What are these executables and how do they work? Why does that matter, and what can you do about it? Let's answer these questions!


  1. A Dive Into ELF Binaries. Null Mumbai, 12th Jan 2019. By Bhashit Pandya
  2. Who am I ● Information Security Consultant ● Scriptologist ● Not a bug hunter!! ● Explorer
  3. Today we will: ● ask why we should understand them ● learn about executable files ● peep into the internals ● see how to read and analyse them ● check out some tools
  4. It's a Saturday morning!!!
  5. I knew..
  6. Motivation ● What if you encounter a Linux binary? ● What if you are given a file to reverse and patch? ● What if you have software to crack? ● What if you know that a file is vulnerable in a way that can grant you root access?
  7. What are executables? ● Not simple text files. ● Compiled and linked against system calls (or the Windows API). ● Carry relocation tables. ● Contain a number of sections that describe the file itself. What are some binary file formats?
  8. ELF Binary ● Initially developed by Unix System Laboratories as part of the ABI for its Unix OS, System V Release 4 (SVR4). ● Quickly adopted by other Unix vendors because it supports different endiannesses and address sizes. ● Independent of CPU and instruction set. ● In 1999 it was chosen (by the 86open project) as the standard binary file format for Unix and Unix-like systems on x86.
  9. ELF Binary Format ● It is just one binary format among several. ● Short for Executable and Linkable Format. ● Most Linux executables are in ELF format. How to detect them? We will see..
  10. ELF Structure ● ELF Header ● Section Headers: about linking and relocation ● Program Headers: what gets mmap()ed ● Symbol Table*: for debugging purposes ● readelf -a <file> shows all of them
  11. It Worked!!
  12. Volunteers Required 1. Candidate 2. Security Guard 3. Hiring Manager
  13. ELF Parsing 1. Examine the ELF header {load_elf_binary()}. 2. Loop over the program header entries to check for an interpreter (PT_INTERP) and an executable stack (PT_GNU_STACK). 3. Initialise the program header attributes for the new program. 4. {flush_old_exec()} clears up state in the kernel that refers to the previous program. 5. The location of the executable file for the program is updated at /proc/<pid>/exe. 6. The thread name is set using {__set_task_comm()}. 7. Kernel memory-tracking structures are created.
  14. ELF Parsing (Cont..) 1. The code loops through the PT_LOAD segments and maps them into the process address space. 2. Additional pages are also loaded, such as the virtual dynamic shared object (vDSO) and an empty page kept for backward-compatibility reasons. 3. Security attributes are added. 4. The final preparation for running is to set up the rest of the stack {create_elf_tables()}.
  15. Loading ELF ● Check the format information in the ELF header. ● Read the ELF program headers. ● Map every PT_LOAD segment into the new program's memory. ● Leave space for the BSS segment (uninitialised statically allocated variables, i.e. the part of a segment where memsz exceeds filesz), for the interpreter as well.
  16. Basically Loading ELF ● Base address: the address at which the code is loaded into memory. ● Once the stack pointer (ESP/RSP) points at the freshly built stack and the instruction pointer is set to the entry point, execution of the program starts. ● The code segment of the ELF file is loaded into memory to execute.
  17. Patching The Imported Calls! 1. Most programs are dynamically linked (shared libraries are located and linked at run time). 2. The ELF handler reads the ELF interpreter filename (PT_INTERP) into a new buffer. 3. It loads the ELF program into memory. 4. The ELF interpreter takes care of the linking from user space and resolves the program's undefined symbols. 5. The interpreter then starts execution of the new program itself (AT_ENTRY in the auxiliary vector holds the entry point of the text segment, set during preparation).
  18. Patching the calls ● Execution begins in the ELF interpreter. ● It finds the linkage requirements. ● Loads those shared libraries. ● Resolves the undefined symbols. ● Starts execution of the new program.
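Slides 9, 10 and 13 to 15 describe what the kernel's load_elf_binary() checks before it maps anything, and slides 17 and 18 describe the hand-off to the interpreter named in PT_INTERP. The script below is an added example written for this page (it is not the author's code and not kernel code): it detects the ELF magic, reads the ELF header for both 32- and 64-bit and both endiannesses, walks the program headers to pick up PT_INTERP, PT_GNU_STACK and the PT_LOAD segments (including the zero-filled .bss tail), and rejects offsets that point outside the file. The image built by build_sample_elf64() is constructed here for illustration only and is not a runnable program; pass a path on the command line to inspect a real binary instead.

```python
import struct

# ELF constants, as in <elf.h>
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ET_NAMES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4


def is_elf(data):
    """Slide 9's 'how to detect them': the first four bytes are 0x7f 'E' 'L' 'F'."""
    return data[:4] == ELF_MAGIC


def parse_elf(data):
    """Read the ELF header and walk the program headers the way load_elf_binary()
    does before mapping anything: record PT_INTERP, PT_GNU_STACK and the PT_LOAD
    segments, and refuse any table or segment that lies outside the file."""
    if not is_elf(data):
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (ELFCLASS32, ELFCLASS64) or ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    is64 = ei_class == ELFCLASS64
    end = "<" if ei_data == ELFDATA2LSB else ">"
    # Fields after e_ident: e_type e_machine e_version e_entry e_phoff e_shoff
    # e_flags e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    ehdr_fmt = end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    # Elf64_Phdr stores p_flags second; Elf32_Phdr stores it second to last.
    phdr_fmt = end + ("IIQQQQQQ" if is64 else "IIIIIIII")
    if len(data) < 16 + struct.calcsize(ehdr_fmt):
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _ver, e_entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from(ehdr_fmt, data, 16)
    if e_phentsize != struct.calcsize(phdr_fmt):
        raise ValueError("unexpected e_phentsize %d" % e_phentsize)
    if e_phoff + e_phnum * e_phentsize > len(data):
        raise ValueError("program header table lies outside the file")

    info = {"class": 64 if is64 else 32, "little_endian": end == "<",
            "type": ET_NAMES.get(e_type, str(e_type)), "machine": e_machine,
            "entry": e_entry, "interp": None, "exec_stack": None, "loads": []}
    for i in range(e_phnum):
        fields = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if is64:
            p_type, p_flags, p_offset, p_vaddr, _paddr, p_filesz, p_memsz, _align = fields
        else:
            p_type, p_offset, p_vaddr, _paddr, p_filesz, p_memsz, p_flags, _align = fields
        if p_type in (PT_INTERP, PT_LOAD) and p_offset + p_filesz > len(data):
            raise ValueError("segment %d lies outside the file" % i)
        if p_type == PT_INTERP:
            # The kernel reads this path and runs the interpreter (ld.so) first;
            # the interpreter then resolves the program's undefined symbols.
            info["interp"] = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
        elif p_type == PT_GNU_STACK:
            # PF_X here is what makes the kernel map an executable stack; when the
            # header is absent (None) the architecture default applies.
            info["exec_stack"] = bool(p_flags & PF_X)
        elif p_type == PT_LOAD:
            # memsz > filesz is the zero-filled tail (.bss) the loader must reserve.
            info["loads"].append({"vaddr": p_vaddr, "flags": p_flags,
                                  "filesz": p_filesz, "memsz": p_memsz,
                                  "bss": p_memsz - p_filesz})
    return info


def build_sample_elf64():
    """Constructed sample image (not a real program): a minimal little-endian
    x86-64 ET_DYN file with one R+X PT_LOAD carrying 0x100 bytes of .bss, a
    PT_INTERP naming the usual glibc loader, and a non-executable PT_GNU_STACK."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    phoff, phnum, phentsize = 64, 3, 56
    interp_off = phoff + phnum * phentsize
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + bytes(8)
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0x1040, phoff, 0, 0,
                                 64, phentsize, phnum, 64, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, PF_R | PF_X, 0, 0, 0, 0x200, 0x300, 0x1000)
    phdrs += struct.pack("<IIQQQQQQ", PT_INTERP, PF_R, interp_off, interp_off, interp_off,
                         len(interp), len(interp), 1)
    phdrs += struct.pack("<IIQQQQQQ", PT_GNU_STACK, PF_R | PF_W, 0, 0, 0, 0, 0, 16)
    img = ehdr + phdrs + interp
    return img + bytes(0x200 - len(img))   # pad so the PT_LOAD's filesz fits in the file


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf64()
    for key, value in parse_elf(blob).items():
        print("%-14s %s" % (key, value))
```

Compare the output with readelf -l <file>: the interpreter path, the GNU_STACK flags and each LOAD segment's MemSiz minus FileSiz should match. An exec_stack of True on a binary that has no reason to need it is the kind of thing to flag, and the bounds checks are the part naive parsers leave out; an e_phoff or p_offset pointing past the end of the file is enough to crash a loader that trusts the header.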
  19. Resources. Reversing and exploiting resources: ● Infecting the Procedure Linkage Table: http://phrack.org/issues/56/7.html ● More about ELF: https://smshaker.files.wordpress.com/2008/01/reveng-02.pdf
  20. Thank you!
