static instrumentation based on executable file formats
play

Static instrumentation based on executable file formats About - PowerPoint PPT Presentation

Feb 20, 2024 •255 likes •1.04k views

Romain Thomas - rthomas@quarkslab.com Static instrumentation based on executable file formats About Romain Thomas - Security engineer at Quarkslab Working on various topics: Android, (de)obfuscation, software protection and reverse

  1. Romain Thomas - rthomas@quarkslab.com Static instrumentation based on executable file formats

  2. About � Romain Thomas - Security engineer at Quarkslab � Working on various topics: Android, (de)obfuscation, software protection and reverse engineering � Author of LIEF

  3. Executable Formats Executable Formats: Overview

  4. Executable Formats � First layer of information when analysing a binary 1 entrypoint, libraries, ...

  5. Executable Formats � First layer of information when analysing a binary � Provide metadata 1 used by the operating system to load the binary. 1 entrypoint, libraries, ...

  6. Executable Formats � OSX / iOS : Mach-O � Linux : ELF � Windows : PE � Android : ELF, OAT

  7. Executable Formats Why modify formats ?

  8. Executable Formats Change segments / sections permissions Disable ASLR More privileged area Userland Format Loader Kernel Add shared libraries Load shared libraries Perform relocations Set permissions Create Process Map content

  9. Executable Formats Change segments / sections permissions Disable ASLR More privileged area Userland Format Loader Kernel Add shared libraries Load shared libraries Perform relocations Set permissions Create Process Map content

  10. Executable Formats Change segments / sections permissions Disable ASLR More privileged area Userland Format Loader Kernel Add shared libraries Load shared libraries Perform relocations Set permissions Create Process Map content

  11. Executable Formats Change segments / sections permissions Disable ASLR More privileged area Userland Format Loader Kernel Add shared libraries Load shared libraries Perform relocations Set permissions Create Process Map content

  12. Executable Formats Change segments / sections permissions Disable ASLR More privileged area Userland Format Loader Kernel Add shared libraries Load shared libraries Perform relocations Set permissions Create Process Map content

  13. Executable Formats Change segments / sections permissions Disable ASLR More privileged area Userland Format Loader Kernel Add shared libraries Load shared libraries Perform relocations Set permissions Create Process Map content

  14. Executable Formats Change segments / sections permissions Disable ASLR More privileged area Userland Format Loader Kernel Add shared libraries Load shared libraries Perform relocations Set permissions Create Process Map content

  15. Executable Formats Change segments / sections permissions Disable ASLR More privileged area Userland Format Loader Kernel Add shared libraries Load shared libraries Perform relocations Set permissions Create Process Map content

  16. Executable Formats Change segments / sections permissions Disable ASLR More privileged area Userland Format Loader Kernel Add shared libraries Load shared libraries Perform relocations Set permissions Create Process Map content

  17. Executable Formats LIEF : Library to Instrument Executable Formats

  18. LIEF � One library to deal with ELF, PE, Mach-O � Core in C++ � Bindings for different languages: Python, C 2 , . . . � Enable modification on these formats � User friendly API 2 C binding is not as mature as Python and C++

  19. Executable Formats DEX File Object VDEX File Object ART File Object ELF Binary Object PE Binary Object Parser Builder Mach-O Fat Binary Object OAT Binary Object Abstract Binary Information extraction Information adding . . .

  20. Executable Formats import lief target = lief.parse("ELF/PE/Mach-O/OAT") print(target.entrypoint)

  21. Executable Formats import lief target = lief.parse("ELF/PE/Mach-O/OAT") for section in target.sections: print(section.virtual_address) process(section.content)

  22. Executable Formats import lief target = lief.parse("some.exe") target.tls.callbacks.append(0x....) target.write("new.exe")

  23. Executable Formats import lief target = lief.parse(...) section = lief.ELF.Section(".text2") section.content = [0x90] * 0x1000 target += section target.write("new.elf")

  24. Executable Formats Next parts introduce interesting modifications on formats: � Hooking � Exporting hidden functions � Code injection through shared libraries

  25. PE Hooking PE Hooking

  26. PE Hooking Regarding to PE files, LIEF enables to rebuild the import table elsewhere in the binary so that one can add new functions, new libraries or patch the Import Address Table.

  27. Example Figure – Original IAT

  28. Example The following code patch the IAT entry of __acrt_iob_func with a trampoline to the function 0x140008000 pe = lief.parse("some.exe") pe.hook_function("__acrt_iob_func", 0x140008000) builder = lief.PE.Builder(pe) builder.build_imports(True).patch_imports(True) builder.build() builder.write("hooked.exe")

  29. Example

  30. Example Figure – Original IAT patched with trampoline functions

  31. Example Figure – Trampoline for non-hooked function Figure – Trampoline for hooked function

  32. Example Limitations This method only works if accesses to the IAT are performed with call instructions. Especially it doesn’t if there is lea on the original IAT

  33. ELF Hooking Regarding to ELF files, hooking can be done with a patch of the plt/got.

  34. ELF plt/got .text ... 400637: jmp 400480 <memcmp@plt> ... 1 .plt ... 400480: jmp 201028 <memcmp@got> 400486: push 0x2 40048b: jmp 400450 <.plt> ... 3 2 .got ... 201028: 0x400486 ...

  35. ELF plt/got .text ... 400637: jmp 400480 <memcmp@plt> ... 1 .plt ... 400480: jmp 201028 <memcmp@got> 400486: push 0x2 40048b: jmp 400450 <.plt> ... 3 2 .got ... 201028: 0x400486 ...

  36. ELF plt/got .text ... 400637: jmp 400480 <memcmp@plt> ... 1 .plt ... 400480: jmp 201028 <memcmp@got> 400486: push 0x2 40048b: jmp 400450 <.plt> ... 3 2 .got ... 201028: 0x400486 ...

  37. ELF plt/got .text ... 400637: jmp 400480 <memcmp@plt> ... 1 .plt ... 400480: jmp 201028 <memcmp@got> 400486: push 0x2 40048b: jmp 400450 <.plt> ... 3 2 .got ... 201028: 0x400486 ...

  38. ELF plt/got Figure – Relocations associated with plt/got

  39. ELF plt/got import lief elf = lief.parse("some_elf") elf.patch_pltgot("memcmp", 0xAAAAAAAA) elf.write("elf_modified")

  40. ELF plt/got .text ... 400637: jmp 400480 <memcmp@plt> ... 1 .plt ... 400480: jmp 201028 <memcmp@got> 400486: push 0x2 40048b: jmp 400450 <.plt> ... 2 .got ... 201028: XXXXXX <memcmp@hook> ... 3 .hook ... XXXXXX: memcmp hooked ... https://lief.quarkslab.com/recon18/demo1

  41. ELF plt/got .text ... 400637: jmp 400480 <memcmp@plt> ... 1 .plt ... 400480: jmp 201028 <memcmp@got> 400486: push 0x2 40048b: jmp 400450 <.plt> ... 2 .got ... 201028: XXXXXX <memcmp@hook> ... 3 .hook ... XXXXXX: memcmp hooked ... https://lief.quarkslab.com/recon18/demo1

  42. ELF plt/got .text ... 400637: jmp 400480 <memcmp@plt> ... 1 .plt ... 400480: jmp 201028 <memcmp@got> 400486: push 0x2 40048b: jmp 400450 <.plt> ... 2 .got ... 201028: XXXXXX <memcmp@hook> ... 3 .hook ... XXXXXX: memcmp hooked ... https://lief.quarkslab.com/recon18/demo1

  43. ELF plt/got .text ... 400637: jmp 400480 <memcmp@plt> ... 1 .plt ... 400480: jmp 201028 <memcmp@got> 400486: push 0x2 40048b: jmp 400450 <.plt> ... 2 .got ... 201028: XXXXXX <memcmp@hook> ... 3 .hook ... XXXXXX: memcmp hooked ... https://lief.quarkslab.com/recon18/demo1

  44. Exporting Functions Exporting Functions

  45. Idea

  46. Idea

  47. Example int main(int argc, char argv[]) { if (COMPLICATED CONDITION) { fuzz_me(argv[1]); } return 0; }

  48. Example

  49. Example Figure – Original Symbol Table

  50. Example import lief target = lief.parse("target") target.add_exported_function(0x63A, "to_fuzz") target.write("target_modified")

  51. Example

  52. Example Figure – New Symbol Table

  53. Example typedef void(*fnc_t)(const char*); // Access with dlopen / dlsym void* hdl = dlopen("./target_modified", RTLD_LAZY); fnc_t to_fuzz = (fnc_t)dlsym(hdl, "to_fuzz"); to_fuzz(TO FEED); https://lief.quarkslab.com/recon18/demo2

  54. Code injection Code injection through shared libraries

  55. Context Different techniques exist to inject code: � Using environment variables: LD_PRELOAD , DYLD_INSERT_LIBRARIES , . . . � Using operating system API: WriteProcessMemory , ptrace , . . . � Using custom kernel drivers � Using executable formats

  56. Context Depending on the scenario, methods can be suitable or not. Next part shows a method based on shared libraries and executable formats to leverage code injection.

  57. Linked Libraries - Loading New library: libexample.so More privileged area Userland Format Loader Kernel Execute: my_constructor()

  58. Injection process 1. Declare a constructor __attribute__((constructor)) void my_constructor(void) { printf("Run payload\n"); } gcc -fPIC -shared libexample.c -o libexample.so gcc -fPIC -shared libexample.c -o libexample.dylib

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Executable File Formats Portable Executable (PE) Executable

Executable File Formats Portable Executable (PE) Executable

Executable File Formats Portable Executable (PE) Executable file format of choice for Windows Executable and Linkable Format (ELF) Executable file

330 views • 16 slides
Format (ELF) Why Executable Formats? - All code in one file - But libraries! - We need a way

Format (ELF) Why Executable Formats? - All code in one file - But libraries! - We need a way

Executable and Linkable Format (ELF) Why Executable Formats? - All code in one file - But libraries! - We need a way to combine files Distribute as binary (object files) - - Linkers - We need a way to control how our programs run

281 views • 13 slides
Binarylevel program analysis: Executable File Formats Gang Tan CSE 597 Spring 2019 Penn

Binarylevel program analysis: Executable File Formats Gang Tan CSE 597 Spring 2019 Penn

Binarylevel program analysis: Executable File Formats Gang Tan CSE 597 Spring 2019 Penn State University * Some slides adapted from those by Toms Snchez Lpez at http://www.tomassanchez.com/material/ELF.ppt 1 Executable File

465 views • 20 slides
Sequence File Formats Sequence File Formats Different formats for different uses

Sequence File Formats Sequence File Formats Different formats for different uses

Sequence File Formats Sequence File Formats Different formats for different uses Competing formats developed in parallel Some easy to read, some easy to write programs Dont have to stick to these formats, but parsers

210 views • 18 slides
Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module re, finditer Some fi file formats File extension Content File extension Description .html HyperText Markup Language .exe Windows executable

413 views • 23 slides
Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module re, finditer Some fi file formats File extension Content File extension Description .html HyperText Markup Language .exe Windows executable

578 views • 15 slides
static file cache Static file caching using realurl, mod_rewrite and mod_expires. . . . It slows

static file cache Static file caching using realurl, mod_rewrite and mod_expires. . . . It slows

static file cache Static file caching using realurl, mod_rewrite and mod_expires. . . . It slows down the warming of the earth. Michiel Roos Netcreators What does it do? Ehrm . . . it caches static files? I mean . . . it statically caches

607 views • 46 slides
COSC345 Week 17 Static verification 4 August 2015 Richard A. O Keefe 1 Aim of static

COSC345 Week 17 Static verification 4 August 2015 Richard A. O Keefe 1 Aim of static

COSC345 Week 17 Static verification 4 August 2015 Richard A. O Keefe 1 Aim of static verification Find defects early Work on incomplete components Work on non-executable items N.B. Testing and debugging cannot start until executable

498 views • 21 slides
A Tool for Automated Inference of Executable Rule- Based Biological Models Chelsea Voss, Jean

A Tool for Automated Inference of Executable Rule- Based Biological Models Chelsea Voss, Jean

A Tool for Automated Inference of Executable Rule- Based Biological Models Chelsea Voss, Jean Yang, Walter Fontana Static Analysis in Systems Biology, 2017 The need for biological models executable models for in silico experimentation

969 views • 72 slides
Modern Process Management with SOA, BAM und CEP From static process models to executable

Modern Process Management with SOA, BAM und CEP From static process models to executable

Modern Process Management with SOA, BAM und CEP From static process models to executable workflows and monitoring on business level Daniel Jobst Dr. Torsten Greiner Version 1.0 Overview SOA, BPM, BAM, Event Processing ARIS EPK (IDS)

434 views • 19 slides
Open source software for the keen file formats Ramn photographer: file formats Casero Caas

Open source software for the keen file formats Ramn photographer: file formats Casero Caas

Open source software for the keen photographer: Open source software for the keen file formats Ramn photographer: file formats Casero Caas Introduction Digital workflow Ramn Casero Caas From camera to computer File formats

493 views • 32 slides
Scien&amp;fic Data File Formats Han-Wei Shen The Ohio

Scien&amp;fic Data File Formats Han-Wei Shen The Ohio

Scien&amp;fic Data File Formats Han-Wei Shen The Ohio State University Scien&amp;fic File Format Common scien&amp;fic data file formats VTK

394 views • 25 slides
Grammar-based Specification and Parsing for Binary File Formats William Underwood Georgia Tech

Grammar-based Specification and Parsing for Binary File Formats William Underwood Georgia Tech

Grammar-based Specification and Parsing for Binary File Formats William Underwood Georgia Tech Research Institute Atlanta, Georgia, USA 7 th International Digital Curation Conference 2011 Bristol, UK December 5-7, 2011 GTRI_B-#

400 views • 26 slides
THE ELF OBJECT FILE FORMAT PROGRAM EXECUTION gcc/cc output an executable in the ELF format

THE ELF OBJECT FILE FORMAT PROGRAM EXECUTION gcc/cc output an executable in the ELF format

THE ELF OBJECT FILE FORMAT PROGRAM EXECUTION gcc/cc output an executable in the ELF format (Linux) Executable and Linkable Format Standard unified binary format for: Relocatable object files (.o), Shared object files (.so)

421 views • 16 slides
beautiful textures: patterns, tiles &amp; formats creating seamless patterns on the example of a

beautiful textures: patterns, tiles &amp; formats creating seamless patterns on the example of a

beautiful textures: patterns, tiles &amp; formats creating seamless patterns on the example of a custom 404 page, with a look at suitable file formats for online use Prisca Schmarsow :: eyelearn.org Steps covered 1. file organisation 2.

722 views • 25 slides
beautiful textures: patterns, tiles &amp; formats creating seamless patterns on the example of a

beautiful textures: patterns, tiles &amp; formats creating seamless patterns on the example of a

beautiful textures: patterns, tiles &amp; formats creating seamless patterns on the example of a custom 404 page, with a look at suitable file formats for online use Prisca Schmarsow :: eyelearn.org Steps covered 1. file organisation 2.

450 views • 21 slides
When 3 Memory Models Arent Enough October 23, 2019 Porting VMS to x86 using LLVM Began

When 3 Memory Models Arent Enough October 23, 2019 Porting VMS to x86 using LLVM Began

When 3 Memory Models Arent Enough October 23, 2019 Porting VMS to x86 using LLVM Began two years ago Host LLVM on OpenVMS Itanium Using older 3.4.2 due to Itanium C++ Convert our backends IR to LLVM IR Reuse existing

112 views • 8 slides
20 Years of PaX PaX Team SSTIC 2012.06.06 20 Years of PaX About Past Present Future About

20 Years of PaX PaX Team SSTIC 2012.06.06 20 Years of PaX About Past Present Future About

About Past Present Future 20 Years of PaX PaX Team SSTIC 2012.06.06 20 Years of PaX About Past Present Future About Introduction Design Concepts Past Userland Present Kernel Self-Protection Toolchain Support Future Userland

803 views • 40 slides
Kprobes internals Thomas Bitzberger bitz@lse.epita.fr What are kprobes Kprobes enables you

Kprobes internals Thomas Bitzberger bitz@lse.epita.fr What are kprobes Kprobes enables you

Kprobes internals Thomas Bitzberger bitz@lse.epita.fr What are kprobes Kprobes enables you to dynamically break into any kernel routine and collect debugging and performance information non-disruptively. You can trap at almost any kernel

642 views • 36 slides
Binary Code Retrofitting and Hardening Using SGX Shuai Wang, Wenhao Wang, Qinkun Bao, Pei Wang,

Binary Code Retrofitting and Hardening Using SGX Shuai Wang, Wenhao Wang, Qinkun Bao, Pei Wang,

Binary Code Retrofitting and Hardening Using SGX Shuai Wang, Wenhao Wang, Qinkun Bao, Pei Wang, XiaoFeng Wang, and Dinghao Wu The Pennsylvania State University, Indiana University Bloomington, Institute of Information Engineering Motivation

822 views • 25 slides
Lecture 04: Understanding System Calls System calls are functions that user programs use to

Lecture 04: Understanding System Calls System calls are functions that user programs use to

Lecture 04: Understanding System Calls System calls are functions that user programs use to interact with the OS and request some core service be executed on their behalf. Examples of system calls we've already seen this quarter: open ,

108 views • 8 slides
7. What Is Joint Action Shared Agency? butterfillS@ceu.hu butterfillS@ceu.hu Outline 1. The

7. What Is Joint Action Shared Agency? butterfillS@ceu.hu butterfillS@ceu.hu Outline 1. The

7. What Is Joint Action Shared Agency? butterfillS@ceu.hu butterfillS@ceu.hu Outline 1. The leading philosophical approach to shared agency 2. Limits of this approach 3. (Building blocks for) an alternative approach 4. Motor representation

1.15k views • 73 slides
Dense Encoding for Video-to-Text Matching Jianfeng Dong 1 , Xirong Li 2 , Chaoxi Xu 2 , Jing Cao 2

Dense Encoding for Video-to-Text Matching Jianfeng Dong 1 , Xirong Li 2 , Chaoxi Xu 2 , Jing Cao 2

Dense Encoding for Video-to-Text Matching Jianfeng Dong 1 , Xirong Li 2 , Chaoxi Xu 2 , Jing Cao 2 , Xun Wang 1 , Gang Yang 2 1 Zhejiang Gongshang University 2 AI &amp; Media Computing Lab, Renmin University of China Video to Text (VTT) Task @

341 views • 18 slides
Uprobes: User-Space Probes Jim Keniston: jkenisto@us.ibm.com Srikar Dronamraju:

Uprobes: User-Space Probes Jim Keniston: jkenisto@us.ibm.com Srikar Dronamraju:

Uprobes: User-Space Probes Jim Keniston: jkenisto@us.ibm.com Srikar Dronamraju: srikar@linux.vnet.ibm.com April 15, 2010 Linux is a registered trademark of Linus Torvalds. Topics Overview What and why? Two versions of uprobes

690 views • 22 slides

More recommend