Learning Linux Binary Analysis
4/5
()
About this ebook
About This Book
- Grasp the intricacies of the ELF binary format of UNIX and Linux
- Design tools for reverse engineering and binary forensic analysis
- Insights into UNIX and Linux memory infections, ELF viruses, and binary protection schemes
Who This Book Is For
If you are a software engineer or reverse engineer and want to learn more about Linux binary analysis, this book will provide you with all you need to implement solutions for binary analysis in areas of security, forensics, and antivirus. This book is great for both security enthusiasts and system level engineers. Some experience with the C programming language and the Linux command line is assumed.
What You Will Learn
- Explore the internal workings of the ELF binary format
- Discover techniques for UNIX Virus infection and analysis
- Work with binary hardening and software anti-tamper methods
- Patch executables and process memory
- Bypass anti-debugging measures used in malware
- Perform advanced forensic analysis of binaries
- Design ELF-related tools in the C language
- Learn to operate on memory with ptrace
In Detail
Learning Linux Binary Analysis is packed with knowledge and code that will teach you the inner workings of the ELF format, and the methods used by hackers and security analysts for virus analysis, binary patching, software protection and more.
This book will start by taking you through UNIX/Linux object utilities, and will move on to teaching you all about the ELF specimen. You will learn about process tracing, and will explore the different types of Linux and UNIX viruses, and how you can make use of ELF Virus Technology to deal with them.
The latter half of the book discusses the usage of Kprobe instrumentation for kernel hacking, code patching, and debugging. You will discover how to detect and disinfect kernel-mode rootkits, and move on to analyze static code. Finally, you will be walked through complex userspace memory infection analysis.
This book will lead you into territory that is uncharted even by some experts; right into the world of the computer hacker.
Style and approach
The material in this book provides detailed insight into the arcane arts of hacking, coding, reverse engineering Linux executables, and dissecting process memory. In the computer security industry these skills are priceless, and scarce. The tutorials are filled with knowledge gained through first hand experience, and are complemented with frequent examples including source code.
Related to Learning Linux Binary Analysis
Related ebooks
Learning Linux Shell Scripting Rating: 4 out of 5 stars4/5ARM 64-Bit Assembly Language Rating: 4 out of 5 stars4/5Mastering Metasploit Rating: 0 out of 5 stars0 ratingsPractical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation Rating: 0 out of 5 stars0 ratingsAdvanced Penetration Testing for Highly-Secured Environments - Second Edition Rating: 0 out of 5 stars0 ratingsModern Assembly Language Programming with the ARM Processor Rating: 0 out of 5 stars0 ratingsLearning Penetration Testing with Python Rating: 0 out of 5 stars0 ratingsAdvanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide Rating: 5 out of 5 stars5/5Learning Python for Forensics Rating: 0 out of 5 stars0 ratingsMastering the Nmap Scripting Engine Rating: 0 out of 5 stars0 ratingsHands on Hacking: Become an Expert at Next Gen Penetration Testing and Purple Teaming Rating: 3 out of 5 stars3/5Mastering Embedded Linux Programming Rating: 5 out of 5 stars5/5Web Penetration Testing with Kali Linux - Second Edition Rating: 0 out of 5 stars0 ratingsDefinitive Guide to Arm Cortex-M23 and Cortex-M33 Processors Rating: 5 out of 5 stars5/5Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides Rating: 4 out of 5 stars4/5Kali Linux Wireless Penetration Testing Essentials Rating: 5 out of 5 stars5/5Kali Linux – Assuring Security by Penetration Testing Rating: 3 out of 5 stars3/5Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers Rating: 4 out of 5 stars4/5Windows Malware Analysis Essentials Rating: 5 out of 5 stars5/5Linux Shell Scripting Cookbook, Second Edition Rating: 0 out of 5 stars0 ratingsKali Linux Cookbook Rating: 4 out of 5 stars4/5Mastering Kali Linux for Advanced Penetration Testing - Second Edition Rating: 0 out of 5 stars0 ratingsNmap Essentials Rating: 4 out of 5 stars4/5A Guide to Kernel Exploitation: Attacking the Core Rating: 5 out of 5 stars5/5Mastering Malware Analysis: The complete malware analyst's guide to combating malicious software, APT, cybercrime, and IoT attacks Rating: 0 out of 5 stars0 ratingsPython Penetration Testing Essentials Rating: 5 out of 5 stars5/5Reverse Engineering Code with IDA Pro Rating: 5 out of 5 stars5/5Buffer Overflow Attacks: Detect, Exploit, Prevent Rating: 4 out of 5 stars4/5
Programming For You
Game Development with Unreal Engine 5: Learn the Basics of Game Development in Unreal Engine 5 (English Edition) Rating: 0 out of 5 stars0 ratingsJava for Beginners: A Crash Course to Learn Java Programming in 1 Week Rating: 5 out of 5 stars5/5Python Programming : How to Code Python Fast In Just 24 Hours With 7 Simple Steps Rating: 4 out of 5 stars4/5Excel : The Ultimate Comprehensive Step-By-Step Guide to the Basics of Excel Programming: 1 Rating: 5 out of 5 stars5/5Python: For Beginners A Crash Course Guide To Learn Python in 1 Week Rating: 4 out of 5 stars4/5HTML & CSS: Learn the Fundaments in 7 Days Rating: 4 out of 5 stars4/5Grokking Algorithms: An illustrated guide for programmers and other curious people Rating: 4 out of 5 stars4/5C# Programming from Zero to Proficiency (Beginner): C# from Zero to Proficiency, #2 Rating: 0 out of 5 stars0 ratingsSQL QuickStart Guide: The Simplified Beginner's Guide to Managing, Analyzing, and Manipulating Data With SQL Rating: 4 out of 5 stars4/5Coding All-in-One For Dummies Rating: 4 out of 5 stars4/5Learn JavaScript in 24 Hours Rating: 3 out of 5 stars3/5PYTHON: Practical Python Programming For Beginners & Experts With Hands-on Project Rating: 5 out of 5 stars5/5Python Machine Learning By Example Rating: 4 out of 5 stars4/5Learn to Code. Get a Job. The Ultimate Guide to Learning and Getting Hired as a Developer. Rating: 5 out of 5 stars5/5Python Data Structures and Algorithms Rating: 5 out of 5 stars5/5Problem Solving in C and Python: Programming Exercises and Solutions, Part 1 Rating: 5 out of 5 stars5/5Python QuickStart Guide: The Simplified Beginner's Guide to Python Programming Using Hands-On Projects and Real-World Applications Rating: 0 out of 5 stars0 ratingsLearn SQL in 24 Hours Rating: 5 out of 5 stars5/5Linux: Learn in 24 Hours Rating: 5 out of 5 stars5/5Raspberry Pi Cookbook for Python Programmers Rating: 0 out of 5 stars0 ratings
Reviews for Learning Linux Binary Analysis
1 rating0 reviews
Book preview
Learning Linux Binary Analysis - O'Neill Ryan elfmaster
Table of Contents
Learning Linux Binary Analysis
Credits
About the Author
Acknowledgments
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. The Linux Environment and Its Tools
Linux tools
GDB
Objdump from GNU binutils
Objcopy from GNU binutils
strace
ltrace
Basic ltrace command
ftrace
readelf
ERESI – The ELF reverse engineering system interface
Useful devices and files
/proc/
/proc/kcore
/boot/System.map
/proc/kallsyms
/proc/iomem
ECFS
Linker-related environment points
The LD_PRELOAD environment variable
The LD_SHOW_AUXV environment variable
Linker scripts
Summary
2. The ELF Binary Format
ELF file types
ELF program headers
PT_LOAD
PT_DYNAMIC – Phdr for the dynamic segment
PT_NOTE
PT_INTERP
PT_PHDR
ELF section headers
The .text section
The .rodata section
The .plt section
The .data section
The .bss section
The .got.plt section
The .dynsym section
The .dynstr section
The .rel.* section
The .hash section
The .symtab section
The .strtab section
The .shstrtab section
The .ctors and .dtors sections
ELF symbols
st_name
st_value
st_size
st_other
st_shndx
st_info
Symbol types
Symbol bindings
ELF relocations
Relocatable code injection-based binary patching
ELF dynamic linking
The auxiliary vector
Learning about the PLT/GOT
The dynamic segment revisited
DT_NEEDED
DT_SYMTAB
DT_HASH
DT_STRTAB
DT_PLTGOT
Coding an ELF Parser
Summary
3. Linux Process Tracing
The importance of ptrace
ptrace requests
ptrace request types
The process register state and flags
A simple ptrace-based debugger
Using the tracer program
A simple ptrace debugger with process attach capabilities
Advanced function-tracing software
ptrace and forensic analysis
What to look for in the memory
Process image reconstruction – from the memory to the executable
Challenges for process-executable reconstruction
Challenges for executable reconstruction
PLT/GOT integrity
Adding a section header table
The algorithm for the process
Process reconstruction with Quenya on a 32-bit test environment
Code injection with ptrace
Simple examples aren't always so trivial
Demonstrating the code_inject tool
A ptrace anti-debugging trick
Is your program being traced?
Summary
4. ELF Virus Technology – Linux/Unix Viruses
ELF virus technology
ELF virus engineering challenges
Parasite code must be self-contained
Solution
Complications with string storage
Solution
Finding legitimate space to store parasite code
Solution
Passing the execution control flow to the parasite
Solution
ELF virus parasite infection methods
The Silvio padding infection method
Algorithm for the Silvio .text infection method
An example of text segment padding infection
Adjusting the ELF headers
Inserting the parasite code
Example of using the functions above
The LPV virus
Use cases for the Silvio padding infection
The reverse text infection
Algorithm for reverse text infection
Data segment infections
Algorithm for data segment infection
The PT_NOTE to PT_LOAD conversion infection method
Algorithm for PT_NOTE to PT_LOAD conversion infections
Infecting control flow
Direct PLT infection
Function trampolines
Overwriting the .ctors/.dtors function pointers
GOT – global offset table poisoning or PLT/GOT redirection
Infecting data structures
Function pointer overwrites
Process memory viruses and rootkits – remote code injection techniques
Shared library injection – .so injection/ET_DYN injection
.so injection with LD_PRELOAD
Illustration 4.7 – using LD_PRELOAD to inject wicked.so.1
.so injection with open()/mmap() shellcode
.so injection with dlopen() shellcode
Illustration 4.8 – C code invoking __libc_dlopen_mode()
.so injection with VDSO manipulation
Text segment code injections
Executable injections
Relocatable code injection – the ET_REL injection
ELF anti-debugging and packing techniques
The PTRACE_TRACEME technique
Illustration 4.9 – an anti-debug with PTRACE_TRACEME example
The SIGTRAP handler technique
The /proc/self/status technique
The code obfuscation technique
The string table transformation technique
ELF virus detection and disinfection
Summary
5. Linux Binary Protection
ELF binary packers – dumb protectors
Stub mechanics and the userland exec
An example of a protector
Other jobs performed by protector stubs
Existing ELF binary protectors
DacryFile by the Grugq – 2001
Burneye by Scut – 2002
Shiva by Neil Mehta and Shawn Clowes – 2003
Maya's Veil by Ryan O'Neill – 2014
Maya's protection layers
Layer 1
Layer 2
Layer 3
Maya's nanomites
Maya's anti-exploitation
Source code of vuln.c
Example of exploiting vuln.c
Downloading Maya-protected binaries
Anti-debugging for binary protection
Resistance to emulation
Detecting emulation through syscall testing
Detecting emulated CPU inconsistencies
Checking timing delays between certain instructions
Obfuscation methods
Protecting control flow integrity
Attacks based on ptrace
Security vulnerability-based attacks
Other resources
Summary
6. ELF Binary Forensics in Linux
The science of detecting entry point modification
Detecting other forms of control flow hijacking
Patching the .ctors/.init_array section
Detecting PLT/GOT hooks
Truncated output from readelf -S command
Detecting function trampolines
Identifying parasite code characteristics
Checking the dynamic segment for DLL injection traces
Identifying reverse text padding infections
Identifying text segment padding infections
Identifying protected binaries
Analyzing a protected binary
IDA Pro
Summary
7. Process Memory Forensics
What does a process look like?
Executable memory mappings
The program heap
Shared library mappings
The stack, vdso, and vsyscall
Process memory infection
Process infection tools
Process infection techniques
Injection methods
Techniques for hijacking execution
Detecting the ET_DYN injection
Azazel userland rootkit detection
Mapping out the process address space
Finding LD_PRELOAD on the stack
Detecting PLT/GOT hooks
Identifying incorrect GOT addresses
ET_DYN injection internals
Example – finding the symbol for __libc_dlopen_mode
Code example – the __libc_dlopen_mode shellcode
Code example – libc symbol resolution
Code example – the x86_32 shellcode to mmap() an ET_DYN object
Manipulating VDSO to perform dirty work
Shared object loading – legitimate or not?
Legitimate shared object loading
Illegitimate shared object loading
Heuristics for .so injection detection
Tools for detecting PLT/GOT hooks
Linux ELF core files
Analysis of the core file – the Azazel rootkit
Starting up an Azazel infected process and getting a core dump
Core file program headers
The PT_NOTE segment
PT_LOAD segments and the downfalls of core files for forensics purposes
Using a core file with GDB for forensics
Summary
8. ECFS – Extended Core File Snapshot Technology
History
The ECFS philosophy
Getting started with ECFS
Plugging ECFS into the core handler
ECFS snapshots without killing the process
libecfs – a library for parsing ECFS files
readecfs
Examining an infected process using ECFS
Infecting the host process
Capturing and analyzing an ECFS snapshot
The symbol table analysis
The section header analysis
Extracting parasite code with readecfs
Analyzing the Azazel userland rootkit
The symbol table of the host2 process reconstructed
The section header table of the host2 process reconstructed
Validating the PLT/GOT with ECFS
The readecfs output for PLT/GOT validation
The ECFS reference guide
ECFS symbol table reconstruction
ECFS section headers
Using an ECFS file as a regular core file
The libecfs API and how to use it
Process necromancy with ECFS
Learning more about ECFS
Summary
9. Linux /proc/kcore Analysis
Linux kernel forensics and rootkits
stock vmlinux has no symbols
Building a proper vmlinux with kdress
/proc/kcore and GDB exploration
An example of navigating sys_call_table
Direct sys_call_table modifications
Detecting sys_call_table modifications
An example of validating the integrity of a syscall
Kernel function trampolines
Example of function trampolines
An example code for hijacking sys_write on a 32-bit kernel
Detecting function trampolines
An example with the ret instruction
An example with indirect jmp
An example with relative jmp
Interrupt handler patching – int 0x80, syscall
Detecting interrupt handler patching
Kprobe rootkits
Detecting kprobe rootkits
Debug register rootkits – DRR
Detecting DRR
VFS layer rootkits
Detecting VFS layer rootkits
An example of validating a VFS function pointer
Other kernel infection techniques
vmlinux and .altinstructions patching
.altinstructions and .altinstr_replace
From arch/x86/include/asm/alternative.h
Using textify to verify kernel code integrity
An example of using textify to check sys_call_table
Using taskverse to see hidden processes
Taskverse techniques
Infected LKMs – kernel drivers
Method 1 for infecting LKM files – symbol hijacking
Method 2 for infecting LKM files (function hijacking)
Detecting infected LKMs
Notes on /dev/kmem and /dev/mem
/dev/mem
FreeBSD /dev/kmem
K-ecfs – kernel ECFS
A sneak peek of the kernel-ecfs file
Kernel hacking goodies
General reverse engineering and debugging
Advanced kernel hacking/debugging interfaces
Papers mentioned in this chapter
Summary
Index
Learning Linux Binary Analysis
Learning Linux Binary Analysis
Copyright © 2016 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: February 2016
Production reference: 1250216
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78216-710-5
www.packtpub.com
Cover image by Lorne Schell (<orange.toaster@gmail.com>)
Credits
Author
Ryan elfmaster
O'Neill
Reviewers
Lubomir Rintel
Kumar Sumeet
Heron Yang
Content Development Editor
Sanjeet Rao
Technical Editor
Mohita Vyas
Copy Editor
Vikrant Phadke
Project Coordinator
Judie Jose
Proofreader
Safis Editing
Indexer
Tejal Daruwale Soni
Graphics
Jason Monteiro
Production Coordinator
Aparna Bhagat
Cover Work
Aparna Bhagat
About the Author
Ryan elfmaster
O'Neill is a computer security researcher and software engineer with a background in reverse engineering, software exploitation, security defense, and forensics technologies. He grew up in the computer hacker subculture, the world of EFnet, BBS systems, and remote buffer overflows on systems with an executable stack. He was introduced to system security, exploitation, and virus writing at a young age. His great passion for computer hacking has evolved into a love for software development and professional security research. Ryan has spoken at various computer security conferences, including DEFCON and RuxCon, and also conducts a 2-day ELF binary hacking workshop.
He has an extremely fulfilling career and has worked at great companies such as Pikewerks, Leviathan Security Group, and more recently Backtrace as a software engineer.
Ryan has not published any other books, but he is well known for some of his papers published in online journals such as Phrack and VXHeaven. Many of his other publications can be found on his website at http://www.bitlackeys.org.
Acknowledgments
First and foremost, I would like to present a very genuine thank you to my mother, Michelle, to whom I have dedicated this book. It all started with her buying me my first computer, followed by a plethora of books, ranging from Unix programming to kernel internals and network security. At one point in my life, I thought I was done with computers forever, but about 5 years later, when I wanted to reignite my passion, I realized that I had thrown my books away! I then found that my mother had secretly saved them for me, waiting for the day I would return to them. Thank you mom, you are wonderful, and I love you.
I would also be very remiss not to acknowledge the most important woman in my life today, who is my twin flame and mother of two of my children. There is no doubt that I would not be where I am in my life and career without you. They say that behind every great man is an even greater woman. This old adage is very true. Thank you Marilyn for bringing immense joy and adventure into my life. I love you.
My father, Brian O'Neill, is a huge inspiration in my life and has taught me so many things about being a man, a father, and a friend. I love you Dad and I will always cherish our philosophical and spiritual connection.
Michael and Jade, thank you both for being such unique and wonderful souls. I love you both.
Lastly, I thank all three of my children: Mick, Jayden, and Jolene. One day, perhaps, you will read this book and know that your old man knows a thing or two about computers, but also that I will always put you guys first in my life. You are all three amazing beings and have imbued my life with such deep meaning and love.
Silvio Cesare is a legendary name in the computer security industry due to his highly innovative and groundbreaking research into many areas, beginning with ELF viruses, and breakthroughs in kernel vulnerability analysis. Thank you Silvio for your mentoring and friendship. I have learned more from you than from any other person in our industry.
Baron Oldenburg was an instrumental part of this book. On several occasions, I nearly gave up due to the time and energy drained, but Baron offered to help with the initial editing and putting the text into the proper format. This took a huge burden off the development process and made this book possible. Thank you Baron! You are a true friend.
Lorne Schell is a true Renaissance man—software engineer, musician, and artist. He was the brilliant hand behind the artwork on the cover of this book. How amazingly well does a Vitruvian Elf fit the description of this book artistically? Thank you Lorne. I am very grateful for your talent and the time you spent on this.
Chad Thunberg, my boss at Leviathan Security Group, was instrumental in making sure that I got the resources and the encouragement necessary to complete this book. Thank you.
All the guys at #bitlackeys on EFnet have my gratitude for their friendship and support.
About the Reviewers
Lubomir Rintel is a systems programmer based in Brno, Czech Republic. He's a full-time software developer currently working on Linux networking tools. Other than this, he has a history of contributions to many projects, including the Linux kernel and Fedora distribution. After years of being active in the free software community, he can appreciate a good book that covers the subject in a context wider than a manual would. He believes that this is such a book and hopes you enjoy it as much as he did. Also, he likes anteaters.
As of November 2015, Kumar Sumeet has over 4 years of research experience in IT security, during which he has produced a frontier of hacking and spy tools. He holds an MSc in information security from Royal Holloway, University of London. His recent focus area is machine learning techniques for detecting cyber anomalies and to counter threats.
Sumeet currently works as a security consultant for Riversafe, which is a London-based network security and IT data management consultancy firm. Riversafe specializes in some cutting-edge security technologies is also a Splunk Professional Services partner of the year 2015 in the EMEA region. They have completed many large-scale projects and engagements in multiple sectors, including telecommunications, banking and financial markets, energy, and airport authorities.
Sumeet is also a technical reviewer of the book Penetration Testing Using Raspberry Pi, Packt Publishing.
For more information or details about his projects and researches, you can visit his website at https://krsumeet.com or scan this QR code:
Sumeet can also be contacted via e-mail at <contact@krsumeet.com>.
Heron Yang has always been working on creating something people really want. This firm belief of his was first established in high school. Then he continued his journey at National Chiao Tung University and Carnegie Mellon University, where he focused on Computer Science studies. As he cares about building connections between people and fulfilling user needs, he devoted himself to developing prototypes of start-up ideas, new applications or websites, study notes, books, and blogs in the past few years.
Thanks Packt for offering me this opportunity to get involved in the book publishing process, and thanks Judie Jose for helping a lot throughout the period. Moreover, thanks to all the challenges I've gone through to become a better person. This book goes into the details of binary reversing and will be great material for those who care about underlying mechanisms. Feel free to contact me for a discussion or just say Hi
at <heron.yang.tw@gmail.com> or http://heron.me.
www.PacktPub.com
Support files, eBooks, discount offers, and more
For support files and downloads related to your book, please visit www.PacktPub.com.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
https://www2.packtpub.com/books/subscription/packtlib
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.
Why subscribe?
Fully searchable across every book published by Packt
Copy and paste, print, and bookmark content
On demand and accessible via a web browser
Free access for Packt account holders
If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view 9 entirely free books. Simply use your login credentials for immediate access.
Preface
Software engineering is the act of creating an invention that exists, lives, and breathes on a microprocessor. We call it a program. Reverse engineering is the act of discovering how exactly that program lives and breathes, and furthermore it is how we can understand, dissect, or modify the behavior of that program using a combination of disassemblers and reversing tools and relying on our hacker instincts to master the target program which we are reverse engineering. We must understand the intricacies of binary formats, memory layout, and the instruction set of the given processor. We therefore become masters of the very life given to a program on a microprocessor. A reverse engineer is skilled in the art of binary mastery. This book is going to give you the proper lessons, insight, and tasks required to become a Linux binary hacker. When someone can call themselves a reverse engineer, they elevate themselves beyond the level of just engineering. A true hacker can not only write code but also dissect code, disassembling the binaries and memory segments in pursuit of modifying the inner workings of a software program; now that is power…
On both a professional and a hobbyist level, I use my reverse engineering skills in the computer security field, whether it is vulnerability analysis, malware analysis, antivirus software, rootkit detection, or virus design. Much of this book will be focused towards computer security. We will analyze memory dumps, reconstruct process images, and explore some of the more esoteric regions of binary analysis, including Linux virus infection and binary forensics. We will dissect malware-infected executables and infect running processes. This book is aimed at explaining the necessary components for reverse engineering in Linux, so we will be going deep into learning ELF (executable and linking format), which is the binary format used in Linux for executables, shared libraries, core dumps, and object files. One of the most significant aspects of this book is the deep insight it gives into the structural complexities of the ELF binary format. The ELF sections, segments, and dynamic linking concepts are vital and exciting chunks of knowledge. We will explore the depths of hacking ELF binaries and see how these skills can be applied to a broad spectrum of work.
The goal of this book is to teach you to be one of the few people with a strong foundation in Linux binary hacking, which will be revealed as a vast topic that opens the door to innovative research and puts you on the cutting edge of low-level hacking in the Linux operating system. You will walk away with valuable knowledge of Linux binary (and memory) patching, virus engineering/analysis, kernel forensics, and the ELF binary format as a whole. You will also gain more insights into program execution and dynamic linking and achieve a higher understanding of binary protection and debugging internals.
I am a computer security researcher, software engineer, and hacker. This book is merely an organized observation and documentation of the research I have done and the foundational knowledge that has manifested as a result.
This knowledge covers a wide span of information that can't be found in any one place on the Internet. This book tries to bring many interrelated topics together into one piece so that it may serve as an introductory manual and reference to the subject of Linux binary and memory hacking. It is by no means a complete reference but does contain a lot of core information to get started with.
What this book covers
Chapter 1, The Linux Environment and Its Tools, gives a brief description of the Linux environment and its tools, which we will be using throughout the book.
Chapter 2, The ELF Binary Format, helps you learn about every major component of the ELF binary format that is used across Linux and most Unix-flavored operating systems.
Chapter 3, Linux Process Tracing, teaches you to use the ptrace system call to read and write to process memory and inject code.
Chapter 4, ELF Virus Technology – Linux/Unix Viruses, is where you discover the past, present, and future of Linux viruses, how they are engineered, and all of the amazing research that surrounds them.
Chapter 5, Linux Binary Protection, explains the basic internals of ELF binary protection.
Chapter 6, ELF Binary Forensics in Linux, is where you learn to dissect ELF objects in search of viruses, backdoors, and suspicious code injection.
Chapter 7, Process Memory Forensics, shows you how to dissect a process address space in search of malware, backdoors, and suspicious code injection that live in the memory.
Chapter 8, ECFS – Extended Core File Snapshot Technology, is an introduction to ECFS, a new open source product for deep process memory forensics.
Chapter 9, Linux /proc/kcore Analysis, shows how to detect Linux kernel malware through memory analysis with /proc/kcore.
What you need for this book
The prerequisites for this book are as follows: we will assume that you have a working knowledge of the Linux command line, comprehensive C programming skills, and a very basic grasp on the x86 assembly language (this is helpful but not necessary). There is a saying, If you can read assembly language then everything is open source.
Who this book is for
If you are a software engineer or reverse engineer and want to learn more about Linux binary analysis, this book will provide you with all that you need to implement solutions for binary analysis in areas of security, forensics, and antiviruses. This book is great for both security enthusiasts and system-level engineers. Some experience with the C programming language and the Linux command line is assumed.
Conventions
In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.
Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: There are seven section headers, starting at the offset 0x1118.
A block of code is set as follows:
uint64_t injection_code(void * vaddr)
{
volatile void *mem;
mem = evil_mmap(vaddr,
8192,
PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,
-1, 0);
__asm__ __volatile__(int3
);
}
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
0xb755a990] changed to [0x8048376] [+] Patched GOT with PLT stubs
Successfully rebuilt ELF object from memory
Output executable location: dumpme.out
[Quenya v0.1@ELFWorkshop]
quit
Any command-line input or output is written as follows:
hacker@ELFWorkshop:~/ workshop/labs/exercise_9$ ./dumpme.out
Note
Warnings or important notes appear in a box like this.
Tip
Tips and tricks appear like this.
Reader feedback
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.
To send us general feedback, simply e-mail <feedback@packtpub.com>, and mention the book's title in the subject of your message.
If there is a topic that you have expertise