Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Learning Linux Binary Analysis
  • Table Of Contents Toc
  • Feedback & Rating feedback
Learning Linux Binary Analysis

Learning Linux Binary Analysis

By : "elfmaster" O'Neill
4.8 (10)
Buy this Book
close
close
Learning Linux Binary Analysis

Learning Linux Binary Analysis

4.8 (10)
By: "elfmaster" O'Neill
Buy this Book

Overview of this book

Learning Linux Binary Analysis is packed with knowledge and code that will teach you the inner workings of the ELF format, and the methods used by hackers and security analysts for virus analysis, binary patching, software protection and more. This book will start by taking you through UNIX/Linux object utilities, and will move on to teaching you all about the ELF specimen. You will learn about process tracing, and will explore the different types of Linux and UNIX viruses, and how you can make use of ELF Virus Technology to deal with them. The latter half of the book discusses the usage of Kprobe instrumentation for kernel hacking, code patching, and debugging. You will discover how to detect and disinfect kernel-mode rootkits, and move on to analyze static code. Finally, you will be walked through complex userspace memory infection analysis. This book will lead you into territory that is uncharted even by some experts; right into the world of the computer hacker.
Table of Contents (11 chapters)
close
close
close
Preface
Icon
Preface
Icon
What this book covers
Icon
What you need for this book
Icon
Who this book is for
Icon
Conventions
Icon
Reader feedback
Icon
Customer support
Free Chapter
1
1. The Linux Environment and Its Tools
Icon
1. The Linux Environment and Its Tools
Icon
Linux tools
Icon
Useful devices and files
Icon
Linker-related environment points
Icon
Summary
2
2. The ELF Binary Format
Icon
2. The ELF Binary Format
Icon
ELF file types
Icon
ELF program headers
Icon
ELF section headers
Icon
ELF symbols
Icon
ELF relocations
Icon
ELF dynamic linking
Icon
Coding an ELF Parser
Icon
Summary
3
3. Linux Process Tracing
Icon
3. Linux Process Tracing
Icon
The importance of ptrace
Icon
ptrace requests
Icon
The process register state and flags
Icon
A simple ptrace-based debugger
Icon
A simple ptrace debugger with process attach capabilities
Icon
Advanced function-tracing software
Icon
ptrace and forensic analysis
Icon
Process image reconstruction – from the memory to the executable
Icon
Code injection with ptrace
Icon
Simple examples aren't always so trivial
Icon
Demonstrating the code_inject tool
Icon
A ptrace anti-debugging trick
Icon
Summary
4
4. ELF Virus Technology – Linux/Unix Viruses
Icon
4. ELF Virus Technology – Linux/Unix Viruses
Icon
ELF virus technology
Icon
ELF virus engineering challenges
Icon
ELF virus parasite infection methods
Icon
The PT_NOTE to PT_LOAD conversion infection method
Icon
Infecting control flow
Icon
Process memory viruses and rootkits – remote code injection techniques
Icon
ELF anti-debugging and packing techniques
Icon
ELF virus detection and disinfection
Icon
Summary
5
5. Linux Binary Protection
Icon
5. Linux Binary Protection
Icon
ELF binary packers – dumb protectors
Icon
Stub mechanics and the userland exec
Icon
Other jobs performed by protector stubs
Icon
Existing ELF binary protectors
Icon
Downloading Maya-protected binaries
Icon
Anti-debugging for binary protection
Icon
Resistance to emulation
Icon
Obfuscation methods
Icon
Protecting control flow integrity
Icon
Other resources
Icon
Summary
6
6. ELF Binary Forensics in Linux
Icon
6. ELF Binary Forensics in Linux
Icon
The science of detecting entry point modification
Icon
Detecting other forms of control flow hijacking
Icon
Identifying parasite code characteristics
Icon
Checking the dynamic segment for DLL injection traces
Icon
Identifying reverse text padding infections
Icon
Identifying text segment padding infections
Icon
Identifying protected binaries
Icon
IDA Pro
Icon
Summary
7
7. Process Memory Forensics
Icon
7. Process Memory Forensics
Icon
What does a process look like?
Icon
Process memory infection
Icon
Detecting the ET_DYN injection
Icon
Linux ELF core files
Icon
Summary
8
8. ECFS – Extended Core File Snapshot Technology
Icon
8. ECFS – Extended Core File Snapshot Technology
Icon
History
Icon
The ECFS philosophy
Icon
Getting started with ECFS
Icon
libecfs – a library for parsing ECFS files
Icon
readecfs
Icon
Examining an infected process using ECFS
Icon
The ECFS reference guide
Icon
Process necromancy with ECFS
Icon
Learning more about ECFS
Icon
Summary
9
9. Linux /proc/kcore Analysis
chevron up
Icon
9. Linux /proc/kcore Analysis
Icon
Linux kernel forensics and rootkits
Icon
stock vmlinux has no symbols
Icon
/proc/kcore and GDB exploration
Icon
Direct sys_call_table modifications
Icon
Kprobe rootkits
Icon
Debug register rootkits – DRR
Icon
VFS layer rootkits
Icon
Other kernel infection techniques
Icon
vmlinux and .altinstructions patching
Icon
Using taskverse to see hidden processes
Icon
Infected LKMs – kernel drivers
Icon
Notes on /dev/kmem and /dev/mem
Icon
/dev/mem
Icon
K-ecfs – kernel ECFS
Icon
Kernel hacking goodies
Icon
Summary
10
Index
Icon
Index

Using taskverse to see hidden processes

In the Linux kernel, there are a several ways to modify the kernel so that process hiding can work. Since this chapter is not meant to be an exegesis on all kernel rootkits, I will cover only the most commonly used method and then propose a way of detecting it, which is implemented in the taskverse program I made available in 2014.

In Linux, the process IDs are stored as directories within the /proc filesystem; each directory contains a plethora of information about the process. The /bin/ps program does a directory listing in /proc to see which pids are currently running on the system. A directory listing in Linux (such as with ps or ls) uses the sys_getdents64 system call and the filldir64 kernel function. Many kernel rootkits hijack one of these functions (depending on the kernel version) and then insert some code that skips over the directory entry containing the d_name of the hidden process. As a result, the /bin/ps program is unable to find the...

Unlock full access

Continue reading for free

A Packt free trial gives you instant online access to our library of over 7000 practical eBooks and videos, constantly updated with the latest in tech
Start a 7-day FREE trial
End of Section 9
Next Section

Create a Note

Modal Close icon
You need to login to use this feature.
notes
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Delete Note

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Edit Note

Modal Close icon
Write a note (max 255 characters)
Cancel
Update Note

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY