Malware Handbook

Analyzing an ELF File

Overview of ELF Files

  • ELF (Executable and Linkable Format) is the native binary format for executables, shared objects (.so) and object files on Linux and most other Unix-like systems; the samples on this page are Linux executables.

  • Basic Linux command-line skills (navigating the file system, running commands, reading man pages) are needed to analyze ELF files.

Tools for Dynamic Analysis

  1. strace:

    • Traces the system calls a process makes: the kernel-level interface used for file, process and network operations.

    • Useful for seeing how the sample interacts with the system (files it opens or writes, processes it spawns, addresses it connects to). Works on statically and dynamically linked binaries alike.

  2. ltrace:

    • Traces the calls a process makes into dynamically linked libraries such as libc (the user-space API layer).

    • Complements strace with higher-level detail (string functions, memory allocation, crypto library calls). It only sees calls through shared libraries, so a statically linked sample produces no ltrace output.

  3. gdb (GNU Debugger):

    • Command-line debugger for inspecting and controlling the execution of a program: breakpoints, single-stepping, reading registers and memory.

  4. IDA Free:

    • Used for disassembling and decompiling ELF files.

    • The decompiler in IDA Free is cloud-based: the pseudocode is generated on Hex-Rays servers, so it requires a real internet connection, which conflicts with the isolated-network setup used for dynamic analysis (see step 5 below).

Steps for Analysis

  1. Initial File Identification:

    • Open a terminal and identify the file type (architecture, 32/64-bit, statically or dynamically linked, stripped or not) using:

      file RE_Linux
    • Look for readable strings in the sample (URLs, IP addresses, file paths, shell commands, library and function names) using:

      strings RE_Linux
    • Generate file hashes to record as indicators of compromise (IOCs) using:

      md5sum RE_Linux
      sha256sum RE_Linux
  2. Set File Permissions:

    • Add execute permission if it is not already set (the sample cannot be traced or debugged otherwise):

      chmod +x RE_Linux
  3. Dynamic Analysis Using strace and ltrace:

    • Both tools actually execute the sample, so run them only inside the isolated VM, with FakeNet capturing traffic and a clean snapshot to revert to afterwards.

    • Run the sample with ltrace:

      ltrace ./RE_Linux
    • Run the sample with strace:

      strace ./RE_Linux
    • ltrace shows the library (user-space API) calls, while strace logs the system calls: file, process and network operations that show how the sample interacts with the system. Add -f to either tool to follow child processes the sample spawns, and -o <file> to write the trace to a file for later review.

  4. Disassembly and Debugging with IDA Free:

    • Open the sample in IDA Free and let it load the file as an ELF.

    • Set a breakpoint at the start of the main function (if the binary is stripped and main cannot be found, start from the entry point instead).

    • Start the debugger and step through the code using:

      • F8: Step Over (execute a call without entering it)

      • F7: Step Into (follow the call into the called function)

  5. Handling the Cloud-Based Decompiler:

    • Internet Connection: the Hex-Rays cloud decompiler needs real connectivity, but the REMnux lab normally has FakeNet intercepting all traffic. Stop FakeNet before decompiling, and never run the sample (no strace, ltrace or debugger sessions) while the VM has a live connection; turn FakeNet back on before returning to dynamic analysis.

    • Restart DNS Service: if name resolution still fails after FakeNet is stopped, restart the resolver so the system picks up its normal DNS settings again:

      sudo systemctl restart systemd-resolved
    • Decompile: in IDA Free, place the cursor inside a function and go to View > Open subviews > Pseudocode (F5) to see the decompiled source.

  6. Snapshot and Restore:

    • Take a snapshot of the VM before running the sample for the first time (before step 3), and revert to it after each run, so artifacts from one execution (dropped files, modified configuration, persistence entries) do not pollute the next.
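The steps above can be scripted so that every sample gets the same triage and the trace logs are reduced to the events that matter first. The script below is an added example for this page, not code from the Malware Handbook; it assumes a Linux analysis VM with coreutils, uses strings, strace and ltrace only when they are installed, and the file name RE_Linux and the strace lines produced by demo_strace_log are constructed for illustration. The static functions run safely anywhere; dynamic_trace executes the sample and belongs inside the isolated, snapshotted VM with FakeNet up.

```shell
#!/bin/sh
# elf_triage.sh - added example for this page, not code from the Malware Handbook.
# Assumes a Linux analysis VM (REMnux-style) with coreutils; strings(1), strace
# and ltrace are optional and only used when installed. The sample name RE_Linux
# and every log line in demo_strace_log are constructed for illustration.
# Run dynamic_trace ONLY inside an isolated, snapshotted VM with FakeNet running.
export LC_ALL=C   # deterministic sort/grep/tr behaviour regardless of locale

# Step 1: check the magic bytes (\x7fELF) yourself; the extension and even the
# `file` guess can be wrong, and strace/ltrace would happily exec a shell script.
is_elf() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Hashes to record as IOCs; prints "<md5> <sha256>" on one line.
sample_hashes() {
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha256sum "$1" | cut -d' ' -f1)"
}

# Printable runs of at least 8 bytes from the whole file (-a), with a tr fallback
# when binutils is missing; then keep only what deserves a second look:
# URLs, IPv4 addresses and absolute paths under the usual drop/persistence dirs.
ioc_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings -a -n 8 "$1"
    else
        tr -c '[:print:]' '\n' < "$1" | grep -E '.{8,}'
    fi | grep -E 'https?://|([0-9]{1,3}\.){3}[0-9]{1,3}|^/(etc|tmp|dev|proc|var|home|root)/' | sort -u
}

# Step 3: run the sample under strace and ltrace with a hard time limit, writing
# the traces to files (-o) and following child processes (-f).
dynamic_trace() {   # dynamic_trace <sample> <outdir> [seconds]
    is_elf "$1" || { echo "refusing to run $1: not an ELF" >&2; return 1; }
    mkdir -p "$2" && chmod +x "$1"
    timeout "${3:-60}" strace -f -tt -s 256 -o "$2/strace.log" "$1"
    timeout "${3:-60}" ltrace -f -S -o "$2/ltrace.log" "$1"
    summarize_strace "$2/strace.log"
}

# Reduce a strace -f -tt log to the three things to look at first:
# what was executed, what was written, and where it tried to connect.
summarize_strace() {
    grep 'execve("' "$1" | sed -E 's/.*execve\("([^"]+)".*/exec \1/'
    grep -E 'open(at)?\(.*O_(WRONLY|RDWR|CREAT)' "$1" | sed -E 's/.*open(at)?\([^"]*"([^"]+)".*/write \2/'
    grep 'connect(' "$1" | sed -E 's/.*htons\(([0-9]+)\).*inet_addr\("([^"]+)"\).*/connect \2:\1/'
}

# Constructed strace output (not from a real sample) so the summarizer can be
# exercised without executing anything; FakeNet would answer the connect in a lab.
demo_strace_log() {
cat <<'EOF'
1234  12:00:00.000001 execve("./RE_Linux", ["./RE_Linux"], 0x7ffd3c9e1a80 /* 20 vars */) = 0
1234  12:00:00.000100 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1234  12:00:00.000200 openat(AT_FDCWD, "/tmp/.cache_x", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 4
1234  12:00:00.000300 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
1234  12:00:00.000400 connect(5, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("203.0.113.10")}, 16) = -1 ECONNREFUSED (Connection refused)
1234  12:00:00.000500 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f1c2d4b1a10) = 1235
1235  12:00:00.000600 execve("/bin/sh", ["sh", "-c", "id"], 0x55d2a8e6b2c0 /* 20 vars */) = 0
EOF
}

# Usage: ./elf_triage.sh RE_Linux            (static triage only)
#        ./elf_triage.sh RE_Linux out/       (also trace it, inside the isolated VM)
if [ $# -gt 0 ]; then
    is_elf "$1" && echo "ELF magic OK" || echo "WARNING: $1 is not an ELF"
    file "$1"; sample_hashes "$1"; ioc_strings "$1"
    [ $# -gt 1 ] && dynamic_trace "$1" "$2"
fi
```

summarize_strace works on any log produced with strace -f -tt, so it can also be pointed at traces collected by hand; the exec lines are where a spawned /bin/sh shows up, and the write lines are the first place to look for dropped payloads and persistence.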

Summary

  • Commands: file, strings, md5sum, sha256sum, chmod, ltrace, strace

  • Tools: IDA Free, strace, ltrace, gdb

  • Key Points: Use IDA Free for disassembly and decompilation, strace and ltrace for dynamic analysis, snapshot the VM before every run, and disable FakeNet only while decompiling, never while the sample is executing.

These steps and tools will help you analyze and understand the behavior of ELF files in a Linux environment.


Last updated 9 months ago