Book Image

Learning Linux Binary Analysis

By : Ryan "elfmaster" O'Neill
Book Image

Learning Linux Binary Analysis

By: Ryan "elfmaster" O'Neill

Overview of this book

Learning Linux Binary Analysis is packed with knowledge and code that will teach you the inner workings of the ELF format, and the methods used by hackers and security analysts for virus analysis, binary patching, software protection and more. This book will start by taking you through UNIX/Linux object utilities, and will move on to teaching you all about the ELF specimen. You will learn about process tracing, and will explore the different types of Linux and UNIX viruses, and how you can make use of ELF Virus Technology to deal with them. The latter half of the book discusses the usage of Kprobe instrumentation for kernel hacking, code patching, and debugging. You will discover how to detect and disinfect kernel-mode rootkits, and move on to analyze static code. Finally, you will be walked through complex userspace memory infection analysis. This book will lead you into territory that is uncharted even by some experts; right into the world of the computer hacker.
Table of Contents (17 chapters)
Learning Linux Binary Analysis
Credits
About the Author
Acknowledgments
About the Reviewers
www.PacktPub.com
Preface
Index

Chapter 3. Linux Process Tracing

In the last chapter, we covered the internals of the ELF format and explained its internal workings. In Linux and other Unix-flavored OSes that use ELF, the ptrace system call goes hand in glove with analyzing, debugging, reverse engineering, and modifying programs that use the ELF format. The ptrace system call is used to attach to a process and access the entire range of code, data, stack, heap, and registers.

Since an ELF program is completely mapped in a process address space, you can attach to the process and parse or modify the ELF image very similarly to how you would do this with the actual ELF file on disk. The primary difference is that we use ptrace to access the program instead of using the open/mmap/read/write calls that would be used for the ELF file.

With ptrace, we can have full control over a program's execution flow, which means that we can do some very interesting things, ranging from memory virus infection and virus analysis/detection to...