Slide 1: Tracing for Hardware, Driver and Binary Reverse Engineering in Linux
Mathieu Desnoyers, Recon 2006

Slide 2: Plan (footer: 11/20/2016 Mathieu Desnoyers, Recon 2006)
● Performance and behavior analysis
● LTTng/LTTV Linux Trace Toolkit
● Application in reverse engineering
● Demo
● ...
● Profit!

Slide 3: Analysis
● Performance
● Behavior

Slide 4: Performance Analysis Tools
● Profiling tools
  – gprof, prof, tprof
  – time, top, nmon
  – oprofile
● Event-based performance monitoring
  – LTT
  – SystemTAP
  – LKST

Slide 5: Behavior Analysis
● Complete information about program execution
● Tracers
  – LTT
  – LKST
  – strace
  – ltrace
● Debuggers
  – gdb

Slide 6: Tracer
● Event: one information record with a time stamp
● Trace: binary event log

Slide 7: LTTng/LTTV Linux Trace Toolkit
● Tracer
  – Kernel
  – User space
● Libraries
● Programs
● Instrumentation

Slide 8: Key Features
● Integrated modular analysis
  – Cool GUI
  – Useful text output
  – Plugins
● Multiple information sources
● Low impact
  – Performance
  – Behavior

Slide 9: Application in Reverse Engineering
● Programs
● Libraries
● Drivers
● Network stack analysis
● Operating system

Slide 10: Program Analysis
● White box
  – Instrument the application
● Black box
  – Binary only
  – OS interaction
    ● System calls (FS, network, IPC, memory, ...)
  – Breakpoints with kprobes, SystemTAP
● Multi-threaded, multi-process
● Elude debugger detectors

Slide 11: Live demo

Slide 12: (no text on slide)

Slide 13: Demo
● Anti-debugging techniques
● Virus
● Password snooping
● Skype

Slide 14: Anti-debugging in Linux
● ptrace
  – Used by
    ● gdb
    ● strace
    ● ltrace
    ● ...
  – Attach to a process
  – Able to modify memory
  – Intercept: signals, system calls

Slide 15: Detecting ptrace
● Linux anti-debugging techniques (fooling the debugger), Silvio Cesare, January 1999
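The paper cited on this slide checks whether a ptrace-based tool is attached by calling ptrace(PTRACE_TRACEME) and treating failure as "already being traced". The following is an added illustration, not code from the talk or from LTTng, of the same condition read through the TracerPid field that the kernel exposes in /proc/self/status (a later mechanism than the 1999 paper, so this is a variant, not Cesare's exact check). The point for an analyst is that gdb, strace and ltrace all attach through ptrace and therefore set TracerPid, while an in-kernel tracer such as LTTng never attaches to the process, so a check like this never sees it. The status text in the block is constructed for the example; the function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed /proc/<pid>/status excerpt (sample input, not real output):
 * a process that has a ptrace tracer with PID 4242 attached. */
static const char sample_status_traced[] =
    "Name:\tdemo\n"
    "State:\tt (tracing stop)\n"
    "Tgid:\t1234\n"
    "Pid:\t1234\n"
    "PPid:\t1\n"
    "TracerPid:\t4242\n"
    "Uid:\t0\t0\t0\t0\n";

/* Parse the "TracerPid:" field out of /proc/<pid>/status text.
 * Returns the tracer's PID, 0 when nothing is attached via ptrace,
 * or -1 when the field is absent from the text. */
long tracer_pid_from_status(const char *status_text)
{
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0)
            return strtol(line + 10, NULL, 10); /* strtol skips the tab */
        line = strchr(line, '\n');
        if (line)
            line++;                             /* advance to next line */
    }
    return -1;
}

/* Live version for the calling process: read /proc/self/status and
 * hand it to the parser above. Only ptrace attachments show up here. */
long current_tracer_pid(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

int main(void)
{
    printf("constructed sample: TracerPid = %ld\n",
           tracer_pid_from_status(sample_status_traced));
    long t = current_tracer_pid();
    if (t > 0)
        printf("this process: ptrace tracer attached, pid %ld\n", t);
    else if (t == 0)
        printf("this process: no ptrace tracer (a kernel tracer would still record it)\n");
    else
        printf("this process: /proc/self/status not available\n");
    return 0;
}
```

Running the binary under gdb or strace makes the live value non-zero; running it while an LTTng kernel trace is active does not, which is why the talk's "Elude debugger detectors" bullet on slide 10 holds for kernel tracing.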
Slide 16: Detect gdb With Cycle Counter

Slide 17: Replacing int3 With nop (objdump)

Slide 18: Replacing int3 With nop (edit)

Slide 19: Detect nop replacement

Slide 20: Detect strace/ltrace

Slide 21: Detect strace/ltrace (cont.)

Slide 22: Virus Study
● Virus.Linux.RST.b
  – Advisory (Costin Raiu, Kaspersky Labs, Romania)
● Anti-debugging
● Infects Linux binaries
● Infects current directory, /bin
● Backdoor on the network interface

Slide 23: Setup
● Qemu
● Linux kernel with LTTng tracer

Slide 24: Process view

Slide 25: Anti-debugging

Slide 26: Open /root

Slide 27: Modification of binary files

Slide 28: Password Snooping
● su
● ssh
  – Password in clear text in the system calls

Slide 29: Locate the Program

Slide 30: Select Interesting Information

Slide 31: Profit!

Slide 32: Skype
● No ptrace detection
  – Could have this information with strace
● Opens ~1000 sockets
● Uses times, time, do_gettimeofday, nanosleep
● Times called in a loop (same EIP)
● Massive use of /dev/urandom

Slide 33: Kernel RE
● System call fuzzing
● Drivers
  – Each undefined symbol of a kernel module can potentially be instrumented
  – kprobes

Slide 34: Hardware RE
● Interrupt frequency, handler duration
● Poll devices for state
  – memory read
    ● periodical
    ● when IRQ is received
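Slide 6 defines an event as one time-stamped record and a trace as a binary log of such records; slide 34 then lists interrupt frequency and handler duration as the first things to pull out of a trace when reverse engineering hardware. The block below is an added example, not the talk's or LTTng's code, that ties the two together: it writes IRQ entry/exit events into a constructed fixed-size binary record format (an assumption for the example, not LTTng's real on-disk layout), then walks the log to compute invocation count, total and maximum handler duration, and the interrupt rate for one IRQ line. The sample trace, the event ids and all function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format (assumption, not LTTng's layout):
 * 64-bit timestamp in ns, 16-bit event id, 16-bit IRQ line, padding. */
enum { EV_IRQ_ENTRY = 1, EV_IRQ_EXIT = 2 };

struct event {
    uint64_t ts_ns;
    uint16_t id;
    uint16_t irq;
    uint32_t pad;
};

#define MAX_EVENTS 64

/* The trace itself is nothing more than a byte buffer of packed events. */
struct trace {
    uint8_t buf[MAX_EVENTS * sizeof(struct event)];
    size_t len;
};

/* Append one event to the binary log. */
void emit(struct trace *t, uint64_t ts_ns, uint16_t id, uint16_t irq)
{
    struct event ev = { ts_ns, id, irq, 0 };
    if (t->len + sizeof ev > sizeof t->buf)
        return;                              /* buffer full: drop event */
    memcpy(t->buf + t->len, &ev, sizeof ev);
    t->len += sizeof ev;
}

struct irq_stats {
    unsigned count;     /* completed handler invocations */
    uint64_t total_ns;  /* sum of entry->exit durations */
    uint64_t max_ns;    /* longest handler run */
    double   freq_hz;   /* entries per second across the observed span */
};

/* Walk the log, pair entry/exit events for one IRQ line, derive stats. */
struct irq_stats analyze_irq(const struct trace *t, uint16_t irq)
{
    struct irq_stats s = { 0, 0, 0, 0.0 };
    uint64_t first = 0, last = 0, entry_ts = 0;
    int have_first = 0, in_handler = 0;

    for (size_t off = 0; off + sizeof(struct event) <= t->len;
         off += sizeof(struct event)) {
        struct event ev;
        memcpy(&ev, t->buf + off, sizeof ev);   /* decode one record */
        if (ev.irq != irq)
            continue;                           /* other line: skip */
        if (ev.id == EV_IRQ_ENTRY) {
            entry_ts = ev.ts_ns;
            in_handler = 1;
            if (!have_first) { first = ev.ts_ns; have_first = 1; }
            last = ev.ts_ns;
        } else if (ev.id == EV_IRQ_EXIT && in_handler) {
            uint64_t d = ev.ts_ns - entry_ts;
            s.count++;
            s.total_ns += d;
            if (d > s.max_ns)
                s.max_ns = d;
            in_handler = 0;
        }
    }
    /* Rate needs at least two entries: (n-1) intervals over the span. */
    if (s.count > 1 && last > first)
        s.freq_hz = (double)(s.count - 1) * 1e9 / (double)(last - first);
    return s;
}

/* Constructed sample: IRQ 19 fires every 1 ms with 10/12/8 us handlers,
 * plus one unrelated IRQ 1 event in the middle to exercise filtering. */
void build_sample_trace(struct trace *t)
{
    t->len = 0;
    emit(t, 1000000, EV_IRQ_ENTRY, 19); emit(t, 1010000, EV_IRQ_EXIT, 19);
    emit(t, 2000000, EV_IRQ_ENTRY, 19); emit(t, 2012000, EV_IRQ_EXIT, 19);
    emit(t, 2500000, EV_IRQ_ENTRY, 1);  emit(t, 2505000, EV_IRQ_EXIT, 1);
    emit(t, 3000000, EV_IRQ_ENTRY, 19); emit(t, 3008000, EV_IRQ_EXIT, 19);
}

/* Convenience wrapper: stats for one IRQ line of the sample trace. */
struct irq_stats sample_irq_stats(uint16_t irq)
{
    struct trace t;
    build_sample_trace(&t);
    return analyze_irq(&t, irq);
}

int main(void)
{
    struct irq_stats s = sample_irq_stats(19);
    printf("IRQ 19: %u handlers, avg %.1f us, max %.1f us, %.0f Hz\n",
           s.count, s.total_ns / 1000.0 / s.count, s.max_ns / 1000.0, s.freq_hz);
    return 0;
}
```

On a real trace the same pairing logic runs over the kernel's IRQ entry/exit events; a drifting frequency or a handler duration that grows over time is the kind of hardware behaviour the slide is after, and the "when IRQ is received" polling bullet maps onto reading device state at the entry event rather than on a timer.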
Slide 35: Conclusion
● Try it
  – http://ltt.polymtl.ca
● Contributions
  – Analysis: text and graphical plugins
  – Instrumentation

Slide 36: Question?