lief library to instrument executable formats table of
play

LIEF: Library to Instrument Executable Formats Table of Contents - PowerPoint PPT Presentation

May 24, 2023 •217 likes •1.12k views

RMLL 2017 Romain Thomas - rthomas@quarkslab.com LIEF: Library to Instrument Executable Formats Table of Contents Introduction Project Overview Demo Conclusion About Romain Thomas (rthomas@quarkslab.com) - Security engineer Working on

  1. RMLL 2017 Romain Thomas - rthomas@quarkslab.com LIEF: Library to Instrument Executable Formats

  2. Table of Contents Introduction Project Overview Demo Conclusion

  3. About � Romain Thomas (rthomas@quarkslab.com) - Security engineer � Working on obfuscation, software protection and reverse engineering � Contributor to the Triton project, a dynamic binary analysis framework.

  4. Layers of information Tools Format pefile, readelf, otool, LLVM . . . ELF , PE , Mach-O , COFF , XCOFF ... Content LLVM, IDA, capstone . . . x86 , ARM , MIPS , AArch64 . . . Behavior Frida, Intel Pin, Triton, Qemu . . . DBI, emulator, sandbox, debugger . . .

  5. Layers of information Tools Format pefile, readelf, otool, LLVM . . . ELF , PE , Mach-O , COFF , XCOFF ... Content LLVM, IDA, capstone . . . x86 , ARM , MIPS , AArch64 . . . Behavior Frida, Intel Pin, Triton, Qemu . . . DBI, emulator, sandbox, debugger . . .

  6. Layers of information Tools Format pefile, readelf, otool, LLVM . . . ELF , PE , Mach-O , COFF , XCOFF ... Content LLVM, IDA, capstone . . . x86 , ARM , MIPS , AArch64 . . . Behavior Frida, Intel Pin, Triton, Qemu . . . DBI, emulator, sandbox, debugger . . .

  7. Layers of information Tools Format pefile, readelf, otool, LLVM . . . ELF , PE , Mach-O , COFF , XCOFF ... Content LLVM, IDA, capstone . . . x86 , ARM , MIPS , AArch64 . . . Behavior Frida, Intel Pin, Triton, Qemu . . . DBI, emulator, sandbox, debugger . . .

  8. Layers of information Tools Format pefile, readelf, otool, LLVM . . . ELF , PE , Mach-O , COFF , XCOFF ... Content LLVM, IDA, capstone . . . x86 , ARM , MIPS , AArch64 . . . Behavior Frida, Intel Pin, Triton, Qemu . . . DBI, emulator, sandbox, debugger . . .

  9. Layers of information Tools Format pefile, readelf, otool, LLVM . . . ELF , PE , Mach-O , COFF , XCOFF ... Content LLVM, IDA, capstone . . . x86 , ARM , MIPS , AArch64 . . . Behavior Frida, Intel Pin, Triton, Qemu . . . DBI, emulator, sandbox, debugger . . .

  10. Layers of information Tools Format pefile, readelf, otool, LLVM . . . ELF , PE , Mach-O , COFF , XCOFF ... Content LLVM, IDA, capstone . . . x86 , ARM , MIPS , AArch64 . . . Behavior Frida, Intel Pin, Triton, Qemu . . . DBI, emulator, sandbox, debugger . . .

  11. Howto? � Get assembly code? � Get symbols? � Get imported functions? � Get entry point?

  12. Executable Formats What is an executable format ?

  13. Executable File Formats in a Nutshell

  14. Executable File Formats in a Nutshell Executable file format gives information such as: � First instruction address to execute

  15. Executable File Formats in a Nutshell Executable file format gives information such as: � First instruction address to execute � Libraries used

  16. Executable File Formats in a Nutshell Executable file format gives information such as: � First instruction address to execute � Libraries used � Target architecture ( x86 , ARM . . . )

  17. Executable File Formats in a Nutshell The three mainstream formats: � ELF : Linux, Android . . . � PE : Windows � Mach-O : OS-X, iOS, . . .

  18. Purpose of LIEF � Provide a cross-platform library to parse ELF, PE and Mach-O formats

  19. Purpose of LIEF � Provide a cross-platform library to parse ELF, PE and Mach-O formats � Abstract common features from the different formats (section, header, entry point, symbols . . . )

  20. Purpose of LIEF � Provide a cross-platform library to parse ELF, PE and Mach-O formats � Abstract common features from the different formats (section, header, entry point, symbols . . . ) � Enable format modifications

  21. Purpose of LIEF � Provide a cross-platform library to parse ELF, PE and Mach-O formats � Abstract common features from the different formats (section, header, entry point, symbols . . . ) � Enable format modifications � Provide an API for different languages (Python, C++ , C . . . )

  22. Purpose of LIEF � Provide a cross-platform library to parse ELF, PE and Mach-O formats � Abstract common features from the different formats (section, header, entry point, symbols . . . ) � Enable format modifications � Provide an API for different languages (Python, C++ , C . . . ) Provide an all-in-one library to deal with executable formats

  23. Table of Contents Introduction Project Overview Architecture Abstract Layer Tests and CI Demo Conclusion

  24. Architecture

  25. Architecture LIEF ELF PE Mach-O Binary Parser Builder Binary Parser Builder Binary Parser Builder Abstract layer C++ Python / C

  26. Architecture Format Binary Parser Builder Files Files Files Format modeling � ELF/{Binary Header Section ...}.cpp � ELF/Parser.{tcc,cpp} � ELF/Builder.{tcc,cpp} � Header Parse the format and create � PE/{Binary DosHeader Section ...}.cpp � PE/Parser.{tcc,cpp} � PE/Builder.{tcc,cpp} Take the Binary object � Sections a Binary object and reconstruct an executable � MachO/{Binary Header LoadCommand ...}.cpp � MachO/BinaryParser.{tcc,cpp} � MachO/Builder.{tcc,cpp} � . . .

  27. Architecture Format Binary Parser Builder Files Files Files Format modeling � ELF/{Binary Header Section ...}.cpp � ELF/Parser.{tcc,cpp} � ELF/Builder.{tcc,cpp} � Header Parse the format and create � PE/{Binary DosHeader Section ...}.cpp � PE/Parser.{tcc,cpp} � PE/Builder.{tcc,cpp} Take the Binary object � Sections a Binary object and reconstruct an executable � MachO/{Binary Header LoadCommand ...}.cpp � MachO/BinaryParser.{tcc,cpp} � MachO/Builder.{tcc,cpp} � . . .

  28. Architecture Format Binary Parser Builder Files Files Files Format modeling � ELF/{Binary Header Section ...}.cpp � ELF/Parser.{tcc,cpp} � ELF/Builder.{tcc,cpp} � Header Parse the format and create � PE/{Binary DosHeader Section ...}.cpp � PE/Parser.{tcc,cpp} � PE/Builder.{tcc,cpp} Take the Binary object � Sections a Binary object and reconstruct an executable � MachO/{Binary Header LoadCommand ...}.cpp � MachO/BinaryParser.{tcc,cpp} � MachO/Builder.{tcc,cpp} � . . .

  29. Architecture Format Binary Parser Builder Files Files Files Format modeling � ELF/{Binary Header Section ...}.cpp � ELF/Parser.{tcc,cpp} � ELF/Builder.{tcc,cpp} � Header Parse the format and create � PE/{Binary DosHeader Section ...}.cpp � PE/Parser.{tcc,cpp} � PE/Builder.{tcc,cpp} Take the Binary object � Sections a Binary object and reconstruct an executable � MachO/{Binary Header LoadCommand ...}.cpp � MachO/BinaryParser.{tcc,cpp} � MachO/Builder.{tcc,cpp} � . . .

  30. Architecture Format Binary Parser Builder Files Files Files Format modeling � ELF/{Binary Header Section ...}.cpp � ELF/Parser.{tcc,cpp} � ELF/Builder.{tcc,cpp} � Header Parse the format and create � PE/{Binary DosHeader Section ...}.cpp � PE/Parser.{tcc,cpp} � PE/Builder.{tcc,cpp} Take the Binary object � Sections a Binary object and reconstruct an executable � MachO/{Binary Header LoadCommand ...}.cpp � MachO/BinaryParser.{tcc,cpp} � MachO/Builder.{tcc,cpp} � . . .

  31. Architecture Format Binary Parser Builder Files Files Files Format modeling � ELF/{Binary Header Section ...}.cpp � ELF/Parser.{tcc,cpp} � ELF/Builder.{tcc,cpp} � Header Parse the format and create � PE/{Binary DosHeader Section ...}.cpp � PE/Parser.{tcc,cpp} � PE/Builder.{tcc,cpp} Take the Binary object � Sections a Binary object and reconstruct an executable � MachO/{Binary Header LoadCommand ...}.cpp � MachO/BinaryParser.{tcc,cpp} � MachO/Builder.{tcc,cpp} � . . .

  32. Architecture Format Binary Parser Builder Files Files Files Format modeling � ELF/{Binary Header Section ...}.cpp � ELF/Parser.{tcc,cpp} � ELF/Builder.{tcc,cpp} � Header Parse the format and create � PE/{Binary DosHeader Section ...}.cpp � PE/Parser.{tcc,cpp} � PE/Builder.{tcc,cpp} Take the Binary object � Sections a Binary object and reconstruct an executable � MachO/{Binary Header LoadCommand ...}.cpp � MachO/BinaryParser.{tcc,cpp} � MachO/Builder.{tcc,cpp} � . . .

  33. Abstract Layer

  34. Abstract Layer ELF Entry point Sections Symbols Libraries Relocations PE Mach-O

  35. What is abstracted - Binary Binary level � Imported functions � Exported functions � Patch value(s) from a given address � Retrieve value(s) from a given address

  36. What is abstracted - Header Header: � Type � Entry point � Architecture � Modes � Endianness

  37. What is abstracted - Header Header: � Type � LIEF::OBJECT_TYPES::TYPE_EXECUTABLE � LIEF::OBJECT_TYPES::TYPE_LIBRARY � . . . � Entry point � Architecture � Modes � Endianness

  38. What is abstracted - Header Header: � Type � Entry point � Architecture � LIEF::ARCHITECTURES::ARCH_ARM � LIEF::ARCHITECTURES::ARCH_X86 � LIEF::ARCHITECTURES::ARCH_ARM64 � . . . � Modes � Endianness

  39. What is abstracted - Header Header: � Type � Entry point � Architecture � Modes � LIEF::MODES::MODE_64 � LIEF::MODES::MODE_THUMB � LIEF::MODES::MODE_V9 � . . . � Endianness

  40. What is abstracted - Header Header: � Type � Entry point � Architecture � Modes � Endianness � LIEF::ENDIANNESS::ENDIAN_BIG � LIEF::ENDIANNESS::ENDIAN_LITTLE

  41. What is abstracted - Section Section: � Name � Offset � Size � Virtual Address � Raw content � Entropy

  42. What is abstracted - Symbol Symbol: � Name

  43. Architecture

Recommend

LIEF: Library to Instrument Executable Formats Table of Contents Introduction Architecture Demo

LIEF: Library to Instrument Executable Formats Table of Contents Introduction Architecture Demo

Romain Thomas - rthomas@quarkslab.com LIEF: Library to Instrument Executable Formats Table of Contents Introduction Architecture Demo Conclusion About Romain Thomas - Security engineer at Quarkslab Working on obfuscation and software

614 views • 27 slides
Executable File Formats Portable Executable (PE) Executable

Executable File Formats Portable Executable (PE) Executable

Executable File Formats Portable Executable (PE) Executable file format of choice for Windows Executable and Linkable Format (ELF) Executable file

330 views • 16 slides
Format (ELF) Why Executable Formats? - All code in one file - But libraries! - We need a way

Format (ELF) Why Executable Formats? - All code in one file - But libraries! - We need a way

Executable and Linkable Format (ELF) Why Executable Formats? - All code in one file - But libraries! - We need a way to combine files Distribute as binary (object files) - - Linkers - We need a way to control how our programs run

281 views • 13 slides
Table A2 Field Descriptions for the Laboratory Instrument Table (Table A2) Contains related to

Table A2 Field Descriptions for the Laboratory Instrument Table (Table A2) Contains related to

Table A2 Field Descriptions for the Laboratory Instrument Table (Table A2) Contains related to laboratory instrument calibration on an analyte level and GC/MS Tune information. This table is optional depending on project requirements. Do not

288 views • 5 slides
Binarylevel program analysis: Executable File Formats Gang Tan CSE 597 Spring 2019 Penn

Binarylevel program analysis: Executable File Formats Gang Tan CSE 597 Spring 2019 Penn

Binarylevel program analysis: Executable File Formats Gang Tan CSE 597 Spring 2019 Penn State University * Some slides adapted from those by Toms Snchez Lpez at http://www.tomassanchez.com/material/ELF.ppt 1 Executable File

465 views • 20 slides
Static instrumentation based on executable file formats About Romain Thomas - Security

Static instrumentation based on executable file formats About Romain Thomas - Security

Romain Thomas - rthomas@quarkslab.com Static instrumentation based on executable file formats About Romain Thomas - Security engineer at Quarkslab Working on various topics: Android, (de)obfuscation, software protection and reverse

1.04k views • 77 slides
EXECUTABLE UML AND MBSE What Executable UML does, how it is totally di ff erent from UML, and

EXECUTABLE UML AND MBSE What Executable UML does, how it is totally di ff erent from UML, and

EXECUTABLE UML AND MBSE What Executable UML does, how it is totally di ff erent from UML, and how it fits with other Executable languages Leon Starr leon_starr@modelint.com MODEL INTEGRATION LLC www.modelint.com 1 LiU Seminar xUML MBSE -

527 views • 39 slides
Sequence File Formats Sequence File Formats Different formats for different uses

Sequence File Formats Sequence File Formats Different formats for different uses

Sequence File Formats Sequence File Formats Different formats for different uses Competing formats developed in parallel Some easy to read, some easy to write programs Dont have to stick to these formats, but parsers

210 views • 18 slides
Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module re, finditer Some fi file formats File extension Content File extension Description .html HyperText Markup Language .exe Windows executable

578 views • 15 slides
Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module re, finditer Some fi file formats File extension Content File extension Description .html HyperText Markup Language .exe Windows executable

413 views • 23 slides
Program Generation Workflow C**program compiler assembly*code nd* library*object*code

Program Generation Workflow C**program compiler assembly*code nd* library*object*code

Program Generation Workflow C**program compiler assembly*code nd* library*object*code assembler de. . object*code on* linker bels* executable *how* Sean Barker 1 Linking Schematic Executable*file Object*file main:*****

390 views • 4 slides
Compiler CS 449 Executables and gcc Object Linking Preprocessed C source files source

Compiler CS 449 Executables and gcc Object Linking Preprocessed C source files source

Compiler CS 449 Executables and gcc Object Linking Preprocessed C source files source Executable .c cpp cc1 .o ld Preprocessor Compiler Linker Jonathan Misurda jmisurda@cs.pitt.edu Executables Older Executable Formats What

302 views • 3 slides
Library of Congress Classification Module 11.3 Deciding Whether to Use the Biography Table

Library of Congress Classification Module 11.3 Deciding Whether to Use the Biography Table

Library of Congress Classification: Module 11.3 Library of Congress Classification Module 11.3 Deciding Whether to Use the Biography Table Policy, Training, and Cooperative Programs Division Library of Congress September 2019 1 Library of

612 views • 49 slides
Table A1 Field Descriptions for the Analytical Results Table (Table A1) Contains laboratory test

Table A1 Field Descriptions for the Analytical Results Table (Table A1) Contains laboratory test

Table A1 Field Descriptions for the Analytical Results Table (Table A1) Contains laboratory test results and related information for field and QC samples (excluding instrument calibrations) on an analyte level for environmental chemistry

69 views • 3 slides
Library of Congress Classification Module 10.3 Using the Translation Table & Texts in

Library of Congress Classification Module 10.3 Using the Translation Table & Texts in

Library of Congress Classification: Module 10.3 Library of Congress Classification Module 10.3 Using the Translation Table & Texts in Parallel Languages Policy, Training, and Cooperative Programs Division Library of Congress September

586 views • 46 slides
3D compact profiler Table top instrument with fixed configuration Key hardware features Compact

3D compact profiler Table top instrument with fixed configuration Key hardware features Compact

3D compact profiler Table top instrument with fixed configuration Key hardware features Compact design All integrated: Sensor head, Controller and Support Stand New developments Key hardware features B&W camera 1360x1024 One LED

350 views • 10 slides
Presentation 7.3b: Multiple linear re- gression Murray Logan August 9, 2016 Table of contents

Presentation 7.3b: Multiple linear re- gression Murray Logan August 9, 2016 Table of contents

-1- Presentation 7.3b: Multiple linear re- gression Murray Logan August 9, 2016 Table of contents 1 Theory 1 2 Worked Examples 3 0.1. Preparations 0.1.1. Packages library(ggplot2) library(car) library(GGally) library(rstan)

372 views • 4 slides
Library of Congress Classification Module 11.4 Using the Biography Table Policy, Training, and

Library of Congress Classification Module 11.4 Using the Biography Table Policy, Training, and

Library of Congress Classification: Module 11.4 Library of Congress Classification Module 11.4 Using the Biography Table Policy, Training, and Cooperative Programs Division Library of Congress September 2019 1 Library of Congress

654 views • 31 slides
Beyond Library Walls: Integrating 3D Printing into the Curriculum Susan M. Ryan Taking Our Seat

Beyond Library Walls: Integrating 3D Printing into the Curriculum Susan M. Ryan Taking Our Seat

Beyond Library Walls: Integrating 3D Printing into the Curriculum Susan M. Ryan Taking Our Seat at the Table Dean of the Library & Learning Technologies University Library Section duPont-Ball Library American Library Association Stetson

751 views • 26 slides
anti-anti-virus (continued) 1 logistics: TRICKY HW assignment out infecting an executable

anti-anti-virus (continued) 1 logistics: TRICKY HW assignment out infecting an executable

anti-anti-virus (continued) 1 logistics: TRICKY HW assignment out infecting an executable 2 last time anti-virus: heuristic: malware messing up executables? key idea: wrong segment of executable? switching segments of the executable?

1.14k views • 102 slides
In Integrating Glo lobal l EO and Modeli ling Systems to support Dis isaster Reli lief

In Integrating Glo lobal l EO and Modeli ling Systems to support Dis isaster Reli lief

In Integrating Glo lobal l EO and Modeli ling Systems to support Dis isaster Reli lief Agencie ies Albert Kettner 1 Robert Brakenridge 1 Guy Schumann 1,2 Bob Adler 3 Fritz Policelli 4 Dan Slayback 4 Patrick Matgen 5 Michael Souffront 6 1)

725 views • 38 slides
Understanding the Coronavirus Aid id, , Reli lief, and Economic Security (C (CARES) ) Act

Understanding the Coronavirus Aid id, , Reli lief, and Economic Security (C (CARES) ) Act

Understanding the Coronavirus Aid id, , Reli lief, and Economic Security (C (CARES) ) Act and What it it Means for Your Community UNDERSTANDING THE CARES ACT Int Introductions Shelby y Fie iegel Je Jenn Gre regory Director,

860 views • 44 slides
Electrified Vehicles Barclays November 21, 2019 Creating Tomorrow Together Our Be Belie lief

Electrified Vehicles Barclays November 21, 2019 Creating Tomorrow Together Our Be Belie lief

Electrified Vehicles Barclays November 21, 2019 Creating Tomorrow Together Our Be Belie lief Freedom dom of of mov ovement dr drives human pr progr ogress Our ur As Aspirat ation To o be becom ome the wor world ds mos

755 views • 31 slides
Executable Formal Models in Rewriting Logic Carolyn Talcott RTA 2015 1 Formal Executable Models

Executable Formal Models in Rewriting Logic Carolyn Talcott RTA 2015 1 Formal Executable Models

Executable Formal Models in Rewriting Logic Carolyn Talcott RTA 2015 1 Formal Executable Models For design, prototyping, analysis. To clarify ideas, squash insidious bugs early on many bugs / flaws can be found by just formalizing

669 views • 50 slides

More recommend