Finding library subroutines in stripped statically-linked binaries - PowerPoint PPT Presentation

  1. Finding library subroutines in stripped statically-linked binaries: findmagic
     Katharina Bogad, Technische Universität München, Computer Science Department, SS 2015, January 18, 2017
     K. Bogad findmagic SS 2015 January 18, 2017 1 / 39

  2. Obligatory "tl;dr me" slide
     ▸ Computer Science student
     ▸ Member of the H4x0rPsch0rr CTF team and CTF player for fun (and sometimes profit)
     ▸ Interested in reverse engineering for a long time
     ▸ Hates QR codes

  3. Preliminary audience questions
     Who of you has...
     ▸ basic knowledge of graph theory?
     ▸ reverse engineered a statically linked binary at least once?

  4. Problem description: Why?
     ▸ Traditional pattern-matching: the exact library is needed for decent results
     ▸ Works reasonably well in homogeneous environments like MSVCRT
     ▸ Open source libraries?
     ▸ Embedded devices?

  5. Problem description: Why?
     So, what are we doing if we cannot have symbols?
     ▸ Looking at the arguments?
     ▸ Looking at suspicious constants? Think of 0x8080808080 for strlen(3).
     Let's automate this!

  6. Problem description: Why?
     However, there are caveats:
     ▸ Finding arguments is not a trivial task.
     ▸ What makes a constant suspicious?
     But automating gives new perspectives: comparing callgraphs!

  7. Algorithm design: Graph definition
     ▸ A program is a set of attributed graphs G = (N, B)
     ▸ Nodes N are functions
     ▸ Branches B are calls between functions

  8. Algorithm design: Definitions for later use
     We need a string definition:

     $$
     \begin{aligned}
     &\bigl(\forall (i, c) \in \mathit{str} : (c \ge \mathtt{0x20} \wedge c \le \mathtt{0xDF}) \vee c = \mathtt{0x0A} \vee c = \mathtt{0x0D} \vee c = \mathtt{0x09} \vee c = \mathtt{0x00}\bigr) \\
     &\wedge \; |\mathit{str}| > 1 \\
     &\wedge \; \bigl(\forall (i, c) \in \mathit{str} \mid i = \max(i, \mathit{str}) : c = \mathtt{0x00}\bigr) \\
     &\wedge \; \bigl(\forall (i, c) \in \mathit{str} \mid i \ne \max(i, \mathit{str}) : c \ne \mathtt{0x00}\bigr)
     \end{aligned} \tag{1}
     $$

     That is: printable characters from extended ASCII, plus \n, \r, \t and 0x00, with a minimum length of 2, where the last character is 0x00 and no other character is 0x00.
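The string definition (1) above, implemented as an added example (this is not the slides' own code, which is not on the page): `is_string` checks one NUL-terminated run against each clause of the definition, and `find_strings` scans a data blob for every run that passes, retrying one byte later when a run fails so that a string following non-printable bytes without a separating NUL is still found. The sample data section is constructed for this example.

```python
# Added example, not code from the findmagic slides: the string definition (1)
# implemented over raw bytes, plus a scanner that applies it to a data blob.
# The sample data section below is constructed for this example.

ALLOWED_CONTROL = {0x0A, 0x0D, 0x09}  # \n, \r, \t


def is_string(buf: bytes) -> bool:
    """Definition (1): length > 1, every byte printable extended ASCII
    (0x20..0xDF) or \\n \\r \\t, the last byte 0x00 and no earlier byte 0x00."""
    if len(buf) <= 1 or buf[-1] != 0x00:
        return False
    body = buf[:-1]
    if 0x00 in body:
        return False
    return all(0x20 <= c <= 0xDF or c in ALLOWED_CONTROL for c in body)


def find_strings(data: bytes):
    """Return (offset, text) for every NUL-terminated run in data that satisfies
    is_string. A run that fails the test is retried one byte later, so a string
    that follows non-printable garbage without a separating NUL is still found."""
    found = []
    i = 0
    while i < len(data):
        end = data.find(b"\x00", i)
        if end == -1:
            break  # no terminator left: nothing after i can be a string
        run = data[i:end + 1]
        if is_string(run):
            found.append((i, run[:-1].decode("latin-1")))
            i = end + 1
        else:
            i += 1
    return found


# Constructed sample: header-like garbage, a string, an empty run, two bytes
# above 0xDF, then three more strings (the shortest one has the minimum length 2).
SAMPLE = (b"\x7fELF\x02\x01" + b"Hello, world\n\x00" + b"\x00"
          + b"\xff\xfe" + b"ok\x00" + b"a\x00" + b"%s: %d\x00")

if __name__ == "__main__":
    for off, text in find_strings(SAMPLE):
        print(f"{off:#06x} {text!r}")
```

Note that 0x7F (DEL) passes the printable test because the definition admits the whole range 0x20..0xDF; anything above 0xDF (such as the 0xFF 0xFE pair in the sample) rejects the run it sits in.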

  9. Algorithm design: Definitions for later use
     We need a node definition N = (n, s, C, S, I):
     ▸ n: function name
     ▸ s: function address
     ▸ C: multiset of constant values
     ▸ S: multiset of cross-referenced strings
     ▸ I: ordered multiset of the machine instructions

  10. Algorithm design: Get crackin'
     Objective: generate a bijective mapping M: N1 → N2
     ▸ N1: known library function
     ▸ N2: function inside the target library

  11. Algorithm design: Get crackin'
     1. Acquire the target library with debug symbols
     2. Build the graphs for it
     3. Build the graphs for the binary we analyse
     4. Match them

  12. Algorithm design: Get crackin'
     Do we need exactly the same binary used for linking?
     ▸ Short answer: no.
     ▸ Long answer: it depends.

  13. Algorithm design: Get crackin'
     ▸ A reasonably close version is enough
     ▸ Watch out for compiler flags
     ▸ Also problematic: assert()

  14. Algorithm design: Why assert() is evil
     Caution: real world example (line 2391):

         assert((unsigned long) (old_size) < (unsigned long) (nb + MINSIZE));

     with relocation:

         (unsigned long) (old_size) < (unsigned long) (nb + (unsigned long)(
         (((__builtin_offsetof(struct
         malloc_chunk, fd_nextsize)) +
         ((2 * (sizeof(size_t))) - 1
         ))
         & ~(
         (2 * (sizeof(size_t))) - 1
         ))))

     without relocation:

         (unsigned long) (old_size) < (unsigned long) (nb + (unsigned long)(
         (((__builtin_offsetof(struct
         malloc_chunk, fd_nextsize)) + ((2 * (sizeof(size_t)) <
         __alignof__(long double) ?
         __alignof__(long double) :
         2 * (sizeof(size_t))
         ) - 1))
         & ~((2 * (sizeof(size_t)) <
         __alignof__(long double) ?
         __alignof__(long double) :
         2 * (sizeof(size_t))
         ) - 1
         ))))

     No code, but debug strings vary!

  15. Automatic binary analysis: Overview
     1. Iterate over subroutines
     2. Iterate over the instructions of these subroutines
     3. If something interesting is found, add it to the corresponding list¹
     ¹ See the paper for marvellous formal definitions of this

  16. Automatic binary analysis: Call analysis
     ▸ call instructions add a new branch to the function's callgraph
     ▸ Additionally, for the Intel x86_64 architecture:
       ▸ Only if it's a near call (opcode 0xE8)
       ▸ This ensures we're in the same section
     ▸ Other architectures may need different conditions!

  17. Automatic binary analysis: Strings
     ▸ Look for something that loads a pointer (x86_64: lea, mov)
     ▸ Check if it's a string by our definition
     ▸ If so, add it to the Strings of the current function

  18. Automatic binary analysis: Constants
     ▸ We don't want to add pointer arithmetic as constants
     ▸ Interesting constants are often bitmasks
     ▸ Thus, we limit ourselves to the immediates of and, or, xor and mov
     ▸ Optionally, we may exclude further by doing value checking on the constant
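The three-step scan of the "Automatic binary analysis" slides (overview, call analysis, strings, constants) carried through as an added example; this is not code from the findmagic project. It walks a constructed stream of pre-decoded instructions (the kind of tuples a disassembler hands back), keeps only near calls with opcode 0xE8 and a direct target as branches, checks the targets of lea/mov pointer loads against the string definition, and collects the immediates of and/or/xor/mov as constants while ignoring the add that adjusts the stack pointer. The function names, addresses, opcode bytes, data bytes and the operand encoding are all constructed for this example.

```python
# Added example, not code from the findmagic slides: the per-subroutine scan of
# the "Automatic binary analysis" slides, run over a constructed stream of
# already-decoded instructions (the tuples a disassembler would return) to
# build the attributed nodes N = (n, s, C, S, I) and the call branches B.
# All function names, addresses, opcode bytes and data bytes are constructed.
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    addr: int
    C: Counter = field(default_factory=Counter)  # multiset of constants
    S: Counter = field(default_factory=Counter)  # multiset of referenced strings
    I: list = field(default_factory=list)        # ordered instruction mnemonics


CONST_MNEMONICS = {"and", "or", "xor", "mov"}   # immediates here count as constants
PTR_LOAD_MNEMONICS = {"lea", "mov"}             # may load a pointer to a string


def is_string(buf: bytes) -> bool:
    """String definition (1) from the slides: NUL-terminated, length > 1, no
    inner NUL, every other byte in 0x20..0xDF or one of \\n \\r \\t."""
    return (len(buf) > 1 and buf[-1] == 0 and 0 not in buf[:-1]
            and all(0x20 <= c <= 0xDF or c in (0x0A, 0x0D, 0x09) for c in buf[:-1]))


def read_cstring(data, addr):
    """Return the NUL-terminated run starting at addr from the constructed data
    section ({base_addr: bytes}), or None if addr lies outside it."""
    for base, blob in data.items():
        if base <= addr < base + len(blob):
            end = blob.find(b"\x00", addr - base)
            return None if end == -1 else blob[addr - base:end + 1]
    return None


def analyse(functions, data):
    """functions: {name: (start_addr, [(addr, opcode_bytes, mnemonic, operands)])}
    Operands are register names (str), immediates / direct targets (int) or
    ("mem", addr) for a memory reference. Returns (nodes by address, branches)."""
    nodes, branches = {}, set()
    for name, (faddr, insns) in functions.items():
        node = Node(name, faddr)
        for _ia, opcode, mnem, ops in insns:
            node.I.append(mnem)
            if mnem == "call":
                # only a near call (opcode E8) with a direct target becomes a branch
                if opcode[0] == 0xE8 and isinstance(ops[0], int):
                    branches.add((faddr, ops[0]))
                continue
            if (mnem in PTR_LOAD_MNEMONICS and len(ops) == 2
                    and isinstance(ops[1], tuple) and ops[1][0] == "mem"):
                buf = read_cstring(data, ops[1][1])
                if buf is not None and is_string(buf):
                    node.S[buf[:-1].decode("latin-1")] += 1
                continue
            if mnem in CONST_MNEMONICS and len(ops) == 2 and isinstance(ops[1], int):
                node.C[ops[1]] += 1
        nodes[faddr] = node
    return nodes, branches


# Constructed data section: "usage: %s\n", three non-printable bytes, "done".
DATA = {0x403000: b"usage: %s\n\x00\x01\x02\x03\x00done\x00"}

# Constructed, pre-decoded instruction streams for two functions.
FUNCS = {
    "main": (0x401000, [
        (0x401000, b"\x48\x8d\x3d", "lea", ["rdi", ("mem", 0x403000)]),  # -> "usage: %s\n"
        (0x401007, b"\xe8", "call", [0x401100]),                          # near call: branch
        (0x40100c, b"\x48\x8d\x3d", "lea", ["rsi", ("mem", 0x40300b)]),  # -> \x01\x02\x03, no string
        (0x401013, b"\xff\x15", "call", [("mem", 0x404000)]),             # indirect call: no branch
        (0x401019, b"\x48\x25", "and", ["rax", 0xFFFFFFFFFFFFFFF0]),      # bitmask constant
        (0x40101f, b"\x48\x83\xc4", "add", ["rsp", 0x28]),                # pointer arithmetic: ignored
    ]),
    "helper": (0x401100, [
        (0x401100, b"\x48\x8d\x3d", "lea", ["rdi", ("mem", 0x40300f)]),  # -> "done"
        (0x401107, b"\x31\xc0", "xor", ["eax", "eax"]),                   # register operand: no constant
        (0x401109, b"\x48\x35", "xor", ["rax", 0x80808080]),
        (0x40110f, b"\x48\x35", "xor", ["rax", 0x80808080]),              # multiset: counted twice
        (0x401115, b"\xc3", "ret", []),
    ]),
}

if __name__ == "__main__":
    nodes, branches = analyse(FUNCS, DATA)
    for n in nodes.values():
        print(f"{n.name}@{n.addr:#x} C={dict(n.C)} S={dict(n.S)} I={n.I}")
    print("branches:", sorted(branches))
```

The multiset semantics matter for matching: `helper` records the 0x80808080 immediate twice, so a function that uses the same mask once would not compare equal on C.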

  19. Automatic binary analysis: Matching
     Isomorphism:
     ▸ Ancient Greek: isos = equal and morphe = shape
     ▸ Mathematical way to compare the structure of objects

  20. Automatic binary analysis: Matching
     Choosing the right algorithm:
     ▸ Ullmann's algorithm
     ▸ Nauty (no automorphism, yes?)
     ▸ VF2
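The slides name the candidate algorithms but do not show the matching step itself. As an added example (not the project's code, and not an implementation of VF2, Ullmann or nauty), this is a small attribute-aware backtracking search in the VF2 style: a candidate pair must have equal constant and string multisets, enough outgoing calls, and must preserve every call to or from a node that is already mapped. It produces the mapping M: N1 → N2 from a library callgraph with symbols onto a stripped binary's callgraph, allowing the binary to contain extra functions and extra calls. Library names, target addresses and attribute values are constructed; the target deliberately has an extra caller and an attribute-less leaf to show the structural pruning.

```python
# Added example, not code from the findmagic slides and not VF2 itself: an
# attribute-aware backtracking search that builds the bijection M: N1 -> N2
# between a library callgraph with symbols and a stripped binary's callgraph.
# Function names, addresses and attribute values are constructed.
from collections import Counter


def node(C=(), S=(), calls=()):
    """Attributed node: multiset of constants, multiset of strings, callees."""
    return {"C": Counter(C), "S": Counter(S), "calls": set(calls)}


# Library graph built from a build with debug symbols (constructed).
LIB = {
    "strlen": node(C=[0x0101010101010101, 0x8080808080808080]),
    "fwrite": node(C=[0x4000]),
    "puts":   node(calls=["strlen", "fwrite"]),
    "perror": node(S=["%s: %s\n"], calls=["fwrite"]),
}

# Stripped target (constructed): one extra caller (main) and an attribute-less
# leaf (0x401140) that the degree/edge checks must reject as a match for puts.
BIN = {
    0x401000: node(S=["usage: %s file\n"], calls=[0x401080, 0x4010c0]),
    0x401040: node(C=[0x8080808080808080, 0x0101010101010101]),
    0x401080: node(calls=[0x401040, 0x401100]),
    0x4010c0: node(S=["%s: %s\n"], calls=[0x401100]),
    0x401100: node(C=[0x4000]),
    0x401140: node(),
}


def find_mapping(lib, target):
    """Return {library name: target address} mapping every library node onto a
    distinct target node such that attributes agree and every library call is
    present in the target (extra target calls are allowed), or None."""
    order = sorted(lib, key=lambda n: -len(lib[n]["calls"]))  # high degree first
    mapping, used = {}, set()

    def feasible(l, b):
        if b in used or lib[l]["C"] != target[b]["C"] or lib[l]["S"] != target[b]["S"]:
            return False
        if len(target[b]["calls"]) < len(lib[l]["calls"]):
            return False
        # calls from l to already mapped nodes must exist in the target
        for callee in lib[l]["calls"]:
            if callee in mapping and mapping[callee] not in target[b]["calls"]:
                return False
        # calls from already mapped nodes to l must exist in the target
        for other, mb in mapping.items():
            if l in lib[other]["calls"] and b not in target[mb]["calls"]:
                return False
        return True

    def search(i):
        if i == len(order):
            return dict(mapping)
        l = order[i]
        for b in target:
            if feasible(l, b):
                mapping[l] = b
                used.add(b)
                found = search(i + 1)
                if found is not None:
                    return found
                del mapping[l]
                used.discard(b)
        return None

    return search(0)


if __name__ == "__main__":
    for name, addr in (find_mapping(LIB, BIN) or {}).items():
        print(f"{name:8s} -> {addr:#x}")
```

Ordering the library nodes by out-degree makes the search place the best-connected functions first, so a wrong guess is contradicted by an edge check after few steps; the two attribute-less library leaves would otherwise be interchangeable until the edges from `puts` and `perror` pin them down.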
