From Collaborative RCE Knowledge Library

Jump to: navigation, search

Linux Internals Articles


Item name: Manual binary mangling with radare
Rating: 4.0 (1 vote)
Author: pancake                        
Home URL: http://rada.re/
Last updated: November 6, 2009
Version (if appl.):
Direct D/L link: http://phrack.org/issues/66/14.html
Description: 1 - Introduction
1.1 - The framework
1.2 - First steps
1.3 - Base conversions
1.4 - The target

2 - Injecting code in ELF
2.1 - Resolving register based branches
2.2 - Resizing data section
2.3 - Basics on code injection
2.4 - Mmap trampoline
2.4.1 - Call trampoline
2.4.2 - Extending trampolines

3 - Protections and manipulations
3.1 - Trashing the ELF header
3.2 - Source level watermarks
3.3 - Ciphering .data section
3.4 - Finding differences in binaries
3.5 - Removing library dependencies
3.6 - Syscall obfuscation
3.7 - Replacing library symbols
3.8 - Checksumming

4 - Playing with code references
4.1 - Finding xrefs
4.2 - Blind code references
4.3 - Graphing xrefs
4.4 - Randomizing xrefs

5 - Conclusion
6 - Future work
7 - References
8 - Greetings

"Reverse engineering is something usually related to w32 environments where
there is lot of non-free software and where the use of protections is more
extended to enforce evaluation time periods or protect intellectual (?)
property, using binary packing and code obfuscation techniques.

These kind of protections are also used by viruses and worms to evade
anti-virus engines in order to detect sandboxes. This makes reverse
engineering a double-edged sword..."
Also listed in: Linux Anti Reversing Articles, Linux ELF Articles, Linux Protection Technique Articles, Linux Tool Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Cryptexec: next-generation runtime binary encryption
Rating: 0.0 (0 votes)
Author: Zeljko Vrba                        
Home URL: http://www.phrack.org
Last updated: 2005
Version (if appl.):
Direct D/L link: http://phrack.org/issues/63/13.html#article
Description: 1 Introduction
2 OS- and hardware-assisted tracing
3 Userland tracing
3.1 Provided API
3.2 High-level description
3.3 Actual usage example
3.4 XDE bug
3.5 Limitations
3.6 Porting considerations
4 Further ideas
5 Related work
5.1 ELFsh
5.2 Shiva
5.3 Burneye
5.4 Conclusion
6 References
7 Credits
A Appendix: source code
A.1 crypt_exec.S
A.2 cryptfile.c
A.3 test2.c

"What is binary encryption and why encrypt at all? For the answer to
this question the reader is referred to the Phrack#58 [1] and article
therein titled "Runtime binary encryption". This article describes a
method to control the target program that doesn't does not rely on
any assistance from the OS kernel or processor hardware. The method
is implemented in x86-32 GNU AS (AT&T syntax). Once the controlling
method is devised, it is relatively trivial to include on-the-fly
code decryption."
Also listed in: Linux Anti Reversing Articles, Linux ELF Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Embedded ELF Debugging : the middle head of Cerberus
Rating: 0.0 (0 votes)
Author: The ELF shell crew                        
Home URL: http://www.eresi-project.org/
Last updated: January 8, 2005
Version (if appl.):
Direct D/L link: http://www.phrack.com/issues.html?issue=63&id=9&mode=txt
Description: I. Hardened software debugging introduction
a. Previous work & limits
b. Beyond PaX and ptrace()
c. Interface improvements
II. The embedded debugging playground
a. In-process injection
b. Alternate ondisk and memory ELF scripting (feat. linkmap)
c. Real debugging : dumping, backtrace, breakpoints
d. A note on dynamic analyzers generation
III. Better multiarchitecture ELF redirections
a. CFLOW: PaX-safe static functions redirection
b. ALTPLT technique revised
c. ALTGOT technique : the RISC complement
d. EXTPLT technique : unknown function postlinking
e. IA32, SPARC32/64, ALPHA64, MIPS32 compliant algorithms
V. Constrained Debugging
a. ET_REL relocation in memory
b. ET_REL injection for Hardened Gentoo (ET_DYN + pie + ssp)
c. Extending static executables
d. Architecture independant algorithms
VI. Past and present
VII. Greetings
VIII. References
Also listed in: Linux Tool Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Linux Improvised Userland Scheduler Virus
Rating: 0.0 (0 votes)
Author: Izik                        
Home URL: http://uninformed.org
Last updated: December 29, 2005
Version (if appl.):
Direct D/L link: http://uninformed.org/?v=3&a=6&t=txt
Description: "This paper discusses the combination of a userland scheduler and
runtime process infection for a virus. These two concepts complete
each other. The runtime process infection opens the door to invading
into other processes, and the userland scheduler provides a way to
make the injected code coexist with the original process code. This
allows the virus to remain stealthy and active inside an infected
process."
Also listed in: Linux ELF Articles, Linux Malware Analysis Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Linux on the Half-ELF
Rating: 0.0 (0 votes)
Author: Mammon_                        
Home URL: http://www.eccentrix.com/members/mammon/
Last updated:
Version (if appl.):
Direct D/L link: http://www.eccentrix.com/members/mammon/tales/linux_re.txt
Description: Long time ago, Mammon_ wrote a tale about Linux reversing...


"This paper is concerned with reverse engineering in the Linux environment: a
topic which is still sparsely covered despite years of attention from security
consultants, software crackers, and programmers writing device drivers or
Windows interoperability software. The question will naturally arise: why
would anyone be interested in reverse engineering on Linux, an operating system
in which the applications which are not open-source are usually available for
no charge?"
Also listed in: Linux ELF Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Next generation debuggers for reverse engineering
Rating: 0.0 (0 votes)
Author: The ELFsh Crew                        
Home URL: http://www.eresi-project.org
Last updated: 2007
Version (if appl.):
Direct D/L link: http://s.eresi-project.org/inc/articles/bheu-eresi-article-2007.pdf
Description: "Classical debuggers make use of an interface provided by the operating system in order to access the memory of programs while they execute. As this model is dominating in the industry and the community, we show that our novel embedded architecture is more adapted when debuggee systems are hostile and protected at the operating system level. This alternative modelization is also more performant as the debugger executes from inside the debuggee program and can read the memory of the host process directly. We give detailed information about how to keep memory unintrusiveness using a new technique called allocation proxying. We reveal how we developed the organization of our multiarchitecture framework and its multiple modules so that they allow for graph-based binary code analysis, ad-hoc typing, compositional fingerprinting, program instrumentation, real-time tracing, multithread debugging and general hooking of systems. We reveal the reflective essence of our framework by embedding its internal structures in our own reverse engineering language, thus recalling concepts of aspect oriented programming."
Also listed in: Linux ELF Articles, Linux Tool Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Stepping with GDB during PLT uses and .GOT fixup
Rating: 0.0 (0 votes)
Author: mayhem                        
Home URL: http://www.eresi-project.org
Last updated:
Version (if appl.):
Direct D/L link: http://s.eresi-project.org/inc/articles/elf-runtime-fixup.txt
Description: "This text is a GDB tutorial about runtime process fixup using the Procedure
Linkage Table section (.plt) and the Global Offset Table section (.got) .
If you dont know what is ELF, you should read the ELF ultimate documentation
you can find easily on google .

Some basic ASM knowledge may be requested .

This text has not been written for ELF specialists . This tutorial is an
alternative , interactive way to understand the PLT mechanisms. "
Also listed in: Linux ELF Articles, Linux Tool Articles, Linux Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: The Life of Binaries
Rating: 0.0 (0 votes)
Author: Xeno Kovah                        
Home URL: http://opensecuritytraining.info/
Last updated: September 6, 2011
Version (if appl.):
Direct D/L link: http://opensecuritytraining.info/LifeOfBinaries.html
Description: This is a 2 day class which is freely available to watch. You can also take the materials and use them to teach your own classes.

--


Topics include but are not limited to:
• Scanning and tokenizing source code.
• Parsing a grammar.
• Different targets for x86 assembly object files generation. (E.g. relocatable vs. position independent code).
• Linking object files together to create a well-formed binary.
• Detailed descriptions of the high level similarities and low level differences between the Windows PE and Linux ELF binary formats. (NOTE: we didn't get to this in the class where the video was recorded, but the materials are in the slides)
• How an OS loads a binary into memory and links it on the fly before executing it.

Along the way we discuss the relevance of security at different stages of a binary’s life, from the tricks that can be played by a malicious compiler, to how viruses really work, to the way which malware “packers” duplicate OS process execution functionality, to the benefit of a security-enhanced OS loader which implements address space layout randomization (ASLR).

Lab work includes:
• Manipulating compiler options to change the type of assembly which is output
• Manipulating linker options to change the structure of binary formats
• Reading and understanding PE files with PEView
• Reading and understanding ELF files with Readelf (NOTE: we didn't get to this in the class where the video was recorded, but the materials are in the slides)
• Using WinDbg and/or GDB to watch the loader dynamically link an executable
• Using Thread Local Storage (TLS) to obfuscate control flow and serve as a basic anti-debug mechanism
• Creating a simple example virus for PE
• Analyze the changes made to the binary format when a file is packed with UPX
• Using the rootkit technique of Import Address Table (IAT) hooking to subvert the integrity of a program’s calls to external libraries, allowing files to be hidden.

Knowledge of this material is recommended, but not required, for future classes such as Rootkits, but is required for reverse engineering. (Both also at http://opensecuritytraining.info/Training.html)
Also listed in: Generic Malware Analysis Tutorials, Generic Protection Technique Tutorials, Generic Reversing Technique Tutorials, Linux ELF Articles, Windows Internals Tutorials, Windows Malware Analysis Tutorials, Windows Reversing Technique Tutorials, Windows Tool Tutorials, Windows Unpacking Tutorials
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Understanding Linux ELF RTLD internals
Rating: 0.0 (0 votes)
Author: mayhem                        
Home URL: http://www.eresi-project.org
Last updated: 2002
Version (if appl.): 0.2
Direct D/L link: http://s.eresi-project.org/inc/articles/elf-rtld.txt
Description: "Actually there's many ELF documentation at this time, most of them
are virii coding or backdooring related . To be honest, I never found
any documentation on the dynamic linking sources, and thats why I wrote
this one . Sometimes it looks more like an internal ld.so reference or
a comments review on the ELF dynamic linking implementation in ld-linux.so .

It's not that unuseful since the dynamic linking is one of the worse
documented part of the Linux operating system . I also decided to write
a (tiny) chapter on ELF kernel handling code, because it is
really necessary to know some kernel level stuffs (like the stack
initialisation) to understand the whole interpreting. "

O] Prologue
A) Kernel handling code
B) Introducting glibc macros
1] Dynamic linker implementation
A) Sources graphics
B) The link_map structure explained
C) Relocating the interpretor
D) Runtime GOT relocation
E) Symbol resolution
2] FAQ, thanks and references


TODO :
X) Stack information gathering
X) SHT_DYNAMIC information gathering
X) PHT interpreting
X) Loading shared libraries
X) Shared libraries relocation
Also listed in: Linux ELF Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)




RSS feed Feed containing all updates and additions for this category.

RSS feed Feed containing all updates and additions for this category, including sub-categories.


Subcategories

There is one subcategory to this category.





Views
Category Navigation Tree
   Tools