Table of Contents for
Learning Linux Binary Analysis


Learning Linux Binary Analysis by Ryan "elfmaster" O'Neill, published by Packt Publishing, 2016
  1. Cover
  2. Table of Contents
  3. Learning Linux Binary Analysis
  4. Learning Linux Binary Analysis
  5. Credits
  6. About the Author
  7. Acknowledgments
  8. About the Reviewers
  9. www.PacktPub.com
  10. Preface
  11. What you need for this book
  12. Who this book is for
  13. Conventions
  14. Reader feedback
  15. Customer support
  16. 1. The Linux Environment and Its Tools
  17. Useful devices and files
  18. Linker-related environment points
  19. Summary
  20. 2. The ELF Binary Format
  21. ELF program headers
  22. ELF section headers
  23. ELF symbols
  24. ELF relocations
  25. ELF dynamic linking
  26. Coding an ELF Parser
  27. Summary
  28. 3. Linux Process Tracing
  29. ptrace requests
  30. The process register state and flags
  31. A simple ptrace-based debugger
  32. A simple ptrace debugger with process attach capabilities
  33. Advanced function-tracing software
  34. ptrace and forensic analysis
  35. Process image reconstruction – from the memory to the executable
  36. Code injection with ptrace
  37. Simple examples aren't always so trivial
  38. Demonstrating the code_inject tool
  39. A ptrace anti-debugging trick
  40. Summary
  41. 4. ELF Virus Technology – Linux/Unix Viruses
  42. ELF virus engineering challenges
  43. ELF virus parasite infection methods
  44. The PT_NOTE to PT_LOAD conversion infection method
  45. Infecting control flow
  46. Process memory viruses and rootkits – remote code injection techniques
  47. ELF anti-debugging and packing techniques
  48. ELF virus detection and disinfection
  49. Summary
  50. 5. Linux Binary Protection
  51. Stub mechanics and the userland exec
  52. Other jobs performed by protector stubs
  53. Existing ELF binary protectors
  54. Downloading Maya-protected binaries
  55. Anti-debugging for binary protection
  56. Resistance to emulation
  57. Obfuscation methods
  58. Protecting control flow integrity
  59. Other resources
  60. Summary
  61. 6. ELF Binary Forensics in Linux
  62. Detecting other forms of control flow hijacking
  63. Identifying parasite code characteristics
  64. Checking the dynamic segment for DLL injection traces
  65. Identifying reverse text padding infections
  66. Identifying text segment padding infections
  67. Identifying protected binaries
  68. IDA Pro
  69. Summary
  70. 7. Process Memory Forensics
  71. Process memory infection
  72. Detecting the ET_DYN injection
  73. Linux ELF core files
  74. Summary
  75. 8. ECFS – Extended Core File Snapshot Technology
  76. The ECFS philosophy
  77. Getting started with ECFS
  78. libecfs – a library for parsing ECFS files
  79. readecfs
  80. Examining an infected process using ECFS
  81. The ECFS reference guide
  82. Process necromancy with ECFS
  83. Learning more about ECFS
  84. Summary
  85. 9. Linux /proc/kcore Analysis
  86. stock vmlinux has no symbols
  87. /proc/kcore and GDB exploration
  88. Direct sys_call_table modifications
  89. Kprobe rootkits
  90. Debug register rootkits – DRR
  91. VFS layer rootkits
  92. Other kernel infection techniques
  93. vmlinux and .altinstructions patching
  94. Using taskverse to see hidden processes
  95. Infected LKMs – kernel drivers
  96. Notes on /dev/kmem and /dev/mem
  97. /dev/mem
  98. K-ecfs – kernel ECFS
  99. Kernel hacking goodies
  100. Summary
  101. Index

Process memory infection

There are many rootkits, viruses, backdoors, and other tools out there that can be used to infect a system's userland memory. We will now name and describe a few of these.

Process infection tools

  • Azazel: This is a simple but effective LD_PRELOAD injection userland rootkit for Linux that is based on its predecessor rootkit named Jynx. LD_PRELOAD rootkits will preload a shared object into the program that you want to infect. Typically, such a rootkit will hijack functions such as open, read, write, and so on. These hijacked functions will show up as PLT hooks (modified GOT). For more information, visit https://github.com/chokepoint/azazel.
  • Saruman: This is a relatively new anti-forensics infection technique that allows a user to inject a complete dynamically linked executable into an existing process. Both the injected program and the injectee run concurrently within the same address space. This allows stealthy and advanced remote process infection. For more information, visit https://github.com/elfmaster/saruman.
  • sshd_fucker (Phrack .so injection paper): sshd_fucker is the software that accompanies the Phrack 59 paper Runtime process infection. The software infects the sshd process and hijacks the PAM functions through which usernames and passwords are passed. For more information, visit http://phrack.org/issues/59/8.html.

Process infection techniques

What does process infection mean? For our purposes, it covers ways of injecting code into a process, hijacking functions, hijacking control flow, and anti-forensics tricks that make analysis more difficult. Many of these techniques were covered in Chapter 4, ELF Virus Technology – Linux/Unix Viruses, but we will recapitulate some of them here.

Injection methods

  • ET_DYN (shared object) injection: This is accomplished using the ptrace() system call and shellcode that uses either the mmap() or __libc_dlopen_mode() function to load the shared library file. A shared object might not be a shared object at all; it may be a PIE executable, as with the Saruman infection technique, which is a form of anti-forensics for allowing a program to run inside of an existing process address space. This technique is what I call process cloaking.

    Note

    LD_PRELOAD is another common trick for loading a malicious shared library into a process address space to hijack shared library functions. This can be detected by validating the PLT/GOT. The environment variables on the stack can also be analyzed to find out whether LD_PRELOAD has been set.

  • ET_REL (relocatable object) injection: The idea here is to inject a relocatable object file into a process for advanced hot patching techniques. The ptrace system call (or programs that use ptrace(), such as GDB) can be used to inject shellcode into the process, which in turn memory-maps the object file into memory.
  • PIC code (shellcode) injection: Injecting shellcode into a process is typically done with ptrace. Often, shellcode is the first stage in injecting more sophisticated code (such as ET_DYN and ET_REL files) into the process.
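The note above says that an LD_PRELOAD or ET_DYN injection can be spotted from the environment strings on the stack and from what is mapped into the process. The following script is an added example, not code from the book or from any of the tools it names; it works on the two artifacts a forensic tool reads from /proc/<pid> (the maps listing and the environ block), both constructed here as sample data. The list of expected objects is assumed to have been resolved beforehand from the executable's DT_NEEDED entries plus the dynamic linker; that workflow is an assumption of the example, not something the chapter specifies.

```python
"""Added example (not from the book): detect LD_PRELOAD and injected ET_DYN objects
from /proc/<pid>/maps and /proc/<pid>/environ. All sample data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str          # "" for anonymous mappings, "[stack]" etc. for pseudo-paths


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/<pid>/maps lines: 'start-end perms offset dev inode [path]'."""
    maps = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        start, end = (int(x, 16) for x in parts[0].split("-"))
        path = parts[5].strip() if len(parts) > 5 else ""
        maps.append(Mapping(start, end, parts[1], path))
    return maps


def preloaded_objects(environ_blob: bytes) -> List[str]:
    """Objects named by LD_PRELOAD in a NUL-separated environ block.
    /proc/<pid>/environ exposes the initial environment strings on the stack;
    unsetenv() only drops the pointer from the environ array and leaves those
    string bytes in place, so the variable usually remains visible here."""
    for entry in environ_blob.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode("utf-8", "replace")
            return [p for p in value.replace(":", " ").split() if p]
    return []


def file_backed_objects(maps: List[Mapping]) -> List[str]:
    """Distinct paths of file-backed mappings (skips [stack], [vdso] and other pseudo-paths)."""
    paths: List[str] = []
    for m in maps:
        if m.path and not m.path.startswith("[") and m.path not in paths:
            paths.append(m.path)
    return paths


def unexpected_objects(maps: List[Mapping], expected: List[str]) -> List[str]:
    """Mapped objects that are neither the executable nor a resolved dependency.
    Full paths are compared on purpose: a copy of libc.so.6 under /tmp must not
    pass just because its basename matches."""
    return [p for p in file_backed_objects(maps) if p not in expected]


def anonymous_executable(maps: List[Mapping]) -> List[Mapping]:
    """Anonymous mappings with execute permission: where injected shellcode or a
    payload mmap()'d without a backing file usually lives."""
    return [m for m in maps if not m.path and "x" in m.perms]


def analyze(maps_text: str, environ_blob: bytes, expected: List[str]) -> Dict[str, list]:
    maps = parse_maps(maps_text)
    return {
        "ld_preload": preloaded_objects(environ_blob),
        "unexpected_objects": unexpected_objects(maps, expected),
        "anon_exec": [f"{m.start:#x}-{m.end:#x} {m.perms}" for m in anonymous_executable(maps)],
    }


# --- constructed sample input (not captured from a real system) ---
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/target
00600000-00601000 rw-p 00000000 08:01 1234 /usr/bin/target
7f0000000000-7f00001c0000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7f00003c0000-7f00003c6000 rw-p 001c0000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7f0000400000-7f0000402000 r-xp 00000000 08:01 9999 /tmp/.x/libevil.so
7f0000600000-7f0000601000 rwxp 00000000 00:00 0
7f0000800000-7f0000822000 r-xp 00000000 08:01 4321 /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]
7ffd00100000-7ffd00102000 r-xp 00000000 00:00 0 [vdso]
"""
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libevil.so\0HOME=/root\0"
EXPECTED = ["/usr/bin/target", "/lib/x86_64-linux-gnu/libc.so.6",
            "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2"]

if __name__ == "__main__":
    for key, val in analyze(SAMPLE_MAPS, SAMPLE_ENVIRON, EXPECTED).items():
        print(f"{key}: {val}")
```

Each of the three checks is independent, which matters because a rootkit that scrubs one trace rarely scrubs all of them: an object injected with ptrace and mmap() never sets LD_PRELOAD, but it still shows up as an unexpected file-backed mapping or as an anonymous executable region.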

Techniques for hijacking execution

  • PLT/GOT redirection: Hijacking shared library functions is most commonly accomplished by modifying the GOT entry for the given shared library so that the address reflects the location of the code injected by the attacker. This is essentially the same thing as overwriting a function pointer. We will discuss methods of detecting this later in this chapter.
  • Inline function hooking: This method, also called function trampolines, is common both on disk and in memory. An attacker can replace the first 5 to 7 bytes of code in a function with a jmp instruction that transfers control to a malicious function. This can be detected easily by scanning the initial byte code in every function.
  • Patching .ctors and .dtors: The .ctors and .dtors sections in a binary (which can be located in the memory) contain an array of function pointers for initialization and finalization functions. These can be patched by an attacker on disk and in memory so that they point to parasite code.
  • Hijacking VDSO for syscall interception: The VDSO page that is mapped into the process address space contains code for invoking system calls. An attacker can use ptrace(PTRACE_SYSCALL, …) to locate this code and then overwrite the %rax register with the system call number that they want to invoke. This allows a clever attacker to invoke any system call that they want in a process without having to inject shellcode. Check out this paper I wrote in 2009, which describes the technique in detail: http://vxheaven.org/lib/vrn00.html.
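The first two hijacking techniques above, PLT/GOT redirection and inline function trampolines, are the ones the text says can be detected by validating the GOT and by scanning the first bytes of every function; the note in the injection section makes the same point about LD_PRELOAD hooks showing up as modified GOT entries. The script below is an added example, not code from the book, showing both checks over a process memory snapshot. Every address, mapping range and byte sequence in it is constructed; in a real run the ranges come from /proc/<pid>/maps, the GOT slots from the binary's relocation entries, and the function bytes from /proc/<pid>/mem. The trampoline patterns it recognises (jmp rel32, jmp [rip+disp32], push/ret, mov rax/jmp rax) are the common x86-64 ones; it also steps over an endbr64 prefix so that a hook placed after the CET landing pad is not missed.

```python
"""Added example (not from the book): validate GOT slots and scan function entry
points for trampoline hooks. All addresses, ranges and bytes are constructed."""
import struct
from typing import Dict, Optional, Tuple

# Constructed text mappings (hypothetical addresses), name -> (start, end).
TEXT_RANGES: Dict[str, Tuple[int, int]] = {
    "target":    (0x400000, 0x401000),
    "libc.so.6": (0x7F0000000000, 0x7F00001C0000),
}
PLT_RANGE = (0x400400, 0x400500)          # the executable's .plt (constructed)
ANON_RWX = 0x7F0000600000                 # an anonymous rwx mapping (constructed)


def owner_of(addr: int, ranges: Dict[str, Tuple[int, int]]) -> str:
    """Name of the mapping that contains addr, or '' if nothing known maps it."""
    for name, (start, end) in ranges.items():
        if start <= addr < end:
            return name
    return ""


def check_got(got: Dict[str, int], provider: Dict[str, str]) -> Dict[str, str]:
    """Flag GOT slots whose pointer is not inside the text of the library that
    should provide the symbol. A slot still pointing into .plt is unresolved
    (lazy binding) and is not a finding."""
    findings = {}
    for sym, addr in got.items():
        if PLT_RANGE[0] <= addr < PLT_RANGE[1]:
            continue
        owner = owner_of(addr, TEXT_RANGES)
        if owner != provider.get(sym):
            findings[sym] = (f"GOT -> {addr:#x} in {owner or 'unmapped/anonymous'}, "
                             f"expected {provider.get(sym)}")
    return findings


def classify_entry(code: bytes, addr: int) -> Optional[Tuple[str, int]]:
    """Recognise trampoline-style entry sequences; returns (kind, target) or None.
    For jmp [rip+disp32] the 'target' is the address of the pointer slot."""
    if code[:4] == b"\xf3\x0f\x1e\xfa":                        # endbr64: skip it
        code, addr = code[4:], addr + 4
    if code[:1] == b"\xe9":                                     # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp rel32", addr + 5 + rel)
    if code[:2] == b"\xff\x25":                                 # jmp [rip+disp32]
        disp = struct.unpack_from("<i", code, 2)[0]
        return ("jmp [rip+disp32]", addr + 6 + disp)
    if code[:1] == b"\x68" and code[5:6] == b"\xc3":            # push imm32; ret
        return ("push/ret", struct.unpack_from("<I", code, 1)[0])
    if code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":  # mov rax, imm64; jmp rax
        return ("mov rax/jmp rax", struct.unpack_from("<Q", code, 2)[0])
    return None


def scan_entries(text: bytes, text_base: int,
                 symbols: Dict[str, int]) -> Dict[str, Tuple[str, int]]:
    """Check the first bytes of every function in `symbols` (name -> address)."""
    findings = {}
    for name, addr in symbols.items():
        off = addr - text_base
        hit = classify_entry(text[off:off + 12], addr)
        if hit:
            findings[name] = hit
    return findings


# --- constructed sample: a 0x30-byte slice of libc text holding three functions ---
LIBC_TEXT_BASE = 0x7F0000001000
SYMBOLS = {"open": LIBC_TEXT_BASE, "read": LIBC_TEXT_BASE + 0x10, "write": LIBC_TEXT_BASE + 0x20}
SAMPLE_TEXT = bytearray(b"\x90" * 0x30)
SAMPLE_TEXT[0x00:0x04] = b"\x55\x48\x89\xe5"                       # open: push rbp; mov rbp,rsp
SAMPLE_TEXT[0x10:0x15] = b"\xe9" + struct.pack("<i", ANON_RWX - (SYMBOLS["read"] + 5))  # read: jmp hook
SAMPLE_TEXT[0x20:0x29] = (b"\xf3\x0f\x1e\xfa\xe9"                  # write: endbr64; jmp hook
                          + struct.pack("<i", (ANON_RWX + 0x100) - (SYMBOLS["write"] + 4 + 5)))

SAMPLE_GOT = {"open": 0x7F0000012340, "read": ANON_RWX, "write": SYMBOLS["write"], "malloc": 0x400426}
PROVIDER = {s: "libc.so.6" for s in SAMPLE_GOT}


def run_sample():
    """Both checks over the constructed snapshot: (got_findings, hook_findings)."""
    return check_got(SAMPLE_GOT, PROVIDER), scan_entries(bytes(SAMPLE_TEXT), LIBC_TEXT_BASE, SYMBOLS)


if __name__ == "__main__":
    got_findings, hook_findings = run_sample()
    for sym, why in got_findings.items():
        print(f"[GOT] {sym}: {why}")
    for name, (kind, target) in hook_findings.items():
        print(f"[HOOK] {name}: {kind} -> {target:#x} "
              f"({owner_of(target, TEXT_RANGES) or 'anonymous/unmapped'})")
```

In the sample, read is caught twice (its GOT slot and its entry bytes both lead into the anonymous rwx region), while write has a clean GOT slot and is caught only by the entry scan; the two checks are complementary for exactly that reason. A jmp at a function entry is a lead rather than proof, since compilers do emit tail-call thunks, so the definitive step is the one this chapter builds towards: comparing the bytes in memory against the same function in the on-disk copy of the object.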