SlideShare a Scribd company logo

Fight with linux reverse

C
chao yang

Something about reverse engineering on Linux

Technology
1 of 59
Download to read offline
FIGHT WITH LINUX Firmy@XDSEC https://github.com/firmianay firmianay@gmail.com 1
OVERVIEW  Linux  Reverse Engineering  Reverse Engineering on Linux 2 What? Why? How?
OVERVIEW  Linux  Reverse Engineering  Reverse Engineering on Linux 3 What? Why? How?
WHAT IS GNU/LINUX?  Hello, this is Linus Torvalds, and I pronounce Linux as Linux!  Inspired by the UNIX OS, the Linux kernel was developed as a clone of UNIX  GNU was started in 1984 with a mission to develop a free UNIX-like OS  Linux was the best fit as the kernel for the GNU Project  Linux kernel was passed onto many interested developers throughout the Internet 4
DISTRIBUTIONS  Linux is basically a kernel, it was combined with the various software and compilers from GNU Project form an OS, called GNU/Linux  Linux is a full-fledged OS available in the form of various Linux Distributions  Archlinux, Ubuntu, Debian, RedHat, Fedora are examples of Linux distros  Linux is supported by big names as IBM, Google, Sun, Oracle and many more  http://distrowatch.com/ 5
OVERVIEW  Linux  Reverse Engineering  Reverse Engineering on Linux 6 What? Why? How?
WHY USE LINUX?  Powerful  Runs on multiple hardware platforms  Users like its speed and stability  No requirement for latest hardware  Convenience  A consistent software environments that is completely machine independent  Every system will have a GNU toolchain to compile code for the resident platform!  It’s “free”  Licensed under GPL 7
JUST FOR FUN 8
OVERVIEW  Linux  Reverse Engineering  Reverse Engineering on Linux 9 What? Why? How?
SETUP YOUR VM  What is a virtual machine?  Simply, a computer in your computer  Really, a (usually) segregated virtual environment that emulates real hardware  Virtual Box, VMware Workstation Pro/Player, QEMU  Why we need a virtual machine?  Safety, reliability, consistency, it’s easy  Keep the binary in a contained environment  Snapshots  What’s in a virtual machine?  Lots of tools: debuggers, disassemblers, analyzers, unpackers, compilers…  迅雷,百度云,QQ 10
HOW TO USE LINUX?  Environments  Arch Linux  GNU bash 4.4.12(1)  Resources  鸟哥的 Linux 私房菜  http://linux.vbird.org/  man bash 11
BASIC COMMAND LINE  ls [path]  list directory contents  “ls -al /”  /bin, /boot, /dev, /etc, /home, /lib, /mnt, /proc, /root, /tmp, /usr  cd [path]  change the working directory  pwd  print the path of current/working directory  cat [file]  concatenate files and print on the standard output  “less”, “more” 12
BASIC COMMAND LINE  cp [file] [location]  copy the file/directory to the location  mv [file] [location]  move (rename) the file to the location  rm [file]  remove the file or directory  never do “sudo rm -rf /”  vim  command line text editors  “type :quit<Enter> to quit VIM” 13
BASIC COMMAND LINE  grep [pattern]  print lines matching a pattern  find  search for files in a directory hierarchy  man [command]  an interface to the on-line reference manuals  apropos [whatever]  search the manual page names and descriptions  [command] --help  display help pages 14
PIPES AND REDIRECTION  Redirection  /proc/[PID]/fd  0: stdin  1: stdout  2: stderr  “>”: take the standard output of the command on the left and redirects it to the file on the right  “>>”: take the standard output of the command on the left and appends it to the file on the right  “<”: takes the standard input from the file on the right and input into the program on the left Pipes - “|”  take the standard output of the program on the left and input into the program on the right 15
JUST FOR SAD 16  :(){ :|:& };:  Fork bomb  https://en.wikipedia.org/wiki/Fork_bomb
LINUX FILE PERMISSIONS  Owner, group  Permissions set by owner/root  Resolving permissions:  If user=owner, then owner privileges  If user in group, then group privileges  Otherwise, all privileges 17 1 2 3 4 5 6 7 8 9 10 File Type User Permission Group Permission Other Permission Read Write Execute Read Write Execute Read Write Execute d/l/s/p/-/c/b r w e r w e r w e
LINUX PROCESS PERMISSIONS  Process (normally) runs with permissions of user that invoked process  “/etc/shadow” is owned by root  Users shouldn’t be able to write to it generally 18
LINUX PROCESS PERMISSIONS UID 0 is root  Real user ID (RUID)  same as UID of parent (who started process)  Effective user ID (EUID)  from set user ID bit of file being executed or due to sys call  Saved user ID (SUID)  place to save the previous UID if one temporarily changes it Also SGID, EGID, etc… 19
EXECUTABLE FILES HAVE 3 SETUID BITS  Setuid bit – set EUID of process to owner’s ID  Setgid bit – set EGID of process to group’s ID  sticky bit:  0 means user with write on directory can rename/remove file  1 means only file owner, directory owner, root can do so  So, “passwd” is a setuid program  It runs at permission level of owner, not user that runs it 20
EXECUTABLE LINKABLE FORMAT (ELF)  Relocatable file  holds code and data suitable for linking with other object files to create an executable or a shared object file  a.o  Executable File  holds a program suitable for execution  a.out  Shared Object File  holds code and data suitable for linking in two contexts. First, the linker process it with other relocatable and shared files to create another object file. Second, the dynamic linker combines it with an executable file and other shared objects to create a process image  libc-2.25.so 21
EXECUTABLE LINKABLE FORMAT (ELF) 22
OVERVIEW  Linux  Reverse Engineering  Reverse Engineering on Linux 23 What? Why? How?
FROM C CODE TO BINARY FILE 24 gcc -save-temps hello.c
WHAT IS REVERSE ENGINEERING?  The process of analyzing a subject system to  (i) identify the system’s components and their inter-relationships and  (ii) create representations of the system in another form or at a higher level of abstraction • From New Frontiers of Reverse Engineering http://cipressosjsu.info/CS266/pdf/new_frontiers_of_reverse_engine ering.pdf 25
TERMINOLOGY  Machine  A computer, server, sometimes refers to the actual CPU  Binary  An executable such as an .EXE, ELF, Mach-O or other code containers that run on a machine  Malware  A malicious binary meant to persist on a machine such as a Rootkit or Remote Access Tool (RAT) 26
TERMINOLOGY  Vulnerability  A bug in a binary that can be leveraged by an exploit  Exploit  Specially crafted data that utilizes vulnerabilities to force the binary into doing something unintended  0day  A previously unknown or unpatched vulnerability that can be used by an exploit  An 0day can also be an exploit using the unpatched vulnerability  Pwn/Pwning  In security, pwning commonly refers to vulnerability research, exploit development and sometimes luckily found a 0day 27
APPLICATIONS  Military or commercial espionage  Software security analysis  Bug digging and fixing  Game external plugins  Algorithm copy  Saving money  … 28
OVERVIEW  Linux  Reverse Engineering  Reverse Engineering on Linux 29 What? Why? How?
WHY LEARN REVERSE ENGINEERING?  Understanding of how programs really work  It’s a big challenge  Almost non-existent in academia  Few people have mastered  Satisfy your curiosity  Gain a sense of accomplishment  Just for fun  … 30
OVERVIEW  Linux  Reverse Engineering  Reverse Engineering on Linux 31 What? Why? How?
WHY DOES SOFTWARE HAVE VULNERABILITIES?  Programmers are humans  Use tools  Programmers often aren’t security-aware  learn about common types of security flaws  Programmers languages aren’t designed well for security  Use better languages (Java, Python, …) 32
HOW TO DO REVERSE ENGINEERING? Static Analysis  Disassembly, Decompile, Unpack, Deobfuscate  Analyzing a binary without executing any code  Can provide complementary insights to guide dynamic and advanced analysis  Potential for more comprehensive assessment  Lots of tools involved  Safer 33
HOW TO DO REVERSE ENGINEERING? Dynamic Analysis  Debugging, Tracing, Memory dumping  Analyze what happens when the binary is executed  Are files made, processes created, websites contacted, files downloaded/executed, etc  Show you the effect the binary has on the system/network  Run binaries in a sandbox for safe 34
EVASIONS AND OBFUSCATIONS  To Defeat Static Analysis  Encryption (packing)  API and control-flow obfuscations  Anti-disassembly  To Defeat Dynamic Analysis  Anti-debugging, anti-tracing, anti-memory dumping  VM detection, emulator detection The main purpose of obfuscation is to slow down the security community 35
REVERSE ENGINEERING PHASES  Unpacking  The image of a running binary is often considered damaged: No known OEP. Imported APIs are invoked dynamically and the original import table is destroyed. Arbitrary section names and r/w/e permissions.  Disassembly  Identification of code and data segments  Relies on the unpacker to capture all code and data segments 36
REVERSE ENGINEERING PHASES  Decompilation  Reconstruction of the code segment into a C-like higher level representation  Relies on the disassembler to recognize function boundaries, targets of call sites, imports, and OEP  Program understanding  Relies on the decompiler to produce readable C code, by recognizing the compiler, calling conventions, stack frames manipulation, functions prologs and epilogs, user-defined data structures 37
OVERVIEW  Linux  Reverse Engineering  Reverse Engineering on Linux 38 What? Why? How?
WHAT WE CAN/WILL DO? attack  Integer overflows  Buffer overflows  Format string vulnerabilities  Heap overflows  Return-Oriented Programming (ROP)  Sigreturn-Oriented Programming (SROP)  Return-into-libc exploits protect  Stack canary  Non-eXecutable memory pages (NX)  Data Execution Prevention (DEP)  W xor X (W^X)  Position Independent Executable (PIE)  Address Space Layout Randomization (ASLR)  Position Independent Executables (PIE) 39
OVERVIEW  Linux  Reverse Engineering  Reverse Engineering on Linux 40 What? Why? How?
WHY REVERSE ENGINEERING ON LINUX IS NEEDED? 41http://www.cvedetails.com/vendor/33/Linux.html
WHY REVERSE ENGINEERING ON LINUX IS NEEDED? 42 http://www.sic.gov.cn/archiver/SIC/UpFile/Files/Default/20170807115920801889.pdf
OVERVIEW  Linux  Reverse Engineering  Reverse Engineering on Linux 43 What? Why? How?
LINUX TOOLS Hex editors / viewers  wxHexEditor (GUI)  xxd  “-i”: output in C include file style  “-g”: number of octets per group in normal output  “-l len”: stop after <len> octets  “-u”: use upper case hex letters  “xxd -g1” 44
LINUX TOOLS ASCII readable hex  strings  print the strings of printable characters in files  “-a --all”: scan the entire file, not just the data section [default]  “-t --radix={o, d, x}”: print the location of the string in base 8, 10 or 16  “-e –encoding={s, S, b, l, B, L}”: select size and endianess  s = 7-bit, S = 8-bit, {b, l} = 16-bit, {B, L} = 32-bit  “strings -t x /lib32/libc-2.24.so | grep /bin/sh”  “strings [executable] | grep -i upx” 45
LINUX TOOLS File format on disk  file  determine file type  “file -L [file]”: follow symlinks  readelf  displays information about ELF files  “-h --file-header”: display the ELF file header  “-l --program-headers”: display the program headers  “-S --section-headers”: display the sections’ header  “-e --headers”: Equivalent to: -h -l –S  “-s --relocs”: display the relocations (if present)  “-d --dynamic”: display the dynamic section (if present) 46
LINUX TOOLS Display information from object files  objdump  “-d --disassemble”: display assembler contents of executable sections  “-R --dynamic-reloc”: display the dynamic relocation entries in the file  “objdump -d [executable] | grep -A 30 [function_name]”  ldd  print shared object dependencies 47
LINUX TOOLS Tracing ltrace  trace runtime library calls in dynamically linked programs  “-f”: trace children (fork() and clone())  “-p pid”: attach to the process with the process id  “-S”: trace system calls as well as library calls  strace  trace system calls and signals  “-o file”: send trace output to FILE instead of stderr  “-c”: count time, calls, and errors for each syscall and report summary  “-p pid”: trace process with process id, may be repeated 48
LINUX TOOLS Debugger  edb (GUI)  gdb  GNU Debugger  A debugger for several languages, including C and C++  It allows you to inspect what the program is doing at a certain point during execution  Errors like “segmentation faults” may be easier to find with the help of gdb  peda / gef  “mv special ~/.gdbinit” 49
GDB  (b) break [file:]function  set a breakpoint at function (or file:function)  (i b) info breakpoints  show information about all declared breakpoints  (r) run [arglist]  start your program (with arglist)  (s) step  execute next program line; step into any function calls in the line  (n) next  execute next program line; step over any function calls in the line  (q) quit  exit from gdb 50
GDB  (bt) backtrace  display the program stack  (p) print [expr]  print the value of an expression  (c) continue  continue running your program  (fin) finish  execute until selected stack frame returns  (h) help [name]  show information about gdb command 51
GDB  x/NFU <addr>  examine memory  “N”: repeat count followed by a format letter and a size letter  “F”: format letters are o(octal), x(hex), d(decimal), u(unsigned decimal), t(binary), f(float), a(address), i(instruction), c(char), s(string) and z(hex, zero padded on the left)  “U”: size letter are b(byte), h(halfword), w(word), g(giant, 8 bytes) 52
GDB  gcc -g hello.c  the “-g” option will enable built-in debugging support  list [file:]function  list specified function or line  edit [file:]function  edit specified file or function 53
GNU BINUTILS  The GNU Binutils are a collection of binary tools  ld  the GNU linker  as  the GNU assembler  Cross compile  i386, arm, mips, sparc, powerpc  amd64, aarch64, mips64, sparc64, powerpc64 54
MORE TECHNIQUES AND TOOLS  Fuzzing  An automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program.  AFL, LibFuzzer  Symbolic Execution  Analyzing a program to determine what inputs cause each part of a program to execute  angr, Triton, S2E  LLVM  Collection of modular and reusable compiler and toolchain technologies  clang  Machine Learning 55
RESOURCES  Reverse Engineering for Beginners by Dennis Yurichev  https://beginners.re/  Practical Reverse Engineering by Dang, Gazet, Bachaalany  Hacking: The Art of Exploitation, 2nd Edition by Jon Erickson  The Shell coder’s Handbook: Discovering and Exploiting Security Holes, 2nd Edition by Chris Anley et al  Secure Coding in C and C++, 2nd Edition by Robert C. Seacord 56
CONTACTS  Chao Yang  Blog  https://firmianay.github.io  Contact with me POLITELY  Tel:  QQ:  Telegram: @firmianay  Contact me if you have any questions, or just want to talk with me  57
一直学习就可以了 58 -- @Icemakr
THANKS 59 2017.10.14

Recommended

Distro Recipes 2013: What&rsquo;s new in gcc 4.8?
Distro Recipes 2013: What&rsquo;s new in gcc 4.8?Distro Recipes 2013: What&rsquo;s new in gcc 4.8?
Distro Recipes 2013: What&rsquo;s new in gcc 4.8?Anne Nicolas
 
Distro Recipes 2013 : Contribution of RDF metadata for traceability among pro...
Distro Recipes 2013 : Contribution of RDF metadata for traceability among pro...Distro Recipes 2013 : Contribution of RDF metadata for traceability among pro...
Distro Recipes 2013 : Contribution of RDF metadata for traceability among pro...Anne Nicolas
 
Building Mini Embedded Linux System for X86 Arch
Building Mini Embedded Linux System for X86 ArchBuilding Mini Embedded Linux System for X86 Arch
Building Mini Embedded Linux System for X86 ArchSherif Mousa
 
Linux notes
Linux notesLinux notes
Linux notesTeja Bheemanapally
 
Linux internals v4
Linux internals v4Linux internals v4
Linux internals v4Liran Ben Haim
 
An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)
An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)
An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)William Liang
 
Galvin-operating System(Free bsd)
Galvin-operating System(Free bsd)Galvin-operating System(Free bsd)
Galvin-operating System(Free bsd)dsuyal1
 
Linux introduction, class 1
Linux introduction, class 1Linux introduction, class 1
Linux introduction, class 1Adrian Mikeliunas
 

Recommended

Distro Recipes 2013: What&rsquo;s new in gcc 4.8?
Distro Recipes 2013: What&rsquo;s new in gcc 4.8?Distro Recipes 2013: What&rsquo;s new in gcc 4.8?
Distro Recipes 2013: What&rsquo;s new in gcc 4.8?Anne Nicolas
 
Distro Recipes 2013 : Contribution of RDF metadata for traceability among pro...
Distro Recipes 2013 : Contribution of RDF metadata for traceability among pro...Distro Recipes 2013 : Contribution of RDF metadata for traceability among pro...
Distro Recipes 2013 : Contribution of RDF metadata for traceability among pro...Anne Nicolas
 
Building Mini Embedded Linux System for X86 Arch
Building Mini Embedded Linux System for X86 ArchBuilding Mini Embedded Linux System for X86 Arch
Building Mini Embedded Linux System for X86 ArchSherif Mousa
 
Linux notes
Linux notesLinux notes
Linux notesTeja Bheemanapally
 
Linux internals v4
Linux internals v4Linux internals v4
Linux internals v4Liran Ben Haim
 
An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)
An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)
An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)William Liang
 
Galvin-operating System(Free bsd)
Galvin-operating System(Free bsd)Galvin-operating System(Free bsd)
Galvin-operating System(Free bsd)dsuyal1
 
Linux introduction, class 1
Linux introduction, class 1Linux introduction, class 1
Linux introduction, class 1Adrian Mikeliunas
 
OWF12/PAUG Conf Days Android system development, maxime ripard, free electrons
OWF12/PAUG Conf Days Android system development, maxime ripard, free electronsOWF12/PAUG Conf Days Android system development, maxime ripard, free electrons
OWF12/PAUG Conf Days Android system development, maxime ripard, free electronsParis Open Source Summit
 
Assignment unix & shell programming
Assignment unix & shell programmingAssignment unix & shell programming
Assignment unix & shell programmingMohit Aggarwal
 
linux minimal os tutorial - by shatrix
linux minimal os tutorial - by shatrixlinux minimal os tutorial - by shatrix
linux minimal os tutorial - by shatrixSherif Mousa
 
Linux
Linux Linux
Linux Teja Babu
 
001 linux revision
001 linux revision001 linux revision
001 linux revisionSherif Mousa
 
Linux OS presentation
Linux OS presentationLinux OS presentation
Linux OS presentationSahilGothoskar
 
Browsing The Source Code of Linux Packages
Browsing The Source Code of Linux PackagesBrowsing The Source Code of Linux Packages
Browsing The Source Code of Linux PackagesMotaz Saad
 
Operating System..!
Operating System..!Operating System..!
Operating System..!benremoz
 
Linux a free and open source operating system
Linux a free and open source operating systemLinux a free and open source operating system
Linux a free and open source operating systembanwait
 
Building Embedded Linux
Building Embedded LinuxBuilding Embedded Linux
Building Embedded LinuxSherif Mousa
 
Android platform
Android platform Android platform
Android platform Rashmi Warghade
 
Advance linux presentation_0702011
Advance linux presentation_0702011Advance linux presentation_0702011
Advance linux presentation_0702011Aravindan Arun
 
linux introduction
linux introductionlinux introduction
linux introductionAmiya Krishna Singh
 
Ppt af linux
Ppt af linuxPpt af linux
Ppt af linuxMary Grace M. Rocafort
 
Linux introduction
Linux introductionLinux introduction
Linux introductionMd. Zahid Hossain Shoeb
 
Introduction 2 linux
Introduction 2 linuxIntroduction 2 linux
Introduction 2 linuxPapu Kumar
 
Linux
LinuxLinux
LinuxSiliconExpert Technologies
 
linux os-basics,Devops training in Hyderabad
linux os-basics,Devops training in Hyderabadlinux os-basics,Devops training in Hyderabad
linux os-basics,Devops training in HyderabadDevops Trainer
 
Introduction to linux ppt
Introduction to linux pptIntroduction to linux ppt
Introduction to linux pptOmi Vichare
 
2nd
2nd2nd
2ndErm78
 
Ceh v5 module 18 linux hacking
Ceh v5 module 18 linux hackingCeh v5 module 18 linux hacking
Ceh v5 module 18 linux hackingVi Tính Hoàng Nam
 
Module 18 (linux hacking)
Module 18 (linux hacking)Module 18 (linux hacking)
Module 18 (linux hacking)Wail Hassan
 

More Related Content

What's hot

OWF12/PAUG Conf Days Android system development, maxime ripard, free electrons
OWF12/PAUG Conf Days Android system development, maxime ripard, free electronsOWF12/PAUG Conf Days Android system development, maxime ripard, free electrons
OWF12/PAUG Conf Days Android system development, maxime ripard, free electronsParis Open Source Summit
 
Assignment unix & shell programming
Assignment unix & shell programmingAssignment unix & shell programming
Assignment unix & shell programmingMohit Aggarwal
 
linux minimal os tutorial - by shatrix
linux minimal os tutorial - by shatrixlinux minimal os tutorial - by shatrix
linux minimal os tutorial - by shatrixSherif Mousa
 
001 linux revision
001 linux revision001 linux revision
001 linux revisionSherif Mousa
 
Browsing The Source Code of Linux Packages
Browsing The Source Code of Linux PackagesBrowsing The Source Code of Linux Packages
Browsing The Source Code of Linux PackagesMotaz Saad
 
Operating System..!
Operating System..!Operating System..!
Operating System..!benremoz
 
Linux a free and open source operating system
Linux a free and open source operating systemLinux a free and open source operating system
Linux a free and open source operating systembanwait
 
Building Embedded Linux
Building Embedded LinuxBuilding Embedded Linux
Building Embedded LinuxSherif Mousa
 
Advance linux presentation_0702011
Advance linux presentation_0702011Advance linux presentation_0702011
Advance linux presentation_0702011Aravindan Arun
 
Introduction 2 linux
Introduction 2 linuxIntroduction 2 linux
Introduction 2 linuxPapu Kumar
 
linux os-basics,Devops training in Hyderabad
linux os-basics,Devops training in Hyderabadlinux os-basics,Devops training in Hyderabad
linux os-basics,Devops training in HyderabadDevops Trainer
 
Introduction to linux ppt
Introduction to linux pptIntroduction to linux ppt
Introduction to linux pptOmi Vichare
 

What's hot (20)

OWF12/PAUG Conf Days Android system development, maxime ripard, free electrons
OWF12/PAUG Conf Days Android system development, maxime ripard, free electronsOWF12/PAUG Conf Days Android system development, maxime ripard, free electrons
OWF12/PAUG Conf Days Android system development, maxime ripard, free electrons
 
Assignment unix & shell programming
Assignment unix & shell programmingAssignment unix & shell programming
Assignment unix & shell programming
 
linux minimal os tutorial - by shatrix
linux minimal os tutorial - by shatrixlinux minimal os tutorial - by shatrix
linux minimal os tutorial - by shatrix
 
Linux
Linux Linux
Linux
 
001 linux revision
001 linux revision001 linux revision
001 linux revision
 
Linux OS presentation
Linux OS presentationLinux OS presentation
Linux OS presentation
 
Browsing The Source Code of Linux Packages
Browsing The Source Code of Linux PackagesBrowsing The Source Code of Linux Packages
Browsing The Source Code of Linux Packages
 
Operating System..!
Operating System..!Operating System..!
Operating System..!
 
Linux a free and open source operating system
Linux a free and open source operating systemLinux a free and open source operating system
Linux a free and open source operating system
 
Building Embedded Linux
Building Embedded LinuxBuilding Embedded Linux
Building Embedded Linux
 
Android platform
Android platform Android platform
Android platform
 
Advance linux presentation_0702011
Advance linux presentation_0702011Advance linux presentation_0702011
Advance linux presentation_0702011
 
linux introduction
linux introductionlinux introduction
linux introduction
 
Ppt af linux
Ppt af linuxPpt af linux
Ppt af linux
 
Linux introduction
Linux introductionLinux introduction
Linux introduction
 
Introduction 2 linux
Introduction 2 linuxIntroduction 2 linux
Introduction 2 linux
 
Linux
LinuxLinux
Linux
 
linux os-basics,Devops training in Hyderabad
linux os-basics,Devops training in Hyderabadlinux os-basics,Devops training in Hyderabad
linux os-basics,Devops training in Hyderabad
 
Introduction to linux ppt
Introduction to linux pptIntroduction to linux ppt
Introduction to linux ppt
 
2nd
2nd2nd
2nd
 

Similar to Fight with linux reverse

Module 18 (linux hacking)
Module 18 (linux hacking)Module 18 (linux hacking)
Module 18 (linux hacking)Wail Hassan
 
Linux nic training_intro_14_dec_09
Linux nic training_intro_14_dec_09Linux nic training_intro_14_dec_09
Linux nic training_intro_14_dec_09Aravindan Arun
 
Linux operating system ppt
Linux operating system pptLinux operating system ppt
Linux operating system pptAchyut Sinha
 
I Am Linux-Introductory Module on Linux
I Am Linux-Introductory Module on LinuxI Am Linux-Introductory Module on Linux
I Am Linux-Introductory Module on LinuxSagar Kumar
 
CEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxCEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxYasserOuda2
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
 
Open source freeopensource & linux
Open source freeopensource & linuxOpen source freeopensource & linux
Open source freeopensource & linuxManura Perera
 
Porting your favourite cmdline tool to Android
Porting your favourite cmdline tool to AndroidPorting your favourite cmdline tool to Android
Porting your favourite cmdline tool to AndroidVlatko Kosturjak
 
OS Lab: Introduction to Linux
OS Lab: Introduction to LinuxOS Lab: Introduction to Linux
OS Lab: Introduction to LinuxMotaz Saad
 
Kernel Recipes 2013 - Easy rootfs using Buildroot
Kernel Recipes 2013 - Easy rootfs using BuildrootKernel Recipes 2013 - Easy rootfs using Buildroot
Kernel Recipes 2013 - Easy rootfs using BuildrootAnne Nicolas
 

Similar to Fight with linux reverse (20)

Ceh v5 module 18 linux hacking
Ceh v5 module 18 linux hackingCeh v5 module 18 linux hacking
Ceh v5 module 18 linux hacking
 
Module 18 (linux hacking)
Module 18 (linux hacking)Module 18 (linux hacking)
Module 18 (linux hacking)
 
Linux nic training_intro_14_dec_09
Linux nic training_intro_14_dec_09Linux nic training_intro_14_dec_09
Linux nic training_intro_14_dec_09
 
Foss Presentation
Foss PresentationFoss Presentation
Foss Presentation
 
Linux operating system ppt
Linux operating system pptLinux operating system ppt
Linux operating system ppt
 
Linux Virus
Linux VirusLinux Virus
Linux Virus
 
Linux Device Driver’s
Linux Device Driver’sLinux Device Driver’s
Linux Device Driver’s
 
Linux
LinuxLinux
Linux
 
I Am Linux-Introductory Module on Linux
I Am Linux-Introductory Module on LinuxI Am Linux-Introductory Module on Linux
I Am Linux-Introductory Module on Linux
 
CEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxCEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptx
 
Linux introduction (eng)
Linux introduction (eng)Linux introduction (eng)
Linux introduction (eng)
 
Intro to linux
Intro to linuxIntro to linux
Intro to linux
 
Unix Administration 1
Unix Administration 1Unix Administration 1
Unix Administration 1
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
 
Open source freeopensource & linux
Open source freeopensource & linuxOpen source freeopensource & linux
Open source freeopensource & linux
 
Porting your favourite cmdline tool to Android
Porting your favourite cmdline tool to AndroidPorting your favourite cmdline tool to Android
Porting your favourite cmdline tool to Android
 
OS Lab: Introduction to Linux
OS Lab: Introduction to LinuxOS Lab: Introduction to Linux
OS Lab: Introduction to Linux
 
Linux
Linux Linux
Linux
 
Kernel Recipes 2013 - Easy rootfs using Buildroot
Kernel Recipes 2013 - Easy rootfs using BuildrootKernel Recipes 2013 - Easy rootfs using Buildroot
Kernel Recipes 2013 - Easy rootfs using Buildroot
 
Device drivers tsp
Device drivers tspDevice drivers tsp
Device drivers tsp
 

Recently uploaded

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 

Recently uploaded (20)

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 

Fight with linux reverse

  • 2. OVERVIEW  Linux  Reverse Engineering  Reverse Engineering on Linux 2 What? Why? How?
  • 3. OVERVIEW  Linux  Reverse Engineering  Reverse Engineering on Linux 3 What? Why? How?
  • 4. WHAT IS GNU/LINUX?  Hello, this is Linus Torvalds, and I pronounce Linux as Linux!  Inspired by the UNIX OS, the Linux kernel was developed as a clone of UNIX  GNU was started in 1984 with a mission to develop a free UNIX-like OS  Linux was the best fit as the kernel for the GNU Project  Linux kernel was passed onto many interested developers throughout the Internet 4
  • 5. DISTRIBUTIONS  Linux is basically a kernel, it was combined with the various software and compilers from GNU Project form an OS, called GNU/Linux  Linux is a full-fledged OS available in the form of various Linux Distributions  Archlinux, Ubuntu, Debian, RedHat, Fedora are examples of Linux distros  Linux is supported by big names as IBM, Google, Sun, Oracle and many more  http://distrowatch.com/ 5
  • 6. OVERVIEW  Linux  Reverse Engineering  Reverse Engineering on Linux 6 What? Why? How?
  • 7. WHY USE LINUX?  Powerful  Runs on multiple hardware platforms  Users like its speed and stability  No requirement for latest hardware  Convenience  A consistent software environments that is completely machine independent  Every system will have a GNU toolchain to compile code for the resident platform!  It’s “free”  Licensed under GPL 7
  • 9. OVERVIEW  Linux  Reverse Engineering  Reverse Engineering on Linux 9 What? Why? How?
  • 10. SETUP YOUR VM  What is a virtual machine?  Simply, a computer in your computer  Really, a (usually) segregated virtual environment that emulates real hardware  Virtual Box, VMware Workstation Pro/Player, QEMU  Why we need a virtual machine?  Safety, reliability, consistency, it’s easy  Keep the binary in a contained environment  Snapshots  What’s in a virtual machine?  Lots of tools: debuggers, disassemblers, analyzers, unpackers, compilers…  迅雷,百度云,QQ 10
  • 11. HOW TO USE LINUX?  Environments  Arch Linux  GNU bash 4.4.12(1)  Resources  鸟哥的 Linux 私房菜  http://linux.vbird.org/  man bash 11
  • 12. BASIC COMMAND LINE  ls [path]  list directory contents  “ls -al /”  /bin, /boot, /dev, /etc, /home, /lib, /mnt, /proc, /root, /tmp, /usr  cd [path]  change the working directory  pwd  print the path of current/working directory  cat [file]  concatenate files and print on the standard output  “less”, “more” 12
  • 13. BASIC COMMAND LINE  cp [file] [location]  copy the file/directory to the location  mv [file] [location]  move (rename) the file to the location  rm [file]  remove the file or directory  never do “sudo rm -rf /”  vim  command line text editors  “type :quit<Enter> to quit VIM” 13
  • 14. BASIC COMMAND LINE  grep [pattern]  print lines matching a pattern  find  search for files in a directory hierarchy  man [command]  an interface to the on-line reference manuals  apropos [whatever]  search the manual page names and descriptions  [command] --help  display help pages 14
  • 15. PIPES AND REDIRECTION  Redirection  /proc/[PID]/fd  0: stdin  1: stdout  2: stderr  “>”: take the standard output of the command on the left and redirects it to the file on the right  “>>”: take the standard output of the command on the left and appends it to the file on the right  “<”: takes the standard input from the file on the right and input into the program on the left Pipes - “|”  take the standard output of the program on the left and input into the program on the right 15
  • 16. JUST FOR SAD 16  :(){ :|:& };:  Fork bomb  https://en.wikipedia.org/wiki/Fork_bomb
  • 17. LINUX FILE PERMISSIONS  Owner, group  Permissions set by owner/root  Resolving permissions:  If user=owner, then owner privileges  If user in group, then group privileges  Otherwise, all privileges 17 1 2 3 4 5 6 7 8 9 10 File Type User Permission Group Permission Other Permission Read Write Execute Read Write Execute Read Write Execute d/l/s/p/-/c/b r w e r w e r w e
  • 18. LINUX PROCESS PERMISSIONS  Process (normally) runs with permissions of user that invoked process  “/etc/shadow” is owned by root  Users shouldn’t be able to write to it generally 18
  • 19. LINUX PROCESS PERMISSIONS UID 0 is root  Real user ID (RUID)  same as UID of parent (who started process)  Effective user ID (EUID)  from set user ID bit of file being executed or due to sys call  Saved user ID (SUID)  place to save the previous UID if one temporarily changes it Also SGID, EGID, etc… 19
  • 20. EXECUTABLE FILES HAVE 3 SETUID BITS  Setuid bit – set EUID of process to owner’s ID  Setgid bit – set EGID of process to group’s ID  sticky bit:  0 means user with write on directory can rename/remove file  1 means only file owner, directory owner, root can do so  So, “passwd” is a setuid program  It runs at permission level of owner, not user that runs it 20
  • 21. EXECUTABLE LINKABLE FORMAT (ELF)  Relocatable file  holds code and data suitable for linking with other object files to create an executable or a shared object file  a.o  Executable File  holds a program suitable for execution  a.out  Shared Object File  holds code and data suitable for linking in two contexts. First, the linker process it with other relocatable and shared files to create another object file. Second, the dynamic linker combines it with an executable file and other shared objects to create a process image  libc-2.25.so 21
  • 23. OVERVIEW  Linux  Reverse Engineering  Reverse Engineering on Linux 23 What? Why? How?
  • 24. FROM C CODE TO BINARY FILE 24 gcc -save-temps hello.c
  • 25. WHAT IS REVERSE ENGINEERING?  The process of analyzing a subject system to  (i) identify the system’s components and their inter-relationships and  (ii) create representations of the system in another form or at a higher level of abstraction • From New Frontiers of Reverse Engineering http://cipressosjsu.info/CS266/pdf/new_frontiers_of_reverse_engine ering.pdf 25
  • 26. TERMINOLOGY  Machine  A computer, server, sometimes refers to the actual CPU  Binary  An executable such as an .EXE, ELF, Mach-O or other code containers that run on a machine  Malware  A malicious binary meant to persist on a machine such as a Rootkit or Remote Access Tool (RAT) 26
  • 27. TERMINOLOGY  Vulnerability  A bug in a binary that can be leveraged by an exploit  Exploit  Specially crafted data that utilizes vulnerabilities to force the binary into doing something unintended  0day  A previously unknown or unpatched vulnerability that can be used by an exploit  An 0day can also be an exploit using the unpatched vulnerability  Pwn/Pwning  In security, pwning commonly refers to vulnerability research, exploit development and sometimes luckily found a 0day 27
  • 28. APPLICATIONS  Military or commercial espionage  Software security analysis  Bug digging and fixing  Game external plugins  Algorithm copy  Saving money  … 28
  • 29. OVERVIEW  Linux  Reverse Engineering  Reverse Engineering on Linux 29 What? Why? How?
  • 30. WHY LEARN REVERSE ENGINEERING?  Understanding of how programs really work  It’s a big challenge  Almost non-existent in academia  Few people have mastered  Satisfy your curiosity  Gain a sense of accomplishment  Just for fun  … 30
  • 31. OVERVIEW  Linux  Reverse Engineering  Reverse Engineering on Linux 31 What? Why? How?
  • 32. WHY DOES SOFTWARE HAVE VULNERABILITIES?  Programmers are humans  Use tools  Programmers often aren’t security-aware  learn about common types of security flaws  Programmers languages aren’t designed well for security  Use better languages (Java, Python, …) 32
  • 33. HOW TO DO REVERSE ENGINEERING? Static Analysis  Disassembly, Decompile, Unpack, Deobfuscate  Analyzing a binary without executing any code  Can provide complementary insights to guide dynamic and advanced analysis  Potential for more comprehensive assessment  Lots of tools involved  Safer 33
  • 34. HOW TO DO REVERSE ENGINEERING? Dynamic Analysis  Debugging, Tracing, Memory dumping  Analyze what happens when the binary is executed  Are files made, processes created, websites contacted, files downloaded/executed, etc  Show you the effect the binary has on the system/network  Run binaries in a sandbox for safe 34
  • 35. EVASIONS AND OBFUSCATIONS  To Defeat Static Analysis  Encryption (packing)  API and control-flow obfuscations  Anti-disassembly  To Defeat Dynamic Analysis  Anti-debugging, anti-tracing, anti-memory dumping  VM detection, emulator detection The main purpose of obfuscation is to slow down the security community 35
  • 36. REVERSE ENGINEERING PHASES  Unpacking  The image of a running binary is often considered damaged: No known OEP. Imported APIs are invoked dynamically and the original import table is destroyed. Arbitrary section names and r/w/e permissions.  Disassembly  Identification of code and data segments  Relies on the unpacker to capture all code and data segments 36
  • 37. REVERSE ENGINEERING PHASES  Decompilation  Reconstruction of the code segment into a C-like higher level representation  Relies on the disassembler to recognize function boundaries, targets of call sites, imports, and OEP  Program understanding  Relies on the decompiler to produce readable C code, by recognizing the compiler, calling conventions, stack frames manipulation, functions prologs and epilogs, user-defined data structures 37
  • 38. OVERVIEW  Linux  Reverse Engineering  Reverse Engineering on Linux 38 What? Why? How?
  • 39. WHAT WE CAN/WILL DO? attack  Integer overflows  Buffer overflows  Format string vulnerabilities  Heap overflows  Return-Oriented Programming (ROP)  Sigreturn-Oriented Programming (SROP)  Return-into-libc exploits protect  Stack canary  Non-eXecutable memory pages (NX)  Data Execution Prevention (DEP)  W xor X (W^X)  Position Independent Executable (PIE)  Address Space Layout Randomization (ASLR)  Position Independent Executables (PIE) 39
  • 40. OVERVIEW  Linux  Reverse Engineering  Reverse Engineering on Linux 40 What? Why? How?
  • 41. WHY REVERSE ENGINEERING ON LINUX IS NEEDED? 41http://www.cvedetails.com/vendor/33/Linux.html
  • 42. WHY REVERSE ENGINEERING ON LINUX IS NEEDED? 42 http://www.sic.gov.cn/archiver/SIC/UpFile/Files/Default/20170807115920801889.pdf
  • 43. OVERVIEW  Linux  Reverse Engineering  Reverse Engineering on Linux 43 What? Why? How?
  • 44. LINUX TOOLS Hex editors / viewers  wxHexEditor (GUI)  xxd  “-i”: output in C include file style  “-g”: number of octets per group in normal output  “-l len”: stop after <len> octets  “-u”: use upper case hex letters  “xxd -g1” 44
  • 45. LINUX TOOLS ASCII readable hex  strings  print the strings of printable characters in files  “-a --all”: scan the entire file, not just the data section [default]  “-t --radix={o, d, x}”: print the location of the string in base 8, 10 or 16  “-e –encoding={s, S, b, l, B, L}”: select size and endianess  s = 7-bit, S = 8-bit, {b, l} = 16-bit, {B, L} = 32-bit  “strings -t x /lib32/libc-2.24.so | grep /bin/sh”  “strings [executable] | grep -i upx” 45
  • 46. LINUX TOOLS File format on disk  file  determine file type  “file -L [file]”: follow symlinks  readelf  displays information about ELF files  “-h --file-header”: display the ELF file header  “-l --program-headers”: display the program headers  “-S --section-headers”: display the sections’ header  “-e --headers”: Equivalent to: -h -l –S  “-s --relocs”: display the relocations (if present)  “-d --dynamic”: display the dynamic section (if present) 46
  • 47. LINUX TOOLS Display information from object files  objdump  “-d --disassemble”: display assembler contents of executable sections  “-R --dynamic-reloc”: display the dynamic relocation entries in the file  “objdump -d [executable] | grep -A 30 [function_name]”  ldd  print shared object dependencies 47
  • 48. LINUX TOOLS Tracing ltrace  trace runtime library calls in dynamically linked programs  “-f”: trace children (fork() and clone())  “-p pid”: attach to the process with the process id  “-S”: trace system calls as well as library calls  strace  trace system calls and signals  “-o file”: send trace output to FILE instead of stderr  “-c”: count time, calls, and errors for each syscall and report summary  “-p pid”: trace process with process id, may be repeated 48
  • 49. LINUX TOOLS Debugger  edb (GUI)  gdb  GNU Debugger  A debugger for several languages, including C and C++  It allows you to inspect what the program is doing at a certain point during execution  Errors like “segmentation faults” may be easier to find with the help of gdb  peda / gef  “mv special ~/.gdbinit” 49
  • 50. GDB  (b) break [file:]function  set a breakpoint at function (or file:function)  (i b) info breakpoints  show information about all declared breakpoints  (r) run [arglist]  start your program (with arglist)  (s) step  execute next program line; step into any function calls in the line  (n) next  execute next program line; step over any function calls in the line  (q) quit  exit from gdb 50
  • 51. GDB  (bt) backtrace  display the program stack  (p) print [expr]  print the value of an expression  (c) continue  continue running your program  (fin) finish  execute until selected stack frame returns  (h) help [name]  show information about gdb command 51
  • 52. GDB  x/NFU <addr>  examine memory  “N”: repeat count followed by a format letter and a size letter  “F”: format letters are o(octal), x(hex), d(decimal), u(unsigned decimal), t(binary), f(float), a(address), i(instruction), c(char), s(string) and z(hex, zero padded on the left)  “U”: size letter are b(byte), h(halfword), w(word), g(giant, 8 bytes) 52
  • 53. GDB  gcc -g hello.c  the “-g” option will enable built-in debugging support  list [file:]function  list specified function or line  edit [file:]function  edit specified file or function 53
  • 54. GNU BINUTILS  The GNU Binutils are a collection of binary tools  ld  the GNU linker  as  the GNU assembler  Cross compile  i386, arm, mips, sparc, powerpc  amd64, aarch64, mips64, sparc64, powerpc64 54
  • 55. MORE TECHNIQUES AND TOOLS  Fuzzing  An automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program.  AFL, LibFuzzer  Symbolic Execution  Analyzing a program to determine what inputs cause each part of a program to execute  angr, Triton, S2E  LLVM  Collection of modular and reusable compiler and toolchain technologies  clang  Machine Learning 55
  • 56. RESOURCES  Reverse Engineering for Beginners by Dennis Yurichev  https://beginners.re/  Practical Reverse Engineering by Dang, Gazet, Bachaalany  Hacking: The Art of Exploitation, 2nd Edition by Jon Erickson  The Shell coder’s Handbook: Discovering and Exploiting Security Holes, 2nd Edition by Chris Anley et al  Secure Coding in C and C++, 2nd Edition by Robert C. Seacord 56
  • 57. CONTACTS  Chao Yang  Blog  https://firmianay.github.io  Contact with me POLITELY  Tel:  QQ:  Telegram: @firmianay  Contact me if you have any questions, or just want to talk with me  57