ELF Binary Obfuscation

This document summarizes ELF binary obfuscation techniques. It discusses the ELF file format including headers, sections, segments, and address space layout randomization. It then covers the 0Pack obfuscator, which breaks debuggers by setting the entry point to 0 (NULL): the debugger falls back to the symbol table to find main and plants its initial breakpoint at the wrong address. The document details how 0Pack overwrites arbitrary bytes using R_X86_64_64 relocation entries with symbol index 0 and non-zero addends to redirect execution, and finally appends a jmp back to the original entry point so the program runs normally after the shellcode.

Uploaded by Fabrizio Curcio

ELF Binary Obfuscation

Index

ELF Structure
    Overview
    ELF Header
    Sections & Segments
    ASLR
    Dynamic Relocations

0Pack
    The beginnings
    0Pack in action
    So what happened?
    First idea
    Solution
    0Pack inner workings

Overview

Img: https://github.com/corkami/pics/blob/master/binary/elf101/elf101-64.svg
ELF Header

Code: https://code.woboq.org/userspace/glibc/elf/elf.h.html
*The program header table is an array, not a linked list: e_phnum entries of e_phentsize bytes each, starting at file offset e_phoff


Sections & Segments

Segments

    Map to one or more memory pages

    Permissions (R/W/X) are located in the program header table (p_flags)

Sections

    Purely optional

    Metadata that subdivides a segment

    Can be loaded into memory, but don't have to be

Img: https://upload.wikimedia.org
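To make the header and segment fields above concrete, here is an added example in C. It is not code from the slides or from 0Pack: it walks the ELF64 header and program header table of an in-memory image and reports the two properties a 0Pack-style binary exhibits, e_entry == 0 and a PT_LOAD segment with R+W+X permissions. Struct layouts and constants mirror glibc's elf.h but are redefined locally so the file builds without <elf.h>; the sample image is constructed inside the block and is header-only, not a loadable binary.

```c
/* Added example (not from the slides or the 0Pack project): a minimal
 * ELF64 header + program header walker over an in-memory image, with the
 * two checks a 0Pack-style binary trips: e_entry == 0 and an RWX PT_LOAD.
 * Layouts mirror glibc's elf.h; redefined here to avoid the include. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr64;                                   /* 64 bytes, same as Elf64_Ehdr */

typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} Phdr64;                                   /* 56 bytes, same as Elf64_Phdr */

enum { ET_EXEC_ = 2, ET_DYN_ = 3, PT_LOAD_ = 1, PF_X_ = 1, PF_W_ = 2, PF_R_ = 4 };

/* Scan result, returned by value so a caller can assert on the fields. */
typedef struct {
    int valid;          /* magic/class ok and the phdr table fits in the image */
    int is_pie;         /* ET_DYN: the kernel picks a random base (ASLR)      */
    int entry_is_zero;  /* e_entry == 0: execution starts at the ELF header   */
    int rwx_loads;      /* PT_LOAD segments that are readable+writable+exec   */
    int load_count;     /* all PT_LOAD segments                               */
} ElfScan;

ElfScan scan_elf(const uint8_t *img, size_t len)
{
    ElfScan s = {0};
    Ehdr64 eh;
    if (len < sizeof eh) return s;
    memcpy(&eh, img, sizeof eh);            /* memcpy: no alignment assumptions */
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2 /* ELFCLASS64 */)
        return s;
    /* The phdr table must lie inside the image; guard the multiply against overflow. */
    if (eh.e_phentsize != sizeof(Phdr64) || eh.e_phoff > len ||
        (size_t)eh.e_phnum * sizeof(Phdr64) > len - eh.e_phoff)
        return s;
    s.valid = 1;
    s.is_pie = (eh.e_type == ET_DYN_);
    s.entry_is_zero = (eh.e_entry == 0);
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Phdr64 ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_LOAD_) continue;
        s.load_count++;
        if ((ph.p_flags & (PF_R_ | PF_W_ | PF_X_)) == (PF_R_ | PF_W_ | PF_X_))
            s.rwx_loads++;
    }
    return s;
}

/* Constructed sample: a header-only ET_DYN image with one PT_LOAD whose
 * flags and e_entry are chosen by the caller. Not a runnable binary. */
size_t build_sample(uint8_t *out, size_t cap, uint64_t entry, uint32_t flags)
{
    Ehdr64 eh = {0};
    Phdr64 ph = {0};
    size_t total = sizeof eh + sizeof ph;
    if (cap < total) return 0;
    memcpy(eh.e_ident, "\x7f" "ELF\x02\x01\x01", 7);  /* 64-bit, little-endian, v1 */
    eh.e_type = ET_DYN_; eh.e_machine = 62 /* EM_X86_64 */; eh.e_version = 1;
    eh.e_entry = entry; eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = PT_LOAD_; ph.p_flags = flags; ph.p_filesz = ph.p_memsz = total;
    ph.p_align = 0x1000;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    return total;
}

/* Build and scan in one step (used by main and by the tests). */
ElfScan scan_sample(uint64_t entry, uint32_t flags)
{
    uint8_t img[256];
    size_t n = build_sample(img, sizeof img, entry, flags);
    return scan_elf(img, n);
}

int main(void)
{
    ElfScan s = scan_sample(0, PF_R_ | PF_W_ | PF_X_);   /* the 0Pack shape */
    printf("valid=%d pie=%d entry_is_zero=%d rwx_loads=%d/%d\n",
           s.valid, s.is_pie, s.entry_is_zero, s.rwx_loads, s.load_count);
    return 0;
}
```

The same scan_elf works on a real file read into memory; an entry point of 0 together with an RWX first segment is the combination worth flagging, since neither appears in a normally linked PIE.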
Address Space Layout Randomization

Randomizes the base addresses of shared libraries, of the segments of the binary itself and of the stack. For the executable this only applies to position-independent executables (ET_DYN); an ET_EXEC binary is mapped at its fixed link address.

Img: http://www.daniloaz.com/en/differences-between-aslr-kaslr-and-karl/
Dynamic Relocations

Normal x64 relocation struct (Elf64_Rel: r_offset, r_info)

Relocation struct with addend (Elf64_Rela: r_offset, r_info, r_addend)

    Relocations patch the binary at load time

    Many different relocation types exist

    Only a few ever get used

    The other ones are mostly unknown

More info: Oracle relocation list


Dynamic Relocations

Note: in a 64-bit r_info the upper 4 bytes hold the symbol table index and the lower 4 bytes the relocation type (ELF64_R_SYM and ELF64_R_TYPE in elf.h)

Img: Relocation Cheat Sheet


The beginnings

My goal:
Building a simple ELF obfuscator for ASLR binaries...

Which led to:


Oh nooo,
My debugger broke ( 。◕‿◕。 )

0Pack in action

0Pack GitHub repository


So what happened here?

1. The entrypoint is 0
2. The debugger checks whether the entrypoint is NULL
3. If true, it parses the symbol table to locate the main function
4. It sets the entrypoint to the main function
5. The debugger sets the breakpoint at the wrong address!

Img: http://www.embeddedlinux.org
So how do we get a working executable out of this?

Execution now starts here: with e_entry = 0 the kernel transfers control to the load base plus 0, which for a PIE whose first segment maps the file from offset 0 is the first byte of the ELF header itself

First idea

ELF Header seen as code

0x7f45 => jg 0x47

    The first two bytes of the ELF magic (7f 45) decode as jg rel8, a conditional short jump, landing at offset 0x47

    That is inside the program header table, which in the standard layout starts right after the 64-byte header at offset 0x40

    Change a program header value to another jump?

Solution

An R_X86_64_64 relocation writes symbol value + addend (S + A) to the target location

The symbol value can be set to 0 by using symbol index 0 (STN_UNDEF, whose value is 0)

Relocation struct with addend (Elf64_Rela)

Relocations now can overwrite any bytes: the 8-byte addend is written verbatim at r_offset

ELF ABI: https://refspecs.linuxfoundation.org


0Pack inner workings

    Set entrypoint to 0

    Set first segment to RWX

    Convert shellcode to R_X86_64_64 relocations

    Append a relative jmp to original entrypoint

    (*) Append code that erases shellcode after execution

* Not yet implemented in the poc
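The Solution slide and the inner-workings steps, carried through as an added example in C (not 0Pack's own code): shellcode is chopped into 8-byte chunks, each chunk becomes an R_X86_64_64 relocation with symbol index 0 and the chunk as addend, a rel32 jmp back to the original entry point is appended, and the relocations are then applied with the loader's S + A rule on a constructed image to confirm the bytes land. The staging address 0 (the in-memory ELF header of a PIE, where execution starts once e_entry is 0), the sample original entry 0x1040 and the inert shellcode bytes are assumptions made for the demo, not values taken from the deck.

```c
/* Added example (not 0Pack's own code): the "relocations can overwrite any
 * bytes" trick, end to end.  Symbol index 0 is STN_UNDEF with value 0, so
 * for R_X86_64_64 the loader computes S + A = 0 + A and writes the addend,
 * i.e. whatever 8 bytes we put there.  Staging address 0 and entry 0x1040
 * are assumptions for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint64_t r_offset; uint64_t r_info; int64_t r_addend; } Rela64;

#define R_X86_64_64_ 1u
#define ELF64_R_INFO_(sym, type) (((uint64_t)(sym) << 32) | ((uint64_t)(type) & 0xffffffffu))
#define ELF64_R_SYM_(info)  ((uint32_t)((info) >> 32))
#define ELF64_R_TYPE_(info) ((uint32_t)((info) & 0xffffffffu))

/* E9 disp32: displacement is relative to the end of the 5-byte jmp at `from`. */
uint32_t rel32_disp(uint64_t from, uint64_t to) { return (uint32_t)(to - (from + 5)); }

/* Chop `code` into 8-byte chunks (NOP-padded) and emit one R_X86_64_64
 * relocation per chunk, targeting vaddr + chunk offset. Returns the count,
 * or 0 if `out` is too small. */
size_t encode_as_relocs(const uint8_t *code, size_t n, uint64_t vaddr,
                        Rela64 *out, size_t cap)
{
    size_t count = 0;
    for (size_t off = 0; off < n; off += 8) {
        uint8_t chunk[8];
        uint64_t addend = 0;
        if (count == cap) return 0;
        memset(chunk, 0x90, sizeof chunk);                      /* pad with NOP */
        memcpy(chunk, code + off, n - off < 8 ? n - off : 8);
        for (int i = 7; i >= 0; i--) addend = (addend << 8) | chunk[i]; /* little-endian */
        out[count].r_offset = vaddr + off;
        out[count].r_info   = ELF64_R_INFO_(0, R_X86_64_64_);   /* sym 0 => S = 0 */
        out[count].r_addend = (int64_t)addend;
        count++;
    }
    return count;
}

/* What ld.so does for R_X86_64_64: *(u64 *)(base + r_offset) = S + A.
 * Only symbol 0 is handled (no symbol table in this demo) and r_offset is
 * used directly as an offset into `img`, i.e. first PT_LOAD at vaddr 0. */
int apply_relocs(uint8_t *img, size_t len, const Rela64 *r, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint64_t v;
        if (ELF64_R_TYPE_(r[i].r_info) != R_X86_64_64_) return -1;
        if (ELF64_R_SYM_(r[i].r_info) != 0) return -1;
        if (len < 8 || r[i].r_offset > len - 8) return -1;    /* stay in bounds */
        v = 0 /* S for STN_UNDEF */ + (uint64_t)r[i].r_addend;
        for (int b = 0; b < 8; b++) img[r[i].r_offset + b] = (uint8_t)(v >> (8 * b));
    }
    return 0;
}

/* Pipeline: shellcode followed by "jmp orig_entry", staged at stage_vaddr.
 * Returns the number of relocations applied, or -1 on failure. */
int pack_and_apply(uint8_t *img, size_t len, const uint8_t *sc, size_t sclen,
                   uint64_t stage_vaddr, uint64_t orig_entry)
{
    uint8_t stub[64];
    Rela64 relocs[16];
    uint32_t disp;
    size_t n;
    if (sclen + 5 > sizeof stub) return -1;
    memcpy(stub, sc, sclen);
    disp = rel32_disp(stage_vaddr + sclen, orig_entry);
    stub[sclen] = 0xE9;
    for (int b = 0; b < 4; b++) stub[sclen + 1 + b] = (uint8_t)(disp >> (8 * b));
    n = encode_as_relocs(stub, sclen + 5, stage_vaddr, relocs, 16);
    if (n == 0 || apply_relocs(img, len, relocs, n) != 0) return -1;
    return (int)n;
}

/* Constructed, inert sample: xor eax,eax ; inc eax ; nop */
static const uint8_t SAMPLE_SC[] = { 0x31, 0xC0, 0xFF, 0xC0, 0x90 };

/* Returns 1 when the image holds shellcode + "jmp 0x1040" after relocation. */
int demo_roundtrip(void)
{
    uint8_t img[64] = {0};                  /* stands in for the mapped ELF header */
    int n = pack_and_apply(img, sizeof img, SAMPLE_SC, sizeof SAMPLE_SC, 0, 0x1040);
    /* jmp sits at 5, next insn at 10: disp = 0x1040 - 10 = 0x1036 */
    const uint8_t want[] = { 0x31,0xC0,0xFF,0xC0,0x90, 0xE9,0x36,0x10,0x00,0x00 };
    return n == 2 && memcmp(img, want, sizeof want) == 0
        && img[10] == 0x90 && img[15] == 0x90;  /* NOP padding of the last chunk */
}

int main(void)
{
    printf("roundtrip %s\n", demo_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

Two consequences worth noting when reading a real 0Pack output: the relocation count is ceil(len/8) entries of 24 bytes each, so .rela.dyn grows noticeably relative to the code it carries, and every entry shares the same r_info (type 1, symbol 0) with r_offset values that advance by exactly 8, a pattern that never occurs in linker-generated relocations.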


Any Questions?
