static instrumentation based on executable file formats
play

Static instrumentation based on executable file formats About - PowerPoint PPT Presentation

Feb 20, 2024 •255 likes •1.04k views

Romain Thomas - rthomas@quarkslab.com Static instrumentation based on executable file formats About Romain Thomas - Security engineer at Quarkslab Working on various topics: Android, (de)obfuscation, software protection and reverse

  1. Romain Thomas - rthomas@quarkslab.com Static instrumentation based on executable file formats

  2. About � Romain Thomas - Security engineer at Quarkslab � Working on various topics: Android, (de)obfuscation, software protection and reverse engineering � Author of LIEF

  3. Executable Formats Executable Formats: Overview

  4. Executable Formats � First layer of information when analysing a binary 1 entrypoint, libraries, ...

  5. Executable Formats � First layer of information when analysing a binary � Provide metadata 1 used by the operating system to load the binary. 1 entrypoint, libraries, ...

  6. Executable Formats � OSX / iOS : Mach-O � Linux : ELF � Windows : PE � Android : ELF, OAT

  7. Executable Formats Why modify formats ?

  8. Executable Formats Change segments / sections permissions Disable ASLR More privileged area Userland Format Loader Kernel Add shared libraries Load shared libraries Perform relocations Set permissions Create Process Map content

  9. Executable Formats Change segments / sections permissions Disable ASLR More privileged area Userland Format Loader Kernel Add shared libraries Load shared libraries Perform relocations Set permissions Create Process Map content

  10. Executable Formats Change segments / sections permissions Disable ASLR More privileged area Userland Format Loader Kernel Add shared libraries Load shared libraries Perform relocations Set permissions Create Process Map content

  11. Executable Formats Change segments / sections permissions Disable ASLR More privileged area Userland Format Loader Kernel Add shared libraries Load shared libraries Perform relocations Set permissions Create Process Map content

  12. Executable Formats Change segments / sections permissions Disable ASLR More privileged area Userland Format Loader Kernel Add shared libraries Load shared libraries Perform relocations Set permissions Create Process Map content

  13. Executable Formats Change segments / sections permissions Disable ASLR More privileged area Userland Format Loader Kernel Add shared libraries Load shared libraries Perform relocations Set permissions Create Process Map content

  14. Executable Formats Change segments / sections permissions Disable ASLR More privileged area Userland Format Loader Kernel Add shared libraries Load shared libraries Perform relocations Set permissions Create Process Map content

  15. Executable Formats Change segments / sections permissions Disable ASLR More privileged area Userland Format Loader Kernel Add shared libraries Load shared libraries Perform relocations Set permissions Create Process Map content

  16. Executable Formats Change segments / sections permissions Disable ASLR More privileged area Userland Format Loader Kernel Add shared libraries Load shared libraries Perform relocations Set permissions Create Process Map content

  17. Executable Formats LIEF : Library to Instrument Executable Formats

  18. LIEF � One library to deal with ELF, PE, Mach-O � Core in C++ � Bindings for different languages: Python, C 2 , . . . � Enable modification on these formats � User friendly API 2 C binding is not as mature as Python and C++

  19. Executable Formats DEX File Object VDEX File Object ART File Object ELF Binary Object PE Binary Object Parser Builder Mach-O Fat Binary Object OAT Binary Object Abstract Binary Information extraction Information adding . . .

  20. Executable Formats import lief target = lief.parse("ELF/PE/Mach-O/OAT") print(target.entrypoint)

  21. Executable Formats import lief target = lief.parse("ELF/PE/Mach-O/OAT") for section in target.sections: print(section.virtual_address) process(section.content)

  22. Executable Formats import lief target = lief.parse("some.exe") target.tls.callbacks.append(0x....) target.write("new.exe")

  23. Executable Formats import lief target = lief.parse(...) section = lief.ELF.Section(".text2") section.content = [0x90] * 0x1000 target += section target.write("new.elf")

  24. Executable Formats Next parts introduce interesting modifications on formats: � Hooking � Exporting hidden functions � Code injection through shared libraries

  25. PE Hooking PE Hooking

  26. PE Hooking Regarding to PE files, LIEF enables to rebuild the import table elsewhere in the binary so that one can add new functions, new libraries or patch the Import Address Table.

  27. Example Figure – Original IAT

  28. Example The following code patch the IAT entry of __acrt_iob_func with a trampoline to the function 0x140008000 pe = lief.parse("some.exe") pe.hook_function("__acrt_iob_func", 0x140008000) builder = lief.PE.Builder(pe) builder.build_imports(True).patch_imports(True) builder.build() builder.write("hooked.exe")

  29. Example

  30. Example Figure – Original IAT patched with trampoline functions

  31. Example Figure – Trampoline for non-hooked function Figure – Trampoline for hooked function

  32. Example Limitations This method only works if accesses to the IAT are performed with call instructions. Especially it doesn’t if there is lea on the original IAT

  33. ELF Hooking Regarding to ELF files, hooking can be done with a patch of the plt/got.

  34. ELF plt/got .text ... 400637: jmp 400480 <memcmp@plt> ... 1 .plt ... 400480: jmp 201028 <memcmp@got> 400486: push 0x2 40048b: jmp 400450 <.plt> ... 3 2 .got ... 201028: 0x400486 ...

  35. ELF plt/got .text ... 400637: jmp 400480 <memcmp@plt> ... 1 .plt ... 400480: jmp 201028 <memcmp@got> 400486: push 0x2 40048b: jmp 400450 <.plt> ... 3 2 .got ... 201028: 0x400486 ...

  36. ELF plt/got .text ... 400637: jmp 400480 <memcmp@plt> ... 1 .plt ... 400480: jmp 201028 <memcmp@got> 400486: push 0x2 40048b: jmp 400450 <.plt> ... 3 2 .got ... 201028: 0x400486 ...

  37. ELF plt/got .text ... 400637: jmp 400480 <memcmp@plt> ... 1 .plt ... 400480: jmp 201028 <memcmp@got> 400486: push 0x2 40048b: jmp 400450 <.plt> ... 3 2 .got ... 201028: 0x400486 ...

  38. ELF plt/got Figure – Relocations associated with plt/got

  39. ELF plt/got import lief elf = lief.parse("some_elf") elf.patch_pltgot("memcmp", 0xAAAAAAAA) elf.write("elf_modified")

  40. ELF plt/got .text ... 400637: jmp 400480 <memcmp@plt> ... 1 .plt ... 400480: jmp 201028 <memcmp@got> 400486: push 0x2 40048b: jmp 400450 <.plt> ... 2 .got ... 201028: XXXXXX <memcmp@hook> ... 3 .hook ... XXXXXX: memcmp hooked ... https://lief.quarkslab.com/recon18/demo1

  41. ELF plt/got .text ... 400637: jmp 400480 <memcmp@plt> ... 1 .plt ... 400480: jmp 201028 <memcmp@got> 400486: push 0x2 40048b: jmp 400450 <.plt> ... 2 .got ... 201028: XXXXXX <memcmp@hook> ... 3 .hook ... XXXXXX: memcmp hooked ... https://lief.quarkslab.com/recon18/demo1

  42. ELF plt/got .text ... 400637: jmp 400480 <memcmp@plt> ... 1 .plt ... 400480: jmp 201028 <memcmp@got> 400486: push 0x2 40048b: jmp 400450 <.plt> ... 2 .got ... 201028: XXXXXX <memcmp@hook> ... 3 .hook ... XXXXXX: memcmp hooked ... https://lief.quarkslab.com/recon18/demo1

  43. ELF plt/got .text ... 400637: jmp 400480 <memcmp@plt> ... 1 .plt ... 400480: jmp 201028 <memcmp@got> 400486: push 0x2 40048b: jmp 400450 <.plt> ... 2 .got ... 201028: XXXXXX <memcmp@hook> ... 3 .hook ... XXXXXX: memcmp hooked ... https://lief.quarkslab.com/recon18/demo1

  44. Exporting Functions Exporting Functions

  45. Idea

  46. Idea

  47. Example int main(int argc, char argv[]) { if (COMPLICATED CONDITION) { fuzz_me(argv[1]); } return 0; }

  48. Example

  49. Example Figure – Original Symbol Table

  50. Example import lief target = lief.parse("target") target.add_exported_function(0x63A, "to_fuzz") target.write("target_modified")

  51. Example

  52. Example Figure – New Symbol Table

  53. Example typedef void(*fnc_t)(const char*); // Access with dlopen / dlsym void* hdl = dlopen("./target_modified", RTLD_LAZY); fnc_t to_fuzz = (fnc_t)dlsym(hdl, "to_fuzz"); to_fuzz(TO FEED); https://lief.quarkslab.com/recon18/demo2

  54. Code injection Code injection through shared libraries

  55. Context Different techniques exist to inject code: � Using environment variables: LD_PRELOAD , DYLD_INSERT_LIBRARIES , . . . � Using operating system API: WriteProcessMemory , ptrace , . . . � Using custom kernel drivers � Using executable formats

  56. Context Depending on the scenario, methods can be suitable or not. Next part shows a method based on shared libraries and executable formats to leverage code injection.

  57. Linked Libraries - Loading New library: libexample.so More privileged area Userland Format Loader Kernel Execute: my_constructor()

  58. Injection process 1. Declare a constructor __attribute__((constructor)) void my_constructor(void) { printf("Run payload\n"); } gcc -fPIC -shared libexample.c -o libexample.so gcc -fPIC -shared libexample.c -o libexample.dylib

Recommend

Executable File Formats Portable Executable (PE) Executable

Executable File Formats Portable Executable (PE) Executable

Executable File Formats Portable Executable (PE) Executable file format of choice for Windows Executable and Linkable Format (ELF) Executable file

330 views • 16 slides
Format (ELF) Why Executable Formats? - All code in one file - But libraries! - We need a way

Format (ELF) Why Executable Formats? - All code in one file - But libraries! - We need a way

Executable and Linkable Format (ELF) Why Executable Formats? - All code in one file - But libraries! - We need a way to combine files Distribute as binary (object files) - - Linkers - We need a way to control how our programs run

281 views • 13 slides
Binarylevel program analysis: Executable File Formats Gang Tan CSE 597 Spring 2019 Penn

Binarylevel program analysis: Executable File Formats Gang Tan CSE 597 Spring 2019 Penn

Binarylevel program analysis: Executable File Formats Gang Tan CSE 597 Spring 2019 Penn State University * Some slides adapted from those by Toms Snchez Lpez at http://www.tomassanchez.com/material/ELF.ppt 1 Executable File

465 views • 20 slides
Sequence File Formats Sequence File Formats Different formats for different uses

Sequence File Formats Sequence File Formats Different formats for different uses

Sequence File Formats Sequence File Formats Different formats for different uses Competing formats developed in parallel Some easy to read, some easy to write programs Dont have to stick to these formats, but parsers

210 views • 18 slides
Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module re, finditer Some fi file formats File extension Content File extension Description .html HyperText Markup Language .exe Windows executable

413 views • 23 slides
Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module

Working with text xt file formats CSV, JSON, XML, Excel regular expressions module re, finditer Some fi file formats File extension Content File extension Description .html HyperText Markup Language .exe Windows executable

578 views • 15 slides
static file cache Static file caching using realurl, mod_rewrite and mod_expires. . . . It slows

static file cache Static file caching using realurl, mod_rewrite and mod_expires. . . . It slows

static file cache Static file caching using realurl, mod_rewrite and mod_expires. . . . It slows down the warming of the earth. Michiel Roos Netcreators What does it do? Ehrm . . . it caches static files? I mean . . . it statically caches

607 views • 46 slides
COSC345 Week 17 Static verification 4 August 2015 Richard A. O Keefe 1 Aim of static

COSC345 Week 17 Static verification 4 August 2015 Richard A. O Keefe 1 Aim of static

COSC345 Week 17 Static verification 4 August 2015 Richard A. O Keefe 1 Aim of static verification Find defects early Work on incomplete components Work on non-executable items N.B. Testing and debugging cannot start until executable

498 views • 21 slides
A Tool for Automated Inference of Executable Rule- Based Biological Models Chelsea Voss, Jean

A Tool for Automated Inference of Executable Rule- Based Biological Models Chelsea Voss, Jean

A Tool for Automated Inference of Executable Rule- Based Biological Models Chelsea Voss, Jean Yang, Walter Fontana Static Analysis in Systems Biology, 2017 The need for biological models executable models for in silico experimentation

969 views • 72 slides
Modern Process Management with SOA, BAM und CEP From static process models to executable

Modern Process Management with SOA, BAM und CEP From static process models to executable

Modern Process Management with SOA, BAM und CEP From static process models to executable workflows and monitoring on business level Daniel Jobst Dr. Torsten Greiner Version 1.0 Overview SOA, BPM, BAM, Event Processing ARIS EPK (IDS)

434 views • 19 slides
Open source software for the keen file formats Ramn photographer: file formats Casero Caas

Open source software for the keen file formats Ramn photographer: file formats Casero Caas

Open source software for the keen photographer: Open source software for the keen file formats Ramn photographer: file formats Casero Caas Introduction Digital workflow Ramn Casero Caas From camera to computer File formats

493 views • 32 slides
Scien&amp;fic Data File Formats Han-Wei Shen The Ohio

Scien&amp;fic Data File Formats Han-Wei Shen The Ohio

Scien&amp;fic Data File Formats Han-Wei Shen The Ohio State University Scien&amp;fic File Format Common scien&amp;fic data file formats VTK

394 views • 25 slides
Grammar-based Specification and Parsing for Binary File Formats William Underwood Georgia Tech

Grammar-based Specification and Parsing for Binary File Formats William Underwood Georgia Tech

Grammar-based Specification and Parsing for Binary File Formats William Underwood Georgia Tech Research Institute Atlanta, Georgia, USA 7 th International Digital Curation Conference 2011 Bristol, UK December 5-7, 2011 GTRI_B-#

400 views • 26 slides
THE ELF OBJECT FILE FORMAT PROGRAM EXECUTION gcc/cc output an executable in the ELF format

THE ELF OBJECT FILE FORMAT PROGRAM EXECUTION gcc/cc output an executable in the ELF format

THE ELF OBJECT FILE FORMAT PROGRAM EXECUTION gcc/cc output an executable in the ELF format (Linux) Executable and Linkable Format Standard unified binary format for: Relocatable object files (.o), Shared object files (.so)

421 views • 16 slides
beautiful textures: patterns, tiles &amp; formats creating seamless patterns on the example of a

beautiful textures: patterns, tiles &amp; formats creating seamless patterns on the example of a

beautiful textures: patterns, tiles &amp; formats creating seamless patterns on the example of a custom 404 page, with a look at suitable file formats for online use Prisca Schmarsow :: eyelearn.org Steps covered 1. file organisation 2.

722 views • 25 slides
beautiful textures: patterns, tiles &amp; formats creating seamless patterns on the example of a

beautiful textures: patterns, tiles &amp; formats creating seamless patterns on the example of a

beautiful textures: patterns, tiles &amp; formats creating seamless patterns on the example of a custom 404 page, with a look at suitable file formats for online use Prisca Schmarsow :: eyelearn.org Steps covered 1. file organisation 2.

450 views • 21 slides
Graphic Design Year 7 This Lesson Know what is meant by a file extension and to give examples

Graphic Design Year 7 This Lesson Know what is meant by a file extension and to give examples

Graphic Design Year 7 This Lesson Know what is meant by a file extension and to give examples File Formats What are file formats/ extensions? A file format/ extension relates to the last three/ four letters at the end of a file name e.g.

610 views • 14 slides
Libraries In C++ its possible to create static libraries and shared libraries Static

Libraries In C++ its possible to create static libraries and shared libraries Static

Libraries In C++ its possible to create static libraries and shared libraries Static libraries (end in .a) are combined/linked into an executable Executables are large. If library is updated in a binary compatible way, programs

297 views • 8 slides
LIEF: Library to Instrument Executable Formats Table of Contents Introduction Architecture Demo

LIEF: Library to Instrument Executable Formats Table of Contents Introduction Architecture Demo

Romain Thomas - rthomas@quarkslab.com LIEF: Library to Instrument Executable Formats Table of Contents Introduction Architecture Demo Conclusion About Romain Thomas - Security engineer at Quarkslab Working on obfuscation and software

614 views • 27 slides
Dissecting media file formats with Kaitai Struct FOSDEM 2017 Mikhail Yakshin (GreyCat) Kaitai

Dissecting media file formats with Kaitai Struct FOSDEM 2017 Mikhail Yakshin (GreyCat) Kaitai

Dissecting media file formats with Kaitai Struct FOSDEM 2017 Mikhail Yakshin (GreyCat) Kaitai Project http://kaitai.io/ Twitter: @kaitai_io File formats: a problem? Media software developers have to deal with multitude of different

396 views • 25 slides
LIEF: Library to Instrument Executable Formats Table of Contents Introduction Project Overview

LIEF: Library to Instrument Executable Formats Table of Contents Introduction Project Overview

RMLL 2017 Romain Thomas - rthomas@quarkslab.com LIEF: Library to Instrument Executable Formats Table of Contents Introduction Project Overview Demo Conclusion About Romain Thomas (rthomas@quarkslab.com) - Security engineer Working on

1.12k views • 89 slides
Reducing the overhead of direct application instrumentation using prior static analysis 3 rd May

Reducing the overhead of direct application instrumentation using prior static analysis 3 rd May

Mitglied der Helmholtz-Gemeinschaft Reducing the overhead of direct application instrumentation using prior static analysis 3 rd May 2011 | Jan Muler, Daniel Lorenz, Felix Wolf Overview Performance analysis with Scalasca Filtering

435 views • 19 slides
1 Fermion Field File Formats We note at the beginning, that we do not use a different format for

1 Fermion Field File Formats We note at the beginning, that we do not use a different format for

1 Fermion Field File Formats We note at the beginning, that we do not use a different format for source or sink fermion fields. They are both stored using the same lime records. The meta-data stored in the same lime-packed file is supposed to

53 views • 4 slides
CONSTANT INSECURITY: THINGS YOU DIDN'T KNOW ABOUT (PECOFF) PORTABLE EXECUTABLE FILE FORMAT

CONSTANT INSECURITY: THINGS YOU DIDN'T KNOW ABOUT (PECOFF) PORTABLE EXECUTABLE FILE FORMAT

BlackHat USA 2011, Las Vegas Mario Vuksan &amp; Tomislav Pericin, ReversingLabs CONSTANT INSECURITY: THINGS YOU DIDN'T KNOW ABOUT (PECOFF) PORTABLE EXECUTABLE FILE FORMAT Constant Insecurity Maturing Code PE has been on Windows for 18

686 views • 41 slides

More recommend