
Finding library subroutines in stripped statically-linked binaries - PowerPoint PPT Presentation



  1. Finding library subroutines in stripped statically-linked binaries: findmagic
  Katharina Bogad, Technische Universität München, Computer Science Department, SS 2015
  January 18, 2017
  K. Bogad findmagic SS 2015 January 18, 2017 1 / 39

  2. obligatory tl;dr me slide
  ▸ Computer Science student
  ▸ Member of the H4x0rPsch0rr CTF-Team and CTF-Player for fun (and sometimes profit)
  ▸ Interested in reverse engineering for a long time
  ▸ Hates QR-Codes

  3. Preliminary audience questions
  Who of you has...
  ▸ basic knowledge of graph theory?
  ▸ reverse engineered a statically linked binary at least once?

  5. Problem description: Why?
  ▸ Traditional pattern-matching: the exact library build is needed for decent results
  ▸ Works reasonably well in homogeneous environments like MSVCRT
  ▸ Open source libraries?
  ▸ Embedded devices?

  6. Problem description: Why?
  So, what are we doing if we cannot have symbols?
  ▸ Looking at the arguments?
  ▸ Looking at suspicious constants? Think of 0x8080808080 for strlen(3)
  Let's automate this!

  7. Problem description: Why?
  However, there are caveats:
  ▸ Finding arguments is not a trivial task.
  ▸ What makes a constant suspicious?
  But automating gives new perspectives: comparing callgraphs!

  9. Algorithm Design: Graph definition
  ▸ A program is a set of attributed graphs G = (N, B)
  ▸ Nodes N are functions
  ▸ Branches B are calls between functions

  10. Algorithm Design: Definitions for later use
  We need:
  ▸ A string definition:

  $$
  \begin{aligned}
  & \big(\forall (i, c) \in \mathit{str} : (c \ge \mathtt{0x20} \wedge c \le \mathtt{0xDF}) \vee c = \mathtt{0x0A} \vee c = \mathtt{0x0D} \vee c = \mathtt{0x09} \vee c = \mathtt{0x00}\big) \\
  \wedge\ & |\mathit{str}| > 1 \\
  \wedge\ & \big(\forall (i, c) \in \mathit{str} \mid i = \max(i, \mathit{str}) : c = \mathtt{0x00}\big) \\
  \wedge\ & \big(\forall (i, c) \in \mathit{str} \mid i \ne \max(i, \mathit{str}) : c \ne \mathtt{0x00}\big)
  \end{aligned}
  \tag{1}
  $$

  Printable characters from extended ASCII ... and \n, \r, \t and 0x00 ... with a minimum length of 2 ... where the last character is 0x00 and no other character is 0x00.
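As an added example (not the talk's code), the predicate in (1) implemented over raw bytes, plus a scanner that splits a blob at NUL bytes and keeps the runs that satisfy it; SAMPLE is a constructed byte blob and base is an assumed load address:

```python
# Added example (not the talk's code): definition (1) applied to raw bytes,
# plus a scanner that pulls candidate strings out of a constructed data blob.
PRINTABLE = set(range(0x20, 0xDF + 1)) | {0x0A, 0x0D, 0x09}   # extended ASCII, \n, \r, \t

def is_string(buf: bytes) -> bool:
    """True iff buf satisfies (1): every byte c is printable or NUL,
    |str| > 1, the byte at the highest index i is NUL and no other is."""
    if len(buf) <= 1:
        return False
    if not all(c in PRINTABLE or c == 0x00 for c in buf):
        return False
    last = len(buf) - 1                       # max(i, str)
    return buf[last] == 0x00 and all(c != 0x00 for c in buf[:last])

def find_strings(blob: bytes, base: int = 0):
    """Split blob at NUL bytes and keep the runs that satisfy is_string.
    Returns [(address, text)], address = base + offset, which is what a
    lea/mov cross-reference has to point at for the string to enter S."""
    found, start = [], 0
    for i, c in enumerate(blob):
        if c == 0x00:
            cand = blob[start:i + 1]
            if is_string(cand):
                found.append((base + start, cand[:-1].decode("latin-1")))
            start = i + 1
    return found

# Constructed sample data: two valid strings, a lone NUL (|str| == 1)
# and a run containing the non-printable byte 0x01, which must be rejected.
SAMPLE = b"usage: %s\n\x00\x00\x01bad\x00ok\x00"

if __name__ == "__main__":
    for addr, text in find_strings(SAMPLE, base=0x402000):
        print(hex(addr), repr(text))
```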

  15. Algorithm Design: Definitions for later use
  We need:
  ▸ A node definition N = (n, s, C, S, I)
  ▸ n: Function name
  ▸ s: Function address
  ▸ C: Multiset of constant values
  ▸ S: Multiset of cross-referenced strings
  ▸ I: Ordered multiset of the machine instructions

  16. Algorithm Design: Get crackin'
  Objective: Generate a bijective mapping M = N₁ → N₂
  ▸ N₁: known library function
  ▸ N₂: function inside the target library

  17. Algorithm Design: Get crackin'
  1 Acquire target library with debug symbols
  2 Build the graphs for it
  3 Build graphs for the binary we analyse
  4 Match them

  21. Algorithm Design: Get crackin'
  Do we need exactly the same binary used for linking?
  ▸ Short answer: no.
  ▸ Long answer: it depends.

  23. Algorithm Design: Get crackin'
  ▸ A reasonably close version is enough
  ▸ Watch out for compiler flags
  ▸ Also problematic: assert()

  24. Algorithm Design: Why assert() is evil
  Caution: real world example (line 2391):

  assert((unsigned long) (old_size) < (unsigned long) (nb + MINSIZE));

  The stringified condition, with relocation:

  (unsigned long) (old_size) < (unsigned long) (nb + (unsigned long)(
    (((__builtin_offsetof (struct malloc_chunk, fd_nextsize)) +
    ((2 * (sizeof (size_t))) - 1
    ))
    & ~(
    (2 * (sizeof (size_t))) - 1
    ))))

  without relocation:

  (unsigned long) (old_size) < (unsigned long) (nb + (unsigned long)(
    (((__builtin_offsetof (struct malloc_chunk, fd_nextsize)) +
    ((2 * (sizeof (size_t)) <
      __alignof__ (long double) ?
      __alignof__ (long double) :
      2 * (sizeof (size_t))
    ) - 1))
    & ~((2 * (sizeof (size_t)) <
      __alignof__ (long double) ?
      __alignof__ (long double) :
      2 * (sizeof (size_t))
    ) - 1
    ))))

  No code differs, but the debug strings vary!

  25. Automatic binary analysis: Overview
  1 Iterate over subroutines
  2 Iterate over the instructions of these subroutines
  3 If something interesting is found, add it to the corresponding list (1)
  (1) See the paper for a marvellous formal definition of this

  26. Automatic binary analysis: call analysis
  ▸ call instructions add a new branch to the function's callgraph
  ▸ Additionally, for the Intel x86_64 architecture:
  ▸ Only if it's a near call (opcode 0xE8)
  ▸ This ensures we're in the same section
  ▸ Other architectures may need different conditions!

  27. Automatic binary analysis: Strings
  ▸ Look for something that loads a pointer (x86_64: lea, mov)
  ▸ Check if it's a string by our definition
  ▸ If so, add it to the Strings of the current function

  28. Automatic binary analysis: Constants
  ▸ We don't want to add pointer arithmetic as constants
  ▸ Interesting constants are often bitmasks
  ▸ Thus, we limit ourselves to the immediates of and, or, xor and mov
  ▸ Optionally, we may exclude further by doing value checking on the constant
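An added example, not the findmagic implementation, of the three extraction rules above (near-call branches, lea/mov string cross-references, and/or/xor/mov immediates) run over a constructed x86_64 listing; the listing text, the STRINGS table and the function names f1/f2 are assumptions made for the example:

```python
import re
from collections import Counter

# Constructed Intel-syntax listing (not real program output): a near call (E8),
# an indirect call (FF 15, must be ignored), a RIP-relative lea to a string,
# and immediates on and/mov (the sub/add immediates are pointer arithmetic).
LISTING = """\
<f1>:
  401000: 48 83 ec 08             sub    rsp,0x8
  401004: 48 8d 3d f5 0f 00 00    lea    rdi,[rip+0xff5]
  40100b: e8 20 00 00 00          call   401030
  401010: 25 ff 00 00 00          and    eax,0xff
  401015: 48 83 c4 08             add    rsp,0x8
  401019: c3                      ret
<f2>:
  401030: b8 80 80 80 80          mov    eax,0x80808080
  401035: ff 15 00 10 00 00       call   QWORD PTR [rip+0x1000]
  40103b: c3                      ret
"""
STRINGS = {0x402000: "usage: %s\n"}        # assumed: address -> string found by definition (1)
CONST_OPS = {"and", "or", "xor", "mov"}    # only their immediates count as constants

def build_graph(listing, strings):
    """Return ({name: node}, branches). node = (n, s, C, S, I) as a dict,
    branches = set of (caller name, callee address) for near calls only."""
    nodes, branches, cur = {}, set(), None
    for line in listing.splitlines():
        if line.startswith("<"):                     # function label
            cur = line.strip("<>:")
            nodes[cur] = {"n": cur, "s": None, "C": Counter(), "S": Counter(), "I": []}
            continue
        addr_s, rest = line.split(":", 1)
        addr = int(addr_s.strip(), 16)
        raw, asm = re.split(r"\s{2,}", rest.strip(), maxsplit=1)
        opcode = bytes.fromhex(raw)
        mnem, _, ops = asm.partition(" ")
        ops, node = ops.strip(), nodes[cur]
        if node["s"] is None:
            node["s"] = addr
        node["I"].append(mnem)
        next_ip = addr + len(opcode)
        if mnem == "call" and opcode[0] == 0xE8:     # near call -> branch
            branches.add((cur, int(ops, 16)))
        rip = re.search(r"\[rip\+0x([0-9a-f]+)\]", ops)
        if mnem in ("lea", "mov") and rip and next_ip + int(rip[1], 16) in strings:
            node["S"][strings[next_ip + int(rip[1], 16)]] += 1
        imm = re.fullmatch(r"\w+,0x([0-9a-f]+)", ops)
        if mnem in CONST_OPS and imm:                # immediate, not pointer arithmetic
            node["C"][int(imm[1], 16)] += 1
    return nodes, branches
```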

  29. Automatic binary analysis: Matching
  Isomorphism:
  ▸ Ancient Greek: isos = equal and morphe = shape
  ▸ Mathematical way to compare the structure of objects

  30. Automatic binary analysis: Matching
  Choosing the right algorithm:
  ▸ Ullmann's algorithm
  ▸ Nauty (no automorphism, yes?)
  ▸ VF2
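An added example, not the talk's matcher and much simpler than Ullmann, nauty or VF2: a backtracking search for the bijective mapping M from slide 16, with the node attributes C and S used to prune candidates before the branch structure is checked; LIB and TGT are constructed graphs, and attribute compatibility is assumed to mean exact equality:

```python
# Added example (not the talk's implementation): backtracking search for a
# mapping M: N1 -> N2 from library functions to target functions such that
# the node attributes (here only C and S) agree and every branch between two
# mapped library nodes exists exactly between their images (and vice versa).
LIB = {   # known library, with symbols: name -> (C, S, callees)
    "strlen": ({0x8080808080}, set(), []),
    "puts":   (set(), set(), ["strlen", "write"]),
    "write":  (set(), set(), []),
    "usage":  (set(), {"usage: %s\n"}, ["puts"]),
}
TGT = {   # stripped target binary: address -> (C, S, callees)
    0x401000: (set(), {"usage: %s\n"}, [0x401040]),
    0x401040: (set(), set(), [0x401080, 0x4010c0]),
    0x401080: ({0x8080808080}, set(), []),
    0x4010c0: (set(), set(), []),
    0x401100: ({0xff}, set(), []),      # extra function without a counterpart
}

def compatible(a, b):           # node-label test: same constants and strings
    return a[0] == b[0] and a[1] == b[1]

def match(lib, tgt):
    """Return {lib_name: tgt_addr} covering all of lib, or None."""
    names = sorted(lib, key=lambda n: -len(lib[n][2]))   # most callees first

    def consistent(mapping, n, t):
        # branches between n and each mapped m must mirror those between t and m's image
        for m, mt in mapping.items():
            if (m in lib[n][2]) != (mt in tgt[t][2]) or (n in lib[m][2]) != (t in tgt[mt][2]):
                return False
        return True

    def search(i, mapping):
        if i == len(names):
            return dict(mapping)
        n = names[i]
        for t in tgt:
            if t in mapping.values() or not compatible(lib[n], tgt[t]):
                continue
            if consistent(mapping, n, t):
                mapping[n] = t
                found = search(i + 1, mapping)
                if found is not None:
                    return found
                del mapping[n]                  # backtrack
        return None

    return search(0, {})
```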
