lief library to instrument executable formats table of
play

LIEF: Library to Instrument Executable Formats Table of Contents - PowerPoint PPT Presentation

Jan 31, 2023 •329 likes •614 views

Romain Thomas - rthomas@quarkslab.com LIEF: Library to Instrument Executable Formats Table of Contents Introduction Architecture Demo Conclusion About Romain Thomas - Security engineer at Quarkslab Working on obfuscation and software

  1. Romain Thomas - rthomas@quarkslab.com LIEF: Library to Instrument Executable Formats

  2. Table of Contents Introduction Architecture Demo Conclusion

  3. About ◮ Romain Thomas - Security engineer at Quarkslab ◮ Working on obfuscation and software protection, reverse engineering ◮ Contributor to the Triton project ( https://triton.quarkslab.com )

  4. Layers of information Tools Format pefile, readelf, otool, LLVM . . . ELF, PE, Mach-O, COFF, XCOFF... Content LLVM, IDA, diStorm . . . Disassembler: x86, ARM, MIPS, AArch64 ... Behavior Intel PIN, Qemu, DBI, emulator, sandbox, debugger gdb, Triton . . . ... Figure: Layer of information in an executable

  5. Howto? ◮ Get assembly code? ◮ Get symbols? ◮ Get imported functions?

  6. Executable File Formats in a Nutshell

  7. Executable File Formats in a Nutshell Executable file format gives information such as: ◮ First instruction address to execute. ◮ Libraries used ◮ Target architecture ( x86 , ARM . . . )

  8. Executable File Formats in a Nutshell The three mainstream formats: ◮ ELF : Linux, Android . . . ◮ PE : Windows ◮ Mach-O : OS-X, iOS, . . .

  9. Modification Format modifications can be a starting point to: ◮ Packing ◮ Watermarking ◮ Hooking: Perform interposition on functions ◮ Persistent code injection ◮ Malware analysis (static unpacking . . . )

  10. Purpose of LIEF ◮ Provide a cross-platform library to parse ELF, PE and Mach-O formats ◮ Abstract common features from the different formats (section, header, entry point, symbols . . . ) ◮ Enable format modifications ◮ Provide an API for different languages (Python, C++, C . . . )

  11. Howto? (answers) Get assembly code?

  12. Howto? (answers) Get assembly code? 1 import lief 2 binary = lief.parse("C:\\ Windows \\ explorer.exe") # PE 3 asm = binary. get_section (".text")

  13. Howto? (answers) Get symbols?

  14. Howto? (answers) Get symbols? 1 import lief 2 binary = lief.parse("/bin/ls") # ELF 3 for symbol in binary.symbols: 4 print(symbols)

  15. Howto? (answers) Get imported functions?

  16. Howto? (answers) Get imported functions? 1 import lief 2 binary = lief.parse("/usr/lib/libc ++ abi.dylib") # Mach -O 3 for function in binary. imported_functions : 4 print(function)

  17. Table of Contents Introduction Architecture Demo Conclusion

  18. Overview LIEF ELF PE Mach-O ELF::Binary ELF::Parser ELF::Builder PE::Binary PE::Parser PE::Builder MACHO::Binary MACHO::Parser MACHO::Builder Abstract layer C++ Python / C Figure: Global architecture

  19. Modification process LIEF object LIEF object Header Header Sections Sections .text .text Modification .data .data .new section Segments Segments LOAD LOAD DYNAMIC DYNAMIC Parser Builder /bin/ls /bin/ls (modified)

  20. Table of Contents Introduction Architecture Demo Conclusion

  21. Demo!

  22. Table of Contents Introduction Architecture Demo Conclusion

  23. Roadmap Some ideas for next versions: ◮ Graphical User Interface (Work in progress) ◮ Handle the OAT format (subset of the ELF format) ◮ PE API to hook functions ◮ PE/Mach-O fuzzer ◮ Handle the Dwarf format

  24. ◮ Source code is available on GitHub: https://github.com/lief-project ( Apache 2.0 license) ◮ Website: https://lief.quarkslab.com

  25. ◮ Source code is available on GitHub: https://github.com/lief-project ( Apache 2.0 license) ◮ Website: https://lief.quarkslab.com Missing feature or bug?

  26. ◮ Source code is available on GitHub: https://github.com/lief-project ( Apache 2.0 license) ◮ Website: https://lief.quarkslab.com Missing feature or bug? lief@quarkslab.com or Open an issue / pull request

  27. Thank you!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

LIEF: Library to Instrument Executable Formats Table of Contents Introduction Project Overview

LIEF: Library to Instrument Executable Formats Table of Contents Introduction Project Overview

RMLL 2017 Romain Thomas - rthomas@quarkslab.com LIEF: Library to Instrument Executable Formats Table of Contents Introduction Project Overview Demo Conclusion About Romain Thomas (rthomas@quarkslab.com) - Security engineer Working on

1.12k views • 89 slides
Executable File Formats Portable Executable (PE) Executable

Executable File Formats Portable Executable (PE) Executable

Executable File Formats Portable Executable (PE) Executable file format of choice for Windows Executable and Linkable Format (ELF) Executable file

330 views • 16 slides
Format (ELF) Why Executable Formats? - All code in one file - But libraries! - We need a way

Format (ELF) Why Executable Formats? - All code in one file - But libraries! - We need a way

Executable and Linkable Format (ELF) Why Executable Formats? - All code in one file - But libraries! - We need a way to combine files Distribute as binary (object files) - - Linkers - We need a way to control how our programs run

281 views • 13 slides
Table A2 Field Descriptions for the Laboratory Instrument Table (Table A2) Contains related to

Table A2 Field Descriptions for the Laboratory Instrument Table (Table A2) Contains related to

Table A2 Field Descriptions for the Laboratory Instrument Table (Table A2) Contains related to laboratory instrument calibration on an analyte level and GC/MS Tune information. This table is optional depending on project requirements. Do not

288 views • 5 slides
Binarylevel program analysis: Executable File Formats Gang Tan CSE 597 Spring 2019 Penn

Binarylevel program analysis: Executable File Formats Gang Tan CSE 597 Spring 2019 Penn

Binarylevel program analysis: Executable File Formats Gang Tan CSE 597 Spring 2019 Penn State University * Some slides adapted from those by Toms Snchez Lpez at http://www.tomassanchez.com/material/ELF.ppt 1 Executable File

465 views • 20 slides
Static instrumentation based on executable file formats About Romain Thomas - Security

Static instrumentation based on executable file formats About Romain Thomas - Security

Romain Thomas - rthomas@quarkslab.com Static instrumentation based on executable file formats About Romain Thomas - Security engineer at Quarkslab Working on various topics: Android, (de)obfuscation, software protection and reverse

1.04k views • 77 slides
EXECUTABLE UML AND MBSE What Executable UML does, how it is totally di ff erent from UML, and

EXECUTABLE UML AND MBSE What Executable UML does, how it is totally di ff erent from UML, and

EXECUTABLE UML AND MBSE What Executable UML does, how it is totally di ff erent from UML, and how it fits with other Executable languages Leon Starr leon_starr@modelint.com MODEL INTEGRATION LLC www.modelint.com 1 LiU Seminar xUML MBSE -

527 views • 39 slides
Sequence File Formats Sequence File Formats Different formats for different uses

Sequence File Formats Sequence File Formats Different formats for different uses

Sequence File Formats Sequence File Formats Different formats for different uses Competing formats developed in parallel Some easy to read, some easy to write programs Dont have to stick to these formats, but parsers

210 views • 18 slides
Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module re, finditer Some fi file formats File extension Content File extension Description .html HyperText Markup Language .exe Windows executable

578 views • 15 slides
Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module re, finditer Some fi file formats File extension Content File extension Description .html HyperText Markup Language .exe Windows executable

413 views • 23 slides
Program Generation Workflow C**program compiler assembly*code nd* library*object*code

Program Generation Workflow C**program compiler assembly*code nd* library*object*code

Program Generation Workflow C**program compiler assembly*code nd* library*object*code assembler de. . object*code on* linker bels* executable *how* Sean Barker 1 Linking Schematic Executable*file Object*file main:*****

390 views • 4 slides
Compiler CS 449 Executables and gcc Object Linking Preprocessed C source files source

Compiler CS 449 Executables and gcc Object Linking Preprocessed C source files source

Compiler CS 449 Executables and gcc Object Linking Preprocessed C source files source Executable .c cpp cc1 .o ld Preprocessor Compiler Linker Jonathan Misurda jmisurda@cs.pitt.edu Executables Older Executable Formats What

302 views • 3 slides
Library of Congress Classification Module 11.3 Deciding Whether to Use the Biography Table

Library of Congress Classification Module 11.3 Deciding Whether to Use the Biography Table

Library of Congress Classification: Module 11.3 Library of Congress Classification Module 11.3 Deciding Whether to Use the Biography Table Policy, Training, and Cooperative Programs Division Library of Congress September 2019 1 Library of

612 views • 49 slides
Table A1 Field Descriptions for the Analytical Results Table (Table A1) Contains laboratory test

Table A1 Field Descriptions for the Analytical Results Table (Table A1) Contains laboratory test

Table A1 Field Descriptions for the Analytical Results Table (Table A1) Contains laboratory test results and related information for field and QC samples (excluding instrument calibrations) on an analyte level for environmental chemistry

69 views • 3 slides
Library of Congress Classification Module 10.3 Using the Translation Table & Texts in

Library of Congress Classification Module 10.3 Using the Translation Table & Texts in

Library of Congress Classification: Module 10.3 Library of Congress Classification Module 10.3 Using the Translation Table & Texts in Parallel Languages Policy, Training, and Cooperative Programs Division Library of Congress September

586 views • 46 slides
3D compact profiler Table top instrument with fixed configuration Key hardware features Compact

3D compact profiler Table top instrument with fixed configuration Key hardware features Compact

3D compact profiler Table top instrument with fixed configuration Key hardware features Compact design All integrated: Sensor head, Controller and Support Stand New developments Key hardware features B&W camera 1360x1024 One LED

350 views • 10 slides
CPSC 121: Models of Computation Unit 12 Sets and Functions Based on slides by Patrice Belleville

CPSC 121: Models of Computation Unit 12 Sets and Functions Based on slides by Patrice Belleville

CPSC 121: Models of Computation Unit 12 Sets and Functions Based on slides by Patrice Belleville and Steve Wolfman PART 1 SETS Unit 12: Sets and Functions 2 What is a Set? A set is an unordered collection of objects. The objects in a set

797 views • 32 slides
Field-Sensitive Unreachability and Non-Cyclicity Analysis Enrico Scapin and Fausto Spoto

Field-Sensitive Unreachability and Non-Cyclicity Analysis Enrico Scapin and Fausto Spoto

Field-Sensitive Unreachability and Non-Cyclicity Analysis Enrico Scapin and Fausto Spoto Dipartimento di Informatica - University of Verona (Italy) BYTECODE/ETAPS 2013 Scapin and Spoto (univr.it) Unreachability & Non-Cyclicity Analysis

776 views • 26 slides
Sampling from Databases CompSci 590.02 Instructor: AshwinMachanavajjhala Lecture 2 : 590.02

Sampling from Databases CompSci 590.02 Instructor: AshwinMachanavajjhala Lecture 2 : 590.02

Sampling from Databases CompSci 590.02 Instructor: AshwinMachanavajjhala Lecture 2 : 590.02 Spring 13 1 Recap Given a set of elements, random sampling when number of elements N is known is easy if you have random access to any arbitrary

1.03k views • 34 slides
Mat 2170 Lab 14 Week 14 ArrayList Class Generic Types Wrapper ArrayList Class Classes

Mat 2170 Lab 14 Week 14 ArrayList Class Generic Types Wrapper ArrayList Class Classes

Mat 2170 Week 14 ArrayList Class Week14 Mat 2170 Lab 14 Week 14 ArrayList Class Generic Types Wrapper ArrayList Class Classes Search Spring 2014 Student Responsibilities Mat 2170 Week 14 ArrayList Class Week14 EXAM Thursday,

325 views • 21 slides
Approximate Query Service on Autonomous IoT Cameras Mengwei Xu 1 , Xiwen Zhang 2 , Yunxin Liu 3

Approximate Query Service on Autonomous IoT Cameras Mengwei Xu 1 , Xiwen Zhang 2 , Yunxin Liu 3

Approximate Query Service on Autonomous IoT Cameras Mengwei Xu 1 , Xiwen Zhang 2 , Yunxin Liu 3 Gang Huang 1 , Xuanzhe Liu 1 , Felix Xiaozhu Lin 2 1 Peking University, 2 Purdue University, 3 Microsoft Research, 1 Video Analytics is a Killer App

984 views • 39 slides
The elf in ELF use 0-day to cheat all disassemblers david942j @ CyberSEC 2019 1 . 1 This talk

The elf in ELF use 0-day to cheat all disassemblers david942j @ CyberSEC 2019 1 . 1 This talk

The elf in ELF use 0-day to cheat all disassemblers david942j @ CyberSEC 2019 1 . 1 This talk Tricks to cheat disassemblers objdump, readelf, IDA Pro, etc. 2 . 1 IDA Pro The best tool for reverse-engineering Take it as examples in this

1.16k views • 60 slides
Optimizing C For Microcontrollers Khem Raj, Comcast Embedded Linux Conference & IOT summit -

Optimizing C For Microcontrollers Khem Raj, Comcast Embedded Linux Conference & IOT summit -

Optimizing C For Microcontrollers Khem Raj, Comcast Embedded Linux Conference & IOT summit - Portland OR Agenda Introduction Knowing the Tools Data Types and sizes Variable and Function Types Loops Low Level

580 views • 27 slides
:i extensions ) characterizations for Galois Thin ( Equivalent - Gal ( EIF ) . Then and

:i extensions ) characterizations for Galois Thin ( Equivalent - Gal ( EIF ) . Then and

Extension , Galois Galois Intermediate I : Extensions lame l Gal LEIF ) t.EE if ] ' tf Galois Elf is :i extensions ) characterizations for Galois Thin ( Equivalent - Gal ( EIF ) . Then and [ E : F) so let G - suppose

1.01k views • 15 slides

More recommend