Tracing for Hardware, Driver and Binary Reverse Engineering in Linux Mathieu Desnoyers Recon 2006.


Slide 1: Tracing for Hardware, Driver and Binary Reverse Engineering in Linux, Mathieu Desnoyers, Recon 2006

Slide 2: Plan (slide footer: 11/20/2016, Mathieu Desnoyers, Recon 2006)
● Performance and behavior analysis
● LTTng/LTTV Linux Trace Toolkit
● Application in reverse engineering
● Demo
● ...
● Profit!

Slide 3: Analysis
● Performance
● Behavior

Slide 4: Performance Analysis Tools
● Profiling tools
  – gprof, prof, tprof
  – time, top, nmon
  – oprofile
● Event-based performance monitoring
  – LTT
  – SystemTAP
  – LKST

Slide 5: Behavior Analysis
● Complete information about program execution
● Tracers
  – LTT
  – LKST
  – strace
  – ltrace
● Debuggers
  – gdb

Slide 6: Tracer
● Event: one information record with a time stamp
● Trace: binary event log

Slide 7: LTTng/LTTV Linux Trace Toolkit
● Tracer
  – Kernel
  – User space
● Libraries
● Programs
● Instrumentation

Slide 8: Key Features
● Integrated modular analysis
  – Cool GUI
  – Useful text output
  – Plugins
● Multiple information sources
● Low impact
  – Performance
  – Behavior

Slide 9: Application in Reverse Engineering
● Programs
● Libraries
● Drivers
● Network stack analysis
● Operating system

Slide 10: Program Analysis
● White box
  – Instrument the application
● Black box
  – Binary only
  – OS interaction
    ● System calls (FS, network, IPC, memory, ...)
  – Breakpoints with kprobes, SystemTAP
● Multi-threaded, multi-process
● Elude debugger detectors

Slide 11: Live demo

Slide 12: (no text on this slide)

Slide 13: Demo
● Anti-debugging techniques
● Virus
● Password snooping
● Skype

Slide 14: Anti-debugging in Linux
● ptrace
  – Used by
    ● gdb
    ● strace
    ● ltrace
    ● ...
  – Attach to a process
  – Able to modify memory
  – Intercept: signals, system calls

Slide 15: Detecting ptrace
● Linux anti-debugging techniques (fooling the debugger), Silvio Cesare, January 1999

Slide 16: Detect gdb With Cycle Counter

Slide 17: Replacing int3 With nop (objdump)

Slide 18: Replacing int3 With nop (edit)

Slide 19: Detect nop replacement

Slide 20: Detect strace/ltrace

Slide 21: Detect strace/ltrace (cont.)

Slide 22: Virus Study
● Virus.Linux.RST.b
  – Advisory (Costin Raiu, Kaspersky Labs, Romania)
● Anti-debugging
● Infects Linux binaries
● Infects current directory, /bin
● Backdoor on the network interface

Slide 23: Setup
● Qemu
● Linux kernel with LTTng tracer

Slide 24: Process view

Slide 25: Anti-debugging

Slide 26: Open /root

Slide 27: Modification of binary files

Slide 28: Password Snooping
● su
● ssh
  – Password in clear text in the system calls

Slide 29: Locate the Program

Slide 30: Select Interesting Information

Slide 31: Profit!

Slide 32: Skype
● No ptrace detection
  – Could have this information with strace
● Opens ~1000 sockets
● Uses times, time, do_gettimeofday, nanosleep
● Times called in a loop (same EIP)
● Massive use of /dev/urandom
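The kind of behavior analysis the anti-debugging slide (slide 14) and the Skype slide above describe can be scripted over a system-call trace. The following is an added example, not code from the slides or from LTTng/LTTV: it assumes a simplified, constructed text trace format (timestamp, pid, EIP, syscall with arguments, return value) and flags ptrace(PTRACE_TRACEME), timing calls repeated from one EIP, socket() counts and /dev/urandom reads per process.

```python
import re
from collections import Counter, defaultdict

# Assumed, simplified trace line format (an assumption, not LTTng's binary trace format):
#   <timestamp> <pid> <eip> <syscall>(<args>) = <return>
LINE_RE = re.compile(r"^(?P<ts>[\d.]+) (?P<pid>\d+) (?P<eip>0x[0-9a-f]+) (?P<name>\w+)\((?P<args>.*)\) = (?P<ret>-?\w+)$")

TIME_CALLS = {"time", "times", "gettimeofday", "nanosleep"}  # repeated from one EIP => timing loop


def parse(lines):
    """Parse trace lines into dicts, silently skipping lines that do not match the format."""
    return [m.groupdict() for m in map(LINE_RE.match, (line.strip() for line in lines)) if m]


def analyze(lines, loop_threshold=3):
    """Return {pid: [finding, ...]} for behaviours worth a closer look in the trace."""
    findings = defaultdict(list)
    time_by_eip = defaultdict(Counter)  # pid -> (syscall, eip) -> call count
    sockets = Counter()                 # pid -> number of socket() calls

    for ev in parse(lines):
        pid, name, args = ev["pid"], ev["name"], ev["args"]
        if name == "ptrace" and "PTRACE_TRACEME" in args:
            findings[pid].append("anti-debugging: ptrace(PTRACE_TRACEME)")
        elif name == "open" and "/dev/urandom" in args:
            findings[pid].append("reads /dev/urandom")
        elif name == "socket":
            sockets[pid] += 1
        elif name in TIME_CALLS:
            time_by_eip[pid][(name, ev["eip"])] += 1

    for pid, counts in time_by_eip.items():
        for (name, eip), n in counts.items():
            if n >= loop_threshold:
                findings[pid].append(f"timing loop: {name} called {n}x from EIP {eip}")
    for pid, n in sockets.items():
        findings[pid].append(f"{n} socket(s) opened")
    return dict(findings)


# Constructed sample trace: pid 1234 shows the patterns above, pid 4321 is benign
SAMPLE_TRACE = """\
0.001 1234 0x08048400 ptrace(PTRACE_TRACEME, 0, 0, 0) = -1
0.002 1234 0x08048500 open("/dev/urandom", O_RDONLY) = 3
0.003 1234 0x08048600 times(0xbffff000) = 12345
0.004 1234 0x08048600 times(0xbffff000) = 12346
0.005 1234 0x08048600 times(0xbffff000) = 12347
0.006 1234 0x08048700 socket(PF_INET, SOCK_STREAM, 0) = 4
0.008 4321 0x08049000 write(1, "hello\\n", 6) = 6
"""
```

Calling analyze(SAMPLE_TRACE.splitlines()) reports the four findings for pid 1234 and nothing for pid 4321; on a real trace the same grouping by (syscall, EIP) is what makes a tight timing loop stand out.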

Slide 33: Kernel RE
● System call fuzzing
● Drivers
  – Each undefined symbol of a kernel module can potentially be instrumented
  – kprobes

Slide 34: Hardware RE
● Interrupt frequency, handler duration
● Poll devices for state
  – memory read
    ● periodical
    ● when IRQ is received

Slide 35: Conclusion
● Try it
  – http://ltt.polymtl.ca
● Contributions
  – Analysis: text and graphical plugins
  – Instrumentation

Slide 36: Questions?

