André
is on page 195 of 282
・anti-debug: detect emulator(!), false disassembly, crypto, ctrl flow integrity, self-ptrace
・identify ctrl flow hijack: entry point, .ctors/.init_array, plt/got hooks, function trampolines
・id parasite code: position indep. code, direct syscalls, int3, atypical compiler code
・id (reverse) text padding
・mem forensics: /proc/$pid/maps, stack,…
・id .so injection: __libc_dlopen_mode, ptrace, vdso
・core files, eu-readelf
— Nov 17, 2018 10:52AM
André’s Previous Updates
André
is on page 244 of 282
better ABRT/SEGV core dumps via ExtendedCoreFileSnapshot (ECFS)
ECFS exams:
・process cloaking: Saruman injects complete, dyn linked PIE executable into exist. process addr space (ftpd, sshd,…) w own thread
・Azazel
・extract parasite
・valid PLT/GOT
Kernel:
・brief chapters on detecting sys_call_table infection, intr handler patch, fun trampoline, debug register rootkit, kprobe, VFS rootkit, infected driver
・taskverse
— Nov 21, 2018 02:50AM
André
is on page 121 of 282
nice read so far:
- basic tools: readelf, objdump, gdb, ...
- Linux ELF "Executable and Linkable Format": file types, headers, symbols, relocations, dynamic linking, talks both 32 and 64 bit;
I watch https://www.youtube.com/playlist?list... in parallel (see ELF)
- process tracing (ptrace)
- ELF viruses: infection methods, anti-debugging
many C and assembler (GAS syntax) code examples
— Oct 07, 2018 06:40PM