Learning Linux Binary Analysis is packed with knowledge and code that will teach you the inner workings of the ELF format, and the methods used by hackers and security analysts for virus analysis, binary patching, software protection and more.
This book will start by taking you through UNIX/Linux object utilities, and will move on to teaching you all about the ELF specimen. You will learn about process tracing, and will explore the different types of Linux and UNIX viruses, and how you can make use of ELF Virus Technology to deal with them.
The latter half of the book discusses the usage of Kprobe instrumentation for kernel hacking, code patching, and debugging. You will discover how to detect and disinfect kernel-mode rootkits, and move on to analyze static code. Finally, you will be walked through complex userspace memory infection analysis.
This book will lead you into territory that is uncharted even by some experts; right into the world of the computer hacker.
- Preface
- Chapter 1: The Linux Environment and Its Tools
- Linux tools
- Useful devices and files
- Linker-related environment points
- Summary
- Chapter 2: The ELF Binary Format
- ELF file types
- ELF program headers
- ELF section headers
- ELF symbols
- ELF relocations
- ELF dynamic linking
- Coding an ELF Parser
- Summary
- Chapter 3: Linux Process Tracing
- The importance of ptrace
- ptrace requests
- The process register state and flags
- A simple ptrace-based debugger
- A simple ptrace debugger with process attach capabilities
- Advanced function-tracing software
- ptrace and forensic analysis
- Process image reconstruction – from the memory to the executable
- Code injection with ptrace
- Simple examples aren't always so trivial
- Demonstrating the code_inject tool
- A ptrace anti-debugging trick
- Summary
- Chapter 4: ELF Virus Technology – Linux/Unix Viruses
- ELF virus technology
- ELF virus engineering challenges
- ELF virus parasite infection methods
- The PT_NOTE to PT_LOAD conversion infection method
- Infecting control flow
- Process memory viruses and rootkits – remote code injection techniques
- ELF anti-debugging and packing techniques
- ELF virus detection and disinfection
- Summary
- Chapter 5: Linux Binary Protection
- ELF binary packers – dumb protectors
- Stub mechanics and the userland exec
- Other jobs performed by protector stubs
- Existing ELF binary protectors
- Downloading Maya-protected binaries
- Anti-debugging for binary protection
- Resistance to emulation
- Obfuscation methods
- Protecting control flow integrity
- Other resources
- Summary
- Chapter 6: ELF Binary Forensics in Linux
- The science of detecting entry point modification
- Detecting other forms of control flow hijacking
- Identifying parasite code characteristics
- Checking the dynamic segment for DLL injection traces
- Identifying reverse text padding infections
- Identifying text segment padding infections
- Identifying protected binaries
- IDA Pro
- Summary
- Chapter 7: Process Memory Forensics
- What does a process look like?
- Process memory infection
- Detecting the ET_DYN injection
- Linux ELF core files
- Summary
- Chapter 8: ECFS – Extended Core File Snapshot Technology
- History
- The ECFS philosophy
- Getting started with ECFS
- libecfs – a library for parsing ECFS files
- readecfs
- Examining an infected process using ECFS
- The ECFS reference guide
- Process necromancy with ECFS
- Learning more about ECFS
- Summary
- Chapter 9: Linux /proc/kcore Analysis
- Linux kernel forensics and rootkits
- stock vmlinux has no symbols
- /proc/kcore and GDB exploration
- Direct sys_call_table modifications
- Kprobe rootkits
- Debug register rootkits – DRR
- VFS layer rootkits
- Other kernel infection techniques
- vmlinux and .altinstructions patching
- Using taskverse to see hidden processes
- Infected LKMs – kernel drivers
- Notes on /dev/kmem and /dev/mem
- /dev/mem
- K-ecfs – kernel ECFS
- Kernel hacking goodies
- Summary
- Index