490 likes | 505 Views
https://www.flickr.com/photos/55810025@N06/5205904395 (CCBY-SA 2.0). The Backdoor Foundry: A Toolchain for Building Application Specific Implants Evan Jensen REcon June 28 th , 201 9. Life of a Binary. Source Code. Compile. Assembly. Assemble. Object. Link. Binary. Load. Module.
E N D
https://www.flickr.com/photos/55810025@N06/5205904395 (CCBY-SA 2.0)
The Backdoor Foundry: A Toolchain for Building Application Specific Implants Evan Jensen REcon June 28th, 2019
Life of a Binary Source Code Compile Assembly Assemble Object Link Binary Load Module
Possible Life of a Binary Source Code Compile Assembly Assemble Object Link Binary Load Module
Motivation • Modify / upgrade / improve / re-purpose existing software • Write modifications in high level languages • Remove or alter functionality • Stuff
Introduction • Education • Bachelor’s in CS, NYU-Poly • Teaching • Trainings at BU, NYU, RPI, MIT, and West Point • Lincoln Laboratory • Cyber System Assessments Group • CTF Team Lab RATs • Facebook • Red-team • Tufts University • Instructor for Software Reverse-Engineering, Spring 2019 • Boston Cybernetics Institute • Co-founder and CTO
Boston Cybernetics Institute • Public benefit corporation (PBC) founded 2017 • Mission: Provide cybersecurity training and research in support of national defense • Located at 30 JFK St, Cambridge (Harvard Square) • Public and Private Classes: • Malware Analysis • Reverse-Engineering • Vulnerability Assessment • Embedded Systems • Contact • Boston-Cyber.Eventbrite.com • www.BostonCyber.org • @BosCybernetics 6
Outline • Introduction • Background • Goals • Related Work • My Approach • Conclusion
Background: Life of a Binary Source Code Compile Assembly Assemble Object Link Binary Static Binary Instrumentation (SBI) Load Dynamic Binary Instrumentation (DBI) Examples: Pin Tools, Dynamo Rio, Valgrind Module
Background: Life of a Binary Source Code Compile Assembly Assemble Object Link Binary Static Binary Instrumentation (SBI) Load Dynamic Binary Instrumentation (DBI) Examples: Pin Tools, Dynamo Rio, Valgrind Module
Background: Life of a Binary Source Code Compile Assembly Assemble Object Link Binary • Static Binary Instrumentation (SBI) • Binary Translation / Re-Writing / Re-compilation • Code Injection (static) • Patching • File Infection • Packers / Protectors / Crypters • Binders / Joiners / Self-Extracting Installers Load Module
Background: SBI Types • Packer / Cryptors • Compress and/or encrypt binary with unpacking stub • Binary Translation / Re-writing / Re-compilation • Lift binary to intermediate language • Add in additional code • Repackage binary • Infection/Injection • Embed code into existing executable • May preserve original functionality of program • Patching / Editing / Modification • General purpose binary modification • Usually performed manually • Binders/ Joiners / Self-Extracting Installer • Used legitimately for installs and portable software • Also used by malware • Often entire executable is embedded into another • Second executable is run as independent process during execution
Outline • Introduction • Background • Goals • Related Work • My Approach • Conclusion
Goals • Extend functionality of arbitrary executable files • Added functionality written in high level language • Extensions can be written by anyone with a programming background • Original program code unmodified (modify metadata only) • Support any compiler that emits “relocatable objects”
Outline • Introduction • Background • Goals • Related Work • My Approach • Conclusion
Related Work: SBI Tools Heavy Syntax Modification • Packers / Protectors / Crypters • https://github.com/droberson/ELFcrypt • https://github.com/arisada/midgetpack • SBI / Binary Translation / Re-writing/ Re-compilation • https://github.com/utds3lab/multiverse • https://github.com/GaloisInc/renovate • https://github.com/wmliang/pe-afl • https://github.com/trailofbits/mcsema • https://diablo.elis.ugent.be/ • https://github.com/s3team/uroboros • File Infection • https://github.com/oblique/elf-infector • https://github.com/NullByteGTK/ELF-Infector • https://github.com/secretsquirrel/the-backdoor-factoryhttps://github.com/damotou/ElfInject • https://0x00sec.org/t/elfun-file-injector/410 • https://github.com/mfaerevaag/elfinjector • Patching / Editor / Modification • https://github.com/BR903/ELFkickers • https://github.com/cea-sec/miasm • https://github.com/NixOS/patchelf • https://github.com/lief-project/LIEF • Binder / Joiner / Self-extracting Installer • https://sourceforge.net/projects/sevenzip/files/7-Zip/ • https://packetstormsecurity.com/files/14654/SilkRope.zip.html • https://upx.github.io/ Light Syntax Modification
Related Work: Publications • Cesare, S. (2000, May). Shared Library Call Redirection Via Elf PLT Infection. Phrack. Retrieved from http://phrack.org/issues/56/7.html#article • Mayhem. (2003, August). The Cerberus ELF Interface. Phrack. Retrieved from http://phrack.org/issues/61/8.html#article • Gerrits, D., Gabriëls, R., & Kooijmans, P. (2007). An ELF virus prototype. Retrieved from http://dirkgerrits.com/publications/elf-virus.pdf • Kwan, M. (2012). Detouring program execution in binary applications MEng Final Report. Retrieved from https://www.doc.ic.ac.uk/teaching/distinguished-projects/2012/m.kwan .pdf • Andriesse, D. (2019). Simple Code Injection Techniques for Elf. In Practical Binary Analysis (pp. 155–187). No Starch Press.
Existing Precedent: AIX’s Linker • From the man page of AIX’s ld • “The ld command can relink a program without requiring that you list all input object files again. For example, if one object file from a large program has changed, you can relink the program by listing the new object file and the old program on the command line, along with any shared libraries required by the program.” - https://www.ibm.com/support/knowledgecenter/en/ssw_aix_72/com.ibm.aix.cmds3/ld.htm#ld__a09493d1
Outline • Introduction • Background • Goals • Related Work • My Approach • Conclusion
Reference ELF File Infector Target-ELF ELF Header Program Header Table Program Header Table Code Code Data Sections’ names Section Header Table Program Header Table
My Approach • Create extension-ELF by “partially linking” source code • Extend the “ELF program header” and relocate it if necessary • Perform static relocations for extension-ELF • Insert code and data from the now “relocated elf” • Collect unapplied static relocations and make dynamic relocations • Create and insert new dynamic relocations • Alter program metadata to acquire control flow
Creation of a new .init_array record • Called before main by the dynamic linker (.init)
X86 Without Relocation 0: 31 edxorebp,ebp 2: 5e pop esi 3: 89 e1 movecx,esp 5: 83 e4 f0 and esp,0xfffffff0 8: 50 push eax 9: 54 push esp a: 52 push edx b: e8 23 00 00 00 call 33 <_start+0x33> 10: 81 c3 02 00 00 00 add ebx,0x2 16: 8d 83 00 00 00 00 lea eax,[ebx+0x0] 1c: 50 push eax 1d: 8d 83 00 00 00 00 lea eax,[ebx+0x0] 23: 50 push eax 24: 51 push ecx 25: 56 push esi 26: 8b 83 00 00 00 00 moveax,DWORD PTR [ebx+0x0] 2c: 50 push eax 2d: e8 fc ffffff call 2e <_start+0x2e> 32: f4 hlt 33: 8b 1c 24 movebx,DWORD PTR [esp] 36: c3 ret
Common Types of Relocation (glibc/sysdeps/i386/dl-machine.h)
Dynamic Table Parsed Tag Type Name/Value 0x00000001 (NEEDED) Shared library: [libstdc++.so.6] 0x00000001 (NEEDED) Shared library: [libm.so.6] 0x00000001 (NEEDED) Shared library: [libgcc_s.so.1] 0x00000001 (NEEDED) Shared library: [libc.so.6] 0x0000000c (INIT) 0x8049000 0x00000019 (INIT_ARRAY) 0x804bebc 0x0000001b (INIT_ARRAYSZ) 8 (bytes) 0x00000005 (STRTAB) 0x8048300 0x00000006 (SYMTAB) 0x8048240 0x0000000a (STRSZ) 384 (bytes) 0x0000000b (SYMENT) 16 (bytes) 0x00000003 (PLTGOT) 0x804c000 0x00000002 (PLTRELSZ) 56 (bytes) 0x00000014 (PLTREL) REL 0x00000017 (JMPREL) 0x8048510 0x00000011 (REL) 0x80484f8 0x00000012 (RELSZ) 24 (bytes) 0x00000013 (RELENT) 8 (bytes) 0x6ffffffe (VERNEED) 0x8048498 0x6fffffff (VERNEEDNUM) 2 0x6ffffff0 (VERSYM) 0x8048480
Release • Couple of bugs to squash • Code clean up • ~2 weeks
Summary • Completed Work • Inject compiled C into arbitrary applications • Prepend control flow through variety of methods • Add ELF relocatable objects with flexibility for shared libraries • Future Work • Extend to other binary formats, e.g. Mach-O, PE • Extend to other architectures, e.g. ARM, PowerPC, MIPS • Contact Info • ejensen@BostonCybernetics.org • @JensenSec
Tampered Section Header • All data still present on disk • IDA coerced into not displaying the full insert
DBI • Dynamic Binary Instrumentation (DBI) • https://github.com/caps-tum/dbrew • http://deniable.org/reversing/binary-instrumentation (primer) • https://github.com/google/syzygy (works on PE, requires PDB) • https://github.com/gamozolabs/applepie (hypervisor for fuzzing)
ELF Header Parsed: Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 Class: ELF32 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: EXEC (Executable file) Machine: Intel 80386 Version: 0x1 Entry point address: 0x80490c0 Start of program headers: 52 (bytes into file) Start of section headers: 15208 (bytes into file) Flags: 0x0 Size of this header: 52 (bytes) Size of program headers: 32 (bytes) Number of program headers: 11 Size of section headers: 40 (bytes) Number of section headers: 31 Section header string table index: 30
ELF Header Raw: typedef struct { unsigned char e_ident[(16)]; Elf32_Half e_type; Elf32_Half e_machine; Elf32_Word e_version; Elf32_Addr e_entry; Elf32_Off e_phoff; Elf32_Off e_shoff; Elf32_Word e_flags; Elf32_Half e_ehsize; Elf32_Half e_phentsize; Elf32_Half e_phnum; Elf32_Half e_shentsize; Elf32_Half e_shnum; Elf32_Half e_shstrndx; } Elf32_Ehdr;
“Program” Header Parsed: Type Offset VirtAddrPhysAddrFileSizMemSizFlg Align PHDR 0x000034 0x08048034 0x08048034 0x00160 0x00160 R 0x4 INTERP 0x000194 0x08048194 0x08048194 0x00013 0x00013 R 0x1 [Requesting program interpreter: /lib/ld-linux.so.2] LOAD 0x000000 0x08048000 0x08048000 0x00548 0x00548 R 0x1000 LOAD 0x001000 0x08049000 0x08049000 0x003f8 0x003f8 R E 0x1000 LOAD 0x002000 0x0804a000 0x0804a000 0x002d0 0x002d0 R 0x1000 LOAD 0x002ebc 0x0804bebc 0x0804bebc 0x00174 0x00214 RW 0x1000 DYNAMIC 0x002ef4 0x0804bef4 0x0804bef4 0x00108 0x00108 RW 0x4
“Program” Header Raw: typedef struct { Elf32_Word p_type; Elf32_Off p_offset; Elf32_Addr p_vaddr; Elf32_Addr p_paddr; Elf32_Word p_filesz; Elf32_Word p_memsz; Elf32_Word p_flags; Elf32_Word p_align; } Elf32_Phdr;
Section Headers Parsed(some removed) [Nr] Name Type Addr Off Size ES Flg Lk Inf Al [ 1] .interp PROGBITS 08048194 000194 000013 00 A 0 0 1 [ 3] .hash HASH 080481c8 0001c8 000044 04 A 5 0 4 [ 5] .dynsym DYNSYM 08048240 000240 0000c0 10 A 6 1 4 [ 6] .dynstr STRTAB 08048300 000300 000180 00 A 0 0 1 [10] .rel.plt REL 08048510 000510 000038 08 AI 5 24 4 [12] .plt PROGBITS 08049030 001030 000080 04 AX 0 0 16 [14] .text PROGBITS 080490c0 0010c0 000322 00 AX 0 0 16 [22] .dynamic DYNAMIC 0804bef4 002ef4 000108 08 WA 6 0 4 [24] .got.plt PROGBITS 0804c000 003000 000028 04 WA 0 0 4 [25] .data PROGBITS 0804c028 003028 000008 00 WA 0 0 4 [26] .bss NOBITS 0804c040 003030 000090 00 WA 0 0 32 [28] .symtab SYMTAB 00000000 00305c 000580 10 29 50 4 [29] .strtab STRTAB 00000000 0035dc 00048c 00 0 0 1 [30] .shstrtab STRTAB 00000000 003a68 0000ff 00 0 0 1 Key to Flags: W (write), A (alloc), X (execute), M (merge), S (strings), I (info), L (link order), O (extra OS processing required), G (group), T (TLS), C (compressed), x (unknown), o (OS specific), E (exclude), p (processor specific)
Section Header Raw typedef struct { Elf32_Word sh_name; Elf32_Word sh_type; Elf32_Word sh_flags; Elf32_Addr sh_addr; Elf32_Off sh_offset; Elf32_Word sh_size; Elf32_Word sh_link; Elf32_Word sh_info; Elf32_Word sh_addralign; Elf32_Word sh_entsize; } Elf32_Shdr;
Section to Segment Mapping: Segment Sections... 00 01 .interp 02 .interp .hash .dynsym .dynstr .rel.plt 03 .plt .text 05 .data .bss 06 .dynamic 10 .dynamic .got
Relocation Table Parsed Relocation section '.rel.text' at offset 0x2a0 contains 5 entries: Offset Info Type Sym.Value Sym. Name 00000012 0000100a R_386_GOTPC 00000000 _GLOBAL_OFFSET_TABLE_ 00000018 00000a09 R_386_GOTOFF 00000000 __libc_csu_fini 0000001f 00000d09 R_386_GOTOFF 00000000 __libc_csu_init 00000028 00000e2b R_386_GOT32X 00000000 main 0000002e 00001204 R_386_PLT32 00000000 __libc_start_main
Relocation Record Raw typedef struct { Elf32_Addr r_offset; Elf32_Word r_info; } Elf32_Rel;
Symbol Record Raw typedef struct { Elf32_Word st_name; Elf32_Addr st_value; Elf32_Word st_size; unsigned char st_info; unsigned char st_other; Elf32_Section st_shndx; } Elf32_Sym;
Dynamic Record Raw typedef struct { Elf32_Sword d_tag; union { Elf32_Word d_val; Elf32_Addr d_ptr; } d_un; } Elf32_Dyn;
ELF Format (/usr/include/elf.h) • Normal Executable (ET_EXEC, no file extension) • Relocatable Object (ET_REL, extension .o) • Core Files (ET_CORE, just named “core”) • Shared Objects (ET_DYN, extension .so)
Background: Life of a Binary Source Code Compile Assembly Assemble Object Link Binary Load Module