Previous Chapter

Index

A

.altinstructions
- about / .altinstructions and .altinstr_replace
.altinstructions patching
- about / vmlinux and .altinstructions patching
.altinstr_replace
- about / .altinstructions and .altinstr_replace
adore
- about / Direct sys_call_table modifications
advanced function-tracing software
- using / Advanced function-tracing software
algorithm, for data segment infection
- about / Algorithm for data segment infection
algorithm, for PT_NOTE to PT_LOAD conversion infection method / Algorithm for PT_NOTE to PT_LOAD conversion infections
algorithm, for reverse text infection / Algorithm for reverse text infection
algorithm, for Silvio .text infection method
- about / Algorithm for the Silvio .text infection method
analysis, of core file
- about / Analysis of the core file – the Azazel rootkit
- Azazel infected process, starting / Core file program headers
- core dump, obtaining / Core file program headers
- core file program headers / Core file program headers
- PT_NOTE segment / The PT_NOTE segment
- PT_LOAD segments / PT_LOAD segments and the downfalls of core files for forensics purposes
- core files for forensics purposes, downfalls / PT_LOAD segments and the downfalls of core files for forensics purposes
- core file, using with GDB for forensics / Using a core file with GDB for forensics
anti-debugging, for binary protection / Anti-debugging for binary protection
anti-exploitation, Maya
- about / Maya's anti-exploitation
- source code, of vuln.c / Maya's anti-exploitation
- example, of exploiting vuln.c / Example of exploiting vuln.c
antivirus (AV) company / ELF virus engineering challenges
arch/x86/include/asm/alternative.h
- about / From arch/x86/include/asm/alternative.h
auxiliary vector / The auxiliary vector
AVU (Anti Virus Unix)
- URL / ELF virus detection and disinfection
Azazel
- about / Process infection tools
- reference link / Process infection tools
Azazel userland rootkit, analyzing
- about / Analyzing the Azazel userland rootkit
- symbol table of host2, with process reconstruction / The symbol table of the host2 process reconstructed
- section header table of host2, with process reconstruction / The section header table of the host2 process reconstructed
- PLT/GOT, validating with ECFS / Validating the PLT/GOT with ECFS
- readecfs output, for PLT/GOT validation / The readecfs output for PLT/GOT validation
Azazel userland rootkit detection / Azazel userland rootkit detection

B

basic ltrace command
- about / Basic ltrace command
binary protectors
- references / Other resources
Bitlackeys Research
- reference link / ptrace and forensic analysis
Blackhat
- URL / Shiva by Neil Mehta and Shawn Clowes – 2003
Burneye
- about / Burneye by Scut – 2002

C

.ctors, for anti-anti-debugging / Patching the .ctors/.init_array section
.ctors/.dtors function pointers
- overwriting / Overwriting the .ctors/.dtors function pointers
.ctors / .init_array section
- patching / Patching the .ctors/.init_array section
call/pop technique / Identifying parasite code characteristics
Cerberus ELF interface
- reference link / ERESI – The ELF reverse engineering system interface
code injection, with ptrace / Code injection with ptrace
code obfuscation technique
- about / The code obfuscation technique
code_inject.c source code
- about / Simple examples aren't always so trivial
code_inject tool
- demonstrating / Demonstrating the code_inject tool
complications, with string storage
- about / Complications with string storage
- solution / Solution
control flow, infecting
- about / Infecting control flow
- direct PLT infection / Direct PLT infection
- function trampolines / Function trampolines
- .ctors/.dtors function pointers, overwriting / Overwriting the .ctors/.dtors function pointers
- global offset table poisoning / GOT – global offset table poisoning or PLT/GOT redirection
- PLT/GOT redirection / GOT – global offset table poisoning or PLT/GOT redirection
- function pointer overwrites / Function pointer overwrites
control flow integrity, protecting
- about / Protecting control flow integrity
- attacks, based on ptrace / Attacks based on ptrace
- security vulnerability-based attacks / Security vulnerability-based attacks
core handler
- ECFS, plugging into / Plugging ECFS into the core handler

D

/dev/kmem
- about / Notes on /dev/kmem and /dev/mem
/dev/mem
- about / Notes on /dev/kmem and /dev/mem, /dev/mem
DacryFile
- about / DacryFile by the Grugq – 2001
- URL / DacryFile by the Grugq – 2001
data segment infections
- about / Data segment infections
- algorithm / Algorithm for data segment infection
data structures
- infecting / Infecting data structures
direct PLT infection
- about / Direct PLT infection
Direct PLT infection
- about / Direct PLT infection
disinfection program, for reverse text infection method
- reference link / Algorithm for reverse text infection
DLL injection traces
- dynamic segment, checking for / Checking the dynamic segment for DLL injection traces
DRR
- about / Debug register rootkits – DRR
- detecting / Detecting DRR
dynamic segment
- about / The dynamic segment revisited
- DT_NEEDED / DT_NEEDED
- DT_SYMTAB / DT_SYMTAB
- DT_HASH / DT_HASH
- DT_STRTAB / DT_STRTAB
- DT_PLTGOT / DT_PLTGOT
- checking, for DLL injection traces / Checking the dynamic segment for DLL injection traces
DynamoRIO / Anti-debugging for binary protection

E

ECFS
- about / ECFS, What does a process look like?, Tools for detecting PLT/GOT hooks, The ECFS philosophy, K-ecfs – kernel ECFS
- reference link / ECFS, Tools for detecting PLT/GOT hooks
- history / History
- references / Getting started with ECFS, Learning more about ECFS
- plugging, into core handler / Plugging ECFS into the core handler
- used, for examining infected process / Examining an infected process using ECFS
- reference guide / The ECFS reference guide
- symbol table reconstruction / ECFS symbol table reconstruction
- section headers / ECFS section headers
ECFS file
- using, as regular core file / Using an ECFS file as a regular core file
ECFS snapshot
- capturing / Capturing and analyzing an ECFS snapshot
- analyzing / Capturing and analyzing an ECFS snapshot
ECFS snapshots, without killing process
- about / ECFS snapshots without killing the process
ELF anti-debugging and packing techniques
- about / ELF anti-debugging and packing techniques
- PTRACE_TRACEME technique / The PTRACE_TRACEME technique
- SIGTRAP handler technique / The SIGTRAP handler technique
- /proc/self/status technique / The /proc/self/status technique
- code obfuscation technique / The code obfuscation technique
- string table transformation technique / The string table transformation technique
ELF binary packers
- about / ELF binary packers – dumb protectors
ELF binary protectors
- about / Existing ELF binary protectors
- DacryFile / DacryFile by the Grugq – 2001
- Burneye / Burneye by Scut – 2002
- Shiva / Shiva by Neil Mehta and Shawn Clowes – 2003
- Maya's Veil / Maya's Veil by Ryan O'Neill – 2014
elfdemon
- about / Executable injections
- reference link / Executable injections
elfdemon source code
- reference link / Simple examples aren't always so trivial
ELF dynamic linking
- about / ELF dynamic linking
- auxiliary vector / The auxiliary vector
ELF file types
- about / ELF file types
- ET_NONE / ELF file types
- ET_REL / ELF file types
- ET_EXEC / ELF file types
- ET_DYN / ELF file types
- ET_CORE / ELF file types
ELF Parser
- coding / Coding an ELF Parser
ELF program headers
- about / ELF program headers
- PT_LOAD / PT_LOAD
- PT_DYNAMIC / PT_DYNAMIC – Phdr for the dynamic segment
- PT_NOTE / PT_NOTE
- PT_INTERP / PT_INTERP
- PT_PHDR / PT_PHDR
ELF relocations
- about / ELF relocations
ELF runtime infection
- reference link / ptrace request types
elfscure
- reference link / The string table transformation technique
ELF section headers
- about / ELF section headers
- .text section / The .text section
- .rodata section / The .rodata section
- .plt section / The .plt section
- .data section / The .data section
- .bss section / The .bss section
- .got.plt section / The .got.plt section
- .dynsym section / The .dynsym section
- .dynstr section / The .dynstr section
- .rel.* section / The .rel.* section
- .hash section / The .hash section
- .symtab section / The .symtab section
- .strtab section / The .strtab section
- .shstrtab section / The .shstrtab section
- .ctors section / The .ctors and .dtors sections
- .dtors section / The .ctors and .dtors sections
ELF symbols
- about / ELF symbols
- st_name / st_name
- st_value / st_value
- st_size / st_size
- st_other / st_other
- st_shndx / st_shndx
- st_info / st_info
- symbol types / Symbol types
- symbol bindings / Symbol bindings
ELF virus detection
- about / ELF virus detection and disinfection
ELF virus disinfection
- about / ELF virus detection and disinfection
ELF virus engineering challenges
- about / ELF virus engineering challenges
- parasite code must be self-contained / Parasite code must be self-contained
- complications, with string storage / Complications with string storage
- legitimate space, finding to store parasite code / Finding legitimate space to store parasite code
- execution control flow, passing to parasite / Passing the execution control flow to the parasite
ELF virus parasite infection methods
- about / ELF virus parasite infection methods
- Silvio padding infection method / The Silvio padding infection method
- reverse text infection / The reverse text infection
- data segment infections / Data segment infections
ELF virus technology
- about / ELF virus technology
Embedded ELF debugging
- reference link / ERESI – The ELF reverse engineering system interface
emulated CPU inconsistencies
- detecting / Detecting emulated CPU inconsistencies
emulation
- detecting, through syscall testing / Detecting emulation through syscall testing
entry point modification
- detecting / The science of detecting entry point modification
Eresi
- URL / Relocatable code injection-based binary patching
ERESI project
- reference link / ERESI – The ELF reverse engineering system interface
ET_DYN (shared object) injection / Injection methods
ET_DYN injection
- detecting / Detecting the ET_DYN injection
ET_DYN injection internals
- about / ET_DYN injection internals
- symbol for __libc_dlopen_mode, finding / Example – finding the symbol for __libc_dlopen_mode
- __libc_dlopen_mode shellcode, example / Code example – the __libc_dlopen_mode shellcode
- libc symbol resolution, example / Code example – libc symbol resolution
- x86_32 shellcode, to mmap() an ET_DYN object / Code example – the x86_32 shellcode to mmap() an ET_DYN object
ET_REL (relocatable object) injection / Injection methods
executable injections
- about / Executable injections
executable memory mappings
- about / Executable memory mappings
executable reconstruction
- challenges / Challenges for executable reconstruction
execution control flow, passing to parasite
- about / Passing the execution control flow to the parasite
- solution / Solution
explicit addend / ELF relocations
Extended core file snapshot (ECFS)
- about / Process image reconstruction – from the memory to the executable

F

flags
- about / The process register state and flags
forms, of control flow hijacking
- detecting / Detecting other forms of control flow hijacking
- .ctors / .init_array section, patching / Patching the .ctors/.init_array section
- PLT/GOT hooks, detecting / Detecting PLT/GOT hooks
- function trampolines, detecting / Detecting function trampolines
FreeBSD /dev/kmem
- about / FreeBSD /dev/kmem
ftrace
- about / ftrace
- reference link / ftrace, Advanced function-tracing software
function hijacking
- about / Method 2 for infecting LKM files (function hijacking)
function pointer overwrites
- about / Function pointer overwrites
function trampolines
- about / Function trampolines, Techniques for hijacking execution
- detecting / Detecting function trampolines, Detecting function trampolines
- example / Example of function trampolines

G

GDB
- about / GDB
- using, with /proc/kcore / /proc/kcore and GDB exploration
Global Offset Table (GOT)
- about / The importance of ptrace
Global offset table (GOT) / PT_DYNAMIC – Phdr for the dynamic segment, The .got.plt section
global offset table poisoning / GOT – global offset table poisoning or PLT/GOT redirection
GOT (global offset table) / Detecting PLT/GOT hooks
GRKERNSEC_PROC_MEMMAP / What does a process look like?

H

hidden processes
- viewing, taskverse used / Using taskverse to see hidden processes
host process
- infecting / Infecting the host process

I

IDA Pro
- about / IDA Pro
illegitimate shared object loading
- about / Illegitimate shared object loading
implicit addends / ELF relocations
incorrect GOT addresses
- identifying / Identifying incorrect GOT addresses
indirect jmp
- example / An example with indirect jmp
infected LKMs
- about / Infected LKMs – kernel drivers
- detecting / Detecting infected LKMs
infected process
- examining, ECFS used / Examining an infected process using ECFS
integrity, of syscall
- validating / An example of validating the integrity of a syscall
interrupt handler patching
- about / Interrupt handler patching – int 0x80, syscall
- detecting / Detecting interrupt handler patching

K

k-ecfs
- about / K-ecfs – kernel ECFS
kdress
- about / stock vmlinux has no symbols
- reference link / stock vmlinux has no symbols
- vmlinux, building with / Building a proper vmlinux with kdress
kernel-ecfs file
- about / A sneak peek of the kernel-ecfs file
kernel code integrity
- verifying, textify used / Using textify to verify kernel code integrity
Kernel Detective
- URL / Linux kernel forensics and rootkits
kernel function trampolines
- reference link / Detecting function trampolines
- about / Kernel function trampolines
kernel hacking goodies
- about / Kernel hacking goodies
- general reverse engineering and debugging / General reverse engineering and debugging
- advanced kernel hacking/debugging interfaces / Papers mentioned in this chapter
kernel infection techniques
- about / Other kernel infection techniques
Kernel voodoo
- reference link / Papers mentioned in this chapter
kprobe rootkits
- about / Kprobe rootkits
- detecting / Detecting kprobe rootkits

L

LD_PRELOAD
- about / Injection methods
- finding, on stack / Finding LD_PRELOAD on the stack
LD_PRELOAD environment variable
- about / The LD_PRELOAD environment variable
LD_SHOW_AUXV environment variable
- about / The LD_SHOW_AUXV environment variable
legitimate shared object loading
- about / Legitimate shared object loading
legitimate space, finding to store parasite code
- about / Finding legitimate space to store parasite code
- solution / Solution
libecfs
- about / libecfs – a library for parsing ECFS files
libecfs API
- about / The libecfs API and how to use it
- using / The libecfs API and how to use it
- reference link / The libecfs API and how to use it
linker-related environment points
- about / Linker-related environment points
- LD_PRELOAD environment variable / The LD_PRELOAD environment variable
- LD_SHOW_AUXV environment variable / The LD_SHOW_AUXV environment variable
linker scripts
- about / Linker scripts
Linux ELF core files
- about / Linux ELF core files
Linux kernel
- forensics / Linux kernel forensics and rootkits
- rootkits / Linux kernel forensics and rootkits
Linux padding Virus
- reference link / Identifying parasite code characteristics
Linux tools
- about / Linux tools
- GDB / GDB
- objdump from GNU Binutils / Objdump from GNU binutils
- Objcopy from GNU binutils / Objcopy from GNU binutils
- strace / strace
- ltrace / ltrace
- basic ltrace command / Basic ltrace command
- ftrace / ftrace
- readelf / readelf
- ERESI / ERESI – The ELF reverse engineering system interface
Linux VMA Voodoo
- about / Tools for detecting PLT/GOT hooks
- reference link / Tools for detecting PLT/GOT hooks
LKM files
- infecting / Method 1 for infecting LKM files – symbol hijacking, Method 2 for infecting LKM files (function hijacking)
LKM infection
- reference link / Papers mentioned in this chapter
Loadable Kernel Module (LKM)
- about / Linux kernel forensics and rootkits
LPV virus
- about / The LPV virus
- download link / The LPV virus
lpv virus
- reference link / Algorithm for the Silvio .text infection method
ltrace
- about / ltrace

M

Maya
- protection layers / Maya's protection layers, Layer 2, Layer 3
- nanomites / Maya's nanomites
- anti-exploitation / Maya's anti-exploitation
Maya's Veil
- about / Maya's Veil by Ryan O'Neill – 2014
Maya-protected binaries
- downloading / Downloading Maya-protected binaries
Mayas Veil
- reference link / The reverse text infection

N

nanomites, Maya / Maya's nanomites
NOTE segment infections
- reference link / PT_NOTE

O

obfuscation methods
- about / Obfuscation methods
Objcopy from GNU binutils
- about / Objcopy from GNU binutils
objdump from GNU Binutils
- about / Objdump from GNU binutils
Object copy (Objcopy)
- about / Objcopy from GNU binutils
object dump (objdump)
- about / Objdump from GNU binutils
object obfuscator (objobf)
- about / Burneye by Scut – 2002

P

/proc/kcore
- about / /proc/kcore and GDB exploration
- GDB, using with / /proc/kcore and GDB exploration
/proc/self/status technique
- about / The /proc/self/status technique
packer
- about / ELF binary packers – dumb protectors
Page Table Entry (PTE)
- about / Direct sys_call_table modifications
parasite code
- extracting, with readecfs / Extracting parasite code with readecfs
parasite code characteristics
- identifying / Identifying parasite code characteristics
parasite code must be self-contained
- about / Parasite code must be self-contained
- solution / Solution
PaX
- URL / Algorithm for data segment infection
PaX mprotect restrictions
- reference link / Code example – the x86_32 shellcode to mmap() an ET_DYN object
phalanx
- about / Direct sys_call_table modifications
Phrack
- URL / Burneye by Scut – 2002
PIC code (shellcode) injection / Injection methods
Pin / Anti-debugging for binary protection
PLT (procedure linkage table) / Detecting PLT/GOT hooks
PLT/GOT / Learning about the PLT/GOT
PLT/GOT hooks
- detecting / Detecting PLT/GOT hooks, Detecting PLT/GOT hooks
- truncated output, from readelf -S command / Truncated output from readelf -S command
- incorrect GOT addresses, identifying / Identifying incorrect GOT addresses
PLT/GOT integrity
- about / PLT/GOT integrity
PLT/GOT redirection / GOT – global offset table poisoning or PLT/GOT redirection
position-independent code (PIC) / Solution
Position-Independent Executable (PIE) / The section header analysis
position independent code (PIC) / ELF file types, Identifying parasite code characteristics
preload
- about / Mapping out the process address space
procedure linkage table (PLT) / The .plt section
- about / What to look for in the memory
procedure prologue / Symbol bindings
process
- about / What does a process look like?
process-executable reconstruction
- challenges / Challenges for process-executable reconstruction
process address space
- mapping out / Mapping out the process address space
process cloaking
- about / Injection methods
/ Examining an infected process using ECFS
process image reconstruction
- about / Process image reconstruction – from the memory to the executable
- section header table, adding / Adding a section header table
- algorithm, for process / The algorithm for the process
- with Quenya, on 32-bit test environment / Process reconstruction with Quenya on a 32-bit test environment
process infection techniques
- about / Process infection techniques
process infection tools
- Azazel / Process infection tools
- Saruman / Process infection tools
- sshd_fucker (phrack .so injection paper) / Process infection tools
process injection methods
- ET_DYN (shared object) injection / Injection methods
- ET_REL (relocatable object) injection / Injection methods
- PIC code (shellcode) injection / Injection methods
process memory infection
- about / Process memory infection
process memory layout
- example / What does a process look like?
process necromancy, with ECFS
- about / Process necromancy with ECFS
process register state
- about / The process register state and flags
program heap
- about / The program heap
protected binaries
- identifying / Identifying protected binaries
- analyzing / Analyzing a protected binary
protection layers, Maya / Maya's protection layers, Layer 2, Layer 3
protector
- example / An example of a protector
protector stubs
- tasks / Other jobs performed by protector stubs
PSE (Page size extension) / Identifying text segment padding infections
ptrace
- about / The importance of ptrace
- forensic analysis / ptrace and forensic analysis
- code injection / Code injection with ptrace
- verification, for program tracking / Is your program being traced?
ptrace-based debugger
- about / A simple ptrace-based debugger
ptrace anti-debugging trick
- about / A ptrace anti-debugging trick
ptrace debugger
- with process attach capabilities / A simple ptrace debugger with process attach capabilities
ptrace requests
- about / ptrace requests
ptrace request types
- about / ptrace request types
- PTRACE_ATTACH / ptrace request types
- PTRACE_TRACEME / ptrace request types
- PTRACE_PEEKTEXT /PTRACE_PEEKDATA/PTRACE_PEEKUSER / ptrace request types
- PTRACE_POKTEXT /PTRACE_POKEDATA/PTRACE_POKEUSER / ptrace request types
- PTRACE_GETREGS / ptrace request types
- PTRACE_SETREGS / ptrace request types
- PTRACE_CONT / ptrace request types
- PTRACE_DETACH / ptrace request types
- PTRACE_SYSCALL / ptrace request types
- PTRACE_SINGLESTEP / ptrace request types
- PTRACE_GETSIGINFO / ptrace request types
- PTRACE_SETSIGINFO / ptrace request types
- PTRACE_SETOPTIONS / ptrace request types
PTRACE_TRACEME technique
- about / The PTRACE_TRACEME technique
PT_NOTE to PT_LOAD conversion infection method
- about / The PT_NOTE to PT_LOAD conversion infection method
- algorithm / Algorithm for PT_NOTE to PT_LOAD conversion infections

Q

Quenya
- URL / Relocatable code injection-based binary patching
- about / Parasite code must be self-contained, Relocatable code injection – the ET_REL injection

R

%rax register / Techniques for hijacking execution
read+write+execute (RWX) / Solution
readecfs
- about / readecfs
- parasite code, extracting with / Extracting parasite code with readecfs
readelf command
- about / readelf
regular core file
- ECFS file, using as / Using an ECFS file as a regular core file
relative jmp
- example / An example with relative jmp
relocatable code injection
- about / Relocatable code injection – the ET_REL injection
relocatable code injection-based binary patching
- about / Relocatable code injection-based binary patching
remote code injection techniques
- about / Process memory viruses and rootkits – remote code injection techniques
- shared library injection / Shared library injection – .so injection/ET_DYN injection
- .so injection, with LD_PRELOAD / .so injection with LD_PRELOAD
- .so injection, with open()/mmap() shellcode / .so injection with open()/mmap() shellcode
- .so injection, with dlopen() shellcode / .so injection with dlopen() shellcode, Illustration 4.8 – C code invoking __libc_dlopen_mode()
- .so injection, with VDSO manipulation / .so injection with VDSO manipulation
- text segment code injections / Text segment code injections
- executable injections / Executable injections
- relocatable code injection / Relocatable code injection – the ET_REL injection
resistance, to emulation
- about / Resistance to emulation
- emulation, detecting through syscall testing / Detecting emulation through syscall testing
- emulated CPU inconsistencies, detecting / Detecting emulated CPU inconsistencies
- timing delays, checking between certain instructions / Checking timing delays between certain instructions
Retaliation
- URL / The PT_NOTE to PT_LOAD conversion infection method
ret instruction
- example / An example with the ret instruction
Return-Oriented Programming (ROP) / Maya's anti-exploitation
reverse text infection
- about / The reverse text infection
- algorithm / Algorithm for reverse text infection
reverse text infection method
- reference link / Algorithm for reverse text infection
reverse text padding infections
- identifying / Identifying reverse text padding infections
runtime kernel kmem patching
- reference link / Papers mentioned in this chapter

S

.so injection, with dlopen() shellcode
- about / .so injection with dlopen() shellcode, Illustration 4.8 – C code invoking __libc_dlopen_mode()
.so injection, with LD_PRELOAD
- about / .so injection with LD_PRELOAD
.so injection, with open()/mmap() shellcode
- about / .so injection with open()/mmap() shellcode
.so injection, with VDSO manipulation
- about / .so injection with VDSO manipulation
.so injection detection
- principles / Heuristics for .so injection detection
Saruman
- about / Process infection tools
- reference link / Process infection tools, Examining an infected process using ECFS
Saruman virus
- about / Parasite code must be self-contained
section header analysis
- about / The section header analysis
section headers, ECFS
- about / ECFS section headers
- ._TEXT / ECFS section headers
- ._DATA / ECFS section headers
- .stack / ECFS section headers
- .heap / ECFS section headers
- .bss / ECFS section headers
- .vdso / ECFS section headers
- .vsyscall / ECFS section headers
- .procfs.tgz / ECFS section headers
- .prstatus / ECFS section headers
- .fdinfo / ECFS section headers
- .siginfo / ECFS section headers
- .auxvector / ECFS section headers
- .exepath / ECFS section headers
- .personality / ECFS section headers
- .arglist / ECFS section headers
security vulnerability-based attacks / Security vulnerability-based attacks
shared library injection
- about / Shared library injection – .so injection/ET_DYN injection
shared library mappings
- about / Shared library mappings
shared object loading
- about / Shared object loading – legitimate or not?
- legitimate shared object loading / Legitimate shared object loading
- illegitimate shared object loading / Illegitimate shared object loading
Shiva
- about / Shiva by Neil Mehta and Shawn Clowes – 2003
SIGABRT
- about / Plugging ECFS into the core handler
SIGSEGV
- about / Plugging ECFS into the core handler
SIGTRAP handler technique
- about / The SIGTRAP handler technique
Silvio .text infection method
- algorithm / Algorithm for the Silvio .text infection method
Silvio padding infection
- use cases / Use cases for the Silvio padding infection
Silvio padding infection method
- about / The Silvio padding infection method
Skeksi virus
- URL / Solution
sshd_fucker (phrack .so injection paper)
- about / Process infection tools
- reference link / Process infection tools
stack
- about / The stack, vdso, and vsyscall
- LD_PRELOAD, finding on / Finding LD_PRELOAD on the stack
static keyword / Symbol bindings
stock vmlinux
- no symbols / stock vmlinux has no symbols
strace
- about / strace
string table transformation technique
- about / The string table transformation technique
strip
- about / stock vmlinux has no symbols
stub
- tasks / Stub mechanics and the userland exec
stub mechanics
- about / Stub mechanics and the userland exec
symbol hijacking
- about / Method 1 for infecting LKM files – symbol hijacking
symbol table analysis
- about / The symbol table analysis
symbol table reconstruction, ECFS / ECFS symbol table reconstruction
syscall testing
- emulation, detecting through / Detecting emulation through syscall testing
sys_call_table
- navigating, example / An example of navigating sys_call_table
- checking, textify used / An example of using textify to check sys_call_table
sys_call_table modifications
- detecting / Detecting sys_call_table modifications
sys_write
- hijacking, on 32-bit kernel / An example code for hijacking sys_write on a 32-bit kernel

T

taskverse
- about / Linux kernel forensics and rootkits
- used, for viewing hidden processes / Using taskverse to see hidden processes
taskverse techniques
- about / Taskverse techniques
- reference link / Taskverse techniques
techniques, for hijacking execution
- PLT/GOT redirection / Techniques for hijacking execution
- inline function hooking / Techniques for hijacking execution
- .ctors, patching / Techniques for hijacking execution
- .dtors, patching / Techniques for hijacking execution
- VDSO, hijacking for syscall interception / Techniques for hijacking execution
textify
- used, for verifying kernel code integrity / Using textify to verify kernel code integrity
- used, for checking sys_call_table / An example of using textify to check sys_call_table
text padding infection, VX Heaven paper
- reference link / The Silvio padding infection method
text segment code injections
- about / Text segment code injections
text segment padding infection
- example / An example of text segment padding infection
text segment padding infections
- identifying / Identifying text segment padding infections
thread-local-storage (TLS) / The process register state and flags
tools, for detecting PLT/GOT hooks
- Linux VMA Voodoo / Tools for detecting PLT/GOT hooks
- ECFS / Tools for detecting PLT/GOT hooks
- Volatility plt_hook / Tools for detecting PLT/GOT hooks
tracee
- about / ptrace request types
tracer
- about / ptrace request types
tracer program
- using / Using the tracer program

U

UPX
- URL / ELF binary packers – dumb protectors
use cases, for Silvio padding infection
- about / Use cases for the Silvio padding infection
useful devices and files
- about / Useful devices and files
- /proc/<pid>/maps / /proc/<pid>/maps
- /proc/kcore / /proc/kcore
- /boot/System.map / /boot/System.map
- /proc/kallsyms / /proc/kallsyms
- /proc/iomem / /proc/iomem
- ECFS / ECFS
userland exec
- about / Stub mechanics and the userland exec
- reference link / Stub mechanics and the userland exec

V

VDSO
- about / The stack, vdso, and vsyscall
- manipulating / Manipulating VDSO to perform dirty work
VFS function pointer
- validating / Detecting VFS layer rootkits
VFS layer rootkits
- about / VFS layer rootkits
- detecting / Detecting VFS layer rootkits
VMA Monitor
- reference link / History
VMA Voodoo
- URL / ELF virus detection and disinfection
vmlinux
- building, with kdress / Building a proper vmlinux with kdress
vmlinux patching
- about / vmlinux and .altinstructions patching
Volatility plt_hook
- about / Tools for detecting PLT/GOT hooks
- reference link / Tools for detecting PLT/GOT hooks
vsyscall
- about / The stack, vdso, and vsyscall

Previous Chapter