Status Updates From Learning Linux Binary Analysis

better ABRT/SEGV core dumps via ExtendedCoreFileSnapshot (ECFS)

ECFS exams:
・process cloaking: Saruman injects complete, dyn linked PIE executable into exist. process addr space (ftpd, sshd,…) w own thread
・Azazel
・extract parasite
・valid PLT/GOT

Kernel:
・brief chapters on detecting sys_call_table infection, intr handler patch, fun trampoline, debug register rootkit, kprobe, VFS rootkit, infected driver
・taskverse

・anti-debug: detect emulator(!), false disassembly, crypto, ctrl flow integrity, self-ptrace
・identify ctrl flow hijack: entry point, .ctors/.init_array, plt/got hooks, function trampolines
・id parasite code: position indep. code, direct syscalls, int3, atypical compiler code
・id (reverse) text padding
・mem forensics: /proc/$pid/maps, stack,…
・id .so injection: __libc_dlopen_mode, ptrace, vdso
・core files, eu-readelf

nice read so far:
- basic tools: readelf, objdump, gdb, ...
- Linux ELF "Executable and Linkable Format": file types, headers, symbols, relocations, dynamic linking, talks both 32 and 64 bit;
I watch https://www.youtube.com/playlist?list... in parallel (see ELF)
- process tracing (ptrace)
- ELF viruses: infection methods, anti-debugging

many C and assembler (GAS syntax) code examples