Week 2
Agenda
- ELF Header
- Static tools
- Basic Blocks
- Disassembly tools
ELF Header
Let's go byte by byte!
$ xxd stackoverflow | head
00000000: 7f45 4c46 0101 0100 0000 0000 0000 0000 .ELF............
00000010: 0200 0300 0100 0000 3084 0408 3400 0000 ........0...4...
00000020: 8c21 0000 0000 0000 3400 2000 0900 2800 .!......4. ...(.
00000030: 2300 2200 0600 0000 3400 0000 3480 0408 #.".....4...4...
00000040: 3480 0408 2001 0000 2001 0000 0400 0000 4... ... .......
00000050: 0400 0000 0300 0000 5401 0000 5481 0408 ........T...T...
00000060: 5481 0408 1300 0000 1300 0000 0400 0000 T...............
00000070: 0100 0000 0100 0000 0000 0000 0080 0408 ................
00000080: 0080 0408 5808 0000 5808 0000 0500 0000 ....X...X.......
00000090: 0010 0000 0100 0000 0c0f 0000 0c9f 0408 ................
Not actually, that's too painful
ELF Header
#define EI_NIDENT 16
typedef struct {
unsigned char e_ident[EI_NIDENT];
Elf32_Half e_type;
Elf32_Half e_machine;
Elf32_Word e_version;
Elf32_Addr e_entry;
Elf32_Off e_phoff;
Elf32_Off e_shoff;
Elf32_Word e_flags;
Elf32_Half e_ehsize;
Elf32_Half e_phentsize;
Elf32_Half e_phnum;
Elf32_Half e_shentsize;
Elf32_Half e_shnum;
Elf32_Half e_shstrndx;
} Elf32_Ehdr;
$ readelf -h a.out ###Output modified slightly
Magic: 7f 45 4c 46 \x7fELF
Class: ELF32
Data: little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC
Machine: Intel 80386
Version: 0x1
Entry point address: 0x8048430
Start of program headers: 52
Start of section headers: 8588
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 9
Size of section headers: 40 (bytes)
Number of section headers: 35
Section header string table index: 34
e_ -- elf
ph -- program header
sh -- section header
off -- offset
ent -- entry
e_shentsize ?
e_shnum ?
e_phentsize ?
e_shstrndx ?*
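Added example (not from the original slides): the first 52 bytes of the xxd dump above decoded field by field, which reproduces the readelf -h values shown. The names ehdr32, parse_ehdr32 and table_end are made up for this example; explicit little-endian reads are used so the result does not depend on host byte order or struct padding.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes 0x00-0x33 of the xxd dump above: the whole Elf32_Ehdr. */
static const uint8_t EHDR[52] = {
    0x7f,0x45,0x4c,0x46,0x01,0x01,0x01,0x00,0,0,0,0,0,0,0,0,
    0x02,0x00,0x03,0x00,0x01,0x00,0x00,0x00,0x30,0x84,0x04,0x08,0x34,0x00,0x00,0x00,
    0x8c,0x21,0x00,0x00,0x00,0x00,0x00,0x00,0x34,0x00,0x20,0x00,0x09,0x00,0x28,0x00,
    0x23,0x00,0x22,0x00
};

typedef struct {                 /* decoded fields, named as in Elf32_Ehdr */
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ehdr32;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 on success, -1 if the buffer is not a little-endian ELF32 header. */
int parse_ehdr32(const uint8_t *b, size_t len, ehdr32 *h) {
    if (len < 52 || memcmp(b, "\x7f" "ELF", 4) != 0) return -1;
    if (b[4] != 1 /* ELFCLASS32 */ || b[5] != 1 /* ELFDATA2LSB */) return -1;
    h->e_type = le16(b + 16);      h->e_machine = le16(b + 18);
    h->e_version = le32(b + 20);   h->e_entry = le32(b + 24);
    h->e_phoff = le32(b + 28);     h->e_shoff = le32(b + 32);
    h->e_flags = le32(b + 36);     h->e_ehsize = le16(b + 40);
    h->e_phentsize = le16(b + 42); h->e_phnum = le16(b + 44);
    h->e_shentsize = le16(b + 46); h->e_shnum = le16(b + 48);
    h->e_shstrndx = le16(b + 50);
    return 0;
}

/* End offset of a header table: off + num * entsize, in 64 bits so it cannot wrap. */
uint64_t table_end(uint32_t off, uint16_t num, uint16_t entsize) {
    return (uint64_t)off + (uint64_t)num * entsize;
}

int main(void) {
    ehdr32 h;
    if (parse_ehdr32(EHDR, sizeof EHDR, &h) != 0) return 1;
    printf("entry=0x%x phoff=%u shoff=%u\n", (unsigned)h.e_entry, (unsigned)h.e_phoff, (unsigned)h.e_shoff);
    printf("phdr table ends at %llu, shdr table ends at %llu\n",
           (unsigned long long)table_end(h.e_phoff, h.e_phnum, h.e_phentsize),
           (unsigned long long)table_end(h.e_shoff, h.e_shnum, h.e_shentsize));
    return 0;
}
```

Comparing table_end against the file size is a quick check for a truncated or malformed binary before trusting the header tables.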
Section Header
TRY:
$ readelf -S /bin/bash
### modified output
[Nr] Name Type
[ 0] NULL
[ 1] .interp PROGBITS
[ 2] .note.ABI-tag NOTE
[ 3] .note.gnu.build-i NOTE
[ 4] .gnu.hash GNU_HASH
[ 5] .dynsym DYNSYM
[ 6] .dynstr STRTAB
[ 7] .gnu.version VERSYM
[ 8] .gnu.version_r VERNEED
[ 9] .rela.dyn RELA
[10] .rela.plt RELA
[11] .init PROGBITS
[12] .plt PROGBITS
[13] .plt.got PROGBITS
[14] .text PROGBITS
[15] .fini PROGBITS
[16] .rodata PROGBITS
[17] .eh_frame_hdr PROGBITS
[18] .eh_frame PROGBITS
[19] .init_array INIT_ARRAY
[20] .fini_array FINI_ARRAY
[21] .data.rel.ro PROGBITS
[22] .dynamic DYNAMIC
[23] .got PROGBITS
[24] .data PROGBITS
[25] .bss NOBITS
[26] .gnu_debuglink PROGBITS
[27] .shstrtab STRTAB
What is a section header?
What are some sections that are useful to us?
.text
.got
.data
A well-defined header that gives information on a section of the binary, which is itself unstructured.
Program Header
Program headers indicate how the segments required for execution are to be loaded into virtual memory.
There is a section-to-segment mapping that specifies which sections are part of which segments.
Radare2 does all analysis based on virtual addressing
Binary Layout
Does it matter where the Program and Section headers are in the binary?
Where must the ELF Header always exist?
Are all Section or Program headers needed?
Please read slides on Linking from Week_1 as part of your HW
Static Analysis
1. Why static analysis?
2. What do we want to know about a binary?
3. What else can we learn about a binary before talking about code?
We want to learn as much as we can about the binary without having to run it.
This way we can save ourselves from running a malicious program, or even save time just from getting hints for other analysis!
That depends on what we are doing! But generally, starting with readelf/strings is helpful.
Static tools demo
- readelf
- strings
- objdump
- xxd
Basic Blocks & Control Flow
What is a basic block?
A basic block is a sequence of instructions where the only entry is the top of the block and the only exit is the end of the block.
In Binary Ninja, red is the false path, green is the true path, and blue is neither (sometimes green).
What is a basic block?
Columns of a disassembly listing: Address, Opcode, Instruction, Operand(s)
You may need to change options to see addresses and opcodes in your disassembler!
Basic blocks are part of intraprocedural scope, which means within a single function.
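Added example (not from the original slides): splitting a listing into basic blocks by marking "leaders", using a constructed if/else listing rather than a real binary. The insn type and the functions find_leaders and block_of are made up for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum kind { PLAIN, JCC, JMP, RET };      /* how an instruction affects control flow */
typedef struct { uint32_t addr; enum kind k; uint32_t target; const char *text; } insn;

/* Constructed listing (not from a real binary): an if/else "diamond".
 * The jle has two exits: taken (true path) and fall-through (false path). */
static const insn LISTING[] = {
    {0x00, PLAIN, 0,    "cmp eax, 5"},
    {0x03, JCC,   0x0c, "jle 0x0c"},
    {0x05, PLAIN, 0,    "mov ebx, 1"},
    {0x0a, JMP,   0x11, "jmp 0x11"},
    {0x0c, PLAIN, 0,    "mov ebx, 2"},
    {0x11, PLAIN, 0,    "leave"},
    {0x12, RET,   0,    "ret"},
};
enum { N = sizeof LISTING / sizeof LISTING[0] };

/* Mark leaders: the first instruction, every jump target, and every
 * instruction that follows a jump or ret. Returns the number of blocks. */
size_t find_leaders(const insn *in, size_t n, uint8_t *leader) {
    size_t blocks = 0;
    for (size_t i = 0; i < n; i++) leader[i] = (i == 0);
    for (size_t i = 0; i < n; i++) {
        if (in[i].k == PLAIN) continue;
        if (i + 1 < n) leader[i + 1] = 1;        /* a block ended at i, so i+1 starts one */
        for (size_t j = 0; j < n && in[i].k != RET; j++)
            if (in[j].addr == in[i].target) leader[j] = 1;
    }
    for (size_t i = 0; i < n; i++) blocks += leader[i];
    return blocks;
}

/* Start address of the block that contains instruction i. */
uint32_t block_of(const insn *in, const uint8_t *leader, size_t i) {
    while (!leader[i]) i--;                      /* leader[0] is always set */
    return in[i].addr;
}

int main(void) {
    uint8_t leader[N];
    printf("%zu basic blocks\n", find_leaders(LISTING, N, leader));
    for (size_t i = 0; i < N; i++)               /* blank line before each block */
        printf("%s0x%02x  %s\n", leader[i] ? "\n" : "", (unsigned)LISTING[i].addr, LISTING[i].text);
    return 0;
}
```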
Call Graphs
IDA can show you call graphs visually. This can be useful, depending on the type of analysis needed (interprocedural).
Disassembly tools
Binary Ninja
We can use binja to disassemble and it is the best looking one!
Has many plugins, built on python, the Sublime of disassembly
IDA
IDA is the oldest, works well on Windows binaries, detects structures, colors are customizable (if you're into that)
Little harder to use, but you get more analysis tools in the background. Basically operates the same way you would Binja
Emacs of disassembly
Radare2
Originally written as a hex editor, grew into a massive disassembler/debugger/forensics tool all at the same time.
Really hard to use, super powerful, can do pretty much anything. CLI, no good GUI
Vim of disassembly plus a toaster&blender&knife set.
You choose
Feel free to use any disassembler you like,
I recommend learning to navigate each in case you need more than one.
Static Analysis (Cont.)
Static analysis does not stop at disassembly and reading file headers!
Symbolic execution
Data-flow Analysis
By Drake P