Useful devices and files
Linux has many files, devices, and /proc entries that are very helpful to the avid hacker and reverse engineer. Throughout this book, we will be demonstrating the usefulness of many of these files. Here is a description of some of those used most often throughout the book.
/proc/<pid>/maps
The /proc/<pid>/maps file contains the layout of a process image by showing each memory mapping. This includes the executable, shared libraries, stack, heap, VDSO, and more. This file is critical for quickly parsing the layout of a process address space and is used more than once throughout this book.
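As an added example (not code from the book), the following parser reads /proc/<pid>/maps text into records, resolves an address to the mapping that contains it, and flags any region mapped both writable and executable. The sample mapping lines are constructed and the path names in them are invented; load_maps() reads a live process when one is available.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed /proc/<pid>/maps sample (not captured from a real process).
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1311 /usr/bin/example
00600000-00601000 rw-p 00000000 08:01 1311 /usr/bin/example
00601000-00622000 rw-p 00000000 00:00 0 [heap]
7f3a1c000000-7f3a1c1c0000 r-xp 00000000 08:01 2048 /lib/x86_64-linux-gnu/libc.so.6
7f3a1c5c0000-7f3a1c5c2000 rwxp 00000000 00:00 0
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]
7ffd2a0ff000-7ffd2a101000 r-xp 00000000 00:00 0 [vdso]
"""

@dataclass
class Mapping:
    start: int
    end: int
    perms: str    # e.g. "r-xp": read, write, execute, private/shared
    offset: int   # file offset the mapping starts at
    path: str     # "" for anonymous mappings, "[heap]", "[stack]", "[vdso]", ...

# start-end perms offset dev inode [path]
_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$")

def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of a /proc/<pid>/maps file into Mapping records."""
    maps = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            maps.append(Mapping(int(m[1], 16), int(m[2], 16), m[3], int(m[4], 16), m[5].strip()))
    return maps

def load_maps(pid="self") -> List[Mapping]:
    """Read and parse the maps file of a live process (default: this one)."""
    with open(f"/proc/{pid}/maps") as f:
        return parse_maps(f.read())

def find_mapping(maps: List[Mapping], addr: int) -> Optional[Mapping]:
    """Return the mapping whose [start, end) range contains addr, if any."""
    return next((m for m in maps if m.start <= addr < m.end), None)

def writable_executable(maps: List[Mapping]) -> List[Mapping]:
    """Regions that are both writable and executable: worth a closer look in forensics."""
    return [m for m in maps if "w" in m.perms and "x" in m.perms]

if __name__ == "__main__":
    maps = parse_maps(SAMPLE_MAPS)
    for m in writable_executable(maps):
        print(f"W+X region {m.start:x}-{m.end:x} {m.perms} {m.path or '(anonymous)'}")
```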
/proc/kcore
The /proc/kcore is an entry in the proc filesystem that acts as a dynamic core file of the Linux kernel. That is, it is a raw dump of memory that is presented in the form of an ELF core file that can be used by GDB to debug and analyze the kernel. We will explore /proc/kcore in depth in Chapter 9, Linux /proc/kcore Analysis.
/boot/System.map
This file is available on almost all Linux distributions and is very useful for kernel hackers. It contains every symbol for the entire kernel.
/proc/kallsyms
The kallsyms is very similar to System.map, except that it is a /proc entry, which means that it is maintained by the kernel and is dynamically updated. Therefore, if any new LKMs are installed, the symbols will be added to /proc/kallsyms on the fly. The /proc/kallsyms contains most of the symbols in the kernel, and will contain all of them if CONFIG_KALLSYMS_ALL is enabled in the kernel config.
/proc/iomem
The iomem is a useful proc entry as it is very similar to /proc/<pid>/maps, but for all of the system memory. If, for instance, you want to know where the kernel's text segment is mapped in the physical memory, you can search for the Kernel string and you will see the code/text segment, the data segment, and the bss segment:

$ grep Kernel /proc/iomem
  01000000-016d9b27 : Kernel code
  016d9b28-01ceeebf : Kernel data
  01df0000-01f26fff : Kernel bss
ECFS
Extended core file snapshot (ECFS) is a special core dump technology that was specifically designed for advanced forensic analysis of a process image. The code for this software can be found at https://github.com/elfmaster/ecfs. Also, Chapter 8, ECFS – Extended Core File Snapshot Technology, is solely devoted to explaining what ECFS is and how to use it. For those of you who are into advanced memory forensics, you will want to pay close attention to this.