Learning Linux Binary Analysis电子书

Learning Linux Binary Analysis

Table of Contents

Learning Linux Binary Analysis

Credits

About the Author

Acknowledgments

About the Reviewers

www.PacktPub.com

Support files, eBooks, discount offers, and more

Why subscribe?

Free access for Packt account holders

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Downloading the example code

Errata

Piracy

Questions

1. The Linux Environment and Its Tools

Linux tools

GDB

Objdump from GNU binutils

Objcopy from GNU binutils

strace

ltrace

Basic ltrace command

ftrace

readelf

ERESI – The ELF reverse engineering system interface

Useful devices and files

/proc/<pid>/maps

/proc/kcore

/boot/System.map

/proc/kallsyms

/proc/iomem

ECFS

Linker-related environment points

The LD_PRELOAD environment variable

The LD_SHOW_AUXV environment variable

Linker scripts

Summary

2. The ELF Binary Format

ELF file types

ELF program headers

PT_LOAD

PT_DYNAMIC – Phdr for the dynamic segment

PT_NOTE

PT_INTERP

PT_PHDR

ELF section headers

The .text section

The .rodata section

The .plt section

The .data section

The .bss section

The .got.plt section

The .dynsym section

The .dynstr section

The .rel.* section

The .hash section

The .symtab section

The .strtab section

The .shstrtab section

The .ctors and .dtors sections

ELF symbols

st_name

st_value

st_size

st_other

st_shndx

st_info

Symbol types

Symbol bindings

ELF relocations

Relocatable code injection-based binary patching

ELF dynamic linking

The auxiliary vector

Learning about the PLT/GOT

The dynamic segment revisited

DT_NEEDED

DT_SYMTAB

DT_HASH

DT_STRTAB

DT_PLTGOT

Coding an ELF Parser

Summary

3. Linux Process Tracing

The importance of ptrace

ptrace requests

ptrace request types

The process register state and flags

A simple ptrace-based debugger

Using the tracer program

A simple ptrace debugger with process attach capabilities

Advanced function-tracing software

ptrace and forensic analysis

What to look for in the memory

Process image reconstruction – from the memory to the executable

Challenges for process-executable reconstruction

Challenges for executable reconstruction

PLT/GOT integrity

Adding a section header table

The algorithm for the process

Process reconstruction with Quenya on a 32-bit test environment

Code injection with ptrace

Simple examples aren't always so trivial

Demonstrating the code_inject tool

A ptrace anti-debugging trick

Is your program being traced?

Summary

4. ELF Virus Technology – Linux/Unix Viruses

ELF virus technology

ELF virus engineering challenges

Parasite code must be self-contained

Solution

Complications with string storage

Solution

Finding legitimate space to store parasite code

Solution

Passing the execution control flow to the parasite

Solution

ELF virus parasite infection methods

The Silvio padding infection method

Algorithm for the Silvio .text infection method

An example of text segment padding infection

Adjusting the ELF headers

Inserting the parasite code

Example of using the functions above

The LPV virus

Use cases for the Silvio padding infection

The reverse text infection

Algorithm for reverse text infection

Data segment infections

Algorithm for data segment infection

The PT_NOTE to PT_LOAD conversion infection method

Algorithm for PT_NOTE to PT_LOAD conversion infections

Infecting control flow

Direct PLT infection

Function trampolines

Overwriting the .ctors/.dtors function pointers

GOT – global offset table poisoning or PLT/GOT redirection

Infecting data structures

Function pointer overwrites

Process memory viruses and rootkits – remote code injection techniques

Shared library injection – .so injection/ET_DYN injection

.so injection with LD_PRELOAD

Illustration 4.7 – using LD_PRELOAD to inject wicked.so.1

.so injection with open()/mmap() shellcode

.so injection with dlopen() shellcode

Illustration 4.8 – C code invoking __libc_dlopen_mode()

.so injection with VDSO manipulation

Text segment code injections

Executable injections

Relocatable code injection – the ET_REL injection

ELF anti-debugging and packing techniques

The PTRACE_TRACEME technique

Illustration 4.9 – an anti-debug with PTRACE_TRACEME example

The SIGTRAP handler technique

The /proc/self/status technique

The code obfuscation technique

The string table transformation technique

ELF virus detection and disinfection

Summary

5. Linux Binary Protection

ELF binary packers – dumb protectors

Stub mechanics and the userland exec

An example of a protector

Other jobs performed by protector stubs

Existing ELF binary protectors

DacryFile by the Grugq – 2001

Burneye by Scut – 2002

Shiva by Neil Mehta and Shawn Clowes – 2003

Maya's Veil by Ryan O'Neill – 2014

Maya's protection layers

Layer 1

Layer 2

Layer 3

Maya's nanomites

Maya's anti-exploitation

Source code of vuln.c

Example of exploiting vuln.c

Downloading Maya-protected binaries

Anti-debugging for binary protection

Resistance to emulation

Detecting emulation through syscall testing

Detecting emulated CPU inconsistencies

Checking timing delays between certain instructions

Obfuscation methods

Protecting control flow integrity

Attacks based on ptrace

Security vulnerability-based attacks

Other resources

Summary

6. ELF Binary Forensics in Linux

The science of detecting entry point modification

Detecting other forms of control flow hijacking

Patching the .ctors/.init_array section

Detecting PLT/GOT hooks

Truncated output from readelf -S command

Detecting function trampolines

Identifying parasite code characteristics

Checking the dynamic segment for DLL injection traces

Identifying reverse text padding infections

Identifying text segment padding infections

Identifying protected binaries

Analyzing a protected binary

IDA Pro

Summary

7. Process Memory Forensics

What does a process look like?

Executable memory mappings

The program heap

Shared library mappings

The stack, vdso, and vsyscall

Process memory infection

Process infection tools

Process infection techniques

Injection methods

Techniques for hijacking execution

Detecting the ET_DYN injection

Azazel userland rootkit detection

Mapping out the process address space

Finding LD_PRELOAD on the stack

Detecting PLT/GOT hooks

Identifying incorrect GOT addresses

ET_DYN injection internals

Example – finding the symbol for __libc_dlopen_mode

Code example – the __libc_dlopen_mode shellcode

Code example – libc symbol resolution

Code example – the x86_32 shellcode to mmap() an ET_DYN object

Manipulating VDSO to perform dirty work

Shared object loading – legitimate or not?

Legitimate shared object loading

Illegitimate shared object loading

Heuristics for .so injection detection

Tools for detecting PLT/GOT hooks

Linux ELF core files

Analysis of the core file – the Azazel rootkit

Starting up an Azazel infected process and getting a core dump

Core file program headers

The PT_NOTE segment

PT_LOAD segments and the downfalls of core files for forensics purposes

Using a core file with GDB for forensics

Summary

8. ECFS – Extended Core File Snapshot Technology

History

The ECFS philosophy

Getting started with ECFS

Plugging ECFS into the core handler

ECFS snapshots without killing the process

libecfs – a library for parsing ECFS files

readecfs

Examining an infected process using ECFS

Infecting the host process

Capturing and analyzing an ECFS snapshot

The symbol table analysis

The section header analysis

Extracting parasite code with readecfs

Analyzing the Azazel userland rootkit

The symbol table of the host2 process reconstructed

The section header table of the host2 process reconstructed

Validating the PLT/GOT with ECFS

The readecfs output for PLT/GOT validation

The ECFS reference guide

ECFS symbol table reconstruction

ECFS section headers

Using an ECFS file as a regular core file

The libecfs API and how to use it

Process necromancy with ECFS

Learning more about ECFS

Summary

9. Linux /proc/kcore Analysis

Linux kernel forensics and rootkits

stock vmlinux has no symbols

Building a proper vmlinux with kdress

/proc/kcore and GDB exploration

An example of navigating sys_call_table

Direct sys_call_table modifications

Detecting sys_call_table modifications

An example of validating the integrity of a syscall

Kernel function trampolines

Example of function trampolines

An example code for hijacking sys_write on a 32-bit kernel

Detecting function trampolines

An example with the ret instruction

An example with indirect jmp

An example with relative jmp

Interrupt handler patching – int 0x80, syscall

Detecting interrupt handler patching

Kprobe rootkits

Detecting kprobe rootkits

Debug register rootkits – DRR

Detecting DRR

VFS layer rootkits

Detecting VFS layer rootkits

An example of validating a VFS function pointer

Other kernel infection techniques

vmlinux and .altinstructions patching

.altinstructions and .altinstr_replace

From arch/x86/include/asm/alternative.h

Using textify to verify kernel code integrity

An example of using textify to check sys_call_table

Using taskverse to see hidden processes

Taskverse techniques

Infected LKMs – kernel drivers

Method 1 for infecting LKM files – symbol hijacking

Method 2 for infecting LKM files (function hijacking)

Detecting infected LKMs

Notes on /dev/kmem and /dev/mem

/dev/mem

FreeBSD /dev/kmem

K-ecfs – kernel ECFS

A sneak peek of the kernel-ecfs file

Kernel hacking goodies

General reverse engineering and debugging

Advanced kernel hacking/debugging interfaces

Papers mentioned in this chapter

Summary

Index