際際滷

際際滷Share a Scribd company logo

A Dive Into ELF Binaries

Download as ODP, PDF
B
Bhashit Pandya

This document provides an overview of ELF (Executable and Linkable Format) binaries. It begins by establishing motivation for understanding ELF binaries, such as encountering a Linux binary file or being tasked with reversing and patching a file. It then discusses what executable files are, common binary file formats with a focus on the ELF format, and how to detect ELF files. The document proceeds to explain the structure of ELF binaries including the ELF header, section headers, and program headers. It outlines the process of loading and parsing ELF files, including examining the ELF header, loading program segments, and patching imported calls. The document concludes by providing additional reversing and exploiting resources.

1 of 21
Download to read offline
A Dive Into ELF Binaries Null Ahmedabad 23rd Dec 2018 By Bhashit Pandya
Who am I Information Security Consultant Scriptologist Not a bug hunter!! Explorer
Today we will: ask, why to understand them? know about executable files. peep into the internals. see, how to read and analyse it. check out some tools.
Its a sunday morning!!!
I knew..
Motivation What if you encounter a linux bin? What if you are given a file to reverse and patch the file? What if you have a software to crack? What if you know that this file is vulnerable which can grant you a root access?
What are executables? Not a simple text files. Complied and linked against the syscall or WinAPI. Has relocatable tables. Number of sections to define itself. What are some binary file formats?
ELF Binary Initially developed by Unix System Laboratories for ABI support for unix os. Named as System V Release 4 (SVR4) Quickly adopted by different vendors of unix systems because of its support for endiannesses and address size. Independent of CPU and instruction sets. In 1999, it was chosen as a standard binary file format
ELF Binary Format It is just one of the binary format. Short abbrevation for Executable and Linkable Format. Mostly linux executables are in ELF Format. How to detect them? Will See..
ELF Structure ELF Header Section Headers Program Headers Symbol Table* readelf -a <file> About Linking and relocation mmap() Debuging purpose
A Dive Into ELF Binaries
It Worked!!
Volunteers Required 1.Candidate 2.Security Guard 3.Hiring Manager
ELF Parsing 1. Examine ELF Header {load_elf_binary()} 2. Loops into Program Header entries to check for an interpreter and executable stack. 3. Initialize Program headers attributes to a new program. 4. {flush_old_exec()} It clears up state in the kernel that refers to prev program. 5. Location of the executable file for the program is updated at /proc/pid/exe 6. Thread name is created using {_set_task_comm()} 7. Kernel Memory tracking structure is created.
ELF Parsing (Cont..) 1. Code loops through PT_LOAD seg and maps to process addr space. 2.Additional pages are also being loaded such as virtual dynamic shared object (vDSO) and empty page for backward compatibility reasons. 3.Security attributes are being added. 4.Final preparation for running is to setup the rest of the stack {create_elf_tables()}
Loading ELF Check format information of ELF Header. Read the ELF Program Header. Map all the values of PT_LOAD segment into new program memory. Leave space for interpreter BSS segment (object or statically allocated var).
Basically Loading ELF Base Address It helps the code to load into memory. When ESP values are assigned to base address, the execution of the program starts. The code segment of the ELF File is loaded into the memory to execute.
Patching The Imported Calls! 1. Most programs are dynamically linked. (shared libs are to be located and linked in run-time.) 2. The ELF Handler write ELF Interpreter filename to a new space. 3. Loads the ELF program into memory. 4. ELF Interpreter take care of the linkage program from the user space and resolves the program undefined symbols. 5. The interpreter starts the execution of the new program itself. (AT_ENTRY which holds the entry point of text seg. which was set during preparation)
Patching the calls Execution begins with ELF interpreter. Finds the linkage requirements. Loads those shared libs. Resolves the undefined symbols. Starts the execution of the new program.
Resources Reversing and Exploiting Resources Infecting the Procedure Linkage Table. http://phrack.org/issues/56/7.html More about ELF https://smshaker.files.wordpress.com/2008/0 1/reveng-02.pdf
Thank you!

More Related Content

A Dive Into ELF Binaries

  • 1. A Dive Into ELF Binaries Null Ahmedabad 23rd Dec 2018 By Bhashit Pandya
  • 2. Who am I Information Security Consultant Scriptologist Not a bug hunter!! Explorer
  • 3. Today we will: ask, why to understand them? know about executable files. peep into the internals. see, how to read and analyse it. check out some tools.
  • 4. Its a sunday morning!!!
  • 6. Motivation What if you encounter a linux bin? What if you are given a file to reverse and patch the file? What if you have a software to crack? What if you know that this file is vulnerable which can grant you a root access?
  • 7. What are executables? Not a simple text files. Complied and linked against the syscall or WinAPI. Has relocatable tables. Number of sections to define itself. What are some binary file formats?
  • 8. ELF Binary Initially developed by Unix System Laboratories for ABI support for unix os. Named as System V Release 4 (SVR4) Quickly adopted by different vendors of unix systems because of its support for endiannesses and address size. Independent of CPU and instruction sets. In 1999, it was chosen as a standard binary file format
  • 9. ELF Binary Format It is just one of the binary format. Short abbrevation for Executable and Linkable Format. Mostly linux executables are in ELF Format. How to detect them? Will See..
  • 10. ELF Structure ELF Header Section Headers Program Headers Symbol Table* readelf -a <file> About Linking and relocation mmap() Debuging purpose
  • 14. ELF Parsing 1. Examine ELF Header {load_elf_binary()} 2. Loops into Program Header entries to check for an interpreter and executable stack. 3. Initialize Program headers attributes to a new program. 4. {flush_old_exec()} It clears up state in the kernel that refers to prev program. 5. Location of the executable file for the program is updated at /proc/pid/exe 6. Thread name is created using {_set_task_comm()} 7. Kernel Memory tracking structure is created.
  • 15. ELF Parsing (Cont..) 1. Code loops through PT_LOAD seg and maps to process addr space. 2.Additional pages are also being loaded such as virtual dynamic shared object (vDSO) and empty page for backward compatibility reasons. 3.Security attributes are being added. 4.Final preparation for running is to setup the rest of the stack {create_elf_tables()}
  • 16. Loading ELF Check format information of ELF Header. Read the ELF Program Header. Map all the values of PT_LOAD segment into new program memory. Leave space for interpreter BSS segment (object or statically allocated var).
  • 17. Basically Loading ELF Base Address It helps the code to load into memory. When ESP values are assigned to base address, the execution of the program starts. The code segment of the ELF File is loaded into the memory to execute.
  • 18. Patching The Imported Calls! 1. Most programs are dynamically linked. (shared libs are to be located and linked in run-time.) 2. The ELF Handler write ELF Interpreter filename to a new space. 3. Loads the ELF program into memory. 4. ELF Interpreter take care of the linkage program from the user space and resolves the program undefined symbols. 5. The interpreter starts the execution of the new program itself. (AT_ENTRY which holds the entry point of text seg. which was set during preparation)
  • 19. Patching the calls Execution begins with ELF interpreter. Finds the linkage requirements. Loads those shared libs. Resolves the undefined symbols. Starts the execution of the new program.
  • 20. Resources Reversing and Exploiting Resources Infecting the Procedure Linkage Table. http://phrack.org/issues/56/7.html More about ELF https://smshaker.files.wordpress.com/2008/0 1/reveng-02.pdf