"Linux binary analysis" ELF binaries under --Linux forensic analysis

Detecting entry point modification techniques

The program entry point is the e_entry member of the ELF file header. The check here is whether e_entry holds an address that marks the binary as abnormally modified: in a normal executable e_entry points into the .text section (at _start), so an entry point that falls outside .text, for example into the padding at the end of the text segment, into a data segment, or into a segment that was appended to the file, is a strong indicator that injected code was wired in to run before the original entry point.

Detecting other forms of control-flow hijacking

Two concepts first: the GOT and the PLT

Global Offset Table (GOT). Each GOT entry holds the address of a global data object or function that the object module references. The compiler also emits a relocation record for every GOT entry, and at load time the dynamic linker relocates each entry so that it holds the correct absolute address. Position-independent code (PIC) reaches every global variable indirectly through the GOT, so what would be a simple data reference becomes a load of the GOT entry followed by a dereference through that pointer. Read-only data references are handled the same way, which is why PIC carries some overhead compared with ordinary code.

If an ELF executable calls any function defined in a shared library, it has its own GOT and PLT (Procedure Linkage Table). The interplay between these two sections implements lazy binding, which postpones binding a function's address until the function is first called. To support lazy binding, the first three GOT entries are reserved: GOT[0] holds the address of the .dynamic segment, which contains the information the dynamic linker needs for address binding, such as the location of the symbol table and the relocation entries; GOT[1] holds an identifier used by the dynamic linker (in glibc, a pointer to the module's link_map); and GOT[2] holds the entry point of the dynamic linker's lazy-binding resolver. Every global variable or function that lives in another module is referenced through a GOT entry of its own.

The PLT is an array of 16-byte (on 32-bit platforms) code stubs. PLT[0] is a special entry that jumps into the dynamic linker; every shared-library function called from this module gets its own entry, starting at PLT[1]. A call to such a function is compiled as a call to its PLT entry, and each entry consists of three instructions: the first is an indirect jump through the function's GOT entry; the second pushes the function's identifier (its relocation index) onto the stack; the third jumps to PLT[0], which invokes the dynamic linker to resolve the function's real address and store it in the corresponding GOT entry. Before the first call, the GOT entry holds the address of the PLT entry's second instruction, so the first jump lands on the push and the resolver runs. After the first call the GOT entry holds the function's real address, and the first jump goes straight to the function. The first call is therefore comparatively expensive, but every later call costs only one extra instruction and one indirect memory reference.

Modifying the .ctors / .init_array section

Analysis: the .ctors section holds an array of function pointers; the initialization code in the .init section calls each of them. The functions they point to are constructors (they run before main()). This means that parasitic code can modify the .ctors function pointer table so that an entry points to code injected into the binary, which is what we call

Constructor routines should always be stored in the .text section, at a particular spot within the text segment. Keep in mind that .text is only one section inside the text segment; the text segment is larger than .text, so the check is against the .text section, not the whole segment. If a .ctors entry points anywhere other than the .text section, that is highly suspicious.

Detecting PLT/GOT hooks

Detecting function trampolines

Identifying parasitic code

Checking the dynamic segment for an injected shared library (DLL injection)

Identifying reverse text padding infections

Identifying text segment padding infections

Identifying protected binaries


Source: www.cnblogs.com/mysky007/p/12500325.html