“Andriesse is an expert in binary analysis, capable of explaining even the most complicated concepts in simple terms without dumbing things down.”
— Herbert Bos, professor of system and network security

Modern malware can increasingly obfuscate itself and thwart analysis, and we need more sophisticated methods to raise that dark curtain of knowledge—binary analysis can help. The goal of binary analysis is to determine the true properties of binary programs to understand what they really do. While reverse engineering and disassembly are critical first steps, there is much more to be learned.

Written for security engineers and hackers, this hands-on guide tackles the fascinating topics of binary analysis and instrumentation. (Working knowledge of C/C++ is recommended, and a crash course on x86-64 is included.)

Once you’ve reviewed the basic concepts and binary formats, you’ll analyze binaries using techniques like the GNU/Linux binary analysis toolchain, disassembly, and code injection. You’ll then implement profiling tools with Pin, build your own dynamic taint analysis tools with libdft, and more. Learn how to:

Parse ELF and PE binaries and build a binary loader with libbfd
Modify ELF binaries with techniques like parasitic code injection and hex editing
Build custom disassembly tools with Capstone
Use binary instrumentation to circumvent common anti-analysis tricks
Apply taint analysis to detect control hijacking and data leak attacks
Use symbolic execution to build automatic exploitation tools

Exercises at the end of each chapter help you go from understanding basic assembly to performing sophisticated binary analysis and instrumentation. Practical Binary Analysis will help you reach expert-level proficiency.

About the Author
Dennis Andriesse has a PhD in system and network security and uses binary analysis daily in his research. He is one of the main contributors to PathArmor, a control-flow integrity system that defends against control-flow hijacking attacks such as ROP. Andriesse was also one of the attack developers involved in the takedown of the GameOver Zeus P2P botnet.

THE FINEST IN GEEK ENTERTAINMENT™
www.nostarch.com
Price: $49.95 ($65.95 CDN)
Shelve In: Computers/Security
Dennis Andriesse
Foreword by Herbert Bos
Practical Binary Analysis
Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly
by Dennis Andriesse
San Francisco
Practical Binary Analysis. Copyright © 2019 by Dennis Andriesse.
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any information storage or retrieval
system, without the prior written permission of the copyright owner and the publisher.
ISBN-10: 1-59327-912-4
ISBN-13: 978-1-59327-912-7
Publisher: William Pollock
Production Editor: Riley Hoffman
Cover Illustration: Rick Reese
Interior Design: Octopod Studios
Developmental Editor: Annie Choi
Technical Reviewers: Thorsten Holz and Tim Vidas
Copyeditor: Kim Wimpsett
Compositor: Riley Hoffman
Proofreader: Paula L. Fleming
For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 1.415.863.9900; info@nostarch.com
www.nostarch.com
Library of Congress Cataloging-in-Publication Data
Names: Andriesse, Dennis, author.
Title: Practical binary analysis : build your own Linux tools for binary
instrumentation, analysis, and disassembly / Dennis Andriesse.
Description: San Francisco : No Starch Press, Inc., [2019] | Includes index.
Identifiers: LCCN 2018040696 (print) | LCCN 2018041700 (ebook) | ISBN
9781593279134 (epub) | ISBN 1593279132 (epub) | ISBN 9781593279127 (print)
| ISBN 1593279124 (print)
Subjects: LCSH: Disassemblers (Computer programs) | Binary system
(Mathematics) | Assembly languages (Electronic computers) | Linux.
Classification: LCC QA76.76.D57 (ebook) | LCC QA76.76.D57 A53 2019 (print) |
DDC 005.4/5--dc23
LC record available at https://lccn.loc.gov/2018040696
No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other
product and company names mentioned herein may be the trademarks of their respective owners. Rather
than use a trademark symbol with every occurrence of a trademarked name, we are using the names only
in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the
trademark.
The information in this book is distributed on an “As Is” basis, without warranty. While every precaution
has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any
liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or
indirectly by the information contained in it.
For Noortje and Sietse
About the Author
Dennis Andriesse has a PhD in system and network security and uses
binary analysis daily in his research. He is one of the main contributors to
PathArmor, a control-flow integrity system that defends against control-
flow hijacking attacks such as ROP. Andriesse was also one of the attack
developers involved in the takedown of the GameOver Zeus P2P botnet.
About the Technical Reviewers
Thorsten Holz is a professor in the Faculty of Electrical Engineering
and Information Technology at Ruhr-University Bochum, Germany. His
research interests include technical aspects of secure systems with a focus on
systems security. Currently, his work concentrates on reverse engineering,
automated vulnerability detection, and studying the latest attack vectors.
Tim Vidas is a student of hacking. Over the years, Tim has led the DARPA
CGC infrastructure team, championed innovation at Dell Secureworks, and
overseen CERT’s research group for digital forensics. He has a PhD from
Carnegie Mellon, many conference badges (some are black), and an Erdos-
Bacon number of 4-3. Mostly, Tim just enjoys being a father and husband.
BRIEF CONTENTS
Foreword by Herbert Bos ..... xvii
Preface ..... xxi
Acknowledgments ..... xxiii
Introduction ..... 1
PART I: BINARY FORMATS
Chapter 1: Anatomy of a Binary ..... 11
Chapter 2: The ELF Format ..... 31
Chapter 3: The PE Format: A Brief Introduction ..... 57
Chapter 4: Building a Binary Loader Using libbfd ..... 67
PART II: BINARY ANALYSIS FUNDAMENTALS
Chapter 5: Basic Binary Analysis in Linux ..... 89
Chapter 6: Disassembly and Binary Analysis Fundamentals ..... 115
Chapter 7: Simple Code Injection Techniques for ELF ..... 155
PART III: ADVANCED BINARY ANALYSIS
Chapter 8: Customizing Disassembly ..... 191
Chapter 9: Binary Instrumentation ..... 223
Chapter 10: Principles of Dynamic Taint Analysis ..... 265
Chapter 11: Practical Dynamic Taint Analysis with libdft ..... 279
Chapter 12: Principles of Symbolic Execution ..... 309
Chapter 13: Practical Symbolic Execution with Triton ..... 333
PART IV: APPENDIXES
Appendix A: A Crash Course on x86 Assembly ..... 373
Appendix B: Implementing PT_NOTE Overwriting Using libelf ..... 391
Appendix C: List of Binary Analysis Tools ..... 413
Appendix D: Further Reading ..... 417
Index ..... 421