What are these executables and how do they work? Why is that importance and what to do about it? Lets answer these questions!

1. A Dive Into
ELF Binaries
Null Mumbai
12rd
Jan 2019
By Bhashit Pandya

2. Who am I
● Information Security Consultant
● Scriptologist
● Not a bug hunter!!
● Explorer

3. Today we will:
● ask, why to understand them?
● know about executable files.
● peep into the internals.
● see, how to read and analyse it.
● check out some tools.

4. Its a Saturday morning!!!

5. I knew..

6. Motivation
● What if you encounter a linux bin?
● What if you are given a file to reverse and
patch the file?
● What if you have a software to crack?
● What if you know that this file is vulnerable
which can grant you a root access?

7. What are executables?
● Not a simple text files.
● Complied and linked against the syscall or
WinAPI.
● Has relocatable tables.
● Number of sections to define itself.
What are some binary file formats?

8. ELF Binary
● Initially developed by Unix System
Laboratories for ABI support for unix os.
● Named as System V Release 4 (SVR4)
● Quickly adopted by different vendors of unix
systems because of its support for
endiannesses and address size.
● Independent of CPU and instruction sets.
● In 1999, it was chosen as a standard binary
file format

9. ELF Binary Format
● It is just one of the binary format.
● Short abbrevation for Executable and Linkable
Format.
● Mostly linux executables are in ELF Format.
How to detect them? Will See..

10. ELF Structure
ELF Header
Section Headers
Program Headers
Symbol Table*
readelf -a <file>
About
Linking and
relocation
mmap()
Debuging purpose

12. It Worked!!

13. Volunteers Required
1.Candidate
2.Security Guard
3.Hiring Manager

14. ELF Parsing
1. Examine ELF Header {load_elf_binary()}
2. Loops into Program Header entries to check
for an interpreter and executable stack.
3. Initialize Program headers attributes to a
new program.
4. {flush_old_exec()} It clears up state in the
kernel that refers to prev program.
5. Location of the executable file for the
program is updated at /proc/pid/exe
6. Thread name is created using
{_set_task_comm()}
7. Kernel Memory tracking structure is
created.

15. ELF Parsing (Cont..)
1. Code loops through PT_LOAD seg and
maps to process addr space.
2.Additional pages are also being loaded such
as virtual dynamic shared object (vDSO) and
empty page for backward compatibility
reasons.
3.Security attributes are being added.
4.Final preparation for running is to setup the
rest of the stack {create_elf_tables()}

16. Loading ELF
● Check format information of ELF Header.
● Read the ELF Program Header.
● Map all the values of PT_LOAD segment into
new program memory.
● Leave space for interpreter BSS segment
(object or statically allocated var).

17. Basically Loading ELF
● Base Address
● It helps the code to load into memory.
● When ESP values are assigned to base
address, the execution of the program starts.
● The code segment of the ELF File is loaded
into the memory to execute.

18. Patching The Imported
Calls!
1. Most programs are dynamically linked.
(shared libs are to be located and linked in
run-time.)
2. The ELF Handler write ELF Interpreter
filename to a new space.
3. Loads the ELF program into memory.
4. ELF Interpreter take care of the linkage
program from the user space and resolves
the program undefined symbols.
5. The interpreter starts the execution of the
new program itself. (AT_ENTRY which holds
the entry point of text seg. which was set
during preparation)

19. Patching the calls
● Execution begins with ELF interpreter.
● Finds the linkage requirements.
● Loads those shared libs.
● Resolves the undefined symbols.
● Starts the execution of the new program.

20. Resources
Reversing and Exploiting Resources
● Infecting the Procedure Linkage Table.
● http://phrack.org/issues/56/7.html
● More about ELF
● https://smshaker.files.wordpress.com/2008/0
1/reveng-02.pdf

21. Thank you!