lief library to instrument executable formats table of
play

LIEF: Library to Instrument Executable Formats Table of Contents - PowerPoint PPT Presentation

Jan 31, 2023 •329 likes •614 views

Romain Thomas - rthomas@quarkslab.com LIEF: Library to Instrument Executable Formats Table of Contents Introduction Architecture Demo Conclusion About Romain Thomas - Security engineer at Quarkslab Working on obfuscation and software

  1. Romain Thomas - rthomas@quarkslab.com LIEF: Library to Instrument Executable Formats

  2. Table of Contents Introduction Architecture Demo Conclusion

  3. About ◮ Romain Thomas - Security engineer at Quarkslab ◮ Working on obfuscation and software protection, reverse engineering ◮ Contributor to the Triton project ( https://triton.quarkslab.com )

  4. Layers of information Tools Format pefile, readelf, otool, LLVM . . . ELF, PE, Mach-O, COFF, XCOFF... Content LLVM, IDA, diStorm . . . Disassembler: x86, ARM, MIPS, AArch64 ... Behavior Intel PIN, Qemu, DBI, emulator, sandbox, debugger gdb, Triton . . . ... Figure: Layer of information in an executable

  5. Howto? ◮ Get assembly code? ◮ Get symbols? ◮ Get imported functions?

  6. Executable File Formats in a Nutshell

  7. Executable File Formats in a Nutshell Executable file format gives information such as: ◮ First instruction address to execute. ◮ Libraries used ◮ Target architecture ( x86 , ARM . . . )

  8. Executable File Formats in a Nutshell The three mainstream formats: ◮ ELF : Linux, Android . . . ◮ PE : Windows ◮ Mach-O : OS-X, iOS, . . .

  9. Modification Format modifications can be a starting point to: ◮ Packing ◮ Watermarking ◮ Hooking: Perform interposition on functions ◮ Persistent code injection ◮ Malware analysis (static unpacking . . . )

  10. Purpose of LIEF ◮ Provide a cross-platform library to parse ELF, PE and Mach-O formats ◮ Abstract common features from the different formats (section, header, entry point, symbols . . . ) ◮ Enable format modifications ◮ Provide an API for different languages (Python, C++, C . . . )

  11. Howto? (answers) Get assembly code?

  12. Howto? (answers) Get assembly code? 1 import lief 2 binary = lief.parse("C:\\ Windows \\ explorer.exe") # PE 3 asm = binary. get_section (".text")

  13. Howto? (answers) Get symbols?

  14. Howto? (answers) Get symbols? 1 import lief 2 binary = lief.parse("/bin/ls") # ELF 3 for symbol in binary.symbols: 4 print(symbols)

  15. Howto? (answers) Get imported functions?

  16. Howto? (answers) Get imported functions? 1 import lief 2 binary = lief.parse("/usr/lib/libc ++ abi.dylib") # Mach -O 3 for function in binary. imported_functions : 4 print(function)

  17. Table of Contents Introduction Architecture Demo Conclusion

  18. Overview LIEF ELF PE Mach-O ELF::Binary ELF::Parser ELF::Builder PE::Binary PE::Parser PE::Builder MACHO::Binary MACHO::Parser MACHO::Builder Abstract layer C++ Python / C Figure: Global architecture

  19. Modification process LIEF object LIEF object Header Header Sections Sections .text .text Modification .data .data .new section Segments Segments LOAD LOAD DYNAMIC DYNAMIC Parser Builder /bin/ls /bin/ls (modified)

  20. Table of Contents Introduction Architecture Demo Conclusion

  21. Demo!

  22. Table of Contents Introduction Architecture Demo Conclusion

  23. Roadmap Some ideas for next versions: ◮ Graphical User Interface (Work in progress) ◮ Handle the OAT format (subset of the ELF format) ◮ PE API to hook functions ◮ PE/Mach-O fuzzer ◮ Handle the Dwarf format

  24. ◮ Source code is available on GitHub: https://github.com/lief-project ( Apache 2.0 license) ◮ Website: https://lief.quarkslab.com

  25. ◮ Source code is available on GitHub: https://github.com/lief-project ( Apache 2.0 license) ◮ Website: https://lief.quarkslab.com Missing feature or bug?

  26. ◮ Source code is available on GitHub: https://github.com/lief-project ( Apache 2.0 license) ◮ Website: https://lief.quarkslab.com Missing feature or bug? lief@quarkslab.com or Open an issue / pull request

  27. Thank you!

Recommend

LIEF: Library to Instrument Executable Formats Table of Contents Introduction Project Overview

LIEF: Library to Instrument Executable Formats Table of Contents Introduction Project Overview

RMLL 2017 Romain Thomas - rthomas@quarkslab.com LIEF: Library to Instrument Executable Formats Table of Contents Introduction Project Overview Demo Conclusion About Romain Thomas (rthomas@quarkslab.com) - Security engineer Working on

1.12k views • 89 slides
Executable File Formats Portable Executable (PE) Executable

Executable File Formats Portable Executable (PE) Executable

Executable File Formats Portable Executable (PE) Executable file format of choice for Windows Executable and Linkable Format (ELF) Executable file

330 views • 16 slides
Format (ELF) Why Executable Formats? - All code in one file - But libraries! - We need a way

Format (ELF) Why Executable Formats? - All code in one file - But libraries! - We need a way

Executable and Linkable Format (ELF) Why Executable Formats? - All code in one file - But libraries! - We need a way to combine files Distribute as binary (object files) - - Linkers - We need a way to control how our programs run

281 views • 13 slides
Table A2 Field Descriptions for the Laboratory Instrument Table (Table A2) Contains related to

Table A2 Field Descriptions for the Laboratory Instrument Table (Table A2) Contains related to

Table A2 Field Descriptions for the Laboratory Instrument Table (Table A2) Contains related to laboratory instrument calibration on an analyte level and GC/MS Tune information. This table is optional depending on project requirements. Do not

288 views • 5 slides
Binarylevel program analysis: Executable File Formats Gang Tan CSE 597 Spring 2019 Penn

Binarylevel program analysis: Executable File Formats Gang Tan CSE 597 Spring 2019 Penn

Binarylevel program analysis: Executable File Formats Gang Tan CSE 597 Spring 2019 Penn State University * Some slides adapted from those by Toms Snchez Lpez at http://www.tomassanchez.com/material/ELF.ppt 1 Executable File

465 views • 20 slides
Static instrumentation based on executable file formats About Romain Thomas - Security

Static instrumentation based on executable file formats About Romain Thomas - Security

Romain Thomas - rthomas@quarkslab.com Static instrumentation based on executable file formats About Romain Thomas - Security engineer at Quarkslab Working on various topics: Android, (de)obfuscation, software protection and reverse

1.04k views • 77 slides
EXECUTABLE UML AND MBSE What Executable UML does, how it is totally di ff erent from UML, and

EXECUTABLE UML AND MBSE What Executable UML does, how it is totally di ff erent from UML, and

EXECUTABLE UML AND MBSE What Executable UML does, how it is totally di ff erent from UML, and how it fits with other Executable languages Leon Starr leon_starr@modelint.com MODEL INTEGRATION LLC www.modelint.com 1 LiU Seminar xUML MBSE -

527 views • 39 slides
Sequence File Formats Sequence File Formats Different formats for different uses

Sequence File Formats Sequence File Formats Different formats for different uses

Sequence File Formats Sequence File Formats Different formats for different uses Competing formats developed in parallel Some easy to read, some easy to write programs Dont have to stick to these formats, but parsers

210 views • 18 slides
Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module re, finditer Some fi file formats File extension Content File extension Description .html HyperText Markup Language .exe Windows executable

578 views • 15 slides
Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module re, finditer Some fi file formats File extension Content File extension Description .html HyperText Markup Language .exe Windows executable

413 views • 23 slides
Program Generation Workflow C**program compiler assembly*code nd* library*object*code

Program Generation Workflow C**program compiler assembly*code nd* library*object*code

Program Generation Workflow C**program compiler assembly*code nd* library*object*code assembler de. . object*code on* linker bels* executable *how* Sean Barker 1 Linking Schematic Executable*file Object*file main:*****

390 views • 4 slides
Compiler CS 449 Executables and gcc Object Linking Preprocessed C source files source

Compiler CS 449 Executables and gcc Object Linking Preprocessed C source files source

Compiler CS 449 Executables and gcc Object Linking Preprocessed C source files source Executable .c cpp cc1 .o ld Preprocessor Compiler Linker Jonathan Misurda jmisurda@cs.pitt.edu Executables Older Executable Formats What

302 views • 3 slides
Library of Congress Classification Module 11.3 Deciding Whether to Use the Biography Table

Library of Congress Classification Module 11.3 Deciding Whether to Use the Biography Table

Library of Congress Classification: Module 11.3 Library of Congress Classification Module 11.3 Deciding Whether to Use the Biography Table Policy, Training, and Cooperative Programs Division Library of Congress September 2019 1 Library of

612 views • 49 slides
Table A1 Field Descriptions for the Analytical Results Table (Table A1) Contains laboratory test

Table A1 Field Descriptions for the Analytical Results Table (Table A1) Contains laboratory test

Table A1 Field Descriptions for the Analytical Results Table (Table A1) Contains laboratory test results and related information for field and QC samples (excluding instrument calibrations) on an analyte level for environmental chemistry

69 views • 3 slides
Library of Congress Classification Module 10.3 Using the Translation Table & Texts in

Library of Congress Classification Module 10.3 Using the Translation Table & Texts in

Library of Congress Classification: Module 10.3 Library of Congress Classification Module 10.3 Using the Translation Table & Texts in Parallel Languages Policy, Training, and Cooperative Programs Division Library of Congress September

586 views • 46 slides
3D compact profiler Table top instrument with fixed configuration Key hardware features Compact

3D compact profiler Table top instrument with fixed configuration Key hardware features Compact

3D compact profiler Table top instrument with fixed configuration Key hardware features Compact design All integrated: Sensor head, Controller and Support Stand New developments Key hardware features B&W camera 1360x1024 One LED

350 views • 10 slides
Presentation 7.3b: Multiple linear re- gression Murray Logan August 9, 2016 Table of contents

Presentation 7.3b: Multiple linear re- gression Murray Logan August 9, 2016 Table of contents

-1- Presentation 7.3b: Multiple linear re- gression Murray Logan August 9, 2016 Table of contents 1 Theory 1 2 Worked Examples 3 0.1. Preparations 0.1.1. Packages library(ggplot2) library(car) library(GGally) library(rstan)

372 views • 4 slides
Library of Congress Classification Module 11.4 Using the Biography Table Policy, Training, and

Library of Congress Classification Module 11.4 Using the Biography Table Policy, Training, and

Library of Congress Classification: Module 11.4 Library of Congress Classification Module 11.4 Using the Biography Table Policy, Training, and Cooperative Programs Division Library of Congress September 2019 1 Library of Congress

654 views • 31 slides
Beyond Library Walls: Integrating 3D Printing into the Curriculum Susan M. Ryan Taking Our Seat

Beyond Library Walls: Integrating 3D Printing into the Curriculum Susan M. Ryan Taking Our Seat

Beyond Library Walls: Integrating 3D Printing into the Curriculum Susan M. Ryan Taking Our Seat at the Table Dean of the Library & Learning Technologies University Library Section duPont-Ball Library American Library Association Stetson

751 views • 26 slides
anti-anti-virus (continued) 1 logistics: TRICKY HW assignment out infecting an executable

anti-anti-virus (continued) 1 logistics: TRICKY HW assignment out infecting an executable

anti-anti-virus (continued) 1 logistics: TRICKY HW assignment out infecting an executable 2 last time anti-virus: heuristic: malware messing up executables? key idea: wrong segment of executable? switching segments of the executable?

1.14k views • 102 slides
In Integrating Glo lobal l EO and Modeli ling Systems to support Dis isaster Reli lief

In Integrating Glo lobal l EO and Modeli ling Systems to support Dis isaster Reli lief

In Integrating Glo lobal l EO and Modeli ling Systems to support Dis isaster Reli lief Agencie ies Albert Kettner 1 Robert Brakenridge 1 Guy Schumann 1,2 Bob Adler 3 Fritz Policelli 4 Dan Slayback 4 Patrick Matgen 5 Michael Souffront 6 1)

725 views • 38 slides
Understanding the Coronavirus Aid id, , Reli lief, and Economic Security (C (CARES) ) Act

Understanding the Coronavirus Aid id, , Reli lief, and Economic Security (C (CARES) ) Act

Understanding the Coronavirus Aid id, , Reli lief, and Economic Security (C (CARES) ) Act and What it it Means for Your Community UNDERSTANDING THE CARES ACT Int Introductions Shelby y Fie iegel Je Jenn Gre regory Director,

860 views • 44 slides
Electrified Vehicles Barclays November 21, 2019 Creating Tomorrow Together Our Be Belie lief

Electrified Vehicles Barclays November 21, 2019 Creating Tomorrow Together Our Be Belie lief

Electrified Vehicles Barclays November 21, 2019 Creating Tomorrow Together Our Be Belie lief Freedom dom of of mov ovement dr drives human pr progr ogress Our ur As Aspirat ation To o be becom ome the wor world ds mos

755 views • 31 slides
Executable Formal Models in Rewriting Logic Carolyn Talcott RTA 2015 1 Formal Executable Models

Executable Formal Models in Rewriting Logic Carolyn Talcott RTA 2015 1 Formal Executable Models

Executable Formal Models in Rewriting Logic Carolyn Talcott RTA 2015 1 Formal Executable Models For design, prototyping, analysis. To clarify ideas, squash insidious bugs early on many bugs / flaws can be found by just formalizing

669 views • 50 slides

More recommend