The science of detecting entry point modification
When a binary is modified in some way, it is generally for the purpose of adding code to the binary and then redirecting execution flow to that code. The redirection of execution flow can happen in many places within the binary. In this particular case, we are going to examine a very common technique used when patching binaries, especially by viruses: simply modifying the entry point, which is the e_entry member of the ELF file header.
The goal here is to determine whether or not e_entry holds an address that points to a location signifying an abnormal modification to the binary.
Note
Abnormal means any modification that was not created by the linker itself (/usr/bin/ld), whose job it is to link ELF objects together. The linker creates a binary that represents normalcy, whereas an unnatural modification often appears suspicious to the trained eye.
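The check described above can be written as a small parser that reads e_entry from the ELF header and locates it in the section header table. The following is an added example (it is not code from the book): it builds a constructed, minimal ELF64 image in memory rather than reading a real binary, so that it runs offline, and it encodes the "normal" case as ld's usual layout, namely that e_entry falls inside .text. The function and section names (build_sample_elf, entry_point_verdict, a .data section at 0x601000) are assumptions chosen for the demonstration.

```python
import struct
from collections import namedtuple

# Elf64_Ehdr and Elf64_Shdr layouts (little-endian), field order as in <elf.h>
EHDR_FMT = "<16sHHIQQQIHHHHHH"
SHDR_FMT = "<IIQQQQIIQQ"
Ehdr = namedtuple("Ehdr", "e_ident e_type e_machine e_version e_entry e_phoff e_shoff "
                          "e_flags e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx")
Shdr = namedtuple("Shdr", "sh_name sh_type sh_flags sh_addr sh_offset sh_size "
                          "sh_link sh_info sh_addralign sh_entsize")
SHT_PROGBITS, SHT_STRTAB = 1, 3
SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR = 0x1, 0x2, 0x4
ET_EXEC, EM_X86_64 = 2, 62


def read_sections(image):
    """Return (Ehdr, [(name, Shdr), ...]) for a little-endian ELF64 image held in memory."""
    ehdr = Ehdr(*struct.unpack_from(EHDR_FMT, image, 0))
    if ehdr.e_ident[:4] != b"\x7fELF" or ehdr.e_ident[4] != 2 or ehdr.e_ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    if ehdr.e_shentsize != struct.calcsize(SHDR_FMT):
        raise ValueError("unexpected e_shentsize")
    shdrs = [Shdr(*struct.unpack_from(SHDR_FMT, image, ehdr.e_shoff + i * ehdr.e_shentsize))
             for i in range(ehdr.e_shnum)]
    strtab = shdrs[ehdr.e_shstrndx]                     # section name string table
    names = image[strtab.sh_offset:strtab.sh_offset + strtab.sh_size]

    def name_of(sh):
        return names[sh.sh_name:names.index(b"\0", sh.sh_name)].decode()

    return ehdr, [(name_of(sh), sh) for sh in shdrs]


def entry_point_verdict(image):
    """Locate e_entry among the loadable sections and classify it.

    ('normal', '.text')            : e_entry lies inside .text, what ld produces
    ('outside-text', <name>)       : e_entry lies in some other allocated section
    ('outside-sections', None)     : e_entry maps to no section at all, e.g. code
                                     appended past the end of the original image
    """
    ehdr, sections = read_sections(image)
    for name, sh in sections:
        if sh.sh_flags & SHF_ALLOC and sh.sh_addr <= ehdr.e_entry < sh.sh_addr + sh.sh_size:
            return ("normal" if name == ".text" else "outside-text"), name
    return "outside-sections", None


def build_sample_elf(entry):
    """Constructed sample (not taken from any real binary): ELF header, a 0x40-byte .text at
    vaddr 0x400080, a 0x20-byte .data at vaddr 0x601000, .shstrtab and four section headers.
    There is no program header table; only the section view is needed for this check."""
    text_off, text_size, text_addr = 0x80, 0x40, 0x400080
    data_off, data_size, data_addr = 0xC0, 0x20, 0x601000
    names = b"\0.text\0.data\0.shstrtab\0"             # sh_name offsets: 1, 7, 13
    names_off, shoff = 0xE0, 0x100
    shdrs = b"".join([
        struct.pack(SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                          # SHT_NULL
        struct.pack(SHDR_FMT, 1, SHT_PROGBITS, SHF_ALLOC | SHF_EXECINSTR,
                    text_addr, text_off, text_size, 0, 0, 16, 0),                    # .text
        struct.pack(SHDR_FMT, 7, SHT_PROGBITS, SHF_ALLOC | SHF_WRITE,
                    data_addr, data_off, data_size, 0, 0, 8, 0),                     # .data
        struct.pack(SHDR_FMT, 13, SHT_STRTAB, 0, 0, names_off, len(names), 0, 0, 1, 0),  # .shstrtab
    ])
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9          # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = struct.pack(EHDR_FMT, ident, ET_EXEC, EM_X86_64, 1, entry, 0, shoff, 0,
                       64, 0, 0, 64, 4, 3)
    image = bytearray(shoff + len(shdrs))
    image[0:64] = ehdr
    image[text_off:text_off + text_size] = b"\xc3" * text_size   # ret instructions stand in for code
    image[data_off:data_off + data_size] = b"\0" * data_size
    image[names_off:names_off + len(names)] = names
    image[shoff:] = shdrs
    return bytes(image)


if __name__ == "__main__":
    for entry in (0x400080, 0x601010, 0x400200):
        print(hex(entry), entry_point_verdict(build_sample_elf(entry)))
```

Two caveats for using this on real binaries. First, the test relies on the section header table, which the loader does not need; a virus can strip or corrupt it, so a production check should fall back to the program header table and confirm that e_entry lies in an executable PT_LOAD segment. Second, "inside .text" is a heuristic for what ld normally emits, not a guarantee: ld -e can legitimately place the entry symbol elsewhere, so a verdict of outside-text is a reason to look closer, not proof of infection.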
The quickest route to being able to detect anomalies is to first know...