Book Image

Learning Linux Binary Analysis

By : Ryan "elfmaster" O'Neill
Book Image

Learning Linux Binary Analysis

By: Ryan "elfmaster" O'Neill

Overview of this book

Learning Linux Binary Analysis is packed with knowledge and code that will teach you the inner workings of the ELF format, and the methods used by hackers and security analysts for virus analysis, binary patching, software protection and more. This book will start by taking you through UNIX/Linux object utilities, and will move on to teaching you all about the ELF specimen. You will learn about process tracing, and will explore the different types of Linux and UNIX viruses, and how you can make use of ELF Virus Technology to deal with them. The latter half of the book discusses the usage of Kprobe instrumentation for kernel hacking, code patching, and debugging. You will discover how to detect and disinfect kernel-mode rootkits, and move on to analyze static code. Finally, you will be walked through complex userspace memory infection analysis. This book will lead you into territory that is uncharted even by some experts; right into the world of the computer hacker.

Related Content you might be interested in

Current Title:

Small book image
Learning Linux Binary Analysis
Ryan "elfmaster" O'Neill
Feb, 2016 | 282 pages
No titles found
Table of Contents (17 chapters)
Learning Linux Binary Analysis
Learning Linux Binary Analysis
Credits
Credits
About the Author
About the Author
Acknowledgments
Acknowledgments
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
The Linux Environment and Its Tools
The Linux Environment and Its Tools
Linux tools
Useful devices and files
Linker-related environment points
Summary
2
The ELF Binary Format
The ELF Binary Format
ELF file types
ELF program headers
ELF section headers
ELF symbols
ELF relocations
ELF dynamic linking
Coding an ELF Parser
Summary
3
Linux Process Tracing
Linux Process Tracing
The importance of ptrace
ptrace requests
The process register state and flags
A simple ptrace-based debugger
A simple ptrace debugger with process attach capabilities
Advanced function-tracing software
ptrace and forensic analysis
Process image reconstruction – from the memory to the executable
Code injection with ptrace
Simple examples aren't always so trivial
Demonstrating the code_inject tool
A ptrace anti-debugging trick
Summary
4
ELF Virus Technology – Linux/Unix Viruses
ELF Virus Technology – Linux/Unix Viruses
ELF virus technology
ELF virus engineering challenges
ELF virus parasite infection methods
The PT_NOTE to PT_LOAD conversion infection method
Infecting control flow
Process memory viruses and rootkits – remote code injection techniques
ELF anti-debugging and packing techniques
ELF virus detection and disinfection
Summary
5
Linux Binary Protection
Linux Binary Protection
ELF binary packers – dumb protectors
Stub mechanics and the userland exec
Other jobs performed by protector stubs
Existing ELF binary protectors
Downloading Maya-protected binaries
Anti-debugging for binary protection
Resistance to emulation
Obfuscation methods
Protecting control flow integrity
Other resources
Summary
6
ELF Binary Forensics in Linux
ELF Binary Forensics in Linux
The science of detecting entry point modification
Detecting other forms of control flow hijacking
Identifying parasite code characteristics
Checking the dynamic segment for DLL injection traces
Identifying reverse text padding infections
Identifying text segment padding infections
Identifying protected binaries
IDA Pro
Summary
7
Process Memory Forensics
Process Memory Forensics
What does a process look like?
Process memory infection
Detecting the ET_DYN injection
Linux ELF core files
Summary
8
ECFS – Extended Core File Snapshot Technology
ECFS – Extended Core File Snapshot Technology
History
The ECFS philosophy
Getting started with ECFS
libecfs – a library for parsing ECFS files
readecfs
Examining an infected process using ECFS
The ECFS reference guide
Process necromancy with ECFS
Learning more about ECFS
Summary
9
Linux /proc/kcore Analysis
Linux /proc/kcore Analysis
Linux kernel forensics and rootkits
stock vmlinux has no symbols
/proc/kcore and GDB exploration
Direct sys_call_table modifications
Kprobe rootkits
Debug register rootkits – DRR
VFS layer rootkits
Other kernel infection techniques
vmlinux and .altinstructions patching
Using taskverse to see hidden processes
Infected LKMs – kernel drivers
Notes on /dev/kmem and /dev/mem
/dev/mem
K-ecfs – kernel ECFS
Kernel hacking goodies
Summary
Index
Index

Acknowledgments

First and foremost, I would like to present a very genuine thank you to my mother, Michelle, to whom I have dedicated this book. It all started with her buying me my first computer, followed by a plethora of books, ranging from Unix programming to kernel internals and network security. At one point in my life, I thought I was done with computers forever, but about 5 years later, when I wanted to reignite my passion, I realized that I had thrown my books away! I then found that my mother had secretly saved them for me, waiting for the day I would return to them. Thank you mom, you are wonderful, and I love you.

I would also be very remiss not to acknowledge the most important woman in my life today, who is my twin flame and mother of two of my children. There is no doubt that I would not be where I am in my life and career without you. They say that behind every great man is an even greater woman. This old adage is very true. Thank you Marilyn for bringing immense joy and adventure into my life. I love you.

My father, Brian O'Neill, is a huge inspiration in my life and has taught me so many things about being a man, a father, and a friend. I love you Dad and I will always cherish our philosophical and spiritual connection.

Michael and Jade, thank you both for being such unique and wonderful souls. I love you both.

Lastly, I thank all three of my children: Mick, Jayden, and Jolene. One day, perhaps, you will read this book and know that your old man knows a thing or two about computers, but also that I will always put you guys first in my life. You are all three amazing beings and have imbued my life with such deep meaning and love.

Silvio Cesare is a legendary name in the computer security industry due to his highly innovative and groundbreaking research into many areas, beginning with ELF viruses, and breakthroughs in kernel vulnerability analysis. Thank you Silvio for your mentoring and friendship. I have learned more from you than from any other person in our industry.

Baron Oldenburg was an instrumental part of this book. On several occasions, I nearly gave up due to the time and energy drained, but Baron offered to help with the initial editing and putting the text into the proper format. This took a huge burden off the development process and made this book possible. Thank you Baron! You are a true friend.

Lorne Schell is a true Renaissance man—software engineer, musician, and artist. He was the brilliant hand behind the artwork on the cover of this book. How amazingly well does a Vitruvian Elf fit the description of this book artistically? Thank you Lorne. I am very grateful for your talent and the time you spent on this.

Chad Thunberg, my boss at Leviathan Security Group, was instrumental in making sure that I got the resources and the encouragement necessary to complete this book. Thank you.

All the guys at #bitlackeys on EFnet have my gratitude for their friendship and support.

Previous Section
Next Chapter