diff --git a/chapters/binary-introduction/binary-analysis/drills/easy-to-spot/sol/README.md b/chapters/binary-introduction/binary-analysis/drills/easy-to-spot/sol/README.md deleted file mode 100644 index c62c08f1..00000000 --- a/chapters/binary-introduction/binary-analysis/drills/easy-to-spot/sol/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Easy to Spot Solution - -The easies way to find the flag is by using the `strings` tool, as the flag is stored in plaintext in a variable. diff --git a/chapters/binary-introduction/binary-analysis/drills/tasks/easy-to-spot/README.md b/chapters/binary-introduction/binary-analysis/drills/tasks/easy-to-spot/README.md new file mode 100644 index 00000000..ce874ff2 --- /dev/null +++ b/chapters/binary-introduction/binary-analysis/drills/tasks/easy-to-spot/README.md @@ -0,0 +1,6 @@ +# Easy to Spot + +It's an easy challenge. +Really. + +If you're having difficulties solving this exercise, go through [this](../../../reading/static-analysis.md) reading material. diff --git a/chapters/binary-introduction/binary-analysis/drills/tasks/easy-to-spot/solution/README.md b/chapters/binary-introduction/binary-analysis/drills/tasks/easy-to-spot/solution/README.md new file mode 100644 index 00000000..102034dd --- /dev/null +++ b/chapters/binary-introduction/binary-analysis/drills/tasks/easy-to-spot/solution/README.md @@ -0,0 +1,3 @@ +# Easy to Spot Solution + +The easiest way to find the flag is by using the `strings` tool, as the flag is stored in plaintext in a variable. diff --git a/chapters/binary-introduction/binary-analysis/drills/easy-to-spot/sol/sol.sh b/chapters/binary-introduction/binary-analysis/drills/tasks/easy-to-spot/solution/sol.sh similarity index 100% rename from chapters/binary-introduction/binary-analysis/drills/easy-to-spot/sol/sol.sh rename to chapters/binary-introduction/binary-analysis/drills/tasks/easy-to-spot/solution/sol.sh 
diff --git a/chapters/binary-introduction/binary-analysis/drills/easy-to-spot/public/easy b/chapters/binary-introduction/binary-analysis/drills/tasks/easy-to-spot/support/easy similarity index 100% rename from chapters/binary-introduction/binary-analysis/drills/easy-to-spot/public/easy rename to chapters/binary-introduction/binary-analysis/drills/tasks/easy-to-spot/support/easy diff --git a/chapters/binary-introduction/binary-analysis/drills/easy-to-spot/src/Makefile b/chapters/binary-introduction/binary-analysis/drills/tasks/easy-to-spot/support/src/Makefile similarity index 100% rename from chapters/binary-introduction/binary-analysis/drills/easy-to-spot/src/Makefile rename to chapters/binary-introduction/binary-analysis/drills/tasks/easy-to-spot/support/src/Makefile diff --git a/chapters/binary-introduction/binary-analysis/drills/easy-to-spot/src/easy.c b/chapters/binary-introduction/binary-analysis/drills/tasks/easy-to-spot/support/src/easy.c similarity index 100% rename from chapters/binary-introduction/binary-analysis/drills/easy-to-spot/src/easy.c rename to chapters/binary-introduction/binary-analysis/drills/tasks/easy-to-spot/support/src/easy.c diff --git a/chapters/binary-introduction/binary-analysis/drills/tasks/ghidra-killer/README.md b/chapters/binary-introduction/binary-analysis/drills/tasks/ghidra-killer/README.md new file mode 100644 index 00000000..5379659d --- /dev/null +++ b/chapters/binary-introduction/binary-analysis/drills/tasks/ghidra-killer/README.md @@ -0,0 +1,6 @@ +# Ghidra Killer + +Some people just hate the people that use decompilers. +One of those people left you a binary, to investigate. + +If you're having difficulties solving this exercise, go through [this](../../../reading/dynamic-analysis.md) reading material. 
diff --git a/chapters/binary-introduction/binary-analysis/drills/ghidra-killer/sol/README.md b/chapters/binary-introduction/binary-analysis/drills/tasks/ghidra-killer/solution/README.md similarity index 100% rename from chapters/binary-introduction/binary-analysis/drills/ghidra-killer/sol/README.md rename to chapters/binary-introduction/binary-analysis/drills/tasks/ghidra-killer/solution/README.md diff --git a/chapters/binary-introduction/binary-analysis/drills/ghidra-killer/public/ghidra_killer b/chapters/binary-introduction/binary-analysis/drills/tasks/ghidra-killer/support/ghidra_killer similarity index 100% rename from chapters/binary-introduction/binary-analysis/drills/ghidra-killer/public/ghidra_killer rename to chapters/binary-introduction/binary-analysis/drills/tasks/ghidra-killer/support/ghidra_killer diff --git a/chapters/binary-introduction/binary-analysis/drills/ghidra-killer/src/Makefile b/chapters/binary-introduction/binary-analysis/drills/tasks/ghidra-killer/support/src/Makefile similarity index 100% rename from chapters/binary-introduction/binary-analysis/drills/ghidra-killer/src/Makefile rename to chapters/binary-introduction/binary-analysis/drills/tasks/ghidra-killer/support/src/Makefile diff --git a/chapters/binary-introduction/binary-analysis/drills/ghidra-killer/src/flag b/chapters/binary-introduction/binary-analysis/drills/tasks/ghidra-killer/support/src/flag similarity index 100% rename from chapters/binary-introduction/binary-analysis/drills/ghidra-killer/src/flag rename to chapters/binary-introduction/binary-analysis/drills/tasks/ghidra-killer/support/src/flag 
diff --git a/chapters/binary-introduction/binary-analysis/drills/ghidra-killer/src/ghidra_killer.c b/chapters/binary-introduction/binary-analysis/drills/tasks/ghidra-killer/support/src/ghidra_killer.c similarity index 100% rename from chapters/binary-introduction/binary-analysis/drills/ghidra-killer/src/ghidra_killer.c rename to chapters/binary-introduction/binary-analysis/drills/tasks/ghidra-killer/support/src/ghidra_killer.c diff --git a/chapters/binary-introduction/binary-analysis/drills/tasks/packaging-is-important/README.md b/chapters/binary-introduction/binary-analysis/drills/tasks/packaging-is-important/README.md new file mode 100644 index 00000000..6fb25d45 --- /dev/null +++ b/chapters/binary-introduction/binary-analysis/drills/tasks/packaging-is-important/README.md @@ -0,0 +1,5 @@ +# Packaging is Important + +Someone delivered you a mysterious package. + +If you're having difficulties solving this exercise, go through [this](../../../reading/static-analysis.md) reading material. diff --git a/chapters/binary-introduction/binary-analysis/drills/packaging-is-important/sol/README.md b/chapters/binary-introduction/binary-analysis/drills/tasks/packaging-is-important/solution/README.md similarity index 100% rename from chapters/binary-introduction/binary-analysis/drills/packaging-is-important/sol/README.md rename to chapters/binary-introduction/binary-analysis/drills/tasks/packaging-is-important/solution/README.md diff --git a/chapters/binary-introduction/binary-analysis/drills/packaging-is-important/public/delivery b/chapters/binary-introduction/binary-analysis/drills/tasks/packaging-is-important/support/delivery similarity index 100% rename from chapters/binary-introduction/binary-analysis/drills/packaging-is-important/public/delivery rename to chapters/binary-introduction/binary-analysis/drills/tasks/packaging-is-important/support/delivery 
diff --git a/chapters/binary-introduction/binary-analysis/drills/packaging-is-important/src/Makefile b/chapters/binary-introduction/binary-analysis/drills/tasks/packaging-is-important/support/src/Makefile similarity index 100% rename from chapters/binary-introduction/binary-analysis/drills/packaging-is-important/src/Makefile rename to chapters/binary-introduction/binary-analysis/drills/tasks/packaging-is-important/support/src/Makefile diff --git a/chapters/binary-introduction/binary-analysis/drills/packaging-is-important/src/packet.c b/chapters/binary-introduction/binary-analysis/drills/tasks/packaging-is-important/support/src/packet.c similarity index 100% rename from chapters/binary-introduction/binary-analysis/drills/packaging-is-important/src/packet.c rename to chapters/binary-introduction/binary-analysis/drills/tasks/packaging-is-important/support/src/packet.c diff --git a/chapters/binary-introduction/binary-analysis/drills/tasks/spaghetti/README.md b/chapters/binary-introduction/binary-analysis/drills/tasks/spaghetti/README.md new file mode 100644 index 00000000..afdfb47c --- /dev/null +++ b/chapters/binary-introduction/binary-analysis/drills/tasks/spaghetti/README.md @@ -0,0 +1,6 @@ +# Spaghetti + +Someone felt like cooking today. +Can you find the flag? + +If you're having difficulties solving this exercise, go through [this](../../../reading/static-analysis.md) reading material. diff --git a/chapters/binary-introduction/binary-analysis/drills/spaghetti/sol/README.md b/chapters/binary-introduction/binary-analysis/drills/tasks/spaghetti/solution/README.md similarity index 90% rename from chapters/binary-introduction/binary-analysis/drills/spaghetti/sol/README.md rename to chapters/binary-introduction/binary-analysis/drills/tasks/spaghetti/solution/README.md index b403fe53..a0b9ed5c 100644 --- a/chapters/binary-introduction/binary-analysis/drills/spaghetti/sol/README.md 
+++ b/chapters/binary-introduction/binary-analysis/drills/tasks/spaghetti/solution/README.md @@ -9,4 +9,4 @@ In this task, you must use `Ghidra` to follow the function-call graph, to find t The function call sequence, that ends with `fn11()` is the following: `fn37()` -> `fn28()` -> `fn30()` -> `fn11()`. -`fn37()` is called by enetring the `38` number. +`fn37()` is called by entering the `38` number. diff --git a/chapters/binary-introduction/binary-analysis/drills/spaghetti/public/spaghetti b/chapters/binary-introduction/binary-analysis/drills/tasks/spaghetti/support/spaghetti similarity index 100% rename from chapters/binary-introduction/binary-analysis/drills/spaghetti/public/spaghetti rename to chapters/binary-introduction/binary-analysis/drills/tasks/spaghetti/support/spaghetti diff --git a/chapters/binary-introduction/binary-analysis/drills/spaghetti/src/Makefile b/chapters/binary-introduction/binary-analysis/drills/tasks/spaghetti/support/src/Makefile similarity index 100% rename from chapters/binary-introduction/binary-analysis/drills/spaghetti/src/Makefile rename to chapters/binary-introduction/binary-analysis/drills/tasks/spaghetti/support/src/Makefile diff --git a/chapters/binary-introduction/binary-analysis/drills/spaghetti/src/flag b/chapters/binary-introduction/binary-analysis/drills/tasks/spaghetti/support/src/flag similarity index 100% rename from chapters/binary-introduction/binary-analysis/drills/spaghetti/src/flag rename to chapters/binary-introduction/binary-analysis/drills/tasks/spaghetti/support/src/flag diff --git a/chapters/binary-introduction/binary-analysis/drills/spaghetti/src/spaghetti.c b/chapters/binary-introduction/binary-analysis/drills/tasks/spaghetti/support/src/spaghetti.c similarity index 100% rename from chapters/binary-introduction/binary-analysis/drills/spaghetti/src/spaghetti.c rename to chapters/binary-introduction/binary-analysis/drills/tasks/spaghetti/support/src/spaghetti.c 
diff --git a/chapters/binary-introduction/binary-analysis/reading/dynamic-analysis.md b/chapters/binary-introduction/binary-analysis/reading/dynamic-analysis.md new file mode 100644 index 00000000..d903b0fb --- /dev/null +++ b/chapters/binary-introduction/binary-analysis/reading/dynamic-analysis.md @@ -0,0 +1,29 @@ +# Dynamic Analysis + +Dynamic analysis means observing the behaviour of the binary, while it is running. +This is performed by tracing or sandboxing. + +Tracing is the process during which various checkpoints are placed in the code, that send alerts when the execution has reached them. +Generally, the context (registers, stack, variables) is also displayed. + +Sandboxing is a more complex process, in which you isolate a binary in a virtual machine (usually), run it and observe the changes made on the system: modified files, network traffic, etc. + +Today, we are going to explore tracing. + +## strace + +`strace` shows system calls performed by a binary application. +That means opening any kind of file, reading and writing into files, `mprotect`s and other things. +It is useful to find out if the program does any changes to the system itself, or if it writes in some files. + +## ltrace + +`ltrace` shows calls to dynamic library functions, along with system calls. +It is similar to `strace`. + +## gdb + +GDB is the most powerful dynamic analysis tool available to the regular user. +It allows executing the code instruction by instruction, inspecting memory areas, changing memory areas, jumping to other pieces of code, that weren't executed normally. +GDB is best used when the user has knowledge about assembly language, which will be presented in the last 2 sessions. +For this session, GDB isn't required. diff --git a/chapters/binary-introduction/binary-analysis/reading/introduction.md b/chapters/binary-introduction/binary-analysis/reading/introduction.md new file mode 100644 index 00000000..c170b614 --- /dev/null 
+++ b/chapters/binary-introduction/binary-analysis/reading/introduction.md @@ -0,0 +1,9 @@ +# Introduction + +Today's session aims to give you some tools to analyze a binary, in order to determine what that binary does and if it can hurt your system. + +## Reminders + +- code can't just be run; +it needs to be compiled and linked, becoming an executable +- the value of most symbols is placed in the binary file, in sections, and can be observed without actually running the executable diff --git a/chapters/binary-introduction/binary-analysis/reading/README.md b/chapters/binary-introduction/binary-analysis/reading/static-analysis.md similarity index 50% rename from chapters/binary-introduction/binary-analysis/reading/README.md rename to chapters/binary-introduction/binary-analysis/reading/static-analysis.md index a659a90e..7de8d3ec 100644 --- a/chapters/binary-introduction/binary-analysis/reading/README.md +++ b/chapters/binary-introduction/binary-analysis/reading/static-analysis.md 
@@ -1,46 +1,28 @@ ---- -linkTitle: 09. Binary Analysis -type: docs -weight: 10 ---- - -# Binary Analysis - -## Reminders - -- code can't just be run; -it needs to be compiled and linked, becoming an executable -- the value of most symbols is placed in the binary file, in sections, and can be observed without actually running the executable - -## Introduction - -Today's session aims to give you some tools to analyze a binary, in order to determine what that binary does and if it can hurt your system. - -## Static Analysis +# Static Analysis Static analysis implies investigating the binary without running it. This means looking into the effective binary file for strings, symbols, interesting addresses and so on. -### strings +## strings `strings` is used to find strings in a binary file - very intuitive. It is the most basic static analysis tool available. Before any other more complex analysis takes place, a `strings` can find many hidden secrets. -### file +## file `file` is another useful tool, not only for binary analysis. It should be used before any investigation, to make sure that the binary is a binary file, and not an archive. It also shows if the executable is statically-linked (lots of strings, functions) or dynamically-linked. -#### Counter-measures +### Counter-measures For `file` there is no counter-measure to hide the data that would be found by it. For `strings`, one way to counter it is to encrypt / obfuscate important data. But keep in mind that the codified content will be visible, and can be deciphered. That's why they are, almost always, used first when analysing a binary. -### nm +## nm `nm` is used to find **symbols** - variable names, function names, and their addresses. It also shows where these symbols are placed: text (T or t), rodata (R or r), bss (B or b), etc. 
@@ -51,90 +33,31 @@ Capital-letter symbols are global, meaning they can be referenced from other obj Example: `object1.o` has a global symbol named `global_var`. `object2.o` can use `global_var`, if `object1.o` and `object2.o` are linked together. -#### Counter-measures: Strip +### Counter-measures: Strip `strip` removes all symbols from a binary file. If a binary is stripped, `nm` becomes useless. -### objdump +## objdump `objdump` is a disassembler. It takes binary files and transforms them to hexadecimal values and, where possible, assembly language. It is useful in many cases: when we want to explore the sections of a program, when we want to see what a specific function does, or when we want to make sure that the binary won't crash more complex analysis tools (!). `objdump` is a fast way to turn a binary file into more accessible format. -#### Counter-measures +### Counter-measures `objdump` is pretty good at what it must do. It becomes less helpful if the binary is large, with multiple functions that call each other and we have a hard time understanding the flow of the application. That's why it is a bad idea, generally, to break down real-life applications with `objdump`. -### Ghidra +## Ghidra `Ghidra` is a decompiler: it turns a binary file back into C code. It also does function analysis, meaning it constructs a tree of function calls. It is the best tool to understand what a binary does, without running it. -#### Counter-measures +### Counter-measures Unorthodox code, self-changing code, polymorphic code and other measures were taken by various people to counter Ghidra. [This talk](https://www.youtube.com/watch?v=HlUe0TUHOIc&ab_channel=DEFCONConference) by Christopher Domas is one of the best examples of measures taken to counter Ghidra and other decompilers. - -## Dynamic Analysis - -Dynamic analysis means observing the behaviour of the binary, while it is running. -This is performed by tracing or sandboxing. 
- -Tracing is the process during which various checkpoints are placed in the code, that send alerts when the execution has reached them. -Generally, the context (registers, stack, variables) is also displayed. - -Sandboxing is a more complex process, in which you isolate a binary in a virtual machine (usually), run it and observe the changes made on the system: modified files, network traffic, etc. - -Today, we are going to explore tracing. - -### strace - -`strace` shows system calls performed by a binary application. -That means opening any kind of file, reading and writing into files, `mprotect`s and other things. -It is useful to find out if the program does any changes to the system itself, or if it writes in some files. - -### ltrace - -`ltrace` shows calls to dynamic library functions, along with system calls. -It is similar to `strace`. - -### gdb - -GDB is the most powerful dynamic analysis tool available to the regular user. -It allows executing the code instruction by instruction, inspecting memory areas, changing memory areas, jumping to other pieces of code, that weren't executed normally. -GDB is best used when the user has knowledge about assembly language, which will be presented in the last 2 sessions. -For this session, GDB isn't required. - -## Summary - -- Static analysis is the investigation of a binary file without actually running it. -It means disassembling, decompiling the executable, or directly reading the actual contents of the executable. -- Static analysis is performed with tools like `strings`, `file`, `nm`, `Ghidra`. -- Dynamic analysis the investigation of an executable while it is running -- Dynamic analysis is performed using tools like `strace`, `ltrace`, `gdb`. - -## Activities - -### Challenge: Easy to Spot - -It's an easy challenge. -Really. - -### Challenge: Packaging is Important - -Someone delivered you a mysterious package. - -### Challenge: Ghidra Killer - -Some people just hate the people that use decompilers. 
-One of those people left you a binary, to investigate. - -### Challenge: Spaghetti - -Someone felt like cooking today. -Can you find the flag? diff --git a/chapters/binary-introduction/binary-analysis/reading/summary.md b/chapters/binary-introduction/binary-analysis/reading/summary.md new file mode 100644 index 00000000..29da11d7 --- /dev/null +++ b/chapters/binary-introduction/binary-analysis/reading/summary.md @@ -0,0 +1,7 @@ +# Summary + +- Static analysis is the investigation of a binary file without actually running it. +It means disassembling, decompiling the executable, or directly reading the actual contents of the executable. +- Static analysis is performed with tools like `strings`, `file`, `nm`, `Ghidra`. +- Dynamic analysis the investigation of an executable while it is running +- Dynamic analysis is performed using tools like `strace`, `ltrace`, `gdb`. diff --git a/config.yaml b/config.yaml index 184446a4..bfd98c8a 100644 --- a/config.yaml +++ b/config.yaml @@ -100,10 +100,10 @@ docusaurus: - Tasks: path: tasks/ subsections: - - Empty Files/: empty-files/README.md - - Find us if you can/: find-us-if-you-can/README.md - - Not your doge/: not-your-doge/README.md - - Surgical precision/: surgical-precision/README.md + - Empty Files/: empty-files/README.md + - Find us if you can/: find-us-if-you-can/README.md + - Not your doge/: not-your-doge/README.md + - Surgical precision/: surgical-precision/README.md - Demystifying the Web: - Explaining the Internet: path: chapters/demystifying-web/explaining-the-internet/ 
@@ -233,7 +233,17 @@ docusaurus: - Binary Analysis: path: chapters/binary-introduction/binary-analysis/ subsections: - - Reading: reading/README.md + - Reading: + - Introduction: reading/introduction.md + - Static Analysis: reading/static-analysis.md + - Dynamic Analysis: reading/dynamic-analysis.md + - Summary: reading/summary.md + - Drills: + - Tasks: + - Easy to spot/: drills/tasks/easy-to-spot/README.md + - Ghidra killer/: drills/tasks/ghidra-killer/README.md + - Packaging is important/: drills/tasks/packaging-is-important/README.md + - Spaghetti/: drills/tasks/spaghetti/README.md - Assembly Language: path: chapters/binary-introduction/assembly-language/ extra:
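Review bot: the move of `easy-to-spot/sol/README.md` to `solution/README.md` shows up as a delete plus an add, so `git log --follow` loses the file's history, while the other three solution READMEs in the same change are recorded as renames with 100% similarity. The only content difference is the `easies` -> `easiest` typo fix. Consider committing the rename first and the wording fix on top, so rename detection pairs the two paths.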
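Review bot: the `src/Makefile` and `sol.sh` files for all four drills (`easy-to-spot`, `ghidra-killer`, `packaging-is-important`, `spaghetti`) move unchanged (similarity index 100%), but the built binaries move from a sibling `public/` directory to the parent `support/` directory. If a Makefile emits its output to `../public/<name>` or `sol.sh` invokes `../public/easy`, those paths now dangle. Please run `make` inside each `support/src/` and execute each `solution/sol.sh` after the move, and update the relative paths if they were not already relative to `support/`.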
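Review bot: in `reading/dynamic-analysis.md`, "`ltrace` shows calls to dynamic library functions, along with system calls" is inaccurate as written: by default `ltrace` traces only calls into shared libraries (`printf`, `strcmp`, ...), and it shows system calls only when invoked with `-S`. Suggest: "`ltrace` shows calls to dynamic library functions; with `-S` it also shows system calls." In the same file, "checkpoints are placed in the code, that send alerts" would read more precisely as "breakpoints or trace points are placed in the code; when execution reaches one, the tracer stops or reports it".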
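Review bot: in the `reading/static-analysis.md` hunk, the promoted `### Counter-measures` heading sits under `## file` but its body covers both `file` and `strings`, and the closing sentence "That's why they are, almost always, used first" leaves "they" ambiguous after the sentence about codified content. Suggest `### Counter-measures for file and strings` and "That's why `file` and `strings` are almost always run first when analysing a binary." Also, the hunk drops the `linkTitle`/`type`/`weight` front matter that `reading/README.md` carried; confirm the new `reading/*.md` pages get their titles and ordering from the `config.yaml` subsections rather than from front matter, so the sidebar does not lose the "09. Binary Analysis" label.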
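Review bot: in the `spaghetti/solution/README.md` hunk, the corrected line "`fn37()` is called by entering the `38` number." reads awkwardly; suggest "`fn37()` is called by entering the number `38`."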
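Review bot: `reading/summary.md` carries over a grammar error from the removed README text: "Dynamic analysis the investigation of an executable while it is running" is missing "is" and a terminating period. Suggest "- Dynamic analysis is the investigation of an executable while it is running." The static-analysis bullet also lists `strings`, `file`, `nm`, `Ghidra` but omits `objdump`, which has its own section in `static-analysis.md`; add it so the summary matches the reading.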
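Review bot: the `config.yaml` hunk at `@@ -100,10 +100,10 @@` only re-indents the `Empty Files/`, `Find us if you can/`, `Not your doge/` and `Surgical precision/` entries of another chapter and is unrelated to the binary-analysis restructuring. Either split it into its own commit or drop it, and double-check the new indentation matches the `subsections:` nesting used by the surrounding entries, since a YAML indentation change silently alters the tree.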
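Review bot: in the `config.yaml` hunk at `@@ -233,7 +233,17 @@`, the sidebar labels `Easy to spot/`, `Ghidra killer/` and `Packaging is important/` do not match the capitalization of the task READMEs added in this patch (`# Easy to Spot`, `# Ghidra Killer`, `# Packaging is Important`), and the earlier block in this file uses title case for `Empty Files/`. Pick one convention and apply it to all four entries so the rendered navigation matches the page headings.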