Book Image

Binary Analysis Cookbook

By : Michael Born
Book Image

Binary Analysis Cookbook

By: Michael Born

Overview of this book

Binary analysis is the process of examining a binary program to determine information security actions. It is a complex, constantly evolving, and challenging topic that crosses over into several domains of information technology and security. This binary analysis book is designed to help you get started with the basics, before gradually advancing to challenging topics. Using a recipe-based approach, this book guides you through building a lab of virtual machines and installing tools to analyze binaries effectively. You'll begin by learning about the IA32 and ELF32 as well as IA64 and ELF64 specifications. The book will then guide you in developing a methodology and exploring a variety of tools for Linux binary analysis. As you advance, you'll learn how to analyze malicious 32-bit and 64-bit binaries and identify vulnerabilities. You'll even examine obfuscation and anti-analysis techniques, analyze polymorphed malicious binaries, and get a high-level overview of dynamic taint analysis and binary instrumentation concepts. By the end of the book, you'll have gained comprehensive insights into binary analysis concepts and have developed the foundational skills to confidently delve into the realm of binary analysis.

Related Content you might be interested in

Current Title:

Small book image
Binary Analysis Cookbook
Michael Born
Sep, 2019 | 396 pages
Small book image
Offensive Shellcode from Scratch.
Rishalin Pillay
Apr, 2022 | 208 pages
Small book image
Penetration Testing with Shellcode
Hamza Megahed
Feb, 2018 | 346 pages
Small book image
Mastering Assembly Programming
Alexey Lyashko
Sep, 2017 | 290 pages
Table of Contents (12 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Sections
Get in touch
Free Chapter
1
Setting Up the Lab
Setting Up the Lab
Installing VirtualBox on Windows
Installing VirtualBox on Mac
Installing VirtualBox on Ubuntu
Installing a 32-bit Ubuntu 16.04 LTS Desktop virtual machine
Installing a 64-bit Ubuntu 16.04 LTS Desktop virtual machine
Installing the dependencies and the tools
Installing the code examples
Installing the EDB Debugger
Taking a snapshot of the virtual machines
2
32-bit Assembly on Linux and the ELF Specification
32-bit Assembly on Linux and the ELF Specification
Technical requirements
Differences between Intel and AT&T syntax
Introduction to the IA-32 registers
Introducing common IA-32 instructions
Making IA-32 system calls on Linux
Introducing the ELF 32-bit specification
3
64-bit Assembly on Linux and the ELF Specification
64-bit Assembly on Linux and the ELF Specification
Technical requirements
Introducing the IA64 registers
Introducing common IA64 instructions
Making IA64 system calls on Linux
Introducing the ELF 64-bit specification
4
Creating a Binary Analysis Methodology
Creating a Binary Analysis Methodology
Technical requirements
Performing binary discovery
Information gathering
Static analysis
Dynamic analysis
Iterating each step
Automating methodology tasks
Adapting the methodology steps
5
Linux Tools for Binary Analysis
Linux Tools for Binary Analysis
Technical requirements
Using file
Using strings
Using readelf
Using nm
Using objcopy
Using objdump
Using ltrace and strace
Using data duplicator (dd)
Using the GNU Debugger (GDB)
Using Evan's Debugger (EDB)
6
Analyzing a Simple Bind Shell
Analyzing a Simple Bind Shell
Technical requirements
Performing discovery
Gathering information
Performing static analysis
Using ltrace and strace
Using GDB for dynamic analysis
Finishing dynamic analysis
7
Analyzing a Simple Reverse Shell
Analyzing a Simple Reverse Shell
Technical requirements
Automating the initial phases
Static analysis with objdump
Editing the binary
Using GDB TUI mode
Continuing with dynamic analysis
Analyzing the execve system call
8
Identifying Vulnerabilities
Identifying Vulnerabilities
Technical requirements
Automating the initial phases
Extended static analysis
Identifying hard coded credentials with ltrace
Identifying hard coded credentials with a debugger
Validating a stack-based buffer overflow
9
Understanding Anti-Analysis Techniques
Understanding Anti-Analysis Techniques
Technical requirements
Understanding signature detection
Changing a binary's signature
Confusing static analysis tools
Encoding and decoding
10
A Simple Reverse Shell With Polymorphism
A Simple Reverse Shell With Polymorphism
Technical requirements
Automating the initial phases
Performing static analysis
Using EDB for dynamic analysis
Analyzing deobfuscation loops
Wrapping up dynamic analysis
11
Another Book You May Enjoy
Another Book You May Enjoy
Leave a review - let other readers know what you think

Encoding and decoding

Another technique that we can use to try and evade signature detection is to use encoding to mask the bytes in a binary. This technique, however, does require a decoding stub in order to unmask the bytes so that the binary executes as originally intended.

From an analysis perspective, we need to understand what encoding and decoding looks like, especially from a static or dynamic analysis perspective. When it comes to signature detection, as we'll see, encoding and decoding may work in certain situations. It's becoming less and less frequent that it does, but every now and then, I'll find an encoding scheme that works, albeit increasingly rarely. Still, this is a good skill to have during analysis.

In this recipe, we'll look at an encoded version of our reverse shell and identify the decoder stub during our analysis. We won't cover...

Previous Section
End of Chapter 9
Next Chapter