Learning Linux Binary Analysis

By: "elfmaster" O'Neill
Overview of this book

Learning Linux Binary Analysis is packed with knowledge and code that will teach you the inner workings of the ELF format, and the methods used by hackers and security analysts for virus analysis, binary patching, software protection and more. This book will start by taking you through UNIX/Linux object utilities, and will move on to teaching you all about the ELF specimen. You will learn about process tracing, and will explore the different types of Linux and UNIX viruses, and how you can make use of ELF Virus Technology to deal with them. The latter half of the book discusses the usage of Kprobe instrumentation for kernel hacking, code patching, and debugging. You will discover how to detect and disinfect kernel-mode rootkits, and move on to analyze static code. Finally, you will be walked through complex userspace memory infection analysis. This book will lead you into territory that is uncharted even by some experts; right into the world of the computer hacker.
Table of Contents (11 chapters)

Useful devices and files

Linux has many files, devices, and /proc entries that are very helpful for the avid hacker and reverse engineer. Throughout this book, we will be demonstrating the usefulness of many of these files. Here is a description of some of the commonly used ones throughout the book.

/proc/<pid>/maps

The /proc/<pid>/maps file describes the layout of a process image by listing each memory mapping: the executable, shared libraries, stack, heap, VDSO, and more. It is critical for quickly parsing the layout of a process address space and is used more than once throughout this book.
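As an added example (not code from the book), here is a small C parser for /proc/<pid>/maps lines that classifies each mapping the way the paragraph above lists them and recovers the executable's text base from a full listing. The sample listing and the path /tmp/demo are constructed, not taken from a real process.

```c
#include <stdio.h>
#include <string.h>
typedef struct {
    unsigned long long start, end, offset; /* [start, end) and backing file offset */
    char perms[5], path[256];              /* "r-xp"; pathname, [heap]/[stack]/[vdso], or "" */
} map_entry_t;
/* Parse one maps line. Returns 1 on success, 0 if the line is malformed. */
int parse_maps_line(const char *line, map_entry_t *e)
{
    unsigned major, minor; unsigned long inode; int consumed = 0;
    if (sscanf(line, "%llx-%llx %4s %llx %x:%x %lu%n", &e->start, &e->end,
               e->perms, &e->offset, &major, &minor, &inode, &consumed) < 7)
        return 0;
    const char *p = line + consumed;
    while (*p == ' ' || *p == '\t') p++;            /* the path column is space-padded */
    size_t n = strcspn(p, "\n"); if (n >= sizeof e->path) n = sizeof e->path - 1;
    memcpy(e->path, p, n); e->path[n] = '\0';       /* "" for anonymous mappings */
    return 1;
}
/* Name the region the way the text lists them (exe, library, heap, stack, VDSO). */
const char *classify_mapping(const map_entry_t *e, const char *exe_path)
{
    if (!strcmp(e->path, "[heap]"))  return "heap";
    if (!strcmp(e->path, "[stack]")) return "stack";
    if (!strcmp(e->path, "[vdso]"))  return "vdso";
    if (e->path[0] == '\0')          return "anonymous";
    if (!strcmp(e->path, exe_path))  return "executable";
    return strstr(e->path, ".so") ? "shared library" : "file-backed";
}
/* Load address of exe_path's text segment (its first executable mapping), or 0 if absent. */
unsigned long long find_text_base(const char *maps, const char *exe_path)
{
    char line[512]; map_entry_t e;
    while (*maps) {                                 /* split the listing line by line */
        size_t n = strcspn(maps, "\n"); if (n >= sizeof line) n = sizeof line - 1;
        memcpy(line, maps, n); line[n] = '\0';
        if (parse_maps_line(line, &e) && strchr(e.perms, 'x') && !strcmp(e.path, exe_path))
            return e.start;
        maps += n + (maps[n] == '\n');
    }
    return 0;
}
/* Constructed sample shaped like real /proc/<pid>/maps output (hypothetical process). */
static const char SAMPLE_MAPS[] =
    "00400000-00401000 r-xp 00000000 08:01 123456   /tmp/demo\n"
    "01a2c000-01a4d000 rw-p 00000000 00:00 0        [heap]\n"
    "7f1c9a000000-7f1c9a1c0000 r-xp 00000000 08:01 7890   /lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffd4a1b5000-7ffd4a1d6000 rw-p 00000000 00:00 0        [stack]\n"
    "7ffd4a1ff000-7ffd4a201000 r-xp 00000000 00:00 0        [vdso]\n";
```

Reading the real file is the same loop over the contents of /proc/<pid>/maps; the parser deliberately stops each line at the newline so the padded path column of one line is never mistaken for the next.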

/proc/kcore

/proc/kcore is an entry in the proc filesystem that acts as a dynamic core file of the Linux kernel. That is, it is a raw dump of memory presented in the form of an ELF core file, which GDB can use to debug and analyze the kernel. We will explore /proc/kcore in depth in Chapter 9, Linux /proc/kcore Analysis.

/boot/System.map

This file is available on almost all Linux distributions and is very useful for kernel hackers. It contains every symbol for the entire kernel.

/proc/kallsyms

kallsyms is very similar to System.map, except that it is a /proc entry, which means it is maintained by the kernel and updated dynamically. Therefore, if new LKMs are loaded, their symbols are added to /proc/kallsyms on the fly. /proc/kallsyms contains most of the symbols in the kernel, and all of them if the kernel was built with CONFIG_KALLSYMS_ALL.

/proc/iomem

iomem is a useful proc entry because it is similar to /proc/<pid>/maps, but covers all of the system's memory. If, for instance, you want to know where the kernel's text segment is mapped in physical memory, search for the string Kernel and you will see the code/text segment, the data segment, and the bss segment:

  $ grep Kernel /proc/iomem
  01000000-016d9b27 : Kernel code
  016d9b28-01ceeebf : Kernel data
  01df0000-01f26fff : Kernel bss

ECFS

Extended core file snapshot (ECFS) is a special core dump technology that was specifically designed for advanced forensic analysis of a process image. The code for this software can be found at https://github.com/elfmaster/ecfs. Also, Chapter 8, ECFS – Extended Core File Snapshot Technology, is solely devoted to explaining what ECFS is and how to use it. For those of you who are into advanced memory forensics, you will want to pay close attention to this.
