9. Linux /proc/kcore Analysis | Learning Linux Binary Analysis

Sign In Start Free Trial

Book Overview & Buying
Table Of Contents

Learning Linux Binary Analysis

By : "elfmaster" O'Neill

4.8 (10)

Learning Linux Binary Analysis

4.8 (10)

By: "elfmaster" O'Neill

Overview of this book

Learning Linux Binary Analysis is packed with knowledge and code that will teach you the inner workings of the ELF format, and the methods used by hackers and security analysts for virus analysis, binary patching, software protection and more. This book will start by taking you through UNIX/Linux object utilities, and will move on to teaching you all about the ELF specimen. You will learn about process tracing, and will explore the different types of Linux and UNIX viruses, and how you can make use of ELF Virus Technology to deal with them. The latter half of the book discusses the usage of Kprobe instrumentation for kernel hacking, code patching, and debugging. You will discover how to detect and disinfect kernel-mode rootkits, and move on to analyze static code. Finally, you will be walked through complex userspace memory infection analysis. This book will lead you into territory that is uncharted even by some experts; right into the world of the computer hacker.

Preface

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Free Chapter

1. The Linux Environment and Its Tools

1. The Linux Environment and Its Tools

Linux tools

Useful devices and files

Linker-related environment points

Summary

2. The ELF Binary Format

2. The ELF Binary Format

ELF file types

ELF program headers

ELF section headers

ELF symbols

ELF relocations

ELF dynamic linking

Coding an ELF Parser

Summary

3. Linux Process Tracing

3. Linux Process Tracing

The importance of ptrace

ptrace requests

The process register state and flags

A simple ptrace-based debugger

A simple ptrace debugger with process attach capabilities

Advanced function-tracing software

ptrace and forensic analysis

Process image reconstruction – from the memory to the executable

Code injection with ptrace

Simple examples aren't always so trivial

Demonstrating the code_inject tool

A ptrace anti-debugging trick

Summary

4. ELF Virus Technology – Linux/Unix Viruses

4. ELF Virus Technology – Linux/Unix Viruses

ELF virus technology

ELF virus engineering challenges

ELF virus parasite infection methods

The PT_NOTE to PT_LOAD conversion infection method

Infecting control flow

Process memory viruses and rootkits – remote code injection techniques

ELF anti-debugging and packing techniques

ELF virus detection and disinfection

Summary

5. Linux Binary Protection

5. Linux Binary Protection

ELF binary packers – dumb protectors

Stub mechanics and the userland exec

Other jobs performed by protector stubs

Existing ELF binary protectors

Downloading Maya-protected binaries

Anti-debugging for binary protection

Resistance to emulation

Obfuscation methods

Protecting control flow integrity

Other resources

Summary

6. ELF Binary Forensics in Linux

6. ELF Binary Forensics in Linux

The science of detecting entry point modification

Detecting other forms of control flow hijacking

Identifying parasite code characteristics

Checking the dynamic segment for DLL injection traces

Identifying reverse text padding infections

Identifying text segment padding infections

Identifying protected binaries

IDA Pro

Summary

7. Process Memory Forensics

7. Process Memory Forensics

What does a process look like?

Process memory infection

Detecting the ET_DYN injection

Linux ELF core files

Summary

8. ECFS – Extended Core File Snapshot Technology

8. ECFS – Extended Core File Snapshot Technology

History

The ECFS philosophy

Getting started with ECFS

libecfs – a library for parsing ECFS files

readecfs

Examining an infected process using ECFS

The ECFS reference guide

Process necromancy with ECFS

Learning more about ECFS

Summary

9. Linux /proc/kcore Analysis

9. Linux /proc/kcore Analysis

Linux kernel forensics and rootkits

stock vmlinux has no symbols

/proc/kcore and GDB exploration

Direct sys_call_table modifications

Kprobe rootkits

Debug register rootkits – DRR

VFS layer rootkits

Other kernel infection techniques

vmlinux and .altinstructions patching

Using taskverse to see hidden processes

Infected LKMs – kernel drivers

Notes on /dev/kmem and /dev/mem

/dev/mem

K-ecfs – kernel ECFS

Kernel hacking goodies

Summary

Index

Index

Direct sys_call_table modifications

Traditional kernel rootkits, such as adore and phalanx, worked by overwriting pointers in sys_call_table so that they would point to a replacement function, which would then call the original syscall as needed. This was accomplished by either an LKM or a program that modified the kernel through /dev/kmem or /dev/mem. On today's Linux systems, for security reasons, these writable windows into memory are disabled or are no longer capable of anything but read operations depending on how the kernel is configured. There have been other ways of trying to prevent this type of infection, such as marking sys_call_table as const so that it is stored in the .rodata section of the text segment. This can be bypassed by marking the corresponding PTE (short for Page Table Entry) as writeable, or by disabling the write-protect bit in the cr0 register. Therefore, this type of infection is a very reliable way to make a rootkit even today, but it is also very easily detected...

CONTINUE READING

83

Tech Concepts

36

Programming languages

73

Tech Tools

Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.

Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.

50+ new titles added per month and exclusive early access to books as they are being written.

Learning Linux Binary Analysis

Search

Your notes and bookmarks