Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Learning Linux Binary Analysis
  • Table Of Contents Toc
Learning Linux Binary Analysis

Learning Linux Binary Analysis

By : "elfmaster" O'Neill
4.8 (10)
Buy this Book
close
close
Learning Linux Binary Analysis

Learning Linux Binary Analysis

4.8 (10)
By: "elfmaster" O'Neill
Buy this Book

Overview of this book

Learning Linux Binary Analysis is packed with knowledge and code that will teach you the inner workings of the ELF format, and the methods used by hackers and security analysts for virus analysis, binary patching, software protection and more. This book will start by taking you through UNIX/Linux object utilities, and will move on to teaching you all about the ELF specimen. You will learn about process tracing, and will explore the different types of Linux and UNIX viruses, and how you can make use of ELF Virus Technology to deal with them. The latter half of the book discusses the usage of Kprobe instrumentation for kernel hacking, code patching, and debugging. You will discover how to detect and disinfect kernel-mode rootkits, and move on to analyze static code. Finally, you will be walked through complex userspace memory infection analysis. This book will lead you into territory that is uncharted even by some experts; right into the world of the computer hacker.
Table of Contents (11 chapters)
close
close
close
Preface
Icon
Preface
Icon
What this book covers
Icon
What you need for this book
Icon
Who this book is for
Icon
Conventions
Icon
Reader feedback
Icon
Customer support
Lock Free Chapter
1
1. The Linux Environment and Its Tools
Icon
1. The Linux Environment and Its Tools
Icon
Linux tools
Icon
Useful devices and files
Icon
Linker-related environment points
Icon
Summary
2
2. The ELF Binary Format
Icon
2. The ELF Binary Format
Icon
ELF file types
Icon
ELF program headers
Icon
ELF section headers
Icon
ELF symbols
Icon
ELF relocations
Icon
ELF dynamic linking
Icon
Coding an ELF Parser
Icon
Summary
3
3. Linux Process Tracing
Icon
3. Linux Process Tracing
Icon
The importance of ptrace
Icon
ptrace requests
Icon
The process register state and flags
Icon
A simple ptrace-based debugger
Icon
A simple ptrace debugger with process attach capabilities
Icon
Advanced function-tracing software
Icon
ptrace and forensic analysis
Icon
Process image reconstruction – from the memory to the executable
Icon
Code injection with ptrace
Icon
Simple examples aren't always so trivial
Icon
Demonstrating the code_inject tool
Icon
A ptrace anti-debugging trick
Icon
Summary
4
4. ELF Virus Technology – Linux/Unix Viruses
Icon
4. ELF Virus Technology – Linux/Unix Viruses
Icon
ELF virus technology
Icon
ELF virus engineering challenges
Icon
ELF virus parasite infection methods
Icon
The PT_NOTE to PT_LOAD conversion infection method
Icon
Infecting control flow
Icon
Process memory viruses and rootkits – remote code injection techniques
Icon
ELF anti-debugging and packing techniques
Icon
ELF virus detection and disinfection
Icon
Summary
5
5. Linux Binary Protection
Icon
5. Linux Binary Protection
Icon
ELF binary packers – dumb protectors
Icon
Stub mechanics and the userland exec
Icon
Other jobs performed by protector stubs
Icon
Existing ELF binary protectors
Icon
Downloading Maya-protected binaries
Icon
Anti-debugging for binary protection
Icon
Resistance to emulation
Icon
Obfuscation methods
Icon
Protecting control flow integrity
Icon
Other resources
Icon
Summary
6
6. ELF Binary Forensics in Linux
Icon
6. ELF Binary Forensics in Linux
Icon
The science of detecting entry point modification
Icon
Detecting other forms of control flow hijacking
Icon
Identifying parasite code characteristics
Icon
Checking the dynamic segment for DLL injection traces
Icon
Identifying reverse text padding infections
Icon
Identifying text segment padding infections
Icon
Identifying protected binaries
Icon
IDA Pro
Icon
Summary
7
7. Process Memory Forensics
chevron up
Icon
7. Process Memory Forensics
Icon
What does a process look like?
Icon
Process memory infection
Icon
Detecting the ET_DYN injection
Icon
Linux ELF core files
Icon
Summary
8
8. ECFS – Extended Core File Snapshot Technology
Icon
8. ECFS – Extended Core File Snapshot Technology
Icon
History
Icon
The ECFS philosophy
Icon
Getting started with ECFS
Icon
libecfs – a library for parsing ECFS files
Icon
readecfs
Icon
Examining an infected process using ECFS
Icon
The ECFS reference guide
Icon
Process necromancy with ECFS
Icon
Learning more about ECFS
Icon
Summary
9
9. Linux /proc/kcore Analysis
Icon
9. Linux /proc/kcore Analysis
Icon
Linux kernel forensics and rootkits
Icon
stock vmlinux has no symbols
Icon
/proc/kcore and GDB exploration
Icon
Direct sys_call_table modifications
Icon
Kprobe rootkits
Icon
Debug register rootkits – DRR
Icon
VFS layer rootkits
Icon
Other kernel infection techniques
Icon
vmlinux and .altinstructions patching
Icon
Using taskverse to see hidden processes
Icon
Infected LKMs – kernel drivers
Icon
Notes on /dev/kmem and /dev/mem
Icon
/dev/mem
Icon
K-ecfs – kernel ECFS
Icon
Kernel hacking goodies
Icon
Summary
10
Index
Icon
Index

What does a process look like?

One important file on any Linux system is the /proc/$pid/maps file. This file shows the entire process address space of a running program, and it is something that I often parse in order to determine the location of certain files or memory mappings within a process.

On Linux kernels that have the Grsecurity patches, there is a kernel option called GRKERNSEC_PROC_MEMMAP that, if enabled, will zero out the /proc/$pid/maps file so that you cannot see the address space values. This makes parsing a process from the outside a bit more difficult, and you must rely on other techniques such as parsing the ELF headers and going from there.

Note

In the next chapter, we will be discussing the ECFS (short for Extended Core File Snapshot) format, which is a new ELF file format that expands on regular core files and contains an abundance of forensics-relevant data.

Here's an example of the process memory layout of the hello_world program:

$ cat /proc/`pidof hello_world`/maps...
CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
Learning Linux Binary Analysis
End of Section 7
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist download Download options
font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon