Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dipartimento di Informatica e Sistemistica Operating Systems II - Laurea Magistrale in Computer Engineering Executable Format and Advanced Compiling Tools.

Similar presentations


Presentation on theme: "Dipartimento di Informatica e Sistemistica Operating Systems II - Laurea Magistrale in Computer Engineering Executable Format and Advanced Compiling Tools."— Presentation transcript:

1 Dipartimento di Informatica e Sistemistica Operating Systems II - Laurea Magistrale in Computer Engineering Executable Format and Advanced Compiling Tools Alessandro Pellegrini

2 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Linker Script File Makefile preprocessor compilerassembler Make Object File Shared Object Relocatable File Executable File Link Map File Linker Archive (ar) Compiling Process User-created files Sorgenti Assembly Sorgenti C/C++ e File Header C/C++ Sources And Header Files Assembly Sources Library File

3 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Object File Format For more than 20 years, *nix executable file format has been a.out per oltre 20 anni (since 1975 to 1998). This format was made up of at most 7 sections: exec header : loading information; text segment : machine instructions; data segment : initialized data; text relocations : information to update pointers; data relocations : information to update pointers; symbol table : information on variables and functions; string table : names associated with symbols.

4 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Object File Format This format's limits were: cross-compiling; dynamic linking; creation of symple shared libaries; support of initializers/finalizers (e.g. constructors and destructors in C++). Linux has definitively replaced a.out with ELF (Executable and Linkable Format) in version 1.2 (more or less in 1995).

5 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering ELF Types of Files ELF defines the format of binary executables. There are four different categories: Relocatabale (Created by compilers and assemblers. Must be processed by the linker before being run). Executable (All symbols are resolved, except for shared libraries symbols, which are resolved at runtime). Shared object (A library which is shared by different programs, contains all the symbols information used by the linker, and the code to be executed at runtime). Core file (a core dump). ELF files have a twofold nature Compilers, assemblers and linkers handle them as a set of logical sections; The system loader handles them as a set of segments.

6 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering ELF Files Structure Segments Program Header Section Header ELF Header Describes Sections Describes segments Sections (optional, ignored) Relocatable FileExecutable File

7 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering #define EI_NIDENT (16) typedef struct { unsigned char e_ident[EI_NIDENT];/* Magic number and other info */ Elf32_Half e_type; /* Object file type */ Elf32_Half e_machine; /* Architecture */ Elf32_Word e_version; /* Object file version */ Elf32_Addr e_entry; /* Entry point virtual address */ Elf32_Off e_phoff; /* Program header table file offset */ Elf32_Off e_shoff; /* Section header table file offset */ Elf32_Word e_flags; /* Processor-specific flags */ Elf32_Half e_ehsize; /* ELF header size in bytes */ Elf32_Half e_phentsize; /* Program header table entry size */ Elf32_Half e_phnum; /* Program header table entry count */ Elf32_Half e_shentsize; /* Section header table entry size */ Elf32_Half e_shnum; /* Section header table entry count */ Elf32_Half e_shstrndx; /* Section header string table index */ } Elf32_Ehdr; ELF Header

8 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Relocatable File A relocatable file or a shared object is a collection of sections Each section contains a single kind of information, such as exdecutable code, read-only data, read/write data, relocation entries, or symbols. Each symbols address is defined in relation to the section which contains it. For example, a functions entry point is defined in relation to the section of the program which contains it.

9 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Section Header typedef struct { Elf32_Word sh_name; /* Section name (string tbl index) */ Elf32_Word sh_type; /* Section type */ Elf32_Word sh_flags; /* Section flags */ Elf32_Addr sh_addr; /* Section virtual addr at execution */ Elf32_Off sh_offset; /* Section file offset */ Elf32_Word sh_size; /* Section size in bytes */ Elf32_Word sh_link; /* Link to another section */ Elf32_Word sh_info; /* Additional section information */ Elf32_Word sh_addralign; /* Section alignment */ Elf32_Word sh_entsize; /* Entry size if section holds table */ } Elf32_Shdr;

10 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Types and Flags in Section Header PROGBITS: The section contains the program content (code, data, debug information). NOBITS: Same as PROGBITS, yet with a null size. SYMTAB and DYNSYM: The section contains a symbol table. STRTAB: The section contains a string table. REL and RELA: The section contains relocation information. DYNAMIC and HASH: The section contains dynamic linking information. WRITE: The section contais runtime-writeable data. ALLOC: The section occupies memory at runtime. EXECINSTR: The section contains executable machine instructions.

11 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Some Sections.text: contains programs instructions Type: PROGBITS Flags: ALLOC + EXECINSTR.data: contains preinitialized read/write data Type: PROGBITS Flags: ALLOC + WRITE.rodata: contains preinitialized read-only data Type: PROGBITS Flags: ALLOC.bss: contains uninitialized data. The system will set them to zero at program startup. Type: NOBITS Flags: ALLOC + WRITE

12 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering String Table Sections keeping string tables contain sequence of null- terminated strings. Ojbect files use a string table to represent symbols and sections names. A string is referred using an index in the table. Symbol table and symbol names are separated because there is no limit in names length in C/C++

13 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Symbol Table Symbol table keeps in an object file the information necessary to identify and relocate symbolic definitions in a program and its references. typedef struct { Elf32_Word st_name; /* Symbol name */ Elf32_Addr st_value; /* Symbol value */ Elf32_Word st_size; /* Symbol size */ unsigned char st_info; /* Symbol binding */ unsigned char st_other; /* Symbol visibility */ Elf32_Section st_shndx; /* Section index */ } Elf32_Sym;

14 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Relocation is the process which connects references to symbols with definition of symbols. Relocatable files must keep information on how to modify the contents of sections. Static Relocation Table typedef struct { Elf32_Addr r_offset; /* Address */ Elf32_Word r_info; /* Relocation type and symbol index */ } Elf32_Rel; typedef struct { Elf32_Addr r_offset; /* Address */ Elf32_Word r_info; /* Relocation type and symbol index */ Elf32_Sword r_addend; /* Addend */ } Elf32_Rela;

15 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Executable Files Usually, an executable file has only few segments:: A read-only segment for code. A read-only segment for read-only data. A read/write segment for other data. Any section marked with flag ALLOCATE are packed in the proper segment, to that the operating system is able to map the file to memory with few operations. For example, if.data and.bss sections are pesent, they are placed within the same read/write segment.

16 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Program Header typedef struct { Elf32_Word p_type; /* Segment type */ Elf32_Off p_offset; /* Segment file offset */ Elf32_Addr p_vaddr; /* Segment virtual address */ Elf32_Addr p_paddr; /* Segment physical address */ Elf32_Word p_filesz; /* Segment size in file */ Elf32_Word p_memsz; /* Segment size in memory */ Elf32_Word p_flags; /* Segment flags */ Elf32_Word p_align; /* Segment alignment */ } Elf32_Phdr;

17 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering ELF Header Prog. Header Table Segment 1 Segment 2 Data Executable File Linkers Role Segment 3 Segment 2 ELF Header Sec. Header Table Section 1 Section 2 Relocatable File 1... Section n ELF Header Sec. Header Table Section 1 Section 2 Relocatable File 2... Section n

18 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Static Relocation 1bc1:e8 fc ff ff ff call 1bc2 1bc6:83 c4 10 add $0x10,%esp 1bc9:a mov 0x0,%eax 8054e59: e8 9a call 805a3f8 8054e5e: 83 c4 10 add $0x10,%esp 8054e61: a1 f mov 0x80602f8,%eax Varliables addresses Functions entry points Instructions position

19 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Directives: Linker Script SECTIONS {. = 0x10000;.text : { *(.text) }. = 0x ;.data : { *(.data) }.bss : { *(.bss) } } Sets location counters value Places all input filess.text sections in the output files.text section at the address specified by the location counter. The simplest form of linker script contains only a SECTIONS directive; The SECTIONS directive describes memory layout of the linker-generated file.

20 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Example: C code #include int xx, yy; int main(void) { xx = 1; yy = 2; printf ("xx %d yy %d\n", xx, yy); }

21 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Example: ELF Header $ objdump -x esempio-elf esempio-elf: file format elf32-i386 architecture: i386, flags 0x : EXEC_P, HAS_SYMS, D_PAGED start address 0x

22 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering PHDR off 0x vaddr 0x paddr 0x align 2**2 filesz 0x memsz 0x flags r-x INTERP off 0x vaddr 0x paddr 0x align 2**0 filesz 0x memsz 0x flags r-- LOAD off 0x vaddr 0x paddr 0x align 2**12 filesz 0x000004f4 memsz 0x000004f4 flags r-x LOAD off 0x00000f0c vaddr 0x08049f0c paddr 0x08049f0c align 2**12 filesz 0x memsz 0x flags rw- DYNAMIC off 0x00000f20 vaddr 0x08049f20 paddr 0x08049f20 align 2**2 filesz 0x000000d0 memsz 0x000000d0 flags rw- NOTE off 0x vaddr 0x paddr 0x align 2**2 filesz 0x memsz 0x flags r-- STACK off 0x vaddr 0x paddr 0x align 2**2 filesz 0x memsz 0x flags rw- RELRO off 0x00000f0c vaddr 0x08049f0c paddr 0x08049f0c align 2**0 filesz 0x000000f4 memsz 0x000000f4 flags r-- Example: Program Header

23 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering NEEDED libc.so.6 INIT 0x FINI 0x080484bc HASH 0x STRTAB 0x SYMTAB 0x080481b0 STRSZ 0x c SYMENT 0x DEBUG 0x PLTGOT 0x08049ff4 PLTRELSZ 0x PLTREL 0x JMPREL 0x There is the need to link to this shared library to use printf() Example: Dynamic Section

24 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Example: Sections Header Idx Name Size VMA LMA File off Algn 2.hash **2 CONTENTS, ALLOC, LOAD, READONLY, DATA 10.init **2 CONTENTS, ALLOC, LOAD, READONLY, CODE 11.plt c c c8 2**2 CONTENTS, ALLOC, LOAD, READONLY, CODE 12.text ac **4 CONTENTS, ALLOC, LOAD, READONLY, CODE 13.fini c bc bc bc 2**2 CONTENTS, ALLOC, LOAD, READONLY, CODE 14.rodata d d d8 2**2 CONTENTS, ALLOC, LOAD, READONLY, ATA 22.data a00c 0804a00c c 2**2 CONTENTS, ALLOC, LOAD, DATA 23.bss a a **2 ALLOC

25 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Example: Symbol Table l df *ABS* esempio-elf.c 08049f0c l.ctors hidden __init_array_end 08049f0c l.ctors hidden __init_array_start 08049f20 l O.dynamic hidden _DYNAMIC 0804a00c w.data data_start g F.text __libc_csu_fini g F.text _start w *UND* __gmon_start__ f18 g O.dtors hidden __DTOR_END__ g F.text a __libc_csu_init F *UND* a01c g O.bss yy 0804a014 g *ABS* __bss_start 0804a024 g *ABS* _end 0804a014 g *ABS* _edata a g F.text hidden __i686.get_pc_thunk.bx c4 g F.text d main g F.init _init 0804a020 g O.bss xx

26 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Symbols Visibility weak symbols: More module can have a simbol with the same name of a weak one; The declared entity cannot be overloaded by other modules; It is useful for libraries which want to avoid conflicts with user programs. gcc version 4.0 gives the command line option -fvisibility : default : normal behaviour, the symbol is seen by other modules; hidden : two declarations of an object refer the same object only if they are in the same shared object; internal : an entity declared in a module cannot be referenced even by pointer; protected : the symbol is weak;

27 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Symbols Visibility (2) int variable __attribute__ ((visibility (hidden))); #pragma GCC visibility push(hidden) int variable; int increment(void) { return ++variable; } #pragma GCC visibility pop

28 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Linux Loader In fs/exec.c: do_execve() : About 50 lines of code; Performs some error checks and fill the structure struct linux_binprm ; Looks for a binary file handler. search_binary_handler() : Scans a list of binary file hanlders registered in the kernel; If no handler is able to recognize the image format, syscall returs the ENOEXEC error (Exec Format Error); In fs/binfmt_elf.c: load_elf_binary() : Load image file to memory using mmap; Reads the program header and sets permissions accordingly

29 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering ELF Header Sec. Header Table Section 1 Section 2... Section n Section 3 Section 4 Alter an ELF: Reordering ELF Header Sec. Header Table Section 1 Section 2... Section n Section 3 Section 4

30 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Alter an ELF: Reordering #include int main(int argc, char **argv) { int elf_src, elf_dst, file_size, i; char *src_image, *dst_image, *ptr; Elf32_Ehdr *ehdr_src, *ehdr_dst; Elf32_Shdr *shdr_src, *shdr_dst; if((elf_src = open(argv[1], O_RDONLY)) == -1) exit(-1); if((elf_dst = creat(argv[2], 0644)) == -1) exit(-1); file_size = lseek(elf_src, 0L, SEEK_END); lseek(elf_src, 0L, SEEK_SET); src_image = malloc(file_size); ptr = dst_image = malloc(file_size); read(elf_src, src_image, file_size); ehdr_src = (Elf32_Ehdr *)src_image; ehdr_dst = (Elf32_Ehdr *)dst_image; memcpy(ptr, src_image, sizeof(Elf32_Ehdr)); ptr += sizeof(Elf32_Ehdr); To access structures describing and ELF file The two ELF header are (mostly) the same

31 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Modificare un ELF: Riordino shdr_dst = (Elf32_Shdr *)ptr; shdr_src = (Elf32_Shdr *)(src_image + ehdr_src->e_shoff); ehdr_dst->e_shoff = sizeof(Elf32_Ehdr); ptr += ehdr_src->e_shnum * ehdr_dst->e_shentsize; memcpy(shdr_dst, shdr_src, sizeof(Elf32_Shdr)); for(i = ehdr_src->e_shnum - 1; i > 0; i--) { memcpy(shdr_dst + ehdr_src->e_shnum - i, shdr_src + i, sizeof(Elf32_Shdr)); memcpy(ptr, src_image + shdr_src[i].sh_offset, shdr_src[i].sh_size); shdr_dst[ehdr_src->e_shnum - i].sh_offset = ptr - dst_image; if(shdr_src[i].sh_link > 0) shdr_dst[ehdr_src->e_shnum - i].sh_link = ehdr_src->e_shnum - shdr_src[i].sh_link; if(shdr_src[i].sh_info > 0) shdr_dst[ehdr_src->e_shnum - i].sh_info = ehdr_src->e_shnum - shdr_src[i].sh_info; ptr += shdr_src[i].sh_size; } ehdr_dst->e_shstrndx = ehdr_src->e_shnum - ehdr_src->e_shstrndx; write(elf_dst, dst_image, file_size); close(elf_src); close(elf_dst); } Corrects the header position in the file Copies sections and headers

32 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Alter and ELF: Reordering $ readelf -S esempio-elf.o There are 11 section headers, starting at offset 0x108: Section Headers: [Nr] Name Type Addr Off Size ES Flg Lk Inf Al [ 0] NULL [ 1].text PROGBITS d 00 AX [ 2].rel.text REL a [ 3].data PROGBITS WA [ 4].bss NOBITS WA [ 5].rodata PROGBITS d 00 A [ 6].comment PROGBITS [ 7].note.GNU-stack PROGBITS b [ 8].shstrtab STRTAB b [ 9].symtab SYMTAB c0 0000c [10].strtab STRTAB

33 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Alter and ELF: Reordering $ readelf -S riordinato.o There are 11 section headers, starting at offset 0x34: Section Headers: [Nr] Name Type Addr Off Size ES Flg Lk Inf Al [ 0] NULL [ 1].strtab STRTAB ec [ 2].symtab SYMTAB d 0000c [ 3].shstrtab STRTAB cd [ 4].note.GNU-stack PROGBITS e [ 5].comment PROGBITS e [ 6].rodata PROGBITS d 00 A [ 7].bss NOBITS WA [ 8].data PROGBITS WA [ 9].rel.text REL [10].text PROGBITS d 00 AX 0 0 4

34 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Alter and ELF: nop ELF Header Tabella Header Sez. Sezione 1 Sezione 2... Sezione n Sezione 3 Sezione 4 ELF Header Tabella Header Sez. Sezione 1 Sezione 2... Sezione n Sezione 3 Sezione 4 nop

35 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Alter and ELF: nop (2) #include #define NOP_NUM 10 #define NOP_CODE 0x90 // 1 byte #define SEC_NUM 1 int main(int argc, char **argv) { int elf_src, elf_dst, file_size, i; char *src_image, *dst_image; Elf32_Ehdr *ehdr_src; Elf32_Shdr *shdr_src, *shdr_dst; if((elf_src = open(argv[1], O_RDONLY)) == -1) exit(-1); if((elf_dst = creat(argv[2], 0644)) == -1) exit(-1); file_size = lseek(elf_src, 0L, SEEK_END); lseek(elf_src, 0L, SEEK_SET); src_image = malloc(file_size); dst_image = malloc(file_size + NOP_NUM); read(elf_src, src_image, file_size); ehdr_src = (Elf32_Ehdr *)src_image; shdr_src = (Elf32_Shdr *)(src_image + ehdr_src->e_shoff);

36 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Alter and ELF: nop (3) shdr_dst = (Elf32_Shdr *)(dst_image + ehdr_src->e_shoff + NOP_NUM); memcpy(dst_image, src_image, sizeof(Elf32_Ehdr)); ((Elf32_Ehdr *)dst_image)->e_shoff += NOP_NUM; for(i = 0; i <= SEC_NUM; i++) memcpy(dst_image + shdr_src[i].sh_offset, src_image + shdr_src[i].sh_offset, shdr_src[i].sh_size); memset(dst_image + shdr_src[SEC_NUM].sh_offset + shdr_src[SEC_NUM].sh_size, NOP_CODE, NOP_NUM); for(i = SEC_NUM + 1; i e_shnum; i++) memcpy(dst_image + shdr_src[i].sh_offset + NOP_NUM, src_image + shdr_src[i].sh_offset, shdr_src[i].sh_size); for(i = 0; i <= SEC_NUM; i++) memcpy(shdr_dst + i, shdr_src + i, sizeof(Elf32_Shdr)); shdr_dst[SEC_NUM].sh_size += NOP_NUM; for(i = SEC_NUM + 1; i e_shnum; i++) { memcpy(shdr_dst + i, shdr_src + i, sizeof(Elf32_Shdr)); shdr_dst[i].sh_offset += NOP_NUM; } write(elf_dst, dst_image, file_size + NOP_NUM); close(elf_src); close(elf_dst); } Inserts nops Corrects sections size Moves forward other sections

37 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Alter and ELF: nop (4) $ objdump -S esempio-elf.o Disassembly of section.text: : 0:8d 4c lea 0x4(%esp),%ecx 4:83 e4 f0 and $0xfffffff0,%esp 7:ff 71 fc pushl -0x4(%ecx) a:55 push %ebp [...] 38:c movl $0x0,(%esp) 3f:e8 fc ff ff ff call 40 44:83 c4 14 add $0x14,%esp 47:59 pop %ecx 48:5d pop %ebp 49:8d 61 fc lea -0x4(%ecx),%esp 4c:c3 ret

38 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Alter and ELF: nop (5) $ objdump -S nop.o Disassembly of section.text: : 0:8d 4c lea 0x4(%esp),%ecx 4:83 e4 f0 and $0xfffffff0,%esp 7:ff 71 fc pushl -0x4(%ecx) a:55 push %ebp [...] 38:c movl $0x0,(%esp) 3f:e8 fc ff ff ff call 40 44:83 c4 14 add $0x14,%esp 47:59 pop %ecx 48:5d pop %ebp 49:8d 61 fc lea -0x4(%ecx),%esp 4c:c3 ret 4d:90 nop 4e:90 nop 4f:90 nop 50:90 nop [...]

39 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Lin/Glaurung.676/666 0x0000.ELF Codice Prog. 0x0bd3 0x0000.ELF Codice Prog. 0xbd3 0xbd4 Codice Virus 0xe6e Entry point Its an appending virus; Changes the fiels EI_PAD at offset (0x0007-0x000f) changing its value from 0 to 21; Files entry value is the position of the injected code (0x08049bd4 instead of 0x ); Infects every ELF file found in PWD and in /bin; The analyzed infected file passed from 3028 bytes (0x0bd3) to 3694 bytes (0xe6e), an increment of 666 bytes (0x29a). ELF files size is incremented ( p_filesize and p_memsize become 0x0a1e instead of 0x00e0 e 0x00f8, respectively)

40 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Lin/Glaurung.676/666 (2) F 45 4C ELF...! D4 9B Ô EC i ( C C À...À F F ô...ô F C ô C P...P P...P A E 0A E 0A C6 C P B C A A C D C E C F F 6C F 6C 64 2D 6C 69 6E /lib/ld-linu E 73 6F 2E x.so

41 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Code Instrumentation If it is possible to alter an ELF files structure, then it is possible to modify the original behavior of the code: this technique is called instrumentation. Problems of this technique: Must work at machine-code level: it is necessary to insert in an ELF file a byte stream which corresponds to particular assembly instructions; To instrument transparently to the the user, it is important to keep references coherence in the code; It is necessary as well the ability to interpret the original programs code, to find the right positions in the code where to inject instrumentation code. This technique is highly used in debugging and in vulnerability assessment.

42 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering PrefixesOpcodeModR/MSIBDisplacementImmediate Reg / Opcode R/MScaleIndexBase Up to 4, 1 byte each Mod 1, 2 or 3 byte 1 byte (if present) 1 byte (if present) 0, 1, 2 or 4 byte Instructions are therefore of variable length (with an upper bound of 15 bytes): 85 c0 test %eax,%eax jnz 4c c7 45 ec movl $0x0,-0x14(%ebp) eb 59 jmp a5 8b mov 0x8(%ebp),%eax 8d 4c lea 0x4(%esp),%ecx 0f b7 40 2e movzwl 0x2e(%eax),%eax Instruction Set i386 Opcode, ModR/M, SIB, Displacement, Immediate

43 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Instruction Set i386 (2) R/M fields in ModR/M byte and Scale /Index fields in SIB byte identify registers; General purpose registers are numbered from da 0 a 7 in this order: eax (000), ecx (001), edx (010), ebx (011), esp (100), ebp (101), esi (110), edi (111).

44 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering ELF File Altering: an Example Section Header Table is scanned looking for sections containing code (type: PROGBITS, flag: EXECINSTR ); Each section is parsed one byte by one; Using an opcode-family table the instructions are disassembled, identifying the instructions which have as destination operand a memory location (global variables or dynamically allocated memory); Destination operand is decomposed in base, indice, scale and offset.

45 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Instruction Table Generation struct insn_entry { unsigned long ret_addr; unsigned int size; char flags; char base; char idx; char scala; long offset; }; To add a minimal overhead to the program, two choices are made : Monitoring routine is written directly in assembly; No runtime intepretation of instruction is made. During th parsing phase, interesting information is cached in a table: This table can be searched using a binary search in O(log n) time.

46 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Monitor Hooking a mov 0x ,%eax 83 c0 01 add $0x1,%eax a mov %eax,0x a mov 0x ,%eax 83 c0 01 add $0x1,%eax e8 fc ff ff ff call monitor a mov %eax,0x Monitoring routine is hooked by injecting before any memory-write instruction a call to a routine called monitor ; We use a call instead of a less costly jump because, by relying on th ereturn value, it is possible to know which original instruction caused the invocation of the monitor; Due to this calls insertion, the original sections must be resized (using techniques previously seen) and relocation tables must be corrected.

47 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering References Correction Due to the insertion of instructions, references between portions of code/data are now inconsistent; We must therefore: Correct functions entry points; Correct every branch instruction Intra-segment jumps in i386 are expressed as offsets starting from the current value of eip register, when executing the instruction; To correct them, it is necessary to scan the program text a second time and apply a correction to this offest, depending on the amount of bytes inserted in the code;

48 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Dynamic Branch Correction 8b c mov 0x2c(,%edx,4),%eax ff e0 jmp *%eax 8b c mov 0x2c(,%edx,4),%eax e8 fc ff ff ff call correct_branch e jmp ?? ?? ?? ?? A particular type of branch (indirect branch, or register branch) allows to specify a branch destination by the value stored in a particular register or in a memory location; This instructions sematic depends of the actual exectuion flow: it cannot be corrected statically; These instructions are handled as memory-write instructions: they are replaced with a function call ( correct_branch ) that, using the information stored in two tables, creates a correct jump.

49 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution … call monitor mov %eax, i … applicazione CPU EAX: EBX: ECX: EDX: ESI: EDI: EBP: ESP: ?????????????

50 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution … call monitor mov %eax, i … applicazione monitor monitor: push %eax push %ecx push %edx push %ebx mov %esp, %eax sub $4, %esp add $16, %eax mov %eax, (%esp) push %ebp push %esi push %edi pushfw mov 14(%esp), %ebp sub $4, %ebp mov 4(%ebp), %esi Return Value ESP CPU EAX: EBX: ECX: EDX: ESI: EDI: EBP: ESP: ?????????????

51 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution … call monitor mov %eax, i … applicazione monitor monitor: push %eax push %ecx push %edx push %ebx mov %esp, %eax sub $4, %esp add $16, %eax mov %eax, (%esp) push %ebp push %esi push %edi pushfw Return Value ESP monitor: push %eax push %ecx push %edx push %ebx mov %esp, %eax sub $4, %esp add $16, %eax mov %eax, (%esp) push %ebp push %esi push %edi pushfw mov 14(%esp), %ebp sub $4, %ebp mov 4(%ebp), %esi EAX ECX EDX EBX CPU EAX: EBX: ECX: EDX: ESI: EDI: EBP: ESP: ?????????????

52 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution … call monitor mov %eax, i … applicazione monitor monitor: push %eax push %ecx push %edx push %ebx mov %esp, %eax sub $4, %esp add $16, %eax mov %eax, (%esp) push %ebp push %esi push %edi pushfw monitor: push %eax push %ecx push %edx push %ebx mov %esp, %eax sub $4, %esp add $16, %eax mov %eax, (%esp) push %ebp push %esi push %edi pushfw mov 14(%esp), %ebp sub $4, %ebp mov 4(%ebp), %esi CPU EAX: EBX: ECX: EDX: ESI: EDI: EBP: ESP: esp corrente ????????????? Return Value ESP EAX ECX EDX EBX

53 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution … call monitor mov %eax, i … applicazione monitor Return Value ESP monitor: push %eax push %ecx push %edx push %ebx mov %esp, %eax sub $4, %esp add $16, %eax mov %eax, (%esp) push %ebp push %esi push %edi pushfw mov 14(%esp), %ebp sub $4, %ebp mov 4(%ebp), %esi EAX ECX EDX EBX ESP monitor: push %eax push %ecx push %edx push %ebx mov %esp, %eax sub $4, %esp add $16, %eax mov %eax, (%esp) push %ebp push %esi push %edi pushfw mov 14(%esp), %ebp sub $4, %ebp mov 4(%ebp), %esi CPU EAX: EBX: ECX: EDX: ESI: EDI: EBP: ESP: esp originale ?????????????

54 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution … call monitor mov %eax, i … applicazione monitor Return Value ESP EAX ECX EDX EBX ESP monitor: push %eax push %ecx push %edx push %ebx mov %esp, %eax sub $4, %esp add $16, %eax mov %eax, (%esp) push %ebp push %esi push %edi pushfw monitor: push %eax push %ecx push %edx push %ebx mov %esp, %eax sub $4, %esp add $16, %eax mov %eax, (%esp) push %ebp push %esi push %edi pushfw mov 14(%esp), %ebp sub $4, %ebp mov 4(%ebp), %esi EBP ESI EDI EFLAGS CPU EAX: EBX: ECX: EDX: ESI: EDI: EBP: ESP: esp originale ?????????????

55 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution … call monitor mov %eax, i … applicazione monitor Return Value ESP EAX ECX EDX EBX ESP monitor: push %eax push %ecx push %edx push %ebx mov %esp, %eax sub $4, %esp add $16, %eax mov %eax, (%esp) push %ebp push %esi push %edi pushfw mov 14(%esp), %ebp sub $4, %ebp mov 4(%ebp), %esi EBP ESI EDI EFLAGS CPU EAX: EBX: ECX: EDX: ESI: EDI: EBP: ESP: esp originale ????????????? indirizzo eax orig. ????????????? monitor: push %eax push %ecx push %edx push %ebx mov %esp, %eax sub $4, %esp add $16, %eax mov %eax, (%esp) push %ebp push %esi push %edi pushfw mov 14(%esp), %ebp sub $4, %ebp mov 4(%ebp), %esi EBP

56 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution … call monitor mov %eax, i … applicazione monitor Return Value ESP EAX ECX EDX EBX ESP EBP ESI EDI EFLAGS CPU EAX: EBX: ECX: EDX: ESI: EDI: EBP: ESP: esp originale ????????????? chiave di ricerca ????????????? indirizzo eax orig. ????????????? monitor: push %eax push %ecx push %edx push %ebx mov %esp, %eax sub $4, %esp add $16, %eax mov %eax, (%esp) push %ebp push %esi push %edi pushfw mov 14(%esp), %ebp sub $4, %ebp mov 4(%ebp), %esi monitor: push %eax push %ecx push %edx push %ebx mov %esp, %eax sub $4, %esp add $16, %eax mov %eax, (%esp) push %ebp push %esi push %edi pushfw mov 14(%esp), %ebp sub $4, %ebp mov 4(%ebp), %esi EBP

57 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution … call monitor mov %eax, i … applicazione monitor Return Value ESP EAX ECX EDX EBX ESP EBP ESI EDI EFLAGS CPU EAX: EBX: ECX: EDX: ESI: EDI: EBP: ESP: esp originale low high ????????????? chiave di ricerca ????????????? indirizzo eax orig. ????????????? monitor: push %eax push %ecx push %edx push %ebx mov %esp, %eax sub $4, %esp add $16, %eax mov %eax, (%esp) push %ebp push %esi push %edi pushfw mov 14(%esp), %ebp sub $4, %ebp mov 4(%ebp), %esi EBP monitor: xor %ebx, %ebx mov $DIM, %ecx jmp.Cerca.HighHalf: lea 0x1(%edx), %ebx cmp %ecx, %ebx jae.Trovato.Cerca: lea (%ecx,%ebx,1), %edx shr %edx mov %edx, %eax shl $0x4,%eax cmp %esi, insn_table(%eax) jb.HighHalf.LowHalf: mov %edx, %ecx cmp %ecx, %ebx jb.Cerca.Trovato:

58 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution … call monitor mov %eax, i … applicazione monitor Return Value ESP EAX ECX EDX EBX ESP EBP ESI EDI EFLAGS CPU EAX: EBX: ECX: EDX: ESI: EDI: EBP: ESP: offset nella tab. low high mediano chiave di ricerca ????????????? indirizzo eax orig. ????????????? EBP monitor: xor %ebx, %ebx mov $DIM, %ecx jmp.Cerca.HighHalf: lea 0x1(%edx), %ebx cmp %ecx, %ebx jae.Trovato.Cerca: lea (%ecx,%ebx,1), %edx shr %edx mov %edx, %eax shl $0x4,%eax cmp %esi, insn_table(%eax) jb.HighHalf.LowHalf: mov %edx, %ecx cmp %ecx, %ebx jb.Cerca.Trovato: monitor: xor %ebx, %ebx mov $DIM, %ecx jmp.Cerca.HighHalf: lea 0x1(%edx), %ebx cmp %ecx, %ebx jae.Trovato.Cerca: lea (%ecx,%ebx,1), %edx shr %edx mov %edx, %eax shl $0x4,%eax cmp %esi, insn_table(%eax) jb.HighHalf.LowHalf: mov %edx, %ecx cmp %ecx, %ebx jb.Cerca.Trovato:

59 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution … call monitor mov %eax, i … applicazione monitor Return Value ESP EAX ECX EDX EBX ESP EBP ESI EDI EFLAGS CPU EAX: EBX: ECX: EDX: ESI: EDI: EBP: ESP: offset nella tab. low high nuovo low chiave di ricerca ????????????? indirizzo eax orig. ????????????? EBP monitor: xor %ebx, %ebx mov $DIM, %ecx jmp.Cerca.HighHalf: lea 0x1(%edx), %ebx cmp %ecx, %ebx jae.Trovato.Cerca: lea (%ecx,%ebx,1), %edx shr %edx mov %edx, %eax shl $0x4,%eax cmp %esi, insn_table(%eax) jb.HighHalf.LowHalf: mov %edx, %ecx cmp %ecx, %ebx jb.Cerca.Trovato: monitor: xor %ebx, %ebx mov $DIM, %ecx jmp.Cerca.HighHalf: lea 0x1(%edx), %ebx cmp %ecx, %ebx jae.Trovato.Cerca: lea (%ecx,%ebx,1), %edx shr %edx mov %edx, %eax shl $0x4,%eax cmp %esi, insn_table(%eax) jb.HighHalf.LowHalf: mov %edx, %ecx cmp %ecx, %ebx jb.Cerca.Trovato:

60 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution … call monitor mov %eax, i … applicazione monitor Return Value ESP EAX ECX EDX EBX ESP EBP ESI EDI EFLAGS CPU EAX: EBX: ECX: EDX: ESI: EDI: EBP: ESP: offset nella tab. low nuovo high mediano chiave di ricerca ????????????? indirizzo eax orig. ????????????? EBP monitor: xor %ebx, %ebx mov $DIM, %ecx jmp.Cerca.HighHalf: lea 0x1(%edx), %ebx cmp %ecx, %ebx jae.Trovato.Cerca: lea (%ecx,%ebx,1), %edx shr %edx mov %edx, %eax shl $0x4,%eax cmp %esi, insn_table(%eax) jb.HighHalf.LowHalf: mov %edx, %ecx cmp %ecx, %ebx jb.Cerca.Trovato: monitor: xor %ebx, %ebx mov $DIM, %ecx jmp.Cerca.HighHalf: lea 0x1(%edx), %ebx cmp %ecx, %ebx jae.Trovato.Cerca: lea (%ecx,%ebx,1), %edx shr %edx mov %edx, %eax shl $0x4,%eax cmp %esi, insn_table(%eax) jb.HighHalf.LowHalf: mov %edx, %ecx cmp %ecx, %ebx jb.Cerca.Trovato:

61 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution … call monitor mov %eax, i … applicazione monitor Return Value ESP EAX ECX EDX EBX ESP EBP ESI EDI EFLAGS CPU EAX: EBX: ECX: EDX: ESI: EDI: EBP: ESP: campo flags low nuovo high offset tabella chiave di ricerca ????????????? indirizzo eax orig. ????????????? EBP monitor: xor %ebx, %ebx mov $DIM, %ecx jmp.Cerca.HighHalf: lea 0x1(%edx), %ebx cmp %ecx, %ebx jae.Trovato.Cerca: lea (%ecx,%ebx,1), %edx shr %edx mov %edx, %eax shl $0x4,%eax cmp %esi, insn_table(%eax) jb.HighHalf.LowHalf: mov %edx, %ecx cmp %ecx, %ebx jb.Cerca.Trovato: monitor: lea (,%ecx,4), %edx shl $0x2, %edx movsbl insn_table+8(%edx),%eax xor %edi, %edi testb $4, %al jz.NoIndex movsbl insn_table+10(%edx),%ecx negl %ecx movl (%ebp, %ecx, 4), %edi movsbl insn_table+11(%edx),%ecx imul %ecx, %edi

62 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution … call monitor mov %eax, i … applicazione monitor Return Value ESP EAX ECX EDX EBX ESP EBP ESI EDI EFLAGS CPU EAX: EBX: ECX: EDX: ESI: EDI: EBP: ESP: campo flags low - reg. indice offset tabella chiave di ricerca idx indirizzo eax orig. ????????????? EBP monitor: lea (,%ecx,4), %edx shl $0x2, %edx movsbl insn_table+8(%edx),%eax xor %edi, %edi testb $4, %al jz.NoIndex movsbl insn_table+10(%edx),%ecx negl %ecx movl (%ebp, %ecx, 4), %edi movsbl insn_table+11(%edx),%ecx imul %ecx, %edi monitor: lea (,%ecx,4), %edx shl $0x2, %edx movsbl insn_table+8(%edx),%eax xor %edi, %edi testb $4, %al jz.NoIndex movsbl insn_table+10(%edx),%ecx negl %ecx movl (%ebp, %ecx, 4), %edi movsbl insn_table+11(%edx),%ecx imul %ecx, %edi

63 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution … call monitor mov %eax, i … applicazione monitor Return Value ESP EAX ECX EDX EBX ESP EBP ESI EDI EFLAGS CPU EAX: EBX: ECX: EDX: ESI: EDI: EBP: ESP: campo flags low scala offset tabella chiave di ricerca idx * scala indirizzo eax orig. ????????????? EBP monitor: lea (,%ecx,4), %edx shl $0x2, %edx movsbl insn_table+8(%edx),%eax xor %edi, %edi testb $4, %al jz.NoIndex movsbl insn_table+10(%edx),%ecx negl %ecx movl (%ebp, %ecx, 4), %edi movsbl insn_table+11(%edx),%ecx imul %ecx, %edi monitor: lea (,%ecx,4), %edx shl $0x2, %edx movsbl insn_table+8(%edx),%eax xor %edi, %edi testb $4, %al jz.NoIndex movsbl insn_table+10(%edx),%ecx negl %ecx movl (%ebp, %ecx, 4), %edi movsbl insn_table+11(%edx),%ecx imul %ecx, %edi

64 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution … call monitor mov %eax, i … applicazione monitor Return Value ESP EAX ECX EDX EBX ESP EBP ESI EDI EFLAGS CPU EAX: EBX: ECX: EDX: ESI: EDI: EBP: ESP: campo flags low - reg. base offset tabella chiave di ricerca base + idx * scala indirizzo eax orig. ????????????? EBP monitor: lea (,%ecx,4), %edx shl $0x2, %edx movsbl insn_table+8(%edx),%eax xor %edi, %edi testb $4, %al jz.NoIndex movsbl insn_table+10(%edx),%ecx negl %ecx movl (%ebp, %ecx, 4), %edi movsbl insn_table+11(%edx),%ecx imul %ecx, %edi monitor:.NoIndex: testb $2, %al jz.NoBase movsbl insn_table+9(%edx), %ecx negl %ecx addl (%ebp, %ecx, 4), %edi.NoBase: add insn_table+12(%edx),%edi movsbl insn_table+4(%edx),%esi push %esi push %edi call dirty_mem addl $8, %esp

65 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution … call monitor mov %eax, i … applicazione monitor Return Value ESP EAX ECX EDX EBX ESP EBP ESI EDI EFLAGS CPU EAX: EBX: ECX: EDX: ESI: EDI: EBP: ESP: campo flags low - reg. base mediano taglia bs + idx * scl + off indirizzo eax orig. ????????????? EBP monitor:.NoIndex: testb $2, %al jz.NoBase movsbl insn_table+9(%edx), %ecx negl %ecx addl (%ebp, %ecx, 4), %edi.NoBase: add insn_table+12(%edx),%edi movsbl insn_table+4(%edx),%esi push %esi push %edi call dirty_mem addl $8, %esp monitor:.NoIndex: testb $2, %al jz.NoBase movsbl insn_table+9(%edx), %ecx negl %ecx addl (%ebp, %ecx, 4), %edi.NoBase: add insn_table+12(%edx),%edi movsbl insn_table+4(%edx),%esi push %esi push %edi call dirty_mem addl $8, %esp

66 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution … call monitor mov %eax, i … applicazione monitor Return Value EAX ECX EDX EBX ESP EBP ESI EDI EFLAGS CPU EAX: EBX: ECX: EDX: ESI: EDI: EBP: ESP: campo flags low - reg. base mediano taglia bs + idx * scl + off indirizzo eax orig. ????????????? EBP monitor:.NoIndex: testb $2, %al jz.NoBase movsbl insn_table+9(%edx), %ecx negl %ecx addl (%ebp, %ecx, 4), %edi.NoBase: add insn_table+12(%edx),%edi movsbl insn_table+4(%edx),%esi push %esi push %edi call dirty_mem addl $8, %esp monitor:.NoIndex: testb $2, %al jz.NoBase movsbl insn_table+9(%edx), %ecx negl %ecx addl (%ebp, %ecx, 4), %edi.NoBase: add insn_table+12(%edx),%edi movsbl insn_table+4(%edx),%esi push %esi push %edi call dirty_mem addl $8, %esp Size Destination memory_trace ESP

67 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution … call monitor mov %eax, i … applicazione monitor Return Value EAX ECX EDX EBX ESP EBP ESI EDI EFLAGS CPU EAX: EBX: ECX: EDX: ESI: EDI: EBP: ESP: ????????????? EBP monitor:.NoIndex: testb $2, %al jz.NoBase movsbl insn_table+9(%edx), %ecx negl %ecx addl (%ebp, %ecx, 4), %edi.NoBase: add insn_table+12(%edx),%edi movsbl insn_table+4(%edx),%esi push %esi push %edi call dirty_mem addl $8, %esp Taglia Destinazione ESP monitor:.NoIndex: testb $2, %al jz.NoBase movsbl insn_table+9(%edx), %ecx negl %ecx addl (%ebp, %ecx, 4), %edi.NoBase: add insn_table+12(%edx),%edi movsbl insn_table+4(%edx),%esi push %esi push %edi call dirty_mem addl $8, %esp

68 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution … call monitor mov %eax, i … applicazione monitor Return Value EAX ECX EDX EBX ESP EBP ESI EDI EFLAGS CPU EAX: EBX: ECX: EDX: ESI: EDI: EBP: ESP: eax originale ebx originale ecx originale edx originale esi originale edi originale ebp originale ????????????? EBP Taglia Destinazione ESP monitor:.NoIndex: testb $2, %al jz.NoBase movsbl insn_table+9(%edx), %ecx negl %ecx addl (%ebp, %ecx, 4), %edi.NoBase: add insn_table+12(%edx),%edi movsbl insn_table+4(%edx),%esi push %esi push %edi call dirty_mem addl $8, %esp monitor: popfw pop %edi pop %esi pop %ebp add $4, %esp pop %ebx pop %edx pop %ecx pop %eax ret

69 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution … call monitor mov %eax, i … applicazione CPU EAX: EBX: ECX: EDX: ESI: EDI: EBP: ESP: eax originale ebx originale ecx originale edx originale esi originale edi originale ebp originale esp originale monitor: popfw pop %edi pop %esi pop %ebp add $4, %esp pop %ebx pop %edx pop %ecx pop %eax ret monitor: popfw pop %edi pop %esi pop %ebp add $4, %esp pop %ebx pop %edx pop %ecx pop %eax ret controllo

70 HPDCS Research Group Operating Systems II - Laurea Magistrale in Computer Engineering Executable File Summary Sorgenti C/C++ e File Header preprocessor compilerassembler Linker C/C++ Soruces and Header Files Relocatable Object File Parser & Instrumentor Instruction Table Instrumented Object File Monitoring Module


Download ppt "Dipartimento di Informatica e Sistemistica Operating Systems II - Laurea Magistrale in Computer Engineering Executable Format and Advanced Compiling Tools."

Similar presentations


Ads by Google