Presented at DEF CON 31 (2023), Aug. 12, 2023, 3 p.m. (45 minutes).
The esoteric art of patching ELF binaries has a long and fascinating history whose roots run deep in the hacking subculture, from ELF viruses to kernel rootkits. Silvio's 1997 "UNIX Viruses" paper taught us how to insert parasitic code into the page-aligned padding at the end of the text segment. Many backdooring and hooking techniques have been revealed over the last 20 years; they are perfect for injecting small patches and backdoors, but on their own they are limited and clunky and do not support the complexities of real-world patching problems in today's industry. Developers often need to fix complex bugs in legacy ELF binaries for which no source code is available or which cannot be recompiled.
Let me introduce you to Shiva. Shiva is a JIT binary patching system for ELF: a custom ELF interpreter that loads and links ELF relocatable patches at runtime. Shiva allows developers to write patches in rich C code, naturally expressing the rewriting of binary code at runtime in a high-level language. ELF binary patching solutions over the past two decades have been scarce; among the notable research, Katana and ERESI come to mind as pioneers in early custom ELF linkers and binary patchers.
Shiva is a next-level solution that allows developers to quickly write patches in C with little to no reversing knowledge. It was born out of 16 years of ELF research into virus design and binary patching, and extensive experience writing custom linkers and loaders.
In this talk we will discuss the foundations of ELF binary patching and its close relationship with ELF linkers, loaders and even ELF virus technology. This passionate body of research is combined and imbued into Shiva to create a highly innovative and powerful product that helps bridge the gap between developers and reverse engineers in modern binary patching solutions for ELF. A new workflow for maintaining insecure legacy software with modular patching capabilities is on the rise!
Prepare for an in-depth discussion of new ELF hacking techniques and extensions: old concepts such as userland exec() brought back to life, and entirely new concepts such as "linker chaining" to bring multiple dynamic linkers into a single process image. We will demonstrate complex patching scenarios, function splicing, program transformation, and even the weaponization of Shiva for writing sophisticated in-memory backdoors. Shiva, the ultimate ELF binary hacker, aims to solve the world's most challenging binary patching problems today.
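An added example (not code from the original page, and not Shiva's own code) to make two of the mechanics named above concrete: the PT_INTERP program header that names the ELF interpreter (the field normally pointing at ld-linux.so, and the hook a custom interpreter such as Shiva is installed through), and the page-aligned padding after the text segment that Silvio's parasite technique writes into. The code walks an ELF64 image that it constructs in memory; the function names, the sample segment layout and the 4 KiB page size are assumptions of this example, and the parser bounds-checks every offset it follows, which is the check a practitioner wants before trusting headers from an untrusted file.

```c
/* Added example, not from the original page or from Shiva: bounds-checked
 * ELF64 program-header walk over a constructed in-memory image. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 0x1000u   /* assumption: 4 KiB pages, as on x86-64 */
#define EHDR_SIZE 64
#define PHDR_SIZE 56
#define PT_LOAD   1u
#define PT_INTERP 3u
#define PF_X      1u

static const uint8_t ELF_MAGIC[4] = { 0x7f, 'E', 'L', 'F' };

/* Little-endian field readers/writers; big-endian images are rejected below. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, v & 0xffffffffu); wr32(p + 4, v >> 32); }

/* Program header count, or -1 unless this is a little-endian ELF64 image whose
 * whole program header table lies inside len (never trust e_phoff/e_phnum). */
int elf64_phnum(const uint8_t *img, size_t len)
{
    if (len < EHDR_SIZE || memcmp(img, ELF_MAGIC, 4) != 0) return -1;
    if (img[4] != 2 /* ELFCLASS64 */ || img[5] != 1 /* ELFDATA2LSB */) return -1;
    uint64_t phoff = rd64(img + 32);
    uint16_t phentsize = rd16(img + 54), phnum = rd16(img + 56);
    if (phentsize != PHDR_SIZE || phoff > len) return -1;
    if ((uint64_t)phnum * PHDR_SIZE > len - phoff) return -1;
    return phnum;
}

static const uint8_t *phdr_at(const uint8_t *img, int i)
{
    return img + rd64(img + 32) + (size_t)i * PHDR_SIZE;
}

/* Copy the PT_INTERP path (NUL-terminated) into out. Returns 1 on success, 0 if
 * the binary is static or the segment points outside the image. */
int elf64_interp(const uint8_t *img, size_t len, char *out, size_t outsz)
{
    int n = elf64_phnum(img, len);
    for (int i = 0; i < n; i++) {
        const uint8_t *ph = phdr_at(img, i);
        if (rd32(ph) != PT_INTERP) continue;
        uint64_t off = rd64(ph + 8), sz = rd64(ph + 32);   /* p_offset, p_filesz */
        if (off > len || sz == 0 || sz > len - off || sz > outsz) return 0;
        memcpy(out, img + off, sz);
        out[sz - 1] = '\0';   /* p_filesz includes the terminating NUL */
        return 1;
    }
    return 0;
}

/* Bytes from the end of the first executable PT_LOAD to the next page boundary.
 * The kernel maps whole pages, so this tail is mapped but unused by the
 * program: the region Silvio's parasite is inserted into (the infector must
 * also shift every later file offset by a page). Returns -1 if no R+X segment. */
long elf64_text_padding(const uint8_t *img, size_t len, uint64_t *text_end_va)
{
    int n = elf64_phnum(img, len);
    for (int i = 0; i < n; i++) {
        const uint8_t *ph = phdr_at(img, i);
        if (rd32(ph) != PT_LOAD || !(rd32(ph + 4) & PF_X)) continue;
        uint64_t end = rd64(ph + 16) + rd64(ph + 40);   /* p_vaddr + p_memsz */
        if (text_end_va) *text_end_va = end;
        uint64_t rem = end % PAGE_SIZE;
        return (long)(rem ? PAGE_SIZE - rem : 0);
    }
    return -1;
}

/* Constructed sample (not a real binary): non-PIE x86-64 skeleton with PT_INTERP
 * plus text and data PT_LOADs. Text ends at 0x4007a8, leaving 0x858 bytes of
 * page padding before 0x401000. */
#define TEXT_END 0x7a8u
#define IMG_LEN  (TEXT_END + 0x100u)
#define INTERP   "/lib64/ld-linux-x86-64.so.2"

size_t build_sample_image(uint8_t *img, size_t len)
{
    if (len < IMG_LEN) return 0;
    memset(img, 0, len);
    memcpy(img, ELF_MAGIC, 4);
    img[4] = 2; img[5] = 1; img[6] = 1;            /* ELFCLASS64, LSB, EV_CURRENT */
    wr16(img + 16, 2); wr16(img + 18, 62);         /* ET_EXEC, EM_X86_64 */
    wr64(img + 24, 0x400400); wr64(img + 32, EHDR_SIZE);
    wr16(img + 52, EHDR_SIZE); wr16(img + 54, PHDR_SIZE); wr16(img + 56, 3);
    size_t ioff = EHDR_SIZE + 3 * PHDR_SIZE;       /* interp string right after phdrs */
    memcpy(img + ioff, INTERP, sizeof INTERP);
    uint8_t *ph = img + EHDR_SIZE;
    wr32(ph, PT_INTERP); wr32(ph + 4, 4); wr64(ph + 8, ioff);
    wr64(ph + 16, 0x400000 + ioff); wr64(ph + 32, sizeof INTERP);
    wr64(ph + 40, sizeof INTERP); wr64(ph + 48, 1);
    ph += PHDR_SIZE;                               /* text: R+X, file offset 0 */
    wr32(ph, PT_LOAD); wr32(ph + 4, 5); wr64(ph + 16, 0x400000); wr64(ph + 24, 0x400000);
    wr64(ph + 32, TEXT_END); wr64(ph + 40, TEXT_END); wr64(ph + 48, PAGE_SIZE);
    ph += PHDR_SIZE;                               /* data: R+W, one page up */
    wr32(ph, PT_LOAD); wr32(ph + 4, 6); wr64(ph + 8, TEXT_END);
    wr64(ph + 16, 0x600000 + TEXT_END); wr64(ph + 24, 0x600000 + TEXT_END);
    wr64(ph + 32, 0x100); wr64(ph + 40, 0x100); wr64(ph + 48, PAGE_SIZE);
    return IMG_LEN;
}

int main(void)
{
    uint8_t img[IMG_LEN];
    char interp[64];
    uint64_t end = 0;
    size_t len = build_sample_image(img, sizeof img);
    if (elf64_interp(img, len, interp, sizeof interp)) printf("PT_INTERP: %s\n", interp);
    long pad = elf64_text_padding(img, len, &end);
    printf("text ends at 0x%llx, %ld bytes of page padding\n", (unsigned long long)end, pad);
    return 0;
}
```

Replacing the string PT_INTERP points at is what a "preloaded" custom interpreter does, which is why the walker surfaces it first; the padding figure is the upper bound on a Silvio-style parasite for that text segment. Modern SCOP binaries can carry more than one executable PT_LOAD, so a real tool should examine each of them rather than stopping at the first as this example does.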
REFERENCES:
--Papers--
Grugq - userland execve: https://grugq.github.io/docs/ul_exec.txt
Mayhem - Cerberus ELF interface: http://phrack.org/issues/61/8.html
Silvio - UNIX Viruses and parasites: https://vxug.fakedoma.in/archive/VxHeaven/lib/vsc02.html
James Oakley & Sergey Bratus - Katana: A hot patching framework: https://ieeexplore.ieee.org/document/5438048
James Oakley & Sergey Bratus - Exploiting the hard working DWARF: https://www.cs.dartmouth.edu/~sergey/battleaxe/hackito_2011_oakley_bratus.pdf
Mlaurenzano - PEBIL (an ELF patching framework): https://github.com/mlaurenzano/PEBIL
sd & devik - Linux on-the-fly kernel patching without LKM: http://phrack.org/issues/58/7.html
jbtzhm - Static kernel patching: https://phrack.org/issues/60/8.html
Elfmaster - Modern ELF infection techniques of SCOP binaries (POC||GTFO: 20:07)
Elfmaster - Preloading the linker for fun and profit: https://tmpout.sh/2/6.html (This paper presents the nucleus of Shiva)
Mayhem - IA32 Advanced function hooking: http://phrack.org/issues/58/8.html
Richinseattle - Hooking the ELF loader
Silvio - Shared library call redirection via PLT infection: http://phrack.org/issues/56/7.html
Elfmaster - Kernel instrumentation using kprobes: http://phrack.org/issues/67/6.html
Mayhem - Next generation ELF debuggers: https://www.blackhat.com/presentations/bh-europe-07/ERSI/Presentation/bh-eu-07-ersi-apr19.pdf
--A note on the illustrious tmp.0ut zine: https://tmpout.sh
The crew at tmp.0ut are a tightly formed group of ELF hackers and reversing enthusiasts who continue to research and publish awesome ELF research on a regular basis. I highly recommend their content, and am grateful for their many new contributions keeping the spirit of ELF hacking alive. The zine is currently translated into nine different languages.
--Source code--
https://github.com/torvalds/linux/blob/master/fs/binfmt_elf.c (Source for Linux ELF loader)
https://www.gnu.org/software/binutils (Source for the ELF linker, ld)
https://sourceware.org/git/glibc.git (Source code for ld-linux.so)
https://github.com/elfmaster (My own ELF hacking related research)
https://github.com/elfmaster/linker_preloading_virus (My first custom ELF interpreter)
https://musl.libc.org/
https://github.com/bminor/binutils-gdb (GDB; these folks really don't get enough credit)
--Books--
Understanding the Linux Kernel (great book on kernel internals)
Learning Linux Binary Analysis (elfmaster)
Advanced Programming in the UNIX Environment (W. Richard Stevens)
Turbo C (an old book from the 80s that I learned C from)
Presenters:
Ryan "ElfMaster" O'Neill, CTO at Arcana Technologies
Ryan "ElfMaster" O'Neill has been in the security scene since about 1997.
Ryan is well known for authoring the book "Learning Linux Binary Analysis" and for publishing many papers and technologies in the realm of binary protection, memory forensics, exploitation, security mitigations, virus design, kernel hacking and reverse engineering techniques. Ryan has been published in many of the classic journals such as Phrack, POC||GTFO, tmp.0ut and vxheaven. Much of Ryan's independent research has been published over the years on https://www.bitlackeys.org, and he has many public technologies available on https://github.com/elfmaster. Ryan is also the founder of Arcana Technologies (https://arcana-technologies.io), a threat detection company based heavily on ELF forensics research. Ryan is currently building a new ELF binary patching system for Linux to solve the world's hardest challenges in binary patching today.