Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Learning Linux Binary Analysis

You're reading from   Learning Linux Binary Analysis Learning Linux Binary Analysis

Arrow left icon
Product type Paperback
Published in Feb 2016
Publisher Packt
ISBN-13 9781782167105
Length 282 pages
Edition 1st Edition
Languages
Tools
Arrow right icon
Author (1):
Arrow left icon
Ryan "elfmaster" O'Neill Ryan "elfmaster" O'Neill
Author Profile Icon Ryan "elfmaster" O'Neill
Ryan "elfmaster" O'Neill
Arrow right icon
View More author details
Toc

Table of Contents (11) Chapters Close

Preface 1. The Linux Environment and Its Tools FREE CHAPTER 2. The ELF Binary Format 3. Linux Process Tracing 4. ELF Virus Technology – Linux/Unix Viruses 5. Linux Binary Protection 6. ELF Binary Forensics in Linux 7. Process Memory Forensics 8. ECFS – Extended Core File Snapshot Technology 9. Linux /proc/kcore Analysis Index

Examining an infected process using ECFS


Before we show the effectiveness of ECFS with a real-world example, it would be helpful to have a little background of the method of infection that we will use from a hacker's perspective. It is often very useful for a hacker to be able to incorporate anti-forensic techniques into their workflow on compromised systems so that their programs, especially the ones that serve as backdoors and such, can remain hidden to the untrained eye.

One such technique is to perform process cloaking. This is the act of running a program inside of an existing process, ideally inside of a process that is known to be benign but persistent, such as ftpd or sshd. The Saruman anti-forensics exec (http://www.bitlackeys.org/#saruman) allows an attacker to inject a complete, dynamically linked PIE executable into an existing process address space and run it.

It uses a thread injection technique so that the injected program can run simultaneously with the host program. This particular...

lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at AU $24.99/month. Cancel anytime