From Collaborative RCE Knowledge Library


Linux


Item name: Manual binary mangling with radare
Rating: 4.0 (1 vote)
Author: pancake                        
Home URL: http://rada.re/
Last updated: November 6, 2009
Version (if appl.):
Direct D/L link: http://phrack.org/issues/66/14.html
Description: 1 - Introduction
1.1 - The framework
1.2 - First steps
1.3 - Base conversions
1.4 - The target

2 - Injecting code in ELF
2.1 - Resolving register based branches
2.2 - Resizing data section
2.3 - Basics on code injection
2.4 - Mmap trampoline
2.4.1 - Call trampoline
2.4.2 - Extending trampolines

3 - Protections and manipulations
3.1 - Trashing the ELF header
3.2 - Source level watermarks
3.3 - Ciphering .data section
3.4 - Finding differences in binaries
3.5 - Removing library dependencies
3.6 - Syscall obfuscation
3.7 - Replacing library symbols
3.8 - Checksumming

4 - Playing with code references
4.1 - Finding xrefs
4.2 - Blind code references
4.3 - Graphing xrefs
4.4 - Randomizing xrefs

5 - Conclusion
6 - Future work
7 - References
8 - Greetings

"Reverse engineering is something usually related to w32 environments where
there is a lot of non-free software and where the use of protections is more
extended to enforce evaluation time periods or protect intellectual (?)
property, using binary packing and code obfuscation techniques.

These kinds of protections are also used by viruses and worms to evade
anti-virus engines in order to detect sandboxes. This makes reverse
engineering a double-edged sword..."
Also listed in: Linux Anti Reversing Articles, Linux ELF Articles, Linux Internals Articles, Linux Protection Technique Articles, Linux Tool Articles



Item name: Advanced malware analysis lab
Rating: 0.0 (0 votes)
Author: Wes Brown                        
Home URL: http://www.ioactive.com/
Last updated: July 4, 2010
Version (if appl.):
Direct D/L link: http://conference.hitb.org/hitbsecconf2010ams/materials/D2T3%20-%20Wes%20Brown%20-%20Advanced%20Malware%20Analysis%20Lab.pdf
Description: Among the techniques reviewed will be memory inspection, debugging, hooking, as well as PE file examination. Techniques that malware uses to avoid being inspected will be discussed along with ways to work around them. The malware workshop environment will also be walked through and each tool demonstrated, so that the workshop attendee leaves with a good grasp of how and when to use them.
Also listed in: Linux Malware Analysis Articles, Windows Malware Analysis Articles



Item name: Alien Autopsy rev. 2008
Rating: 0.0 (0 votes)
Author: TiGa                        
Home URL: http://www.woodmann.com/TiGa/
Last updated:
Version (if appl.):
Direct D/L link: http://www.woodmann.com/TiGa/videos/TiGa-vid9.htm
Description: This video tutorial will teach you how to reverse a Windows crackme under Linux with IDA Pro.
Also listed in: Linux Tool Tutorials, Linux Unpacking Tutorials, Windows Tool Tutorials, Windows Unpacking Tutorials



Item name: Beginners Guide to Basic Linux Anti Anti Debugging Techniques
Rating: 0.0 (0 votes)
Author: M. Schallner                        
Home URL: http://home.pages.at/f001/
Last updated: May 2006
Version (if appl.):
Direct D/L link: http://www.codebreakers-journal.com/downloads/cbj/2006/CBM_3_1_2006_Schallner_Beginners_Guide_to_Basic_Linux_Anti_Anti_Debugging_Techniques.pdf
Description: This article from CodeBreaker's Journal is inspired by _mammon's tales and Silvio Cesare's work.

"Anti-debugging techniques are a common method for protecting software applications. Meanwhile, as such kinds of protection tricks are often used, several approaches work against such kinds of protection. One known method is anti-anti tricks, which circumvent the mentioned protection schemes. This paper confines itself to techniques and methods used for Linux platform applications, especially dealing with the operating platform's specific tools."
Also listed in: Linux Anti Reversing Articles, Linux Protection Technique Articles, Linux Unpacking Articles



Item name: Cryptexec: next-generation runtime binary encryption
Rating: 0.0 (0 votes)
Author: Zeljko Vrba                        
Home URL: http://www.phrack.org
Last updated: 2005
Version (if appl.):
Direct D/L link: http://phrack.org/issues/63/13.html#article
Description: 1 Introduction
2 OS- and hardware-assisted tracing
3 Userland tracing
3.1 Provided API
3.2 High-level description
3.3 Actual usage example
3.4 XDE bug
3.5 Limitations
3.6 Porting considerations
4 Further ideas
5 Related work
5.1 ELFsh
5.2 Shiva
5.3 Burneye
5.4 Conclusion
6 References
7 Credits
A Appendix: source code
A.1 crypt_exec.S
A.2 cryptfile.c
A.3 test2.c

"What is binary encryption and why encrypt at all? For the answer to
this question the reader is referred to the Phrack#58 [1] and article
therein titled "Runtime binary encryption". This article describes a
method to control the target program that does not rely on
any assistance from the OS kernel or processor hardware. The method
is implemented in x86-32 GNU AS (AT&T syntax). Once the controlling
method is devised, it is relatively trivial to include on-the-fly
code decryption."
Also listed in: Linux Anti Reversing Articles, Linux ELF Articles, Linux Internals Articles



Item name: dnsbf.py - Python script for Reverse dns search in a subnet (dns brute force)
Rating: 0.0 (0 votes)
Author: t0ka7a                        
Home URL: http://infond.blogspot.com
Last updated: April 5, 2010
Version (if appl.):
Direct D/L link: http://infond.blogspot.com/2010/02/dnsbfpy-python-script-for-reverse-dns.html
Description: The first step of a penetration test is to discover hosts in a subnet. To this end, DNS is your second best friend (after Google :).
First, to know which subnet (ex: 72.14.204.0/23) is associated with a hostname (ex: www.google.fr), you can use the Whois database (ex: with a site such as http://www.robtex.com).
Then, to know which hosts are declared in the DNS database for this subnet, you can use dnsbf.py :)
dnsbf.py is a script, written in Python, which conducts a reverse DNS search for all the IPs in a subnet.
Also listed in: Linux Tool Articles, Mac OS Tool Articles, Windows Tool Articles



Item name: Embedded ELF Debugging : the middle head of Cerberus
Rating: 0.0 (0 votes)
Author: The ELF shell crew                        
Home URL: http://www.eresi-project.org/
Last updated: January 8, 2005
Version (if appl.):
Direct D/L link: http://www.phrack.com/issues.html?issue=63&id=9&mode=txt
Description: I. Hardened software debugging introduction
a. Previous work & limits
b. Beyond PaX and ptrace()
c. Interface improvements
II. The embedded debugging playground
a. In-process injection
b. Alternate ondisk and memory ELF scripting (feat. linkmap)
c. Real debugging : dumping, backtrace, breakpoints
d. A note on dynamic analyzers generation
III. Better multiarchitecture ELF redirections
a. CFLOW: PaX-safe static functions redirection
b. ALTPLT technique revised
c. ALTGOT technique : the RISC complement
d. EXTPLT technique : unknown function postlinking
e. IA32, SPARC32/64, ALPHA64, MIPS32 compliant algorithms
V. Constrained Debugging
a. ET_REL relocation in memory
b. ET_REL injection for Hardened Gentoo (ET_DYN + pie + ssp)
c. Extending static executables
d. Architecture independent algorithms
VI. Past and present
VII. Greetings
VIII. References
Also listed in: Linux Internals Articles, Linux Tool Articles



Item name: firmware reversing : Netgear DG834PN
Rating: 0.0 (0 votes)
Author: Nicolas Krassas                        
Home URL: http://0entropy.blogspot.com
Last updated: August 17, 2011
Version (if appl.):
Direct D/L link: http://0entropy.blogspot.com/2011/08/firmware-reversing-netgear-dg834pn.html
Description: This short blog post describes a technique used to identify the structure of a firmware image (an ADSL router in this case) and how to extract and mount its filesystem.
Also listed in: Linux Reversing Technique Articles



Item name: Forensic discovery - Malware analysis basics
Rating: 0.0 (0 votes)
Author: Wietse Venema, Dan Farmer                        
Home URL: http://www.porcupine.org
Last updated: January 9, 2005
Version (if appl.):
Direct D/L link: http://www.porcupine.org/forensics/forensic-discovery/chapter6.html
Description: This chapter on malware analysis basics comes from a larger book about forensic discovery (a must read), all about UNIX!
Also listed in: Linux Malware Analysis Articles



Item name: GDB Reference Card
Rating: 0.0 (0 votes)
Author: Free Software Foundation                        
Home URL: http://www.fsf.org/
Last updated: 1998
Version (if appl.): v4
Direct D/L link: http://users.ece.utexas.edu/~adnan/gdb-refcard.pdf
Description: This reference card immediately gives you the options needed to master GDB on every UNIX-like platform.
Also listed in: Linux Tool Tidbits, Mac OS Tool Tidbits



Item name: Linux Improvised Userland Scheduler Virus
Rating: 0.0 (0 votes)
Author: Izik                        
Home URL: http://uninformed.org
Last updated: December 29, 2005
Version (if appl.):
Direct D/L link: http://uninformed.org/?v=3&a=6&t=txt
Description: "This paper discusses the combination of a userland scheduler and
runtime process infection for a virus. These two concepts complete
each other. The runtime process infection opens the door to invading
into other processes, and the userland scheduler provides a way to
make the injected code coexist with the original process code. This
allows the virus to remain stealthy and active inside an infected
process."
Also listed in: Linux ELF Articles, Linux Internals Articles, Linux Malware Analysis Articles



Item name: Linux anti-debugging techniques (fooling the debugger)
Rating: 0.0 (0 votes)
Author: Silvio Cesare                        
Home URL: http://virus.beergrave.net
Last updated: January 1999
Version (if appl.):
Direct D/L link: http://www.phiral.net/other/linux-anti-debugging.txt
Description: TABLE OF CONTENTS
-----------------

INTRODUCTION
FALSE DISASSEMBLY
DETECTING BREAKPOINTS
SETTING UP FALSE BREAKPOINTS
DETECTING DEBUGGING


"This article describes anti-debugger techniques for x86/Linux (though some of
these techniques are not x86 specific). That is, techniques to either fool,
stop, or modify the process of debugging the target program. This can be
useful to the development of viruses and also to those implementing software
protection."
Also listed in: Linux Anti Reversing Articles, Linux Unpacking Articles



Item name: Linux on the Half-ELF
Rating: 0.0 (0 votes)
Author: Mammon_                        
Home URL: http://www.eccentrix.com/members/mammon/
Last updated:
Version (if appl.):
Direct D/L link: http://www.eccentrix.com/members/mammon/tales/linux_re.txt
Description: A long time ago, Mammon_ wrote a tale about Linux reversing...


"This paper is concerned with reverse engineering in the Linux environment: a
topic which is still sparsely covered despite years of attention from security
consultants, software crackers, and programmers writing device drivers or
Windows interoperability software. The question will naturally arise: why
would anyone be interested in reverse engineering on Linux, an operating system
in which the applications which are not open-source are usually available for
no charge?"
Also listed in: Linux ELF Articles



Item name: Malware Analysis: Environment Design and Architecture
Rating: 0.0 (0 votes)
Author: Adrian Sanabria                        
Home URL: http://www.sans.org/
Last updated: January 18, 2007
Version (if appl.):
Direct D/L link: http://www.sans.org/reading_room/whitepapers/threats/malware_analysis_environment_design_and_artitecture_1841
Description: This academic article precisely describes the possible ways of setting up a malware analysis environment (both physical and virtualized).
Also listed in: Linux Malware Analysis Articles, Windows Malware Analysis Articles



Item name: Next generation debuggers for reverse engineering
Rating: 0.0 (0 votes)
Author: The ELFsh Crew                        
Home URL: http://www.eresi-project.org
Last updated: 2007
Version (if appl.):
Direct D/L link: http://s.eresi-project.org/inc/articles/bheu-eresi-article-2007.pdf
Description: "Classical debuggers make use of an interface provided by the operating system in order to access the memory of programs while they execute. As this model is dominating in the industry and the community, we show that our novel embedded architecture is more adapted when debuggee systems are hostile and protected at the operating system level. This alternative modelization is also more performant as the debugger executes from inside the debuggee program and can read the memory of the host process directly. We give detailed information about how to keep memory unintrusiveness using a new technique called allocation proxying. We reveal how we developed the organization of our multiarchitecture framework and its multiple modules so that they allow for graph-based binary code analysis, ad-hoc typing, compositional fingerprinting, program instrumentation, real-time tracing, multithread debugging and general hooking of systems. We reveal the reflective essence of our framework by embedding its internal structures in our own reverse engineering language, thus recalling concepts of aspect oriented programming."
Also listed in: Linux ELF Articles, Linux Internals Articles, Linux Tool Articles



Item name: Process Dump and Binary Reconstruction
Rating: 0.0 (0 votes)
Author: ilo                        
Home URL: http://www.phrack.com
Last updated:
Version (if appl.):
Direct D/L link: http://www.phrack.com/issues.html?issue=63&id=12&mode=txt
Description: This article describes process dumping and binary reconstruction, through the coding of a tool called PD.

"PD is a proof of concept tool being released to help rebuild
or recover a binary file from a running process, even if the file never
existed on disk. Computer forensics, reverse engineering, intruders,
administrators, software protection, all share the same piece of the puzzle
in a computer."
Also listed in: Linux Unpacking Articles



Item name: Resolving ELF Relocation Name / Symbols
Rating: 0.0 (0 votes)
Author: Chris Rohlf                        
Home URL: http://em386.blogspot.com
Last updated: October 7, 2007
Version (if appl.):
Direct D/L link: http://em386.blogspot.com/2006/10/resolving-elf-relocation-name-symbols.html
Description: This article explains how relocation is done for names and symbols.

"From the ELF 1.2 standard:

"Relocation is the process of connecting symbolic references with symbolic definitions. For example, when a program calls a function, the associated call instruction must transfer control to the proper destination address at execution. In other words, relocatable files must have information that describes how to modify their section contents, thus allowing executable and shared object files to hold the right information for a process's program image. Relocation entries are these data.""
Also listed in: Linux Unpacking Articles



Item name: Stepping with GDB during PLT uses and .GOT fixup
Rating: 0.0 (0 votes)
Author: mayhem                        
Home URL: http://www.eresi-project.org
Last updated:
Version (if appl.):
Direct D/L link: http://s.eresi-project.org/inc/articles/elf-runtime-fixup.txt
Description: "This text is a GDB tutorial about runtime process fixup using the Procedure
Linkage Table section (.plt) and the Global Offset Table section (.got).
If you don't know what ELF is, you should read the ELF ultimate documentation,
which you can find easily on Google.

Some basic ASM knowledge may be required.

This text has not been written for ELF specialists. This tutorial is an
alternative, interactive way to understand the PLT mechanisms."
Also listed in: Linux ELF Articles, Linux Internals Articles, Linux Tool Articles, Linux Unpacking Articles



Item name: The Life of Binaries
Rating: 0.0 (0 votes)
Author: Xeno Kovah                        
Home URL: http://opensecuritytraining.info/
Last updated: September 6, 2011
Version (if appl.):
Direct D/L link: http://opensecuritytraining.info/LifeOfBinaries.html
Description: This is a 2 day class which is freely available to watch. You can also take the materials and use them to teach your own classes.

--


Topics include but are not limited to:
• Scanning and tokenizing source code.
• Parsing a grammar.
• Different targets for x86 assembly object files generation. (E.g. relocatable vs. position independent code).
• Linking object files together to create a well-formed binary.
• Detailed descriptions of the high level similarities and low level differences between the Windows PE and Linux ELF binary formats. (NOTE: we didn't get to this in the class where the video was recorded, but the materials are in the slides)
• How an OS loads a binary into memory and links it on the fly before executing it.

Along the way we discuss the relevance of security at different stages of a binary’s life, from the tricks that can be played by a malicious compiler, to how viruses really work, to the way which malware “packers” duplicate OS process execution functionality, to the benefit of a security-enhanced OS loader which implements address space layout randomization (ASLR).

Lab work includes:
• Manipulating compiler options to change the type of assembly which is output
• Manipulating linker options to change the structure of binary formats
• Reading and understanding PE files with PEView
• Reading and understanding ELF files with Readelf (NOTE: we didn't get to this in the class where the video was recorded, but the materials are in the slides)
• Using WinDbg and/or GDB to watch the loader dynamically link an executable
• Using Thread Local Storage (TLS) to obfuscate control flow and serve as a basic anti-debug mechanism
• Creating a simple example virus for PE
• Analyzing the changes made to the binary format when a file is packed with UPX
• Using the rootkit technique of Import Address Table (IAT) hooking to subvert the integrity of a program’s calls to external libraries, allowing files to be hidden.

Knowledge of this material is recommended, but not required, for future classes such as Rootkits, but is required for reverse engineering. (Both also at http://opensecuritytraining.info/Training.html)
Also listed in: Generic Malware Analysis Tutorials, Generic Protection Technique Tutorials, Generic Reversing Technique Tutorials, Linux ELF Articles, Windows Internals Tutorials, Windows Malware Analysis Tutorials, Windows Reversing Technique Tutorials, Windows Tool Tutorials, Windows Unpacking Tutorials



Item name: trusted platforms module (TPM), openssl and ecryptfs tutorial
Rating: 0.0 (0 votes)
Author: t0ka7a                        
Home URL: http://infond.blogspot.com
Last updated: April 6, 2010
Version (if appl.):
Direct D/L link: http://infond.blogspot.com/2010/03/trusted-platforms-module-tpm-openssl.html
Description: Trusted Platform Modules (TPM) are cryptographic processors mounted on computers. Their goal is to provide an encryption and authentication service package by keeping secret keys in hardware. This makes it difficult for an attacker to retrieve these keys. For educational purposes, when a computer is not equipped with the chip, it is possible to emulate its behavior. This tutorial extends French security researcher Noemie Floissac's article [3]. It describes the use of the TPM with the Linux OS and its application to openssl and ecryptfs.
English and French versions available on http://infond.blogspot.com
Also listed in: Linux Protection Technique Tutorials



Item name: tutorial mutual authentication - trusted platform module (TPM) - apache2 - openssl
Rating: 0.0 (0 votes)
Author: t0ka7a                        
Home URL: http://infond.blogspot.com
Last updated: April 9, 2010
Version (if appl.):
Direct D/L link: http://infond.blogspot.com/2010/04/tutorial-mutual-authentication-trusted.html
Description: The administrator of an Apache2 server can restrict access to a part of his website to authenticated users. This article deals with mutual authentication (strong authentication) with X509 certificates between an Apache2 server and a client. In addition, the client's certificate is protected in the trusted platform module (TPM) of his computer.
With this solution, only granted computers gain access to the site. Also, it becomes more complicated for a hacker to access the private key of a compromised computer. Indeed, this key is difficult to copy or extract, as it is kept in the hardware TPM.
English and French versions available on http://infond.blogspot.com
Also listed in: Linux Protection Technique Tutorials



Item name: Understanding Linux ELF RTLD internals
Rating: 0.0 (0 votes)
Author: mayhem                        
Home URL: http://www.eresi-project.org
Last updated: 2002
Version (if appl.): 0.2
Direct D/L link: http://s.eresi-project.org/inc/articles/elf-rtld.txt
Description: "Actually there's much ELF documentation at this time, most of it
virii coding or backdooring related. To be honest, I never found
any documentation on the dynamic linking sources, and that's why I wrote
this one. Sometimes it looks more like an internal ld.so reference or
a comments review on the ELF dynamic linking implementation in ld-linux.so.

It's not that unuseful since the dynamic linking is one of the worst
documented parts of the Linux operating system. I also decided to write
a (tiny) chapter on ELF kernel handling code, because it is
really necessary to know some kernel level stuff (like the stack
initialisation) to understand the whole interpreting."

O] Prologue
A) Kernel handling code
B) Introducing glibc macros
1] Dynamic linker implementation
A) Sources graphics
B) The link_map structure explained
C) Relocating the interpreter
D) Runtime GOT relocation
E) Symbol resolution
2] FAQ, thanks and references


TODO :
X) Stack information gathering
X) SHT_DYNAMIC information gathering
X) PHT interpreting
X) Loading shared libraries
X) Shared libraries relocation
Also listed in: Linux ELF Articles, Linux Internals Articles



