Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Learning Linux Binary Analysis

You're reading from   Learning Linux Binary Analysis Learning Linux Binary Analysis

Arrow left icon
Product type Paperback
Published in Feb 2016
Publisher Packt
ISBN-13 9781782167105
Length 282 pages
Edition 1st Edition
Languages
Tools
Arrow right icon
Author (1):
Arrow left icon
Ryan "elfmaster" O'Neill Ryan "elfmaster" O'Neill
Author Profile Icon Ryan "elfmaster" O'Neill
Ryan "elfmaster" O'Neill
Arrow right icon
View More author details
Toc

Table of Contents (11) Chapters Close

Preface 1. The Linux Environment and Its Tools FREE CHAPTER 2. The ELF Binary Format 3. Linux Process Tracing 4. ELF Virus Technology – Linux/Unix Viruses 5. Linux Binary Protection 6. ELF Binary Forensics in Linux 7. Process Memory Forensics 8. ECFS – Extended Core File Snapshot Technology 9. Linux /proc/kcore Analysis Index

Useful devices and files

Linux has many files, devices, and /proc entries that are very helpful for the avid hacker and reverse engineer. Throughout this book, we will be demonstrating the usefulness of many of these files. Here is a description of some of the commonly used ones throughout the book.

/proc/<pid>/maps

/proc/<pid>/maps file contains the layout of a process image by showing each memory mapping. This includes the executable, shared libraries, stack, heap, VDSO, and more. This file is critical for being able to quickly parse the layout of a process address space and is used more than once throughout this book.

/proc/kcore

The /proc/kcore is an entry in the proc filesystem that acts as a dynamic core file of the Linux kernel. That is, it is a raw dump of memory that is presented in the form of an ELF core file that can be used by GDB to debug and analyze the kernel. We will explore /proc/kcore in depth in Chapter 9, Linux /proc/kcore Analysis.

/boot/System.map

This file is available on almost all Linux distributions and is very useful for kernel hackers. It contains every symbol for the entire kernel.

/proc/kallsyms

The kallsyms is very similar to System.map, except that it is a /proc entry that means that it is maintained by the kernel and is dynamically updated. Therefore, if any new LKMs are installed, the symbols will be added to /proc/kallsyms on the fly. The /proc/kallsyms contains at least most of the symbols in the kernel and will contain all of them if specified in the CONFIG_KALLSYMS_ALL kernel config.

/proc/iomem

The iomem is a useful proc entry as it is very similar to /proc/<pid>/maps, but for all of the system memory. If, for instance, you want to know where the kernel's text segment is mapped in the physical memory, you can search for the Kernel string and you will see the code/text segment, the data segment, and the bss segment:

  $ grep Kernel /proc/iomem
  01000000-016d9b27 : Kernel code
  016d9b28-01ceeebf : Kernel data
  01df0000-01f26fff : Kernel bss

ECFS

Extended core file snapshot (ECFS) is a special core dump technology that was specifically designed for advanced forensic analysis of a process image. The code for this software can be found at https://github.com/elfmaster/ecfs. Also, Chapter 8, ECFS – Extended Core File Snapshot Technology, is solely devoted to explaining what ECFS is and how to use it. For those of you who are into advanced memory forensics, you will want to pay close attention to this.

You have been reading a chapter from
Learning Linux Binary Analysis
Published in: Feb 2016
Publisher: Packt
ISBN-13: 9781782167105
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at €18.99/month. Cancel anytime