Static instrumentation based on executable file …
About
- Romain Thomas - Security engineer at Quarkslab
- Working on various topics: Android, (de)obfuscation, software protection and reverse engineering
- Author of LIEF
Executable Formats
Executable Formats: Overview
Executable Formats
- First layer of information when analysing a binary
- Provide metadata [1] used by the operating system to load the binary.

[1] entrypoint, libraries, ...
Executable Formats
- OSX / iOS: Mach-O
- Linux: ELF
- Windows: PE
- Android: ELF, OAT
Executable Formats
Why modify formats?
Figure – Where the format sits: the format is consumed by the loader in userland, while the kernel lives in the more privileged area. Loader: perform relocations, load shared libraries. Kernel: create process, map content, set permissions.

Examples of modifications:
- Change segments / sections permissions
- Add shared libraries
- Disable ASLR
Executable Formats
LIEF: Library to Instrument Executable Formats
LIEF
- One library to deal with ELF, PE, Mach-O
- Core in C++
- Bindings for different languages: Python, C [2], ...
- Enable modification on these formats
- User friendly API

[2] C binding is not as mature as Python and C++
Executable Formats
Figure – LIEF architecture: the Parser produces a format-specific object (ELF Binary Object, PE Binary Object, Mach-O Fat Binary Object, OAT Binary Object, DEX File Object, VDEX File Object, ART File Object) exposed through an Abstract Binary; information extraction, information adding, ... are done on that object, and the Builder writes it back.
```python
import lief

target = lief.parse("ELF/PE/Mach-O/OAT")   # any supported format
print(target.entrypoint)
```
```python
import lief

target = lief.parse("ELF/PE/Mach-O/OAT")
for section in target.sections:
    print(section.virtual_address)
    process(section.content)   # process(): the user's own analysis routine
```
```python
import lief

target = lief.parse("some.exe")
target.tls.callbacks.append(0x....)   # address of the TLS callback to register
target.write("new.exe")
```
```python
import lief

target = lief.parse(...)
section = lief.ELF.Section(".text2")
section.content = [0x90] * 0x1000   # 4 KiB of nop
target += section
target.write("new.elf")
```
Next parts introduce interesting modifications on formats:
- Hooking
- Exporting hidden functions
- Code injection through shared libraries
PE Hooking
For PE files, LIEF can rebuild the import table elsewhere in the binary, so that one can add new functions or new libraries, or patch the Import Address Table.
Example
Figure – Original IAT
The following code patches the IAT entry of __acrt_iob_func with a trampoline to the function at 0x140008000:
```python
import lief

pe = lief.parse("some.exe")
pe.hook_function("__acrt_iob_func", 0x140008000)

builder = lief.PE.Builder(pe)
builder.build_imports(True).patch_imports(True)
builder.build()
builder.write("hooked.exe")
```
Figure – Original IAT patched with trampoline functions
Figure – Trampoline for non-hooked function
Figure – Trampoline for hooked function
Limitations
This method only works if accesses to the IAT are performed with call instructions. In particular, it does not work if the original IAT is referenced with a lea instruction.
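To check whether this limitation applies to a given binary before patching it, one can scan its code for RIP-relative references into the IAT and classify them. The following is an added example, not LIEF's code: a heuristic x86-64 scanner over a constructed code blob. The image address (0x140001000), the IAT range and the byte sequences are made up for the demonstration. It treats call/jmp through an IAT slot as compatible, and lea or mov of the slot as incompatible, since both use the slot as data rather than as a call target (the slide names lea; mov is added here for the same reason).

```python
import struct

# Constructed sample: image address and IAT range are invented for the demo.
CODE_VA = 0x140001000
IAT_RANGE = (0x140003000, 0x140003100)


def rip_rel(code_va, insn_off, insn_len, disp):
    """Resolve a RIP-relative displacement: RIP points past the instruction."""
    return code_va + insn_off + insn_len + disp


def scan_iat_accesses(code, code_va, iat_range):
    """Linear sweep for RIP-relative references into the IAT.

    Recognised forms:
      FF 15 disp32      call qword ptr [rip+disp32]   (compatible)
      FF 25 disp32      jmp  qword ptr [rip+disp32]   (compatible: tail call)
      48 8D /r disp32   lea  r64, [rip+disp32]        (incompatible: takes slot address)
      48 8B /r disp32   mov  r64, [rip+disp32]        (incompatible: reads slot as data)
    Returns (compatible, incompatible) lists of (insn_va, mnemonic, target).
    A linear byte sweep is only a heuristic: a real check should disassemble
    from known entry points (e.g. with capstone) so that bytes inside other
    instructions are not mistaken for opcodes.
    """
    lo, hi = iat_range
    compatible, incompatible = [], []
    i, n = 0, len(code)
    while i < n:
        b0 = code[i]
        # FF 15 / FF 25: call / jmp through a RIP-relative memory operand
        if b0 == 0xFF and i + 6 <= n and code[i + 1] in (0x15, 0x25):
            disp = struct.unpack_from("<i", code, i + 2)[0]
            target = rip_rel(code_va, i, 6, disp)
            if lo <= target < hi:
                mnem = "call" if code[i + 1] == 0x15 else "jmp"
                compatible.append((code_va + i, mnem, target))
            i += 6
            continue
        # REX.W + 8D/8B with ModRM mod=00, rm=101: lea/mov r64, [rip+disp32]
        if (b0 == 0x48 and i + 7 <= n and code[i + 1] in (0x8D, 0x8B)
                and (code[i + 2] & 0xC7) == 0x05):
            disp = struct.unpack_from("<i", code, i + 3)[0]
            target = rip_rel(code_va, i, 7, disp)
            if lo <= target < hi:
                mnem = "lea" if code[i + 1] == 0x8D else "mov"
                incompatible.append((code_va + i, mnem, target))
            i += 7
            continue
        i += 1
    return compatible, incompatible


def iat_hook_compatible(code, code_va=CODE_VA, iat_range=IAT_RANGE):
    """True when every IAT reference found is a call/jmp, i.e. safe to patch."""
    _, incompatible = scan_iat_accesses(code, code_va, iat_range)
    return not incompatible


# Constructed code blob (hand-assembled, with its displacements computed for CODE_VA)
SAMPLE_CODE = bytes([
    0xFF, 0x15, 0x0A, 0x20, 0x00, 0x00,        # 140001000: call [rip+0x200A] -> 140003010
    0x48, 0x8D, 0x05, 0x0B, 0x20, 0x00, 0x00,  # 140001006: lea rax, [rip+0x200B] -> 140003018
    0x48, 0x8B, 0x0D, 0x0C, 0x20, 0x00, 0x00,  # 14000100D: mov rcx, [rip+0x200C] -> 140003020
    0xFF, 0x15, 0xE6, 0x2F, 0x00, 0x00,        # 140001014: call [rip+0x2FE6] -> 140004000 (not IAT)
    0xC3,                                      # ret
])

if __name__ == "__main__":
    ok, bad = scan_iat_accesses(SAMPLE_CODE, CODE_VA, IAT_RANGE)
    for va, mnem, target in ok + bad:
        print(f"{va:#x}: {mnem:<4} -> {target:#x}")
    print("safe to patch IAT:", iat_hook_compatible(SAMPLE_CODE))
```

On the sample the first call is reported as compatible, the lea and mov as incompatible, and the last call is ignored because its target lies outside the IAT range; the same scan applied to the .text of a real PE (with the IAT range taken from the import directory) tells whether the trampoline approach can be used without breaking the program.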
ELF Hooking
For ELF files, hooking can be done by patching the plt/got.
ELF plt/got
Figure – Lazy binding through the plt/got (steps 1, 2, 3):
```text
.text
  ...
  400637: jmp 400480 <memcmp@plt>        (1) call site goes to the PLT stub
  ...
.plt
  ...
  400480: jmp 201028 <memcmp@got>        (2) indirect jump through the GOT slot
  400486: push 0x2
  40048b: jmp 400450 <.plt>
  ...
.got
  ...
  201028: 0x400486                        (3) slot initially points back into the stub
  ...
```
ELF plt/got
Figure – Relocations associated with plt/got
```python
import lief

elf = lief.parse("some_elf")
elf.patch_pltgot("memcmp", 0xAAAAAAAA)
elf.write("elf_modified")
```
Figure – plt/got after patch_pltgot (steps 1, 2, 3): the GOT slot now points to the hook
```text
.text
  ...
  400637: jmp 400480 <memcmp@plt>        (1)
  ...
.plt
  ...
  400480: jmp 201028 <memcmp@got>        (2)
  400486: push 0x2
  40048b: jmp 400450 <.plt>
  ...
.got
  ...
  201028: XXXXXX <memcmp@hook>           (3)
  ...
.hook
  ...
  XXXXXX: memcmp hooked
  ...
```
https://lief.quarkslab.com/recon18/demo1
Exporting Functions
Idea
Example
```c
int main(int argc, char *argv[]) {
    if (COMPLICATED CONDITION) {   /* placeholder: a condition that is hard to reach */
        fuzz_me(argv[1]);
    }
    return 0;
}
```
Figure – Original Symbol Table
```python
import lief

target = lief.parse("target")
target.add_exported_function(0x63A, "to_fuzz")
target.write("target_modified")
```
Figure – New Symbol Table
```c
#include <dlfcn.h>

typedef void (*fnc_t)(const char *);

// Access with dlopen / dlsym
void *hdl = dlopen("./target_modified", RTLD_LAZY);
fnc_t to_fuzz = (fnc_t)dlsym(hdl, "to_fuzz");
to_fuzz(TO_FEED);   /* TO_FEED: placeholder for the input to feed */
```
https://lief.quarkslab.com/recon18/demo2
Code injection
Code injection through shared libraries
Context
Different techniques exist to inject code:
- Using environment variables: LD_PRELOAD, DYLD_INSERT_LIBRARIES, ...
- Using operating system API: WriteProcessMemory, ptrace, ...
- Using custom kernel drivers
- Using executable formats
Depending on the scenario, a method can be suitable or not. The next part shows a method based on shared libraries and executable formats to leverage code injection.
Linked Libraries - Loading
Figure – Loading a linked library: the loader (userland, below the more privileged kernel area) maps the new library libexample.so and executes its constructor my_constructor().
Injection process
1. Declare a constructor
```c
#include <stdio.h>

__attribute__((constructor))
void my_constructor(void) {
    printf("Run payload\n");
}
```
```shell
gcc -fPIC -shared libexample.c -o libexample.so      # Linux
gcc -fPIC -shared libexample.c -o libexample.dylib   # macOS
```
2. Add a dependency
```python
import lief

# ELF
elf = lief.parse("/usr/bin/ssh")
elf.add_library("libexample.so")
elf.write("ssh_modified")

# Mach-O
macho = lief.parse("/bin/ls")
macho.add_library("/Users/romain/libexample.dylib")
macho.write("ls_modified")

# PE: Not implemented yet
```
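As an added example (not LIEF's own code) covering both the loader metadata mentioned at the start of the talk (entrypoint, libraries) and the dependency step above: a small pure-Python ELF64 reader that pulls the entrypoint and the DT_NEEDED names straight from the program headers and the .dynamic segment, plus a check that reports dependencies absent from a known-good baseline. The ELF image it parses is constructed in the script (build_toy_elf), so it runs without any real binary; libexample.so, libc.so.6 and the baseline list are placeholders chosen for the demonstration.

```python
import struct

# ELF64 constants (from the ELF specification)
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5
EHDR_FMT, EHDR_SIZE = "<HHIQQQIHHHHHH", 64   # fields after the 16-byte e_ident
PHDR_FMT, PHDR_SIZE = "<IIQQQQQQ", 56
DYN_FMT, DYN_SIZE = "<qQ", 16


def build_toy_elf(needed, entry=0x401000, base=0x400000):
    """Construct a minimal ELF64 image: one PT_LOAD covering the whole file
    (mapped at `base`) and one PT_DYNAMIC listing `needed` as DT_NEEDED.
    Constructed sample for the parser below, not a loadable program."""
    strtab, name_offsets = b"\0", []
    for name in needed:
        name_offsets.append(len(strtab))
        strtab += name.encode() + b"\0"
    phnum = 2
    strtab_off = EHDR_SIZE + PHDR_SIZE * phnum
    dyn_off = (strtab_off + len(strtab) + 7) & ~7            # 8-byte align .dynamic
    dynamic = b"".join(struct.pack(DYN_FMT, DT_NEEDED, o) for o in name_offsets)
    dynamic += struct.pack(DYN_FMT, DT_STRTAB, base + strtab_off)  # a virtual address
    dynamic += struct.pack(DYN_FMT, DT_NULL, 0)
    filesz = dyn_off + len(dynamic)
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8     # ELFCLASS64, LSB, version 1
    ehdr = e_ident + struct.pack(EHDR_FMT, 3, 62, 1, entry, EHDR_SIZE, 0, 0,
                                 EHDR_SIZE, PHDR_SIZE, phnum, 64, 0, 0)  # ET_DYN, EM_X86_64
    ph_load = struct.pack(PHDR_FMT, PT_LOAD, 5, 0, base, base, filesz, filesz, 0x1000)
    ph_dyn = struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, base + dyn_off,
                         base + dyn_off, len(dynamic), len(dynamic), 8)
    image = bytearray(ehdr + ph_load + ph_dyn + strtab)
    image += b"\0" * (dyn_off - len(image))
    image += dynamic
    return bytes(image)


def parse_elf(data):
    """Read the loader-facing metadata: entrypoint and DT_NEEDED libraries."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    f = struct.unpack_from(EHDR_FMT, data, 16)
    e_type, e_machine, e_entry, e_phoff, e_phentsize, e_phnum = f[0], f[1], f[3], f[4], f[8], f[9]
    phdrs = [struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align

    def va_to_off(va):
        # DT_STRTAB holds a virtual address: map it to a file offset via PT_LOAD
        for p_type, _, p_off, p_vaddr, _, p_filesz, _, _ in phdrs:
            if p_type == PT_LOAD and p_vaddr <= va < p_vaddr + p_filesz:
                return va - p_vaddr + p_off
        raise ValueError(f"virtual address {va:#x} is not file-backed by any PT_LOAD")

    needed, strtab_va = [], None
    for p in phdrs:
        if p[0] != PT_DYNAMIC:
            continue
        off, end = p[2], p[2] + p[5]
        while off + DYN_SIZE <= end:
            tag, val = struct.unpack_from(DYN_FMT, data, off)
            off += DYN_SIZE
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                needed.append(val)          # offset into the dynamic string table
            elif tag == DT_STRTAB:
                strtab_va = val
    libraries = []
    if needed:
        if strtab_va is None:
            raise ValueError("DT_NEEDED present without DT_STRTAB")
        strtab_off = va_to_off(strtab_va)
        for name_off in needed:
            start = strtab_off + name_off
            libraries.append(data[start:data.index(b"\0", start)].decode())
    return {"type": e_type, "machine": e_machine, "entrypoint": e_entry,
            "libraries": libraries}


def unexpected_libraries(data, baseline):
    """Defender's check: DT_NEEDED entries that a known-good build did not have.
    A dependency added the way the slide shows (add_library) appears here."""
    known = set(baseline)
    return [lib for lib in parse_elf(data)["libraries"] if lib not in known]


if __name__ == "__main__":
    original = build_toy_elf(["libc.so.6"])
    modified = build_toy_elf(["libexample.so", "libc.so.6"])   # placeholder library name
    print(parse_elf(original))
    print("unexpected:", unexpected_libraries(modified, ["libc.so.6"]))
```

With LIEF itself the same list is available as `lief.parse(path).libraries`; writing the reader by hand shows that a loader needs only a PT_LOAD mapping and the DT_STRTAB address to resolve DT_NEEDED names, which is why an injected dependency is visible to a static scan before anything runs.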
Frida & LIEF
Frida & LIEF: Frida injection in an Android application
Using the techniques previously described, we can use Frida on an APK having at least one native library, without root privileges.
Figure – Original APK
Figure – APK embedding Frida
Figure – Original native library
Figure – Modified native library
Frida & LIEF
libgadget.config.so
```json
{
  "interaction": {
    "type": "script",
    "path": "/data/local/tmp/myscript.js",
    "on_change": "reload"
  }
}
```
/data/local/tmp/myscript.js
```javascript
Java.perform(function () {
  var Log = Java.use("android.util.Log");
  var tag = "frida-lief";
  Log.v(tag, "I'm in the process!");
  Process.enumerateModules({
    onMatch: function (module) {
      Log.v(tag, "Module: " + module.name);
    },
    onComplete: function () {}
  });
});
```
Format modification
Such modifications on formats are not new [3][4].
However, LIEF implements them with a new approach that doesn't rely on replacing existing entries, using padding, removing entries, ...

[3] Mayhem, Phrack #61
[4] https://github.com/Tyilo/insert_dylib
Instead, it keeps a consistent state of the format:
- Export trie
- Symbol hash tables
- Relocations
- Symbol versions
- Rebase opcodes
- ...
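Why "a consistent state" matters, shown for one item of the list, the symbol hash table (the same constraint applies to add_exported_function in the Exporting Functions part: the new symbol must be findable by the loader). The following is an added example, not LIEF's code: it implements the SysV DT_HASH function and table in Python and compares a naive patch that appends a symbol to the symbol table without touching the hash table with a consistent update that rebuilds it. Symbol names and the bucket count are made up for the demonstration; gnu_hash is included only for comparison with the DT_GNU_HASH variant.

```python
def elf_hash(name):
    """SysV ELF hash (DT_HASH); the loader uses it to pick a bucket."""
    h = 0
    for c in name.encode():
        h = ((h << 4) + c) & 0xFFFFFFFF
        g = h & 0xF0000000
        if g:
            h ^= g >> 24
        h &= ~g & 0xFFFFFFFF
    return h


def gnu_hash(name):
    """DT_GNU_HASH function (h = h*33 + c, seeded with 5381), for comparison."""
    h = 5381
    for c in name.encode():
        h = (h * 33 + c) & 0xFFFFFFFF
    return h


class SysvHashTable:
    """A DT_HASH table: nbucket, nchain, bucket[], chain[] over a symbol name
    list whose index 0 is the reserved undefined symbol (STN_UNDEF)."""

    def __init__(self, symbols, nbucket):
        self.symbols = list(symbols)       # symbols[0] must be "" (STN_UNDEF)
        self.nbucket = nbucket
        self.rebuild()

    def rebuild(self):
        """Recompute bucket[] and chain[] from the current symbol list."""
        n = len(self.symbols)
        self.bucket = [0] * self.nbucket
        self.chain = [0] * n
        for idx in range(1, n):            # index 0 is never hashed
            b = elf_hash(self.symbols[idx]) % self.nbucket
            self.chain[idx] = self.bucket[b]   # new head of the bucket's chain
            self.bucket[b] = idx

    def lookup(self, name):
        """Loader-style lookup: walk the chain of the bucket for `name`."""
        idx = self.bucket[elf_hash(name) % self.nbucket]
        while idx != 0:
            if self.symbols[idx] == name:
                return idx
            idx = self.chain[idx]
        return None

    def append_symbol_without_rebuild(self, name):
        """Model a naive patch: grow the symbol table but leave DT_HASH stale.
        The symbol exists, yet no chain ever reaches its index."""
        self.symbols.append(name)
        self.chain.append(0)
        return len(self.symbols) - 1

    def append_symbol(self, name):
        """Consistent update: extend the symbol table and rebuild the hash."""
        self.symbols.append(name)
        self.rebuild()
        return len(self.symbols) - 1


if __name__ == "__main__":
    # Constructed symbol table: STN_UNDEF plus three imported names
    stale = SysvHashTable(["", "memcmp", "strlen", "printf"], nbucket=3)
    stale.append_symbol_without_rebuild("to_fuzz")
    print("stale table finds to_fuzz:", stale.lookup("to_fuzz"))      # None
    fresh = SysvHashTable(["", "memcmp", "strlen", "printf"], nbucket=3)
    fresh.append_symbol("to_fuzz")
    print("rebuilt table finds to_fuzz:", fresh.lookup("to_fuzz"))    # 4
```

The stale table is exactly what a dlsym("to_fuzz") would hit if .dynsym were extended without rebuilding DT_HASH (and DT_GNU_HASH, which has a bloom filter and its own chains on top): the lookup returns nothing even though the symbol entry is present, which is the kind of inconsistency the approach described on this slide avoids.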
What’s next
LIEF 0.9 comes with new formats related to Android:
- OAT
- VDEX
- DEX
- ART
Modification of these formats is not available yet, but a further version will support it.
How Samsung Secures Your Wallet & How To Break It - Black Hat 2017
Tencent’s Xuanwu Lab
Inside Android’s SafetyNet Attestation: Attack and Defense - Ekoparty 2017
Collin Mulliner
Next version will also include support for Mach-O modifications:
- Add unlimited number of Load commands
- Add libraries
- Change signature
- ...
Thank You
https://lief.quarkslab.com
https://github.com/lief-project/LIEF
@LIEF_Project - @rh0main