SlideShare a Scribd company logo

DEF CON 23 - Ryan o'neil - advances in linux forensics with ecfs

Felipe Prado
Felipe Prado

DEF CON 23 - Ryan o'neil - advances in linux forensics with ecfs

Technology
1 of 39
Download to read offline
Advances in Linux process forensics with ECFS
Quick history ● Wanted to design a process snapshot format native to VMA Vudu ● http://www.bitlackeys.org/#vmavudu ● ECFS proved useful for other projects as well
Problem space  A process address space is complex with many components ➢ ELF binary format (structural nuances) ➢ Dynamic linking ➢ Architecture specific data and structures ➢ Kernel specific data and code (VDSO, VSYSCALL) ➢ Multiple threads
Hackers infect processes ● Process infection is stealth and flexible ● Processes are attacked in many ways ➢ Viruses ➢ Rootkits ➢ Backdoors ➢ Exploitation
Process forensics capable tools ● Volatility ● Rekall ● Second Look ● ptrace system call ● GDB ● Core dumps
Volatility in kernel land ● Use full system memory dumps ● Dwarf symbols to acquire high resolution insight into the Linux kernel ● Can be used to detect virtually any kernel malware ● System.map, and libdwarf are friendly for this (Creating kernel profiles)
Volatility in process memory ● detect_plt – A plugin for detecting PLT/GOT hooks by Georg Wicherski ● Process snapshots are raw ● Low resolution insight compared to kernel ● Plugin development is a big task ● No profile can exist for each process
Full memory dump vs. process memory dump ● Macrocosm: full memory dump ● Microcosm: process memory dump ● ECFS focuses on the Microcosm
Extended core file snapshot ● A custom core file format for forensics analysis ● Backwards compatible with Linux Core files ● HI-DEF resolution process-snapshots
Overview of attack surface ● ET_DYN Injection (.so files) ● ET_REL Injection (.o files) ● ET_EXEC Injection (exe files) ➢ LD_PRELOAD ➢ __libc_dlopen_mode ➢ sys_ptrace ➢ VDSO manipulation ➢ Shellcode based loading ● Symbol and code hijacking ➢ PLT/GOT poisoning ➢ Trampolines (inline hooks) ➢ .ctors/.dtors patching ➢ Text segment modifications and other anomalies
Process memory layout
Definition of process memory forensics & analysis ● Understanding the process layout and structure ● Learning the programs runtime characteristics ● Identifying anomalous code or data ● Identifying process infection ➢ Backdoors ➢ Rootkits ➢ Keyloggers ➢ Viruses ➢ protected binaries
Traditional core files .p1 ● A snapshot of a process ● Contains segments (text, data, stack, heap) ● Contains all memory mappings ● File mappings and shared libraries ● ELF file header ● Program headers describing memory layout
Traditional core files .p2 ● The PT_NOTE segment in a core file contains: ➢ Register state (struct elf_prstatus) ➢ Shared library paths ➢ Auxiliary vector ➢ Signal information
Traditional core files .p3 ● A core file is dumped by the kernel when a process is delivered SIGSEGV ● /usr/src/linux/binfmt_elf.c ● Core files are useful for debugging a crashing application
Traditional cores are useless for forensics ● Highly dependent on the original executable being available ● Do not provide more than 4096 bytes of text images ● Does not give high resolution insight into a process
Recap on forensics goals ● Detect shared library injection ● Detect function hijacking (Trampolines) ● Detect PLT/GOT hooks ● Detect ELF object injection ● Function pointer redirection ● Shellcode injection ● Strange segment permissions ● ETC.
We want to quickly identify ● Userland memory rootkits ● Exploitation residuals ● Runtime malware/viruses
ECFS Technology ● ECFS is a technology that transforms a process image into an ELF file format ● ECFS makes process analysis much easier ● Analogy (Photographing a process image) Core file (Low res) ECFS file (Hi res)
ECFS Use cases ● Live malware analysis ● Process forensics ● Help break protected binaries ● Pausing and re-starting processes (Process necromancy)
ECFS Features outline ● Hooks into the Linux kernels core handler ● Backwards compatible with core files ● Full symbol table reconstruction ● Section header table reconstruction ● Built-in heuristics ● Custom sections containing - file descriptor data - socket data - IPC data - Signal data - Auxiliary vector - Compressed /proc/<pid> directory ● Re-execution (Pausing a process and running it later) ● Libecfs (API) for parsing ECFS files
Core handler (core_pattern) ● /proc/sys/kernel/core_pattern ● We tell core_pattern to pipe core files into our ecfs handler which then constructs an ecfs file ● Snapshots without killing the process are also possible (Not using core handler) echo '|/opt/ecfs/bin/ecfs_handler -t -e %e -p %p -o /opt/ecfs/cores/%e.%p' > /proc/sys/kernel/core_pattern
Symbol table reconstruction .symtab ● The PT_GNU_EH_FRAME segment contains FDE (Frame descriptor entries) ● .eh_frame data is used for stack unwinding ● Can be used to find the location and size of every function within the binary ● http://www.bitlackeys.org/#eh_frame
.symtab reconstruction is paramount ● Auto control flow (such as with IDA) fails when: Binary is encrypted ● ECFS reconstructs symbol table with exact function location and size even with encrypted binaries ● Show example of reconstructed Maya protected binary
Symbol table reconstruction .dynsym ● located by looking at the dynamic segment and finding DT_SYMTAB ● resolve the address of every shared library function at runtime ● plug these values into the corresponding symbol table entry
ECFS Section headers ● Reconstructs most of the original section headers (i.e., .text, .data, .plt, .got.plt, etc.) ● ECFS adds many new never before seen section headers that are specific to process analysis
ECFS custom sections ● .heap – process heap ● .stack – process stack ● .vdso – virtual dynamic shared object ● .vsyscall – vsyscall page ● ._TEXT – text segment (Not the same as .text) ● ._DATA – data segment (Not the same as .data)
ECFS custom sections .p2 ● .procfs.tgz - compressed /proc/pid ● .prstatus - process status info, registers, etc. ● .fdinfo – file descriptors, sockets, pipes ● .siginfo – Signal and fault info ● .auxvector – auxiliary vector from stack ● .exepath – path of original executable ● .personality – ECFS personality info
ECFS custom sections .p3 ● .arglist – 'char **argv' of program ● .fpregset – Floating point registers
ECFS Custom section types ● SHT_SHLIB – Marks shared library segment mapping ● SHT_INJECTED – Marks injected ELF objects (ET_DYN, ET_REL, etc). ● SHT_PRELOADED – Marks shared libraries that were LD_PRELOAD'd
Injection detection heuristics ● ECFS uses techniques to detect injected ELF objects ● Can detect shared libraries that were not loaded by the dynamic linker ● Can detect any type of injected object file, executable or shared library ● Can differentiate between dlopen and __libc_dlopen_mode
Libecfs (API) ● ECFS parsing library ➢ Tool development is made very easy ➢ Program analysis on protected binaries ➢ Detecting advanced process infections ➢ Isolating the parasite code ➢ Distinct access to program structures and data types
/usr/bin/readecfs ● Readecfs utility ● Similar to readelf ● Uses libecfs to parse ecfs files ● Can extract parasites, code, sections from ecfs files ● Still in early development
ECFS Re-execution ● ECFS snapshots can be taken and then re-executed later in time ● Can be used for live process migration ● Analysis of a suspicious process (re- executed within a sandbox) ● Beta stages ● https://github.com/elfmaster/ecfs_exec
Demo 1 – Detecting anti-forensics process cloaking technique ● Take snapshot of process infected with Saruman PIE executable injection ● Detect infection using simple readelf ● Extract parasite code using readecfs http://www.bitlackeys.org/#saruman
Demo 2 – Detect userland rootkit ● Take snapshot of process infected with Azazel userland rootkit ● Use readecfs to extract the parasite code ● Use detect_plt_hooks to show PLT/GOT hooks in-place
Demo 3 – libecfs for tool development is easy ● The detect_plt_hooks.c is less than 60 lines of code ● Can detect ELF Object injection ● Can detect Shared library injection (ptrace/mmap/__libc_dlopen_mode) ● Can detect LD_PRELOAD libraries ● Can detect PLT/GOT hooks
Demo 4 – ECFS snapshot execution ● Take a snapshot of a simple process that is reading from /etc/passwd and printing the results ● Restore the snapshot, and demonstrate how it restores the file streams, and continues reading from the file
Questions? ● ECFS ● https://github.com/elfmaster/ecfs ● ECFS snapshot execution ● https://github.com/elfmaster/ecfs_exec ● Saruman anti-forensics execve ● https://github.com/elfmaster/saruman

Recommended

Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopTamas K Lengyel
 
Linux Internals - Part II
Linux Internals - Part IILinux Internals - Part II
Linux Internals - Part IIEmertxe Information Technologies Pvt Ltd
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitDharmalingam Ganesan
 
Binary art - Byte-ing the PE that fails you (extended offline version)
Binary art - Byte-ing the PE that fails you (extended offline version)Binary art - Byte-ing the PE that fails you (extended offline version)
Binary art - Byte-ing the PE that fails you (extended offline version)Ange Albertini
 
Linux device drivers
Linux device drivers Linux device drivers
Linux device drivers Emertxe Information Technologies Pvt Ltd
 
Unix kernal
Unix kernalUnix kernal
Unix kernalShehrevar Davierwala
 
Distributed Elixir
Distributed ElixirDistributed Elixir
Distributed ElixirÓscar De Arriba González
 
Linux programming - Getting self started
Linux programming - Getting self started Linux programming - Getting self started
Linux programming - Getting self started Emertxe Information Technologies Pvt Ltd
 

Recommended

Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopTamas K Lengyel
 
Linux Internals - Part II
Linux Internals - Part IILinux Internals - Part II
Linux Internals - Part IIEmertxe Information Technologies Pvt Ltd
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitDharmalingam Ganesan
 
Binary art - Byte-ing the PE that fails you (extended offline version)
Binary art - Byte-ing the PE that fails you (extended offline version)Binary art - Byte-ing the PE that fails you (extended offline version)
Binary art - Byte-ing the PE that fails you (extended offline version)Ange Albertini
 
Linux device drivers
Linux device drivers Linux device drivers
Linux device drivers Emertxe Information Technologies Pvt Ltd
 
Unix kernal
Unix kernalUnix kernal
Unix kernalShehrevar Davierwala
 
Distributed Elixir
Distributed ElixirDistributed Elixir
Distributed ElixirÓscar De Arriba González
 
Linux programming - Getting self started
Linux programming - Getting self started Linux programming - Getting self started
Linux programming - Getting self started Emertxe Information Technologies Pvt Ltd
 
Char Drivers And Debugging Techniques
Char Drivers And Debugging TechniquesChar Drivers And Debugging Techniques
Char Drivers And Debugging TechniquesYourHelper1
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseTakahiro Haruyama
 
RIPS - static code analyzer for vulnerabilities in PHP
RIPS - static code analyzer for vulnerabilities in PHPRIPS - static code analyzer for vulnerabilities in PHP
RIPS - static code analyzer for vulnerabilities in PHPSorina Chirilă
 
Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationzeroSteiner
 
De-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisDe-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisAndrew Case
 
Linux System Programming - File I/O
Linux System Programming - File I/O Linux System Programming - File I/O
Linux System Programming - File I/O YourHelper1
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Andrew Case
 
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityMac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityAndrew Case
 
Introduction Linux Device Drivers
Introduction Linux Device DriversIntroduction Linux Device Drivers
Introduction Linux Device DriversNEEVEE Technologies
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
 
Linux System Programming - Buffered I/O
Linux System Programming - Buffered I/O Linux System Programming - Buffered I/O
Linux System Programming - Buffered I/O YourHelper1
 
Introduction to char device driver
Introduction to char device driverIntroduction to char device driver
Introduction to char device driverVandana Salve
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisTakahiro Haruyama
 
Linux System Programming - Advanced File I/O
Linux System Programming - Advanced File I/OLinux System Programming - Advanced File I/O
Linux System Programming - Advanced File I/OYourHelper1
 
Linux Kernel Introduction
Linux Kernel IntroductionLinux Kernel Introduction
Linux Kernel IntroductionSage Sharp
 
Metasploit - The Exploit Learning Tree
Metasploit - The Exploit Learning TreeMetasploit - The Exploit Learning Tree
Metasploit - The Exploit Learning TreeE Hacking
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?zeroSteiner
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory ForensicsAndrew Case
 
Device Drivers and Running Modules
Device Drivers and Running ModulesDevice Drivers and Running Modules
Device Drivers and Running ModulesYourHelper1
 
Linux Module Programming
Linux Module ProgrammingLinux Module Programming
Linux Module ProgrammingAmir Payberah
 
A Dive Into ELF Binaries
A Dive Into ELF BinariesA Dive Into ELF Binaries
A Dive Into ELF BinariesBhashit Pandya
 
Intra process memory protection for applications on ARM and x86
Intra process memory protection for applications on ARM and x86Intra process memory protection for applications on ARM and x86
Intra process memory protection for applications on ARM and x86Priyanka Aash
 

More Related Content

What's hot

Char Drivers And Debugging Techniques
Char Drivers And Debugging TechniquesChar Drivers And Debugging Techniques
Char Drivers And Debugging TechniquesYourHelper1
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseTakahiro Haruyama
 
RIPS - static code analyzer for vulnerabilities in PHP
RIPS - static code analyzer for vulnerabilities in PHPRIPS - static code analyzer for vulnerabilities in PHP
RIPS - static code analyzer for vulnerabilities in PHPSorina Chirilă
 
Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationzeroSteiner
 
De-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisDe-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisAndrew Case
 
Linux System Programming - File I/O
Linux System Programming - File I/O Linux System Programming - File I/O
Linux System Programming - File I/O YourHelper1
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Andrew Case
 
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityMac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityAndrew Case
 
Introduction Linux Device Drivers
Introduction Linux Device DriversIntroduction Linux Device Drivers
Introduction Linux Device DriversNEEVEE Technologies
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
 
Linux System Programming - Buffered I/O
Linux System Programming - Buffered I/O Linux System Programming - Buffered I/O
Linux System Programming - Buffered I/O YourHelper1
 
Introduction to char device driver
Introduction to char device driverIntroduction to char device driver
Introduction to char device driverVandana Salve
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisTakahiro Haruyama
 
Linux System Programming - Advanced File I/O
Linux System Programming - Advanced File I/OLinux System Programming - Advanced File I/O
Linux System Programming - Advanced File I/OYourHelper1
 
Linux Kernel Introduction
Linux Kernel IntroductionLinux Kernel Introduction
Linux Kernel IntroductionSage Sharp
 
Metasploit - The Exploit Learning Tree
Metasploit - The Exploit Learning TreeMetasploit - The Exploit Learning Tree
Metasploit - The Exploit Learning TreeE Hacking
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?zeroSteiner
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory ForensicsAndrew Case
 
Device Drivers and Running Modules
Device Drivers and Running ModulesDevice Drivers and Running Modules
Device Drivers and Running ModulesYourHelper1
 
Linux Module Programming
Linux Module ProgrammingLinux Module Programming
Linux Module ProgrammingAmir Payberah
 

What's hot (20)

Char Drivers And Debugging Techniques
Char Drivers And Debugging TechniquesChar Drivers And Debugging Techniques
Char Drivers And Debugging Techniques
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCase
 
RIPS - static code analyzer for vulnerabilities in PHP
RIPS - static code analyzer for vulnerabilities in PHPRIPS - static code analyzer for vulnerabilities in PHP
RIPS - static code analyzer for vulnerabilities in PHP
 
Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel Exploitation
 
De-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisDe-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory Analysis
 
Linux System Programming - File I/O
Linux System Programming - File I/O Linux System Programming - File I/O
Linux System Programming - File I/O
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
 
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityMac Memory Analysis with Volatility
Mac Memory Analysis with Volatility
 
Introduction Linux Device Drivers
Introduction Linux Device DriversIntroduction Linux Device Drivers
Introduction Linux Device Drivers
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
 
Linux System Programming - Buffered I/O
Linux System Programming - Buffered I/O Linux System Programming - Buffered I/O
Linux System Programming - Buffered I/O
 
Introduction to char device driver
Introduction to char device driverIntroduction to char device driver
Introduction to char device driver
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic Analysis
 
Linux System Programming - Advanced File I/O
Linux System Programming - Advanced File I/OLinux System Programming - Advanced File I/O
Linux System Programming - Advanced File I/O
 
Linux Kernel Introduction
Linux Kernel IntroductionLinux Kernel Introduction
Linux Kernel Introduction
 
Metasploit - The Exploit Learning Tree
Metasploit - The Exploit Learning TreeMetasploit - The Exploit Learning Tree
Metasploit - The Exploit Learning Tree
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory Forensics
 
Device Drivers and Running Modules
Device Drivers and Running ModulesDevice Drivers and Running Modules
Device Drivers and Running Modules
 
Linux Module Programming
Linux Module ProgrammingLinux Module Programming
Linux Module Programming
 

Similar to DEF CON 23 - Ryan o'neil - advances in linux forensics with ecfs

A Dive Into ELF Binaries
A Dive Into ELF BinariesA Dive Into ELF Binaries
A Dive Into ELF BinariesBhashit Pandya
 
Intra process memory protection for applications on ARM and x86
Intra process memory protection for applications on ARM and x86Intra process memory protection for applications on ARM and x86
Intra process memory protection for applications on ARM and x86Priyanka Aash
 
OS Internals and Portable Executable File Format
OS Internals and Portable Executable File FormatOS Internals and Portable Executable File Format
OS Internals and Portable Executable File FormatAitezaz Mohsin
 
Lec 10-linux-review
Lec 10-linux-reviewLec 10-linux-review
Lec 10-linux-reviewabinaya m
 
Part 03 File System Implementation in Linux
Part 03 File System Implementation in LinuxPart 03 File System Implementation in Linux
Part 03 File System Implementation in LinuxTushar B Kute
 
Architecture Of The Linux Kernel
Architecture Of The Linux KernelArchitecture Of The Linux Kernel
Architecture Of The Linux Kernelguest547d74
 
Windows internals
Windows internalsWindows internals
Windows internalsPiyush Jain
 
Process & Mutlithreading
Process & MutlithreadingProcess & Mutlithreading
Process & MutlithreadingRahul Jamwal
 
Interoperable PHP
Interoperable PHPInteroperable PHP
Interoperable PHPweltling
 
brief intro to Linux device drivers
brief intro to Linux device driversbrief intro to Linux device drivers
brief intro to Linux device driversAlexandre Moreno
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!Sysdig
 

Similar to DEF CON 23 - Ryan o'neil - advances in linux forensics with ecfs (20)

A Dive Into ELF Binaries
A Dive Into ELF BinariesA Dive Into ELF Binaries
A Dive Into ELF Binaries
 
Intra process memory protection for applications on ARM and x86
Intra process memory protection for applications on ARM and x86Intra process memory protection for applications on ARM and x86
Intra process memory protection for applications on ARM and x86
 
Linux-Internals-and-Networking
Linux-Internals-and-NetworkingLinux-Internals-and-Networking
Linux-Internals-and-Networking
 
OS Internals and Portable Executable File Format
OS Internals and Portable Executable File FormatOS Internals and Portable Executable File Format
OS Internals and Portable Executable File Format
 
Intro reverse engineering
Intro reverse engineeringIntro reverse engineering
Intro reverse engineering
 
Lec 10-linux-review
Lec 10-linux-reviewLec 10-linux-review
Lec 10-linux-review
 
Part 03 File System Implementation in Linux
Part 03 File System Implementation in LinuxPart 03 File System Implementation in Linux
Part 03 File System Implementation in Linux
 
Architecture Of The Linux Kernel
Architecture Of The Linux KernelArchitecture Of The Linux Kernel
Architecture Of The Linux Kernel
 
Architecture Of The Linux Kernel
Architecture Of The Linux KernelArchitecture Of The Linux Kernel
Architecture Of The Linux Kernel
 
Linux
LinuxLinux
Linux
 
Null
NullNull
Null
 
Basic Linux Internals
Basic Linux InternalsBasic Linux Internals
Basic Linux Internals
 
Windows internals
Windows internalsWindows internals
Windows internals
 
Process & Mutlithreading
Process & MutlithreadingProcess & Mutlithreading
Process & Mutlithreading
 
Interoperable PHP
Interoperable PHPInteroperable PHP
Interoperable PHP
 
Windows XP operating system
Windows XP operating systemWindows XP operating system
Windows XP operating system
 
Linux Internals - Part I
Linux Internals - Part ILinux Internals - Part I
Linux Internals - Part I
 
Embedded Linux Kernel - Build your custom kernel
Embedded Linux Kernel - Build your custom kernelEmbedded Linux Kernel - Build your custom kernel
Embedded Linux Kernel - Build your custom kernel
 
brief intro to Linux device drivers
brief intro to Linux device driversbrief intro to Linux device drivers
brief intro to Linux device drivers
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
 

More from Felipe Prado

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...Felipe Prado
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsFelipe Prado
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionFelipe Prado
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101Felipe Prado
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentFelipe Prado
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareFelipe Prado
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...Felipe Prado
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationFelipe Prado
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceFelipe Prado
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistFelipe Prado
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksFelipe Prado
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityFelipe Prado
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsFelipe Prado
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...Felipe Prado
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksFelipe Prado
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncFelipe Prado
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesFelipe Prado
 

More from Felipe Prado (20)

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got ants
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryption
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a government
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interface
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portals
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
 

Recently uploaded

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 

Recently uploaded (20)

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

DEF CON 23 - Ryan o'neil - advances in linux forensics with ecfs

  • 1. Advances in Linux process forensics with ECFS
  • 2. Quick history ● Wanted to design a process snapshot format native to VMA Vudu ● http://www.bitlackeys.org/#vmavudu ● ECFS proved useful for other projects as well
  • 3. Problem space  A process address space is complex with many components ➢ ELF binary format (structural nuances) ➢ Dynamic linking ➢ Architecture specific data and structures ➢ Kernel specific data and code (VDSO, VSYSCALL) ➢ Multiple threads
  • 4. Hackers infect processes ● Process infection is stealth and flexible ● Processes are attacked in many ways ➢ Viruses ➢ Rootkits ➢ Backdoors ➢ Exploitation
  • 5. Process forensics capable tools ● Volatility ● Rekall ● Second Look ● ptrace system call ● GDB ● Core dumps
  • 6. Volatility in kernel land ● Use full system memory dumps ● Dwarf symbols to acquire high resolution insight into the Linux kernel ● Can be used to detect virtually any kernel malware ● System.map, and libdwarf are friendly for this (Creating kernel profiles)
  • 7. Volatility in process memory ● detect_plt – A plugin for detecting PLT/GOT hooks by Georg Wicherski ● Process snapshots are raw ● Low resolution insight compared to kernel ● Plugin development is a big task ● No profile can exist for each process
  • 8. Full memory dump vs. process memory dump ● Macrocosm: full memory dump ● Microcosm: process memory dump ● ECFS focuses on the Microcosm
  • 9. Extended core file snapshot ● A custom core file format for forensics analysis ● Backwards compatible with Linux Core files ● HI-DEF resolution process-snapshots
  • 10. Overview of attack surface ● ET_DYN Injection (.so files) ● ET_REL Injection (.o files) ● ET_EXEC Injection (exe files) ➢ LD_PRELOAD ➢ __libc_dlopen_mode ➢ sys_ptrace ➢ VDSO manipulation ➢ Shellcode based loading ● Symbol and code hijacking ➢ PLT/GOT poisoning ➢ Trampolines (inline hooks) ➢ .ctors/.dtors patching ➢ Text segment modifications and other anomalies
  • 12. Definition of process memory forensics & analysis ● Understanding the process layout and structure ● Learning the programs runtime characteristics ● Identifying anomalous code or data ● Identifying process infection ➢ Backdoors ➢ Rootkits ➢ Keyloggers ➢ Viruses ➢ protected binaries
  • 13. Traditional core files .p1 ● A snapshot of a process ● Contains segments (text, data, stack, heap) ● Contains all memory mappings ● File mappings and shared libraries ● ELF file header ● Program headers describing memory layout
  • 14. Traditional core files .p2 ● The PT_NOTE segment in a core file contains: ➢ Register state (struct elf_prstatus) ➢ Shared library paths ➢ Auxiliary vector ➢ Signal information
  • 15. Traditional core files .p3 ● A core file is dumped by the kernel when a process is delivered SIGSEGV ● /usr/src/linux/binfmt_elf.c ● Core files are useful for debugging a crashing application
  • 16. Traditional cores are useless for forensics ● Highly dependent on the original executable being available ● Do not provide more than 4096 bytes of text images ● Does not give high resolution insight into a process
  • 17. Recap on forensics goals ● Detect shared library injection ● Detect function hijacking (Trampolines) ● Detect PLT/GOT hooks ● Detect ELF object injection ● Function pointer redirection ● Shellcode injection ● Strange segment permissions ● ETC.
  • 18. We want to quickly identify ● Userland memory rootkits ● Exploitation residuals ● Runtime malware/viruses
  • 19. ECFS Technology ● ECFS is a technology that transforms a process image into an ELF file format ● ECFS makes process analysis much easier ● Analogy (Photographing a process image) Core file (Low res) ECFS file (Hi res)
  • 20. ECFS Use cases ● Live malware analysis ● Process forensics ● Help break protected binaries ● Pausing and re-starting processes (Process necromancy)
  • 21. ECFS Features outline ● Hooks into the Linux kernels core handler ● Backwards compatible with core files ● Full symbol table reconstruction ● Section header table reconstruction ● Built-in heuristics ● Custom sections containing - file descriptor data - socket data - IPC data - Signal data - Auxiliary vector - Compressed /proc/<pid> directory ● Re-execution (Pausing a process and running it later) ● Libecfs (API) for parsing ECFS files
  • 22. Core handler (core_pattern) ● /proc/sys/kernel/core_pattern ● We tell core_pattern to pipe core files into our ecfs handler which then constructs an ecfs file ● Snapshots without killing the process are also possible (Not using core handler) echo '|/opt/ecfs/bin/ecfs_handler -t -e %e -p %p -o /opt/ecfs/cores/%e.%p' > /proc/sys/kernel/core_pattern
  • 23. Symbol table reconstruction .symtab ● The PT_GNU_EH_FRAME segment contains FDE (Frame descriptor entries) ● .eh_frame data is used for stack unwinding ● Can be used to find the location and size of every function within the binary ● http://www.bitlackeys.org/#eh_frame
  • 24. .symtab reconstruction is paramount ● Auto control flow (such as with IDA) fails when: Binary is encrypted ● ECFS reconstructs symbol table with exact function location and size even with encrypted binaries ● Show example of reconstructed Maya protected binary
  • 25. Symbol table reconstruction .dynsym ● located by looking at the dynamic segment and finding DT_SYMTAB ● resolve the address of every shared library function at runtime ● plug these values into the corresponding symbol table entry
  • 26. ECFS Section headers ● Reconstructs most of the original section headers (i.e., .text, .data, .plt, .got.plt, etc.) ● ECFS adds many new never before seen section headers that are specific to process analysis
  • 27. ECFS custom sections ● .heap – process heap ● .stack – process stack ● .vdso – virtual dynamic shared object ● .vsyscall – vsyscall page ● ._TEXT – text segment (Not the same as .text) ● ._DATA – data segment (Not the same as .data)
  • 28. ECFS custom sections .p2 ● .procfs.tgz - compressed /proc/pid ● .prstatus - process status info, registers, etc. ● .fdinfo – file descriptors, sockets, pipes ● .siginfo – Signal and fault info ● .auxvector – auxiliary vector from stack ● .exepath – path of original executable ● .personality – ECFS personality info
  • 29. ECFS custom sections .p3 ● .arglist – 'char **argv' of program ● .fpregset – Floating point registers
  • 30. ECFS Custom section types ● SHT_SHLIB – Marks shared library segment mapping ● SHT_INJECTED – Marks injected ELF objects (ET_DYN, ET_REL, etc). ● SHT_PRELOADED – Marks shared libraries that were LD_PRELOAD'd
  • 31. Injection detection heuristics ● ECFS uses techniques to detect injected ELF objects ● Can detect shared libraries that were not loaded by the dynamic linker ● Can detect any type of injected object file, executable or shared library ● Can differentiate between dlopen and __libc_dlopen_mode
  • 32. Libecfs (API) ● ECFS parsing library ➢ Tool development is made very easy ➢ Program analysis on protected binaries ➢ Detecting advanced process infections ➢ Isolating the parasite code ➢ Distinct access to program structures and data types
  • 33. /usr/bin/readecfs ● Readecfs utility ● Similar to readelf ● Uses libecfs to parse ecfs files ● Can extract parasites, code, sections from ecfs files ● Still in early development
  • 34. ECFS Re-execution ● ECFS snapshots can be taken and then re-executed later in time ● Can be used for live process migration ● Analysis of a suspicious process (re- executed within a sandbox) ● Beta stages ● https://github.com/elfmaster/ecfs_exec
  • 35. Demo 1 – Detecting anti-forensics process cloaking technique ● Take snapshot of process infected with Saruman PIE executable injection ● Detect infection using simple readelf ● Extract parasite code using readecfs http://www.bitlackeys.org/#saruman
  • 36. Demo 2 – Detect userland rootkit ● Take snapshot of process infected with Azazel userland rootkit ● Use readecfs to extract the parasite code ● Use detect_plt_hooks to show PLT/GOT hooks in-place
  • 37. Demo 3 – libecfs for tool development is easy ● The detect_plt_hooks.c is less than 60 lines of code ● Can detect ELF Object injection ● Can detect Shared library injection (ptrace/mmap/__libc_dlopen_mode) ● Can detect LD_PRELOAD libraries ● Can detect PLT/GOT hooks
  • 38. Demo 4 – ECFS snapshot execution ● Take a snapshot of a simple process that is reading from /etc/passwd and printing the results ● Restore the snapshot, and demonstrate how it restores the file streams, and continues reading from the file