors/.init_array section
    Detecting PLT/GOT hooks
      Truncated output from readelf -S command
    Detecting function trampolines
  Identifying parasite code characteristics
  Checking the dynamic segment for DLL injection traces
  Identifying reverse text padding infections
  Identifying text segment padding infections
  Identifying protected binaries
    Analyzing a protected binary
  IDA Pro
  Summary

7. Process Memory Forensics
  What does a process look like?
    Executable memory mappings
    The program heap
    Shared library mappings
    The stack, vdso, and vsyscall
  Process memory infection
    Process infection tools
    Process infection techniques
      Injection methods
      Techniques for hijacking execution
  Detecting the ET_DYN injection
    Azazel userland rootkit detection
    Mapping out the process address space
    Finding LD_PRELOAD on the stack
    Detecting PLT/GOT hooks
    Identifying incorrect GOT addresses
    ET_DYN injection internals
      Example - finding the symbol for __libc_dlopen_mode
      Code example - the __libc_dlopen_mode shellcode
      Code example - libc symbol resolution
      Code example - the x86_32 shellcode to mmap an ET_DYN object
    Manipulating VDSO to perform dirty work
    Shared object loading - legitimate or not?
      Legitimate shared object loading
      Illegitimate shared object loading
      Heuristics for .so injection detection
      Tools for detecting PLT/GOT hooks
  Linux ELF core files
    Analysis of the core file - the Azazel rootkit
      Starting up an Azazel infected process and getting a core dump
      Core file program headers
        The PT_NOTE segment
        PT_LOAD segments and the downfalls of core files for forensics purposes
    Using a core file with GDB for forensics
  Summary

8. ECFS - Extended Core File Snapshot Technology
  History
  The ECFS philosophy
  Getting started with ECFS
    Plugging ECFS into the core handler
    ECFS snapshots without killing the process
  libecfs - a library for parsing ECFS files
  readecfs
  Examining an infected process using ECFS
    Infecting the host process
    Capturing and analyzing an ECFS snapshot
      The symbol table analysis
      The section header analysis
    Extracting parasite code with readecfs
    Analyzing the Azazel userland rootkit
      The symbol table of the host2 process reconstructed
      The section header table of the host2 process reconstructed
      Validating the PLT/GOT with ECFS
      The readecfs output for PLT/GOT validation
  The ECFS reference guide
    ECFS symbol table reconstruction
    ECFS section headers
    Using an ECFS file as a regular core file
    The libecfs API and how to use it
  Process necromancy with ECFS
  Learning more about ECFS
  Summary

9. Linux /proc/kcore Analysis
  Linux kernel forensics and rootkits
  stock vmlinux has no symbols
  Building a proper vmlinux with kdress
  /proc/kcore and GDB exploration
    An example of navigating sys_call_table
  Direct sys_call_table modifications
    Detecting sys_call_table modifications
      An example of validating the integrity of a syscall
  Kernel function trampolines
    Example of function trampolines
      An example code for hijacking sys_write on a 32-bit kernel
    Detecting function trampolines
      An example with the ret instruction
      An example with indirect jmp
      An example with relative jmp
  Interrupt handler patching - int 0x80, syscall
    Detecting interrupt handler patching
  Kprobe rootkits
    Detecting kprobe rootkits
  Debug register rootkits - DRR
    Detecting DRR
  VFS layer rootkits
    Detecting VFS layer rootkits
      An example of validating a VFS function pointer
  Other kernel infection techniques
  vmlinux and .altinstructions patching
    .altinstructions and .altinstr_replace
      From arch/x86/include/asm/alternative.h
    Using textify to verify kernel code integrity
      An example of using textify to check sys_call_table
  Using taskverse to see hidden processes
    Taskverse techniques
  Infected LKMs - kernel drivers
    Method 1 for infecting LKM files - symbol hijacking
    Method 2 for infecting LKM files (function hijacking)
    Detecting infected LKMs
  Notes on /dev/kmem and /dev/mem
    /dev/mem
    FreeBSD /dev/kmem
  K-ecfs - kernel ECFS
    A sneak peek of the kernel-ecfs file
  Kernel hacking goodies
    General reverse engineering and debugging
    Advanced kernel hacking/debugging interfaces
    Papers mentioned in this chapter
  Summary

Index