Using ELF relocations for executable encryption
Prikladnaya Diskretnaya Matematika. Supplement, no. 17 (2024), pp. 131-134.

See the article record from the source Math-Net.Ru

A new approach to hiding the code of Linux executable files using the relocation table is proposed; it makes it possible to build a crypter without embedding any decryption code in the executable file. Various applications of this approach are evaluated and the corresponding crypter prototypes are implemented. The risks this approach poses to the reverse-engineering tools IDA, Ghidra and angr, as well as to antivirus software, are assessed.
Keywords: packer, malware, relocation table, ELF.
Keywords: crypter
@article{PDMA_2024_17_a32,
     author = {R. K. Lebedev and V. E. Sitnov},
     title = {Using {ELF} relocations for executable encryption},
     journal = {Prikladnaya Diskretnaya Matematika. Supplement},
     pages = {131--134},
     publisher = {mathdoc},
     number = {17},
     year = {2024},
     language = {ru},
     url = {http://geodesic.mathdoc.fr/item/PDMA_2024_17_a32/}
}
TY  - JOUR
AU  - R. K. Lebedev
AU  - V. E. Sitnov
TI  - Using ELF relocations for executable encryption
JO  - Prikladnaya Diskretnaya Matematika. Supplement
PY  - 2024
SP  - 131
EP  - 134
IS  - 17
PB  - mathdoc
UR  - http://geodesic.mathdoc.fr/item/PDMA_2024_17_a32/
LA  - ru
ID  - PDMA_2024_17_a32
ER  - 
%0 Journal Article
%A R. K. Lebedev
%A V. E. Sitnov
%T Using ELF relocations for executable encryption
%J Prikladnaya Diskretnaya Matematika. Supplement
%D 2024
%P 131-134
%N 17
%I mathdoc
%U http://geodesic.mathdoc.fr/item/PDMA_2024_17_a32/
%G ru
%F PDMA_2024_17_a32
R. K. Lebedev; V. E. Sitnov. Using ELF relocations for executable encryption. Prikladnaya Diskretnaya Matematika. Supplement, no. 17 (2024), pp. 131-134. http://geodesic.mathdoc.fr/item/PDMA_2024_17_a32/

[1] Chakkaravarthy S. S., Sangeetha D., Vaidehi V., “A survey on malware analysis and mitigation techniques”, Comput. Sci. Rev., 32 (2019), 1–23.

[2] Ugarte-Pedrero X., Balzarotti D., Santos I., Bringas P. G., “SoK: Deep packer inspection: A longitudinal study of the complexity of run-time packers”, IEEE Symp. Security and Privacy (San Jose, CA, USA), 2015, 659–673.

[3] elf(5) — Linux manual page, 2024. https://man7.org/linux/man-pages/man5/elf.5.html

[4] TEXTRELs (Text Relocations) and their impact on hardening techniques, 2016. https://flameeyes.blog/2016/01/16/textrels-text-relocations-and-their-impact-on-hardening-techniques/

[5] Executable and Linkable Format 101. Part 3: Relocations, 2018. https://intezer.com/blog/malware-analysis/executable-and-linkable-format-101-part-3-relocations/

[6] ELF handling for thread-local storage, 2013. http://people.redhat.com/drepper/tls.pdf

[7] GNU_IFUNC, 2024. https://sourceware.org/glibc/wiki/GNU_IFUNC

[8] Dirty COW (CVE-2016-5195), 2016. https://dirtycow.ninja/

[9] The Dirty Pipe Vulnerability, 2022. https://dirtypipe.cm4all.com/

[10] VirusTotal, 2024. https://www.virustotal.com/

[11] IDA Pro, 2024. https://www.hex-rays.com/ida-pro/

[12] Ghidra Software Reverse Engineering Framework, 2024. https://github.com/NationalSecurityAgency/ghidra

[13] Shoshitaishvili Y., Wang R., Salls C., et al., “SOK: (State of) The art of war: Offensive techniques in binary analysis”, IEEE Symp. Security and Privacy (San Jose, CA, USA), 2016, 138–157.