Binary Analysis Cookbook: Actionable recipes for disassembling and analyzing binaries for security risks

Setting Up the Lab

Learning how to analyze ELF binaries is by no means a simple topic to digest. Like most subjects within the world of information security, it helps to have the correct tools at the ready in order to streamline the process. So, before we dive into dissecting and analyzing ELF binaries on Linux, we need to make sure we have the appropriate environment set up to do so. This means we'll need to set up the operating systems and associated tools we will use throughout this book. Since the focus of this book is on Linux and its available tools, we will only use tools that are open source or available natively. I could have easily skipped this chapter entirely; however, I believe it's important for you, the reader, to understand how and where to acquire the tools that will be used throughout the examples presented within each chapter. For the sake of simplicity, we will use Ubuntu 16.04 LTS extensively throughout this book, partly because it was still supported at the time of writing (its standard support ended in April 2021, so treat these virtual machines as lab systems and keep them off networks you care about), but also because it is the last LTS build of Ubuntu that makes both a 32-bit and a 64-bit version available for both the Desktop and Server editions.

If you're more familiar with CentOS, you are free to use that distribution if you prefer, but the examples in this book will solely use Ubuntu 16.04, and it is your responsibility to adjust the examples as necessary for CentOS. For the most part, the only examples you'll need to adjust are the recipes for installing the tools because CentOS uses a different package manager than Ubuntu. Finally, if you are well-versed in setting up VirtualBox and virtual machines, I designed this chapter so you could skip ahead to the tools installation section once you've installed VirtualBox and the Ubuntu 16.04 LTS Desktop 32-bit and 64-bit virtual machines.

In this chapter, we will cover the following recipes:

  • Installing VirtualBox on Windows
  • Installing VirtualBox on Mac
  • Installing VirtualBox on Ubuntu
  • Installing a 32-bit Ubuntu 16.04 LTS Desktop virtual machine
  • Installing a 64-bit Ubuntu 16.04 LTS Desktop virtual machine
  • Installing the dependencies and the tools
  • Installing the code examples
  • Installing the EDB debugger
  • Taking a snapshot of the virtual machines

Installing VirtualBox on Windows

The widespread availability of virtualization software makes it an easy choice for setting up a lab, whether for at-home practice or for at-work research purposes. Since we want to use freely available tools and software, VirtualBox was an easy decision when choosing virtualization software. It runs on many host operating systems and has come a long way in terms of usability and stability since its earlier versions.

We will use VirtualBox 6.0 to host our Ubuntu 16.04 LTS virtual machines, which we will configure later and use extensively throughout each chapter. This recipe will get you started installing VirtualBox 6.0 on a Windows host. If you're not using Windows as your host operating system, skip ahead to the recipe for either Mac or Linux.

To perform the recipes in this book, and to install the lab and necessary tools, you'll need the following:

  • A laptop or a desktop computer with internet access
  • An Intel or AMD processor with hardware virtualization support (VT-x or AMD-V), enabled in the BIOS/UEFI firmware; VirtualBox needs it to run 64-bit guests
  • As a minimum, 8 GB of system RAM, though 16 GB of RAM is ideal
  • As a minimum, 20 GB of free hard drive space, though 40 GB of free hard drive space is ideal
  • Either Windows, Linux, or Mac

Getting ready

How to do it...

Use the following instructions to install VirtualBox on a host running Windows as the primary operating system:

  1. Once the VirtualBox 6.0 installer has been downloaded, double-click the VirtualBox 6.0 setup executable.
  2. In the new window that displays, click on Next > to begin the installation process.
  3. In the Custom Setup window, you are free to change the installation location to somewhere outside of the default; otherwise, leave the defaults as they are and click Next >.
  4. In the next step, leave the defaults checked, unless you have a specific reason not to, and click Next >.
  5. The next setup window will warn you about temporarily disconnecting your network connection. Choose Yes to continue the installation process.
  6. In the Ready to Install window, click Install.
  7. Once the installation process starts, you may be prompted by Windows' User Account Control to allow installation to continue. When this window appears, click Yes.
  8. You may also get another Windows Security window asking whether you want to trust software from Oracle and install the drivers on the host. Check the box that says Always trust software from "Oracle Corporation" and click Install.
  9. Finally, once the installation process is complete, a new window will appear, asking whether you want to Start Oracle VM VirtualBox 6.0.0 after installation. Check this checkbox and click Finish.
  10. Now that VirtualBox 6.0 is installed, we're ready to install and configure the Ubuntu 16.04 LTS virtual machines. Your Oracle VM VirtualBox Manager window should resemble the following screenshot:

How it works...

We began by downloading the appropriate installer for Windows from the VirtualBox website. Once the download finished, we ran the installer and navigated through the installation prompts, filling in the appropriate installation information or accepting the default installation configuration for our Windows host.

There's more...

With VirtualBox installed on Windows, you are free to adjust some of the advanced features under the VirtualBox preferences menu, such as creating a private, host-only network (a sensible default for a lab that will run binaries you don't yet trust, since it keeps the guests off your real LAN), adjusting the Default Machine Folder setting that controls where virtual machine files are stored, how often VirtualBox checks for updates, tweaking the display settings, or installing the Extension Pack if you need features such as USB 2.0/3.0 device passthrough, VirtualBox RDP, or disk encryption. There are many more options that can be configured to accommodate the needs of your working environment.

See also

If this is the only host that you're going to install VirtualBox 6.0 on, please feel free to skip ahead to the Ubuntu 16.04 LTS installation for both the 32-bit and 64-bit virtual machines. Otherwise, move on to the appropriate installation instructions for either Mac or Linux.

For more information on VirtualBox 6.0 or for additional installation techniques, you can refer to the wiki at https://www.virtualbox.org/wiki.

Installing VirtualBox on Mac

Mac is just one of the operating systems on which VirtualBox runs, and the following instructions will help you to install VirtualBox on that operating system. Everyone has different tastes and comfort levels with various operating systems, so I wanted to make sure I covered the installation instructions for the three major operating systems.

In this recipe, we'll install VirtualBox 6.0 on a Mac host. Follow these instructions if you plan to use Mac as your host operating system; otherwise, skip ahead to the Installing VirtualBox on Ubuntu recipe or view the previous recipe to install VirtualBox 6.0 on a Windows host.

Getting ready

How to do it...

The following instructions will guide you through the VirtualBox installation process on a Mac host. These instructions were performed on macOS 10.13.6 (High Sierra) without any issue:

  1. Once downloaded, double-click on the VirtualBox disk image file to start the installation process.
  2. The disk image will get mounted to the filesystem, and a new window will be displayed. Double-click on the VirtualBox.pkg icon beneath the 1 Double click on this icon: text.
  3. A new window will be displayed and may warn you about installing VirtualBox. Click on Continue.
  4. Following this warning, the installation window will display information about the version of VirtualBox. Click on Continue to continue the installation process.
  5. The next window will allow us to change the destination folder or location of the VirtualBox installation. The default option is fine here unless you have specific needs for your own setup. Click Change Install Location... if you need to select a new location for the VirtualBox files; otherwise, click Install.
  6. You may get a prompt asking you to provide an administrator user's credentials. Do so, and then click Install Software.
  7. The next window displays information indicating that the installation is complete. As long as there are no errors, VirtualBox will be installed successfully. To proceed, click on Close.
  8. One final window may appear, asking whether you would like to keep the downloaded disk image file for VirtualBox. It's up to you how you proceed, but I recommend holding on to the downloaded VirtualBox disk image file for a little bit in case you need to go through these instructions again for some reason.
  9. Once you're finished, you should now have the VirtualBox application in the location you chose in step 5.

As long as everything during the installation process went smoothly, you are ready to move on to the Ubuntu 16.04 LTS 32-bit and 64-bit virtual machine creation instructions. Otherwise, if you plan to install VirtualBox on other hosts, feel free to navigate to the appropriate instructions for either Windows or Linux.

How it works...

This recipe installed VirtualBox on your Mac, preparing you for configuring virtual machines in the examples in this book. During the installation process, the necessary files and libraries that help VirtualBox to run were installed on your hard drive so that when you're ready to move on to installing the Ubuntu 16.04 LTS Desktop 32-bit and 64-bit virtual machines, you will be able to do so.

There's more...

If you need to install VirtualBox on another system with a different operating system for whatever reason, feel free to jump into the installation instructions for Windows or Ubuntu Linux. Otherwise, I designed this chapter so that you can skip to the recipes that are appropriate for your lab. When you're ready, skip ahead to the Ubuntu 16.04 LTS Desktop 32-bit virtual machine installation instructions.

See also

Installing VirtualBox on Ubuntu

When installing VirtualBox on Ubuntu, you may be able to get away with using the apt package manager for installation. When I was doing some testing while writing these instructions, the current version of VirtualBox in the Ubuntu Xenial repositories was version 5.x. That just won't do for our needs.

Getting ready

In the event you are curious to see what version would get installed from the repositories, you can query apt's package cache directly via the following Terminal command:

$ apt-cache show virtualbox

The following screenshot shows the output I received when testing on Ubuntu 16.04 LTS Desktop and using Ubuntu 18.04 LTS as my host operating system:

Unfortunately, this won't work for our needs since we want to make sure VirtualBox 6.0 is installed. Therefore, we'll have to navigate through the VirtualBox website to download the appropriate installation package, which, in my case, is for Ubuntu 16.04. You can download VirtualBox 6.0 for Ubuntu from https://download.virtualbox.org/virtualbox/6.0.0/virtualbox-6.0_6.0.0-127566~Ubuntu~xenial_amd64.deb.

If, by chance, you're running Ubuntu 18.04 LTS as your host operating system, download VirtualBox from the following location: https://download.virtualbox.org/virtualbox/6.0.0/virtualbox-6.0_6.0.0-127566~Ubuntu~bionic_amd64.deb.

Once downloaded, compare the file's SHA-256 hash against its entry in the SHA256SUMS file that Oracle publishes in the same download directory; with that check passed, we are ready to install VirtualBox on Ubuntu Linux.

How to do it...

Use the following instructions to install VirtualBox on a host that's running Ubuntu as the primary operating system:

  1. Once the appropriate installation file has been downloaded, launch a Terminal and navigate to the location of the downloaded VirtualBox installation package. In my case, that would be ~/Downloads:

For Ubuntu 16.04 LTS

$ cd Downloads/
$ sudo dpkg -i virtualbox-6.0_6.0.0-127566~Ubuntu~xenial_amd64.deb

For Ubuntu 18.04 LTS

$ cd Downloads/
$ sudo dpkg -i virtualbox-6.0_6.0.0-127566~Ubuntu~bionic_amd64.deb

  2. Verify that the installation worked correctly by starting VirtualBox. A simple Terminal command will do the trick:

$ virtualbox

  3. Once VirtualBox has finished loading, navigate to Help | About VirtualBox.
  4. A new window will display, indicating the version of VirtualBox. As long as we see that VirtualBox 6.0 is present and there were no errors during installation, we're ready to install and configure the virtual machines we will use throughout the examples in this book.
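A step the recipe above skips, shown here as an added POSIX shell example rather than code from the book or its repository: before handing a .deb to dpkg, check that its SHA-256 matches the entry in the SHA256SUMS file Oracle publishes next to the packages (for this release, https://download.virtualbox.org/virtualbox/6.0.0/SHA256SUMS). The functions assume GNU coreutils (sha256sum) and awk, both present on Ubuntu 16.04 and 18.04; the package file and sums list in the demo are constructed inline, not Oracle's data.

```shell
#!/bin/sh
# Added example, not from the book: verify a downloaded VirtualBox .deb against
# the SHA256SUMS file from the same release directory before installing it.
# Assumes GNU coreutils (sha256sum) and awk, both present on Ubuntu 16.04/18.04.

# verify_deb SUMSFILE DEBFILE
#   0 = checksum matches, 1 = mismatch (do not install), 2 = no entry for DEBFILE
verify_deb() {
    sums="$1"
    deb="$2"
    name=$(basename "$deb")
    # Lines look like "<64 hex chars>  <name>" or "<hex> *<name>"; the name may
    # carry a directory prefix, so strip a leading '*' and any path, then match
    # on the bare file name. Take the first match only.
    expected=$(awk -v n="$name" \
        '{ sub(/^\*/, "", $2); sub(/.*\//, "", $2); if ($2 == n) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum listed for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$deb" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "CHECKSUM MISMATCH for $name" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    echo "OK $name"
}

# install_verified_deb SUMSFILE DEBFILE -> installs only if verify_deb passes.
# dpkg -i does not fetch dependencies, so a failed dpkg run is followed by
# apt's fix-broken install, which pulls them in and finishes configuration.
install_verified_deb() {
    verify_deb "$1" "$2" || return $?
    sudo dpkg -i "$2" || sudo apt-get install -f -y
}

# Demo against a constructed package file and sums list (not Oracle's data).
demo_verify() {
    d=$(mktemp -d)
    printf 'not a real package\n' > "$d/pkg.deb"
    h=$(sha256sum "$d/pkg.deb" | awk '{ print $1 }')
    printf '%s *%s\n' "$h" pkg.deb > "$d/SHA256SUMS"
    verify_deb "$d/SHA256SUMS" "$d/pkg.deb"
    printf 'tampered\n' >> "$d/pkg.deb"
    verify_deb "$d/SHA256SUMS" "$d/pkg.deb" 2>/dev/null || echo "rejected ($?)"
    rm -rf "$d"
}

demo_verify
```

For the real download, save the script next to the .deb and the SHA256SUMS file and run install_verified_deb SHA256SUMS virtualbox-6.0_6.0.0-127566~Ubuntu~xenial_amd64.deb (or the bionic package on 18.04). A mismatch means a corrupted or substituted download, and nothing is handed to dpkg.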

How it works...

After downloading the appropriate installation package, we used dpkg, the low-level Debian package tool that apt itself drives, to install the VirtualBox 6.0 package. Note that dpkg -i does not resolve dependencies on its own: if it reports unmet dependencies, run apt's fix-broken install (sudo apt-get install -f) to pull them in and complete the configuration. This puts us in a great position so that we can move on to installing two different virtual machines: a 32-bit virtual machine and a 64-bit virtual machine. Both are necessary so that we can work through the examples that are presented in later chapters.

There's more...

We're not limited to installing VirtualBox 6.0 on just one operating system. If you want to set up more than one lab, say, on a desktop and a laptop, feel free to jump back to the previous recipes for installing VirtualBox 6.0 on Windows or Mac. If you do so, you'll need to run through the virtual machine creation recipes and need to install the tools, dependencies, and code examples on all of the hosts you'll use for a lab.

See also

For more information about VirtualBox and for alternate installation steps, or for additional information on some of the features that are available, consult the wiki at https://www.virtualbox.org/wiki.

Installing a 32-bit Ubuntu 16.04 LTS Desktop virtual machine

Congratulations! If you've made it this far, then you're ready to begin installing and configuring our first virtual machine. For this recipe, we'll use the 32-bit Desktop version of Ubuntu 16.04 LTS.

In this recipe, we will work through the steps for configuring a virtual machine based on the Ubuntu 16.04 LTS Desktop 32-bit architecture. Learning about binary analysis on a 32-bit system will help us to transition much more smoothly when we dive into binaries on a 64-bit system.

Getting ready

Download the 32-bit Ubuntu 16.04 LTS Desktop ISO from the following location: http://releases.ubuntu.com/xenial/.

We've chosen Ubuntu 16.04 LTS because it is the last LTS release that ships a 32-bit (i386) desktop image, which we will need to work through some of the 32-bit examples in later chapters.

How to do it...

The following instructions will guide you through creating and configuring Ubuntu 16.04 LTS Desktop 32-bit as a virtual machine in the newly installed VirtualBox:

  1. Launch the VirtualBox application if it's not open already.
  2. Once the application has launched, click on the New icon to begin configuring a new virtual machine.
  3. A new window called Name and operating system will appear, asking you to provide a name, virtual machine folder location, type, and version. Name the virtual machine BAC32, choose a Machine Folder: location according to your storage requirements, choose Linux from the Type: drop-down, and choose Ubuntu (32-bit) from the Version: drop-down. Once complete, click on Continue.
  4. In the Memory size window, set the memory size (RAM) options as appropriate for your hardware and click Continue. I used 2,048 MB, but leaving the default 1,024 MB setting should be sufficient for what we need.
  5. In the Hard disk, keep the Create a virtual hard disk now option selected and click Create.
  6. A new window will appear titled Hard disk file type. Since, at some point in the future, we may need to switch to another virtualization platform, such as VMware Workstation, we will select VMDK (Virtual Machine Disk) and click Create.
  7. For the Storage on physical hard disk window, we will select the Dynamically allocated option and click Continue.
  8. In the File location and size window, choose the size of the virtual hard drive according to your storage restrictions and then click Create. I typically use 40 GB for my virtual machines in my lab and usually never fill that space. Since we selected the Dynamically allocated option in the previous step, this setting will allow us up to the amount we configure but will not use it all at once.
  9. Now, we will return to the Oracle VM VirtualBox Manager window, where we will see our newly created virtual machine. Make sure BAC32 is highlighted along the left-hand side, and then click Settings.
  10. The general settings window will be displayed. From here, click on the Storage icon (marked 1. in the following screenshot). Underneath Controller: IDE along the left-hand side, there will be a CD icon with the words Empty (marked 2. in the following screenshot). Click on that and a new subsection of the current window will appear along the right-hand side called Attributes. Next to the Optical Drive drop-down, click the blue CD icon (marked 3.):
  11. In the pop-up menu that appears, select the Choose Virtual Optical Disk File option.
  12. A file selection window will appear. Navigate to the Ubuntu 16.04 Desktop 32-bit ISO file we downloaded previously, select it, and click Open.
  13. In the Storage settings window, click OK to accept the configuration.
  14. In the Oracle VM VirtualBox Manager window, highlight the BAC32 virtual machine along the left-hand side and click Start. The virtual machine will boot into the Ubuntu ISO.
  15. From here, follow the installation prompts within the virtual machine to install Ubuntu Desktop 16.04 LTS 32-bit. During the installation process, you'll see a prompt requesting you to set a hostname. In order to make it easier to see which virtual machine we're using, set the hostname to bac32. At the end of the installation process, Ubuntu will ask you to hit Enter to reboot. Do so. Once rebooted, you'll have a working virtual machine.

How it works...

This recipe installs the necessary files and configurations so that you can run a 32-bit version of Ubuntu 16.04 LTS Desktop as a virtual machine. We will use this virtual machine to work through the 32-bit recipes that are presented throughout this book.

There's more...

When you first launch into this virtual machine, you may notice that the display is incredibly small compared to the resolution of your monitor. That's because the VirtualBox Guest Additions haven't been installed. If you plan on altering the resolution of your Ubuntu virtual machines, and you want to enable copy/paste between virtual machines and your host operating system, feel free to install the Guest Additions. In the virtual machine menu bar, select Devices | Insert Guest Additions CD Image... and follow the installation prompts. Bear in mind that the shared clipboard, drag and drop, and shared folders are all channels from the guest back to your host, so enable only what you need on a machine that will run binaries you are still analyzing.

See also

If you'd like to install additional virtual machines out of general curiosity, all you need is the ISO for whatever operating system you want to run as a virtual machine. Microsoft offers free trials of its Windows Server software at https://www.microsoft.com/en-us/cloud-platform/windows-server-trial. Alternatively, you can install additional versions of Ubuntu by downloading the appropriate ISO file from http://releases.ubuntu.com/. CentOS, which is essentially a rebuild of Red Hat Enterprise Linux, is available at https://wiki.centos.org/Download. All of these operating systems can run as virtual machines in VirtualBox. I recommend experimenting with various Linux distributions and seeing which one you gravitate toward the most. If you ever want to work through binary analysis against the Windows PE format, using the various available trial versions of Microsoft Windows is the way to go, especially on a budget for a home lab.

Installing a 64-bit Ubuntu 16.04 LTS Desktop virtual machine

Machines that support 64-bit operations are the norm nowadays, so it makes sense that we cover 64-bit binary analysis more extensively in this book. In order to do so, though, we need a viable virtual machine to work through the examples that will be presented in later chapters.

The following recipe will guide you through creating and configuring Ubuntu 16.04 LTS Desktop 64-bit as a virtual machine in VirtualBox. This virtual machine will get used extensively when we work through all of the 64-bit recipes that will be presented in later chapters.

Getting ready

Using a browser, download the 64-bit Ubuntu 16.04 LTS Desktop ISO file from the following location: http://releases.ubuntu.com/xenial/.

Why 32-bit as well as 64-bit? The answer is simple. When I was diving into the subject of learning Intel assembly on Linux a few years ago, I immediately experienced the benefits of learning 32-bit first, before taking on 64-bit. Besides, once we start covering analysis in 64-bit, you may need to recall some of those 32-bit registers. Assembly is particular about the processor and operating system you're running. Because of the differences in 32-bit assembly and 64-bit assembly on Linux, we'll need both operating system architectures and a processor that supports both.
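To make the 32-bit/64-bit split concrete, here is an added POSIX shell example, not code from the book or its repository, that reads the identification bytes of an ELF header and reports which of the two virtual machines built in this chapter (bac32 or bac64, the hostnames the recipes choose) can run the file natively. The byte offsets come from the ELF specification; the sample headers it exercises are constructed inline and are not runnable binaries. It relies on od, wc and printf from a standard Linux userland.

```shell
#!/bin/sh
# Added example (not from the book or its repository): read the identification
# bytes of an ELF header and say which lab VM from this chapter can run the
# file natively. Offsets are from the ELF specification:
#   e_ident[EI_CLASS] byte 4      (1 = ELF32, 2 = ELF64)
#   e_ident[EI_DATA]  byte 5      (1 = little-endian, 2 = big-endian)
#   e_machine         bytes 18-19 (3 = i386, 62 = x86-64)
# Why it matters for the lab: bac32 (the 32-bit guest) cannot execute ELF64
# at all, and bac64 runs ELF32 only with 32-bit runtime libraries installed.

# byte_at FILE OFFSET -> decimal value of the byte at OFFSET
byte_at() {
    od -An -tu1 -j "$2" -N 1 "$1" | tr -d ' '
}

# elf_info FILE -> "ELF32 little-endian i386", "ELF64 little-endian x86-64", ...
# Returns 1 (with a message on stderr) when FILE is too short or lacks the magic.
elf_info() {
    f="$1"
    if [ "$(wc -c < "$f")" -lt 20 ]; then
        echo "too short to hold the fields we read: $f" >&2
        return 1
    fi
    set -- $(od -An -tu1 -N 4 "$f")          # expect 0x7f 'E' 'L' 'F'
    if [ "$1" != 127 ] || [ "$2" != 69 ] || [ "$3" != 76 ] || [ "$4" != 70 ]; then
        echo "not an ELF file: $f" >&2
        return 1
    fi
    case $(byte_at "$f" 4) in
        1) class=ELF32 ;;
        2) class=ELF64 ;;
        *) class=ELF-unknown-class ;;
    esac
    case $(byte_at "$f" 5) in
        1) endian=little-endian ;;
        2) endian=big-endian ;;
        *) endian=unknown-endian ;;
    esac
    set -- $(od -An -tu1 -j 18 -N 2 "$f")   # e_machine, stored in the file's byte order
    if [ "$endian" = big-endian ]; then
        machine=$(( $1 * 256 + $2 ))
    else
        machine=$(( $1 + $2 * 256 ))
    fi
    case $machine in
        3)  arch=i386 ;;
        62) arch=x86-64 ;;
        *)  arch="machine-$machine" ;;
    esac
    echo "$class $endian $arch"
}

# lab_vm_for FILE -> bac32 or bac64 (the hostnames chosen in this chapter);
# returns 1 for anything neither VM runs natively.
lab_vm_for() {
    case $(elf_info "$1") in
        "ELF32 little-endian i386")   echo bac32 ;;
        "ELF64 little-endian x86-64") echo bac64 ;;
        *) echo "no lab VM runs this natively: $1" >&2; return 1 ;;
    esac
}

# write_sample_header CLASS MACHINE FILE -> writes a constructed 20-byte ELF
# header prefix (NOT a runnable binary) so the example can be exercised offline.
# The inner printf renders each value as a \ooo escape that the outer printf emits.
write_sample_header() {
    printf "$(printf '\\%03o' 127 69 76 70 "$1" 1 1 0 0 0 0 0 0 0 0 0 0 0 "$2" 0)" > "$3"
}

# Demo on the constructed samples: prints "bac32" then "bac64".
demo_lab_vm() {
    d=$(mktemp -d)
    write_sample_header 1 3  "$d/sample32"
    write_sample_header 2 62 "$d/sample64"
    lab_vm_for "$d/sample32"
    lab_vm_for "$d/sample64"
    rm -rf "$d"
}

demo_lab_vm
```

On a real binary, elf_info /bin/ls on bac64 reports ELF64 little-endian x86-64 and on bac32 reports ELF32 little-endian i386; that difference in class, register width and calling convention is exactly why the later chapters keep the two guests separate.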

How to do it...

The following instructions will guide you through creating and configuring Ubuntu 16.04 LTS Desktop 64-bit as a virtual machine in the newly installed VirtualBox:

  1. Open VirtualBox if it's not already open.
  2. Once the application launches, click on the New icon to begin configuring a new virtual machine.
  3. A new window called Name and operating system will appear, asking you to provide a name, virtual machine folder location, type, and version. Name the virtual machine BAC64, choose a Machine Folder location according to your storage needs, choose Linux from the Type: drop-down menu, and choose Ubuntu (64-bit) from the Version: drop-down menu. Once complete, click on Continue.
  4. In the Memory size window, set the memory size (RAM) options appropriate for your hardware, and click Continue. I used 4,096 MB since this will be a 64-bit virtual machine. You are welcome to increase this amount if your own host can support it, but I wouldn't configure this setting to any lower than 4,096 MB.
  5. In the Hard disk, keep the Create a virtual hard disk now option selected and click Create.
  6. A new window will appear titled Hard disk file type. Since, at some point in the future, we may need to switch to another virtualization platform, such as VMware Workstation, we will select VMDK (Virtual Machine Disk) and click Create.
  7. For the Storage on physical hard disk window, we will select the Dynamically allocated option and click Continue.
  8. In the File location and size window, choose the size of the virtual hard drive according to your storage restrictions and then click Create. I typically use 40 GB for my virtual machines in my lab and usually never fill that space. Since we selected the Dynamically allocated option in the previous step, this setting will allow us up to the amount we configure but will not use it all at once.
  9. Now, we will return to the Oracle VM VirtualBox Manager window, where we will see our newly created virtual machine. Make sure BAC64 is highlighted along the left-hand side, and then click Settings.
  10. The general settings window will be displayed. From here, click on the Storage icon (marked 1. in the following screenshot). Underneath the words Controller: IDE along the left-hand side, there will be a CD icon with the words Empty (marked 2. in the following screenshot). Click on that and a new subsection of the current window will appear along the right-hand side called Attributes. Next to the Optical Drive: drop-down, click the blue CD icon (marked 3.):
  11. In the pop-up menu that appears, select the Choose Virtual Optical Disk File option.
  12. A file selection window will appear. Navigate to the Ubuntu 16.04 Desktop 64-bit ISO file we downloaded previously, select it, and click Open.
  13. In the Storage settings window, click OK to accept the configuration.
  14. Back inside the Oracle VM VirtualBox Manager window, highlight the BAC64 virtual machine we just created along the left-hand side of the window and click the Start icon. This will start the virtual machine and will boot into the Ubuntu ISO.
  15. Follow the installation prompts within the virtual machine to install Ubuntu Desktop 16.04 LTS 64-bit. The default options are sufficient enough for this book. When you're prompted to set the hostname for the installation, name it bac64. This will help us to discern which virtual machine we need to use for the examples later in this book. At the end of the installation process, Ubuntu will ask you to hit Enter to reboot. Do so. Once rebooted, you'll have a working virtual machine.

How it works...

After acquiring the correct Ubuntu 16.04 LTS Desktop 64-bit ISO file, we told VirtualBox we wanted to create and configure a new virtual machine. VirtualBox presented various configuration options, to which we responded with the correct settings to install a 64-bit version of Ubuntu Linux as the operating system for the virtual machine. VirtualBox took those settings and guided us through the rest of the configuration options for naming the virtual machine, what size to configure the virtual hard drive at, how much virtual RAM we wanted VirtualBox to provision for this virtual machine, where to store the files associated with this virtual machine, and finally, to configure which ISO file to use for installing Ubuntu 16.04 LTS Desktop 64-bit. After all of that, we launched the virtual machine in order to actually work through the installation process for Ubuntu itself. Now, we have a working 64-bit Ubuntu virtual machine and are ready to install the tools and dependencies, along with the code examples for this book.

There's more...

If you plan on altering the resolution of this virtual machine, and you want to enable copy/paste between this virtual machine and your host operating system, feel free to install the Guest Additions. In the virtual machine menu bar, select Devices | Insert Guest Additions CD Image... and follow the installation prompts.

See also

There are many more operating systems you can install as virtual machines in VirtualBox. Windows, other Linux distributions, and virtual appliances are all available and are only limited by your research needs. I happen to like to run Windows Desktop as a virtual machine for research purposes, along with Kali Linux when I perform penetration assessments. Having both as virtual machines allows me to quickly revert back to previously saved snapshots, which we will cover later in this chapter, in order to start from a clean slate for the next penetration assessment I need to perform. I recommend doing this so that you always have a clean virtual machine to revert back to in the event something goes wrong while you're analyzing binaries or upgrading the operating system.

Installing the dependencies and the tools

Whenever we need to perform a task, our success largely depends on having the right tools. Whether it's woodworking, cleaning a house, cooking a meal, or binary analysis, making sure we have what we need will help us to work toward a completed task. The following instructions will need to be performed on both the 32-bit and 64-bit Ubuntu virtual machines. If you decided to use CentOS instead of Ubuntu, the instructions for installing the necessary tools so that you can work through the examples in this book will differ.

This recipe will walk us through installing the command-line tools we'll use in later chapters, as well as the dependencies we'll need before compiling another tool from the source in a later recipe.

Getting ready

To work through this recipe, we need to have our newly created virtual machines powered on. If your Ubuntu 32-bit and 64-bit virtual machines are powered off, power them on, wait until they both finish booting, log in, and start a Terminal program in each. Once that's complete, you are ready to follow this recipe on both virtual machines.

How to do it...

The majority of the tools we will use are installed via the command line, while others we will have to install manually by compiling the source code. With that said, however, we will need to install the dependencies before we can compile the source code. Please make sure to run these instructions on both of the virtual machines we created earlier:

  1. Once the Terminal application is running, we'll run the following commands on both virtual machines to make sure the operating systems on each are up to date:

$ sudo apt update && sudo apt full-upgrade -y

If you're following these instructions for the 64-bit version of Ubuntu, you may see a prompt requesting you to upgrade to Ubuntu 18.04 LTS. You can ignore this for now as we want to make sure we keep Ubuntu 16.04 LTS instead.

  2. Once the upgrade process finishes, in the same Terminal, we will run the following one-liner, which will install the tools and the dependencies that are needed for the EDB Debugger tool we will compile from the source later. Make sure this command is typed on one line, without pressing Enter until after the -y:

$ sudo apt install build-essential libemu-dev graphviz gdb python libgraphviz-dev cmake libboost-dev libqt5xmlpatterns5-dev qtbase5-dev qt5-default libqt5svg5-dev libcapstone-dev pkg-config hexedit nasm git libtool autoconf -y

As long as there were no errors, we're ready to install the code examples and EDB Debugger, which happens to be one of my favorite open source debuggers on Linux.
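Errors in a long apt run are easy to scroll past, so it is worth confirming on each VM that the one-liner actually left every tool on the PATH. The following POSIX shell script is an added example, not code from the book or its repository; the package-to-command mapping in its comments is my own reading of the package names rather than something the book states. Save it as labcheck.sh and run it on both bac32 and bac64.

```shell
#!/bin/sh
# Added example (not from the book): confirm that the commands the tooling
# one-liner should have provided are actually on the PATH of this VM.
# Package -> command mapping (an assumption drawn from the package names):
#   build-essential -> gcc, g++, make, ld    nasm -> nasm       gdb -> gdb
#   git -> git    cmake -> cmake    hexedit -> hexedit    graphviz -> dot
#   python -> python    pkg-config -> pkg-config    libtool -> libtoolize
#   autoconf -> autoconf

LAB_TOOLS="gcc g++ make ld gdb nasm git cmake hexedit dot python pkg-config libtoolize autoconf"

# missing_tools CMD... -> prints each command that is not on the PATH, one per
# line, and returns the number of missing commands (0 means all present).
missing_tools() {
    missing=0
    for cmd in "$@"; do
        if ! command -v "$cmd" >/dev/null 2>&1; then
            echo "$cmd"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# lab_check -> human-readable report for this VM; exit status is the number of
# missing tools, so it can gate a provisioning script.
lab_check() {
    echo "host: $(uname -n), kernel arch: $(uname -m)"
    out=$(missing_tools $LAB_TOOLS) && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "all lab tools present"
    else
        echo "missing ($rc):" $out >&2
        echo "re-run the apt install one-liner and read its errors" >&2
    fi
    return $rc
}

# Run the report when executed as labcheck.sh; sourcing the file only defines
# the functions so they can be reused elsewhere.
case $0 in
    *labcheck.sh) lab_check ;;
esac
```

The report's first line doubles as a sanity check that you are on the VM you think you are: bac32 should show i686 and bac64 should show x86_64.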

How it works...

By issuing these commands within the Terminal, we instructed Ubuntu to refresh its package lists and then upgrade the system with fresh installations of each package that needed updating. Once that was finished, we instructed Ubuntu to install the various dependencies and missing tools. The -y argument answers yes to apt's confirmation prompt, the one that lists the packages to be installed and the disk space they will require, so the commands run unattended.

There's more...

The Terminal application is a widely used application that, by default in Ubuntu, is configured to use the Bourne again shell (Bash). Other shell programs exist and if you're a fan of dash (sh) or Z Shell (zsh), you can configure the Terminal application to use one of those by default. For the purposes of this book, though, we'll use Bash to run command-line tools.

See also

If you're interested in seeing all that Bash is capable of, you can view the man page by issuing the following command in a Terminal session:

$ man bash

To view the capabilities of sh, run the following command in a Terminal session:

$ man sh

By default, zsh isn't installed on Ubuntu 16.04 LTS. To install it, run the following command in a Terminal session:

$ sudo apt install zsh -y

Then, if you want to see common arguments or functionality, you can run the following command in a Terminal session to view the man page for zsh:

$ man zsh

Finally, we can see what additional command-line arguments are available to the aptitude package manager by running the following command within an active Terminal session:

$ man apt

Installing the code examples

This book wouldn't serve us well if we didn't have code examples to use for the recipes that are presented in later chapters. Thankfully, Packt hosts all of the code on their own GitHub repository, which will make it easier for us to retrieve the examples. This recipe will include instructions on how to retrieve the code we'll use in later recipes.

In this recipe, we'll return to a Terminal session to run some command-line utilities that will clone the code examples from my GitHub repository that I created for the purposes of this book. We will have to perform the instructions in this recipe on both the 32-bit and 64-bit Ubuntu Desktop virtual machines we created earlier in this chapter.

Getting ready

Once again, we'll need to have the Terminal application running in both of our virtual machines if it's not already. Go ahead and open it up so we can work through this recipe. Once it's open on both virtual machines, you can proceed to work through the following instructions. Remember, run these commands on both Ubuntu virtual machines.

How to do it...

Run the following commands in a Terminal as a non-root user on both the 32-bit and 64-bit Ubuntu virtual machines we created earlier in this chapter:

$ cd ~/
$ mkdir ~/bac
$ cd bac
$ git clone https://www.github.com/PacktPublishing/Binary-Analysis-Cookbook

How it works...

In the previous recipe, we installed git as one of our command-line tools so that we could use it in this recipe. We start by using the cd command to change to the current user's home directory, then use the mkdir command to make a new directory called bac, change into bac using cd, and finally issue the git clone command to pull down the code for this book from my repository on GitHub. The git clone command reaches out to a Git server and copies the remote repository to your local hard drive.

There's more...

If you're unfamiliar with Git, there are many ways to use Git beyond just cloning repositories onto our systems. We can also use Git to create repositories for our code on places such as GitHub or GitLab or, if your organization has a private Git server, for accessing/creating repositories on that server. Personally, I use GitHub for housing code that I use when teaching Python classes at conferences, and for scripts that I develop on the fly for penetration testing that I may need again. There was a time when I used my GitHub account to host a repository that stored a custom tool I wrote to quickly install all of the custom tools I use across many other repositories when provisioning a new virtual machine for penetration assessments. A purist might poke fun at people who, like me, use GitHub as more of an easily accessible place to house code or scripts and not a full-blown open-source project, but I'm OK with that. It works well for me and I encourage you to use Git the way that works best for you.

If you decide to use GitHub or GitLab sometime in the future, whether for work or for personal use, make sure you understand the security implications of doing so. As a penetration tester, I love nothing more than finding usernames and passwords on publicly available repositories. GitHub and GitLab keep a running record of all of the commits and changes to the code stored in the repository, so a secret that was committed once remains retrievable from the history even after a later commit removes it. If a developer accidentally commits a username, password, or other sensitive data to the repository, malicious individuals can and will use that information against whatever organization employs that developer. The same goes for personal use. GitHub allows its users to configure SSH keys for authorized access to their accounts. Be sure to upload only the public SSH key when configuring SSH authentication, never the private SSH key.
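As an added example (not code from the book or from any Packt repository), the following Python script applies the two points above as checks you can run before pushing: it scans the added lines of a unified diff for credential-like material, and it classifies a pasted SSH key as public or private so the wrong half never reaches the GitHub settings page. The diff, the key strings and the patterns are constructed for this example.

```python
"""Added example: pre-push checks for secrets in a diff and for SSH key type.
Not part of the book; the sample diff and keys below are constructed."""
import re

# Patterns for material that should never be committed. Deliberately narrow so
# they are easy to audit; extend them for your own environment.
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?[^\s'\"]{4,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "basic_auth_url": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
}


def scan_diff(diff_text):
    """Return (line_number, pattern_name, content) for every *added* line of a
    unified diff that matches a secret pattern. Context and removed lines are
    skipped: this check is about what the commit introduces. Note that
    deleting a secret in a later commit does not remove it from history."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        content = line[1:]
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(content):
                findings.append((lineno, name, content))
    return findings


def classify_ssh_key(text):
    """Classify key material before pasting it into an SSH keys settings page.
    Returns 'public', 'private' or 'unknown'. Only 'public' should be uploaded."""
    stripped = text.strip()
    if SECRET_PATTERNS["private_key"].search(stripped):
        return "private"
    # An OpenSSH public key is a single line: key type, base64 blob, optional comment.
    parts = stripped.split()
    if ("\n" not in stripped and len(parts) in (2, 3)
            and re.fullmatch(r"ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521)", parts[0])
            and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", parts[1])):
        return "public"
    return "unknown"


# Constructed sample diff; every value in it is made up for this example.
SAMPLE_DIFF = """\
diff --git a/deploy.sh b/deploy.sh
--- a/deploy.sh
+++ b/deploy.sh
@@ -1,4 +1,6 @@
 #!/bin/bash
-DB_PASSWORD=""
+DB_PASSWORD="hunter2hunter2"
+AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
+git clone https://bob:s3cretT0ken@git.example.internal/repo.git
 echo deploying
"""

if __name__ == "__main__":
    for lineno, name, content in scan_diff(SAMPLE_DIFF):
        print(f"line {lineno}: {name}: {content}")
    print(classify_ssh_key("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExample0 alice@lab"))
```

To use it on a real commit, feed `git diff --cached` (or `git log -p`) to scan_diff; a non-empty result is a reason to stop and rotate the credential, not just to amend the commit.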

See also

If you're curious about any of the command-line utilities we used in this recipe, you can always refer to their man pages by issuing the following command in a Terminal session:

$ man <utility name>

Replace <utility name> with the name of the utility, such as cd, git, or mkdir.

    Installing the EDB Debugger

    I first learned about Evan Teran's EDB Debugger (appropriately referred to as the Evan Debugger) when studying for a hands-on penetration testing certification. I instantly fell in love with the user interface and usability. EDB Debugger is licensed under the GNU General Public License v2.0 (GPL v2.0). I hope you enjoy using this tool as much as I do.

    The EDB Debugger is a GUI-based debugger capable of performing static and dynamic analysis of binaries, similar to the GNU Debugger (GDB). The only difference is that GDB doesn't have a GUI like the EDB Debugger. I plan on teaching both tools in later chapters, so we'll retrieve the source code for the EDB Debugger and will use this recipe to compile it.

    Getting ready

    If the 32-bit and 64-bit Ubuntu virtual machines aren't running, go ahead and start them both now. Once they are running, log into both of them if needed, and start the Terminal application within each virtual machine. Once the Terminal is running, you can work through this recipe. We've already installed the dependencies for this tool in the Installing the dependencies and the tools recipe earlier in this chapter, so we can move right along and compile this tool from the source.

    How to do it...

    Perform the following steps:

    1. Using the open Terminal application, type the following commands:
    $ cd ~/bac
    $ git clone --recursive https://github.com/eteran/edb-debugger.git
    2. If there are no errors when cloning the EDB Debugger source code, we'll compile the source code by issuing the following Terminal commands:
    $ cd ~/bac/edb-debugger
    $ mkdir build
    $ cd build
    $ cmake ..
    $ make
    3. Wait for the compilation process to finish. As long as there are no errors, you should see the edb binary in the build directory we just created. For ease of use, we can create a symbolic link to the edb binary in /usr/local/bin. To do that, we need to issue the following Terminal command:
    $ sudo ln -s ~/bac/edb-debugger/build/edb /usr/local/bin/
    4. As long as there were no errors, you should be able to run edb from any directory from a Terminal:
    $ edb
    5. If the binary ran correctly, we should see the EDB Debugger start window, as shown in the following screenshot:
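Since this recipe is run on both a 32-bit and a 64-bit virtual machine, a quick way to confirm the build produced the right artifact before trusting the symbolic link is to read the ELF header of the edb binary. The following Python check is an added example, not code from the book or from the EDB project; it assumes the build path from the steps above and uses constructed ELF headers so it can be exercised without a real build.

```python
"""Added example: verify that the freshly built edb binary is an ELF whose
32/64-bit class matches the virtual machine it was built on.
Not part of the book or of EDB Debugger."""
import os
import platform
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification for the two lab VMs.
EM_386, EM_X86_64 = 3, 62
MACHINE_NAMES = {EM_386: "i386", EM_X86_64: "x86-64"}


def parse_elf_ident(header):
    """Parse the first 20 bytes of an ELF file and return
    (bit_class, endianness, e_machine). Raises ValueError if it is not ELF."""
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = header[4], header[5]          # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    bits = 32 if ei_class == 1 else 64
    endian = "<" if ei_data == 1 else ">"
    # e_type (offset 16) and e_machine (offset 18) are 16-bit fields stored in
    # the byte order that EI_DATA announces.
    _e_type, e_machine = struct.unpack(endian + "HH", header[16:20])
    return bits, endian, e_machine


def expected_bits_for(machine):
    """Map the output of uname -m / platform.machine() to an ELF class."""
    return 64 if machine in ("x86_64", "amd64") else 32


def check_header(header, host_machine, label="binary"):
    """Return (ok, message) for a header read from the binary at hand."""
    try:
        bits, _endian, e_machine = parse_elf_ident(header)
    except ValueError as exc:
        return False, f"{label}: {exc}"
    want = expected_bits_for(host_machine)
    name = MACHINE_NAMES.get(e_machine, f"e_machine={e_machine}")
    if bits != want:
        return False, f"{label}: {bits}-bit {name} ELF but this VM is {host_machine} ({want}-bit)"
    return True, f"{label}: {bits}-bit {name} ELF, matches {host_machine}"


def check_edb_binary(path, host_machine=None):
    """Open the built binary and compare its ELF class with the host architecture.
    ok is True only when the file exists, is an ELF, and the class matches."""
    if not os.path.isfile(path):
        return False, f"{path} does not exist; did make finish without errors?"
    with open(path, "rb") as fh:
        header = fh.read(20)
    return check_header(header, host_machine or platform.machine(), path)


# Constructed headers (not real edb builds) so the check can run offline:
# magic, EI_CLASS, EI_DATA=1 (little-endian), EI_VERSION=1, EI_OSABI=0,
# 8 padding bytes, then e_type=2 (ET_EXEC) and e_machine.
HEADER_X86_64 = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack("<HH", 2, EM_X86_64)
HEADER_I386 = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\0" * 8 + struct.pack("<HH", 2, EM_386)

if __name__ == "__main__":
    # Path from step 3 of the recipe; assumed, adjust if you built elsewhere.
    ok, msg = check_edb_binary(os.path.expanduser("~/bac/edb-debugger/build/edb"))
    print(("OK   " if ok else "FAIL ") + msg)
```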

    How it works...

    We started off by changing our current working directory to ~/bac, which we created in the previous recipe. Once our current working directory was changed, we used Git to clone the EDB Debugger source code from its repository on GitHub. Next, we followed the developer's instructions by making a build directory inside the edb-debugger directory, changing our current working directory into that build directory, running cmake against the primary edb-debugger directory, denoted by the .. in the cmake command, and finally, running make to compile the code from the developer's supplied makefile.

    Once the compilation process was completed, we created a symbolic link to the binary in the build directory inside the /usr/local/bin directory on our virtual machines. Last, but not least, we verified that the compilation process went well by actually running the binary from our active Terminal session. If you get the same start window as I did, you're ready to move on to the next recipe. Just as a reminder, you need to perform this recipe on both the 32-bit and 64-bit Ubuntu virtual machines.

    There's more...

    When we retrieved the source code using Git, the --recursive flag also retrieved all of the submodules and plugins that are available from the developer's repository. I encourage you to read the wiki about the available plugins: https://github.com/eteran/edb-debugger/wiki.

    See also

    While I would love to write an entire book on this tool, the developer already has a great wiki for us so that we can learn how to use the EDB Debugger. Visit https://github.com/eteran/edb-debugger/wiki if you want insight into how some of the features of this great tool work. We'll cover some of this functionality in later chapters as it pertains to looking for buffer overflow vulnerabilities in ELF binaries written in C.

    Taking a snapshot of the virtual machines

    There comes a time in nearly every research project I undertake where I need to revert my system, and I usually forget to take a snapshot of a clean virtual machine build. The following instructions will help you to take a snapshot of each of the Ubuntu Desktop virtual machines we configured earlier in this chapter. That way we have a restore point if we need it.

    Getting ready

    If the VirtualBox application is closed, open it and wait for the Oracle VM VirtualBox Manager window to appear. Once you have that window open on your desktop, you are ready to proceed.

    How to do it...

    To take a snapshot of each virtual machine, perform the steps below.

    1. On the left-hand side of the Oracle VM VirtualBox Manager window, click and highlight the virtual machine you want to snapshot. Then, click on the Settings icon in the top menu area of that window.
    2. In the Settings window, click on General | Advanced.
    3. Under the Snapshot Folder: drop-down, make sure the default location is sufficient for your storage restrictions and requirements. If it's not, change the setting to a location that's appropriate for your needs and click OK:
    4. Start the virtual machine for which you want to create a snapshot.
    5. Once the virtual machine is running, bring it into focus. Then, from the top toolbar menu items, click and select Machine | Take Snapshot.
    6. In the Snapshot window, provide a name for the snapshot and a description, and then click OK. Make sure the name and description clearly communicate this is a fresh, up-to-date state for the virtual machine.
    7. Repeat these steps for the other Ubuntu Desktop virtual machine.

    How it works...

    By working through this recipe, we configured the location where VirtualBox will store snapshots of virtual machines, we saved a snapshot of the 32-bit and 64-bit Ubuntu Desktop virtual machines we configured earlier in this chapter, and we gave each a name and description that will indicate that the snapshot is a fresh configuration of each virtual machine.

    There's more...

    Using the snapshot feature within VirtualBox allows you to save and restore various states of the virtual machines along the way. If you always want to have a fresh, up-to-date virtual machine, you can continually take snapshots after every time you perform an update or upgrade the operating system within the virtual machine. Snapshots are a great way to keep a backup of a virtual machine as well, in the event an upgrade to the operating system causes a significant error that makes it more time-consuming to recover. From a binary analysis perspective, we may encounter seriously malicious binaries from time to time, and it's always good to have a working virtual machine state to return to. As a matter of fact, and not to give away the rest of this book, we may see a destructive binary in later chapters and will need a snapshot to which we can revert.

    See also

    For more information on VirtualBox or for a user guide for some of the more advanced features that weren't covered in this chapter, open a browser and navigate to https://www.virtualbox.org/wiki/Documentation.

    Now that we have a clean slate to which we can return if needed, we can move on to the next chapter. In Chapter 2, 32-Bit Assembly on Linux and the ELF Specification, and Chapter 3, 64-Bit Assembly on Linux and the ELF Specification, we will work through recipes that will help us to understand, or learn for the first time, the finer details of 32-bit and 64-bit Intel assembly as it pertains to Linux and to study the ELF binary specification in detail. If you're already an expert on 32-bit and 64-bit Intel assembly on Linux and with the ELF specification, please feel free to move on to Chapter 4, Creating a Binary Analysis Methodology. However, I encourage you to read through Chapter 2, 32-Bit Assembly on Linux and the ELF Specification, and Chapter 3, 64-Bit Assembly on Linux and the ELF Specification, as I intend to cover as much practical information on those topics as possible while skipping some of the information that doesn't pertain to the examples presented in this book.


    Key benefits

    • Adopt a methodological approach to binary ELF analysis on Linux
    • Learn how to disassemble binaries and understand disassembled code
    • Discover how and when to patch a malicious binary during analysis

    Description

    Binary analysis is the process of examining a binary program to determine information security actions. It is a complex, constantly evolving, and challenging topic that crosses over into several domains of information technology and security. This binary analysis book is designed to help you get started with the basics, before gradually advancing to challenging topics. Using a recipe-based approach, this book guides you through building a lab of virtual machines and installing tools to analyze binaries effectively. You'll begin by learning about the IA32 and ELF32 as well as IA64 and ELF64 specifications. The book will then guide you in developing a methodology and exploring a variety of tools for Linux binary analysis. As you advance, you'll learn how to analyze malicious 32-bit and 64-bit binaries and identify vulnerabilities. You'll even examine obfuscation and anti-analysis techniques, analyze polymorphed malicious binaries, and get a high-level overview of dynamic taint analysis and binary instrumentation concepts. By the end of the book, you'll have gained comprehensive insights into binary analysis concepts and have developed the foundational skills to confidently delve into the realm of binary analysis.

    Who is this book for?

    This book is for anyone looking to learn how to dissect ELF binaries using open-source tools available in Linux. If you're a Linux system administrator or information security professional, you'll find this guide useful. Basic knowledge of Linux, familiarity with virtualization technologies and the working of network sockets, and experience in basic Python or Bash scripting will assist you with understanding the concepts in this book.

    What you will learn

    • Traverse the IA32, IA64, and ELF specifications
    • Explore Linux tools to disassemble ELF binaries
    • Identify vulnerabilities in 32-bit and 64-bit binaries
    • Discover actionable solutions to overcome the limitations in analyzing ELF binaries
    • Interpret the output of Linux tools to identify security risks in binaries
    • Understand how dynamic taint analysis works

    Product Details

    Publication date: Sep 20, 2019
    Length: 396 pages
    Edition: 1st
    Language: English
    ISBN-13: 9781789807608




    Table of Contents (11 chapters)

    1. Setting Up the Lab
    2. 32-bit Assembly on Linux and the ELF Specification
    3. 64-bit Assembly on Linux and the ELF Specification
    4. Creating a Binary Analysis Methodology
    5. Linux Tools for Binary Analysis
    6. Analyzing a Simple Bind Shell
    7. Analyzing a Simple Reverse Shell
    8. Identifying Vulnerabilities
    9. Understanding Anti-Analysis Techniques
    10. A Simple Reverse Shell With Polymorphism
    11. Another Book You May Enjoy

