From Collaborative RCE Knowledge Library

Jump to: navigation, search

Linux Anti Reversing Articles


Item name: Manual binary mangling with radare
Rating: 4.0 (1 vote)
Author: pancake                        
Home URL: http://rada.re/
Last updated: November 6, 2009
Version (if appl.):
Direct D/L link: http://phrack.org/issues/66/14.html
Description: 1 - Introduction
1.1 - The framework
1.2 - First steps
1.3 - Base conversions
1.4 - The target

2 - Injecting code in ELF
2.1 - Resolving register based branches
2.2 - Resizing data section
2.3 - Basics on code injection
2.4 - Mmap trampoline
2.4.1 - Call trampoline
2.4.2 - Extending trampolines

3 - Protections and manipulations
3.1 - Trashing the ELF header
3.2 - Source level watermarks
3.3 - Ciphering .data section
3.4 - Finding differences in binaries
3.5 - Removing library dependencies
3.6 - Syscall obfuscation
3.7 - Replacing library symbols
3.8 - Checksumming

4 - Playing with code references
4.1 - Finding xrefs
4.2 - Blind code references
4.3 - Graphing xrefs
4.4 - Randomizing xrefs

5 - Conclusion
6 - Future work
7 - References
8 - Greetings

"Reverse engineering is something usually related to w32 environments where
there is lot of non-free software and where the use of protections is more
extended to enforce evaluation time periods or protect intellectual (?)
property, using binary packing and code obfuscation techniques.

These kind of protections are also used by viruses and worms to evade
anti-virus engines in order to detect sandboxes. This makes reverse
engineering a double-edged sword..."
Also listed in: Linux ELF Articles, Linux Internals Articles, Linux Protection Technique Articles, Linux Tool Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Beginners Guide to Basic Linux Anti Anti Debugging Techniques
Rating: 0.0 (0 votes)
Author: M. Schallner                        
Home URL: http://home.pages.at/f001/
Last updated: May 2006
Version (if appl.):
Direct D/L link: http://www.codebreakers-journal.com/downloads/cbj/2006/CBM_3_1_2006_Schallner_Beginners_Guide_to_Basic_Linux_Anti_Anti_Debugging_Techniques.pdf
Description: This article from CodeBreaker's Journal is inspired from _mammon's tales and Silvio Cesare's work.

"Anti-debugging techniques are a common method for protecting software applications. Meanwhile such kind of protection tricks are often used, several approaches work against such kind of protection. One known method are anti-anti tricks which circumvent the mentioned protection schemes. This paper confines to techniques and methods used for Linux platform applications, especially dealing with the operation platforms specific tools."
Also listed in: Linux Protection Technique Articles, Linux Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Cryptexec: next-generation runtime binary encryption
Rating: 0.0 (0 votes)
Author: Zeljko Vrba                        
Home URL: http://www.phrack.org
Last updated: 2005
Version (if appl.):
Direct D/L link: http://phrack.org/issues/63/13.html#article
Description: 1 Introduction
2 OS- and hardware-assisted tracing
3 Userland tracing
3.1 Provided API
3.2 High-level description
3.3 Actual usage example
3.4 XDE bug
3.5 Limitations
3.6 Porting considerations
4 Further ideas
5 Related work
5.1 ELFsh
5.2 Shiva
5.3 Burneye
5.4 Conclusion
6 References
7 Credits
A Appendix: source code
A.1 crypt_exec.S
A.2 cryptfile.c
A.3 test2.c

"What is binary encryption and why encrypt at all? For the answer to
this question the reader is referred to the Phrack#58 [1] and article
therein titled "Runtime binary encryption". This article describes a
method to control the target program that doesn't does not rely on
any assistance from the OS kernel or processor hardware. The method
is implemented in x86-32 GNU AS (AT&T syntax). Once the controlling
method is devised, it is relatively trivial to include on-the-fly
code decryption."
Also listed in: Linux ELF Articles, Linux Internals Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Linux anti-debugging techniques (fooling the debugger)
Rating: 0.0 (0 votes)
Author: Silvio Cesare                        
Home URL: http://virus.beergrave.net
Last updated: January 1999
Version (if appl.):
Direct D/L link: http://www.phiral.net/other/linux-anti-debugging.txt
Description: TABLE OF CONTENTS
-----------------

INTRODUCTION
FALSE DISASSEMBLY
DETECTING BREAKPOINTS
SETTING UP FALSE BREAKPOINTS
DETECTING DEBUGGING


"This article describes anti debugger techniques for x86/Linux (though some of
these techniques are not x86 specific). That is techniques to either fool,
stop, or modify the process of debugging the target program. This can be
useful to the development of viruses and also to those implementing software
protection."
Also listed in: Linux Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)




RSS feed Feed containing all updates and additions for this category.

RSS feed Feed containing all updates and additions for this category, including sub-categories.





Views
Category Navigation Tree
   Tools