Binary Analysis Cookbook - Michael Born - E-Book

Michael Born

Description

Explore open-source Linux tools and advanced binary analysis techniques to analyze malware, identify vulnerabilities in code, and mitigate information security risks




Key Features



  • Adopt a methodological approach to binary ELF analysis on Linux


  • Learn how to disassemble binaries and understand disassembled code


  • Discover how and when to patch a malicious binary during analysis



Book Description



Binary analysis is the process of examining a binary program to determine information security actions. It is a complex, constantly evolving, and challenging topic that crosses over into several domains of information technology and security.






This binary analysis book is designed to help you get started with the basics, before gradually advancing to challenging topics. Using a recipe-based approach, this book guides you through building a lab of virtual machines and installing tools to analyze binaries effectively. You'll begin by learning about the IA32 and ELF32 as well as IA64 and ELF64 specifications. The book will then guide you in developing a methodology and exploring a variety of tools for Linux binary analysis. As you advance, you'll learn how to analyze malicious 32-bit and 64-bit binaries and identify vulnerabilities. You'll even examine obfuscation and anti-analysis techniques, analyze polymorphed malicious binaries, and get a high-level overview of dynamic taint analysis and binary instrumentation concepts.






By the end of the book, you'll have gained comprehensive insights into binary analysis concepts and have developed the foundational skills to confidently delve into the realm of binary analysis.





What you will learn



  • Traverse the IA32, IA64, and ELF specifications


  • Explore Linux tools to disassemble ELF binaries


  • Identify vulnerabilities in 32-bit and 64-bit binaries


  • Discover actionable solutions to overcome the limitations in analyzing ELF binaries


  • Interpret the output of Linux tools to identify security risks in binaries


  • Understand how dynamic taint analysis works



Who this book is for



This book is for anyone looking to learn how to dissect ELF binaries using open-source tools available in Linux. If you're a Linux system administrator or information security professional, you'll find this guide useful. Basic knowledge of Linux, familiarity with virtualization technologies and the working of network sockets, and experience in basic Python or Bash scripting will assist you with understanding the concepts in this book.

Format: EPUB

Page count: 468

Publication year: 2019




Binary Analysis Cookbook

Actionable recipes for disassembling and analyzing binaries for security risks

Michael Born

BIRMINGHAM - MUMBAI

Binary Analysis Cookbook

Copyright © 2019 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Pavan Ramchandani
Acquisition Editor: Prachi Bisht
Content Development Editor: Ronn Kurien
Senior Editor: Rahul Dsouza
Technical Editor: Komal Karne
Copy Editor: Safis Editing
Project Coordinator: Vaidehi Sawant
Proofreader: Safis Editing
Indexer: Rekha Nair
Production Designer: Nilesh Mohite

First published: September 2019

Production reference: 1190919

Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.

ISBN 978-1-78980-760-8

www.packt.com

I dedicate this book to my friend, Joe Blackshaw, for his encouragement and positive reinforcement up until he breathed his last breath. I miss you my friend and look forward to seeing you in Heaven some day. This world is not the same without you, and your friendship meant so much to me over the years, and especially while working on this project. May you truly rest in peace my friend.
 
Packt.com

Subscribe to our online digital library for full access to over 7,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals

Improve your learning with Skill Plans built especially for you

Get a free eBook or video every month

Fully searchable for easy access to vital information

Copy and paste, print, and bookmark content

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks. 

Contributors

About the author

Michael Born is a senior security consultant for SecureSky, Inc. Michael has earned several industry certifications and has co-taught offensive-focused Python programming classes at OWASP AppSec USA, and AppSec Europe. He enjoys coding in Python, IA32, IA64, PowerShell, participating in, and designing, capture the flag (CTF) challenges, teaching and mentoring others looking to embark on a career in information security, and presenting on various information security topics at local chapters of well-known information security groups. Michael has served on the chapter board for his local OWASP chapter, is a lifetime OWASP member, and participates in the local DC402 group.

I would like to thank my wife and children for their patience, support, love, and encouragement throughout this process, during what was already a challenging year for us. Thank you also to my friends in DC402, OWASP, and my colleagues across the U.S. for their continued encouragement and support. Finally, thank you to my Heavenly Father, for your love, grace, and the talents you bless each of us with. To you be the glory forever and ever. Amen.

About the reviewer

Andrew Freeborn has been involved in security and IT for over 20 years across multiple industries and countries. By anticipating the latest threats with the help of research, he specializes in looking at things from the perspective of an attacker in order to identify specific threats in each organization. Andrew enjoys speaking at conferences, learning, and baking.

I would like to thank my family for their love and support, and Michael for providing me with this amazing opportunity.

Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Title Page

Copyright and Credits

Binary Analysis Cookbook

Dedication

About Packt

Why subscribe?

Contributors

About the author

About the reviewer

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the example code files

Download the color images

Conventions used

Sections

Getting ready

How to do it…

How it works…

There's more…

See also

Get in touch

Reviews

Setting Up the Lab

Installing VirtualBox on Windows

Getting ready

How to do it...

How it works...

There's more...

See also

Installing VirtualBox on Mac

Getting ready

How to do it...

How it works...

There's more...

See also

Installing VirtualBox on Ubuntu

Getting ready

How to do it...

How it works...

There's more...

See also

Installing a 32-bit Ubuntu 16.04 LTS Desktop virtual machine

Getting ready

How to do it...

How it works...

There's more...

See also

Installing a 64-bit Ubuntu 16.04 LTS Desktop virtual machine

Getting ready

How to do it...

How it works...

There's more...

See also

Installing the dependencies and the tools

Getting ready

How to do it...

How it works...

There's more...

See also

Installing the code examples

Getting ready

How to do it...

How it works...

There's more...

See also

Installing the EDB Debugger

Getting ready

How to do it...

How it works...

There's more...

See also

Taking a snapshot of the virtual machines

Getting ready

How to do it...

How it works...

There's more...

See also

32-bit Assembly on Linux and the ELF Specification

Technical requirements

Differences between Intel and AT&T syntax

Getting ready

How to do it...

How it works...

There's more...

See also

Introduction to the IA-32 registers

Getting ready

How to do it...

How it works...

There's more...

See also

Introducing common IA-32 instructions

Getting ready

How to do it...

How it works...

There's more...

See also

Making IA-32 system calls on Linux

Getting ready

How to do it...

How it works...

There's more...

See also

Introducing the ELF 32-bit specification

Getting ready

How to do it...

How it works...

There's more...

See also

64-bit Assembly on Linux and the ELF Specification

Technical requirements

Introducing the IA64 registers

Getting ready

How to do it...

How it works...

There's more...

See also

Introducing common IA64 instructions

Getting ready

How to do it...

How it works...

There's more...

See also

Making IA64 system calls on Linux

Getting ready

How to do it...

How it works...

There's more...

See also

Introducing the ELF 64-bit specification

Getting ready

How to do it...

How it works...

There's more...

See also

Creating a Binary Analysis Methodology

Technical requirements

Performing binary discovery

Getting ready

How to do it...

How it works...

There's more...

See also

Information gathering

Getting ready

How to do it...

How it works...

There's more...

See also

Static analysis

Getting ready

How to do it...

How it works...

There's more...

See also

Dynamic analysis

Getting ready

How to do it...

How it works...

There's more...

See also

Iterating each step

Getting ready

How to do it...

How it works...

There's more...

See also

Automating methodology tasks

Getting ready

How to do it...

How it works...

There's more...

See also

Adapting the methodology steps

Getting ready

How to do it...

How it works...

There's more...

See also

Linux Tools for Binary Analysis

Technical requirements

Using file

Getting ready

How to do it...

How it works...

There's more...

See also

Using strings

Getting ready

How to do it...

How it works...

There's more...

See also

Using readelf

Getting ready

How to do it...

How it works...

There's more...

See also

Using nm

Getting ready

How to do it...

How it works...

There's more...

See also

Using objcopy

Getting ready

How to do it...

How it works...

There's more...

See also

Using objdump

Getting ready

How to do it...

How it works...

There's more...

See also

Using ltrace and strace

Getting ready

How to do it...

How it works...

There's more...

See also

Using data duplicator (dd)

Getting ready

How to do it...

How it works...

There's more...

See also

Using the GNU Debugger (GDB)

Getting ready

How to do it...

How it works...

There's more...

See also

Using Evan's Debugger (EDB)

Getting ready

How to do it...

How it works...

There's more...

See also

Analyzing a Simple Bind Shell

Technical requirements

Performing discovery

Getting ready

How to do it...

How it works...

There's more...

See also

Gathering information

Getting ready

How to do it...

How it works...

There's more...

See also

Performing static analysis

Getting ready

How to do it...

How it works...

There's more...

See also

Using ltrace and strace

Getting ready

How to do it...

How it works...

There's more...

See also

Using GDB for dynamic analysis

Getting ready

How to do it...

How it works...

There's more...

See also

Finishing dynamic analysis

Getting ready

How to do it...

How it works...

There's more...

See also

Analyzing a Simple Reverse Shell

Technical requirements

Automating the initial phases

Getting ready

How to do it...

How it works...

There's more...

See also

Static analysis with objdump

Getting ready

How to do it...

How it works...

There's more...

See also

Editing the binary

Getting ready

How to do it...

How it works...

There's more...

See also

Using GDB TUI mode

Getting ready

How to do it...

How it works...

There's more...

See also

Continuing with dynamic analysis

Getting ready

How to do it...

How it works...

There's more...

See also

Analyzing the execve system call

Getting ready

How to do it...

How it works...

There's more...

See also

Identifying Vulnerabilities

Technical requirements

Automating the initial phases

Getting ready

How to do it...

How it works...

There's more...

See also

Extended static analysis

Getting ready

How to do it...

How it works...

There's more...

See also

Identifying hard coded credentials with ltrace

Getting ready

How to do it...

How it works...

There's more...

See also

Identifying hard coded credentials with a debugger

Getting ready

How to do it...

How it works...

There's more...

See also

Validating a stack-based buffer overflow

Getting ready

How to do it...

How it works...

There's more...

See also

Understanding Anti-Analysis Techniques

Technical requirements

Understanding signature detection

Getting ready

How to do it...

How it works...

There's more...

See also

Changing a binary's signature

Getting ready

How to do it...

How it works...

There's more...

See also

Confusing static analysis tools

Getting ready

How to do it...

How it works...

There's more...

See also

Encoding and decoding

Getting ready

How to do it...

How it works...

There's more...

See also

A Simple Reverse Shell With Polymorphism

Technical requirements

Automating the initial phases

Getting ready

How to do it...

How it works...

There's more...

See also

Performing static analysis

Getting ready

How to do it...

How it works...

There's more...

See also

Using EDB for dynamic analysis

Getting ready

How to do it...

How it works...

There's more...

See also

Analyzing deobfuscation loops

Getting ready

How to do it...

How it works...

There's more...

See also

Wrapping up dynamic analysis

Getting ready

How to do it...

How it works...

There's more...

See also

Another Book You May Enjoy

Leave a review - let other readers know what you think

Preface

Binary analysis is a fascinating topic that can take anyone on a great learning journey. To take that path, though, there has to be a beginning; there has to be an entry point for this topic. This book has been designed to be just that: a starting point for the complex world of binary analysis that will challenge you to dive deeper and to stretch your current understanding. It was my goal when starting this project to fill what I saw as a void for a point of entry into this topic and I intentionally wanted to make a book that was a beginner-friendly stepping stone into other books, white papers, and research on this topic that go much deeper in what they teach.

Who this book is for

Whether you are new to binary analysis, somewhat familiar with the topic, or work as a penetration tester or systems engineer, this book will give you the skills to build upon your current knowledge. If you've always wanted to learn Intel assembly, gain good foundational debugging skills, or see whether there are alternatives to GNU debugger (GDB), then this book is for you. We cover all of these topics, touch on some Python scripting to aid with analysis, show you GUI-based alternatives to GDB, and give you insights into the tools to use for your analysis tasks. This hands-on approach will help anyone who desires to improve their knowledge.

What this book covers

Chapter 1, Setting Up the Lab, explains how to set up a test lab for working through the recipes in this book.

Chapter 2, 32-Bit Assembly on Linux and the ELF Specification, will introduce 32-bit Intel assembly on Linux and the ELF specification for 32-bit systems.

Chapter 3, 64-Bit Assembly on Linux and the ELF Specification, will introduce 64-bit Intel assembly on Linux and the ELF specification for 64-bit systems.

Chapter 4, Creating a Binary Analysis Methodology, explains how to establish a fundamental analysis methodology and situations where some steps may be skipped.

Chapter 5, Linux Tools for Binary Analysis, will introduce you to common tools used in binary analysis.

Chapter 6, Analyzing a Simple Bind Shell, reinforces the skills gained in the previous chapter by having you analyze a 32-bit bind shell binary.

Chapter 7, Analyzing a Simple Reverse Shell, enhances your understanding of the skills and tools you have been learning about by teaching you how to analyze a 64-bit reverse shell.

Chapter 8, Identifying Vulnerabilities, includes recipes using the tools and skills learned in previous chapters to identify basic vulnerabilities in binaries.

Chapter 9, Understanding Anti-Analysis Techniques, has recipes that reinforce basic anti-analysis techniques and how to overcome them.

Chapter 10, A Simple Reverse Shell with Polymorphism, takes you through an obfuscated reverse shell analysis.

Appendix, Dynamic Taint Analysis: The 30,000 FT View, presents a very high-level and basic understanding of binary instrumentation and dynamic taint analysis. This chapter will serve as a jumping-off point into other binary analysis books that look deeper into the topic. It's freely available online for our readers and here is the link: https://static.packt-cdn.com/downloads/Dynamic_Taint_Analysis_the_30000_Foot_View.pdf.

To get the most out of this book

The reader must have a basic understanding of Linux on both 32-bit and 64-bit systems, along with a basic understanding of virtualization. Familiarity with the Linux command line and scripting languages such as Bash and Python respectively would be helpful but is not necessary. Familiarity with raw socket connections would also be helpful.

A system with at least 8 GB of RAM is recommended; 16 GB or more would be even better. Sufficient hard drive space to hold the code and two virtual machines is also necessary – as is a willingness to learn!

Download the example code files

You can download the example code files for this book from your account at www.packt.com. If you purchased this book elsewhere, you can visit www.packtpub.com/support and register to have the files emailed directly to you.

You can download the code files by following these steps:

1. Log in or register at www.packt.com.

2. Select the Support tab.

3. Click on Code Downloads.

4. Enter the name of the book in the Search box and follow the onscreen instructions.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

WinRAR/7-Zip for Windows

Zipeg/iZip/UnRarX for Mac

7-Zip/PeaZip for Linux

The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Binary-Analysis-Cookbook. In case there's an update to the code, it will be updated on the existing GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781789807608_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Save this program as ~/bac/Binary_Analysis_Cookbook/Chapter_02/32-bit/ch02-helloworld.asm."

A block of code is set as follows:

; MUL examples
mul edi
mul bx
mul cl

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

; MUL examples
mul edi
mul bx
mul cl

Any command-line input or output is written as follows:

$ apt-cache show virtualbox

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "In the new window that is displayed, click on Next > to begin the installation process."

Warnings or important notes appear like this.
Tips and tricks appear like this.

Sections

In this book, you will find several headings that appear frequently (Getting ready, How to do it..., How it works..., There's more..., and See also).

To give clear instructions on how to complete a recipe, use these sections as follows:

Getting ready

This section tells you what to expect in the recipe and describes how to set up any software or any preliminary settings required for the recipe.

How to do it…

This section contains the steps required to follow the recipe.

How it works…

This section usually consists of a detailed explanation of what happened in the previous section.

There's more…

This section consists of additional information about the recipe in order to make you more knowledgeable about the recipe.

See also

This section provides helpful links to other useful information for the recipe.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you! For more information about Packt, please visit packt.com.

Setting Up the Lab

Learning how to analyze ELF binaries is by no means a simple topic to digest. Like most subjects within the world of information security, it helps to have the correct tools at the ready in order to streamline the process for any undertaking. So, before we just dive into dissecting and analyzing ELF binaries on Linux, we need to make sure we have the appropriate environment set up to do so. This means we'll need to set up the operating systems and associated tools we will use throughout this book. Since the focus of this book is on Linux and its available tools, we will make sure to only use tools that are open source or that are available natively. I could have easily skipped this chapter entirely; however, I believe it's important for you, the reader, to understand how and where to acquire the tools that will be used throughout the examples that are presented within each chapter. For the sake of simplicity, we will use Ubuntu 16.04 LTS extensively throughout this book, partly due to the fact it is still supported, but also because it is the last LTS build of Ubuntu that makes both a 32-bit and 64-bit version available for both the Desktop and Server versions.

If you're more familiar with CentOS, you are free to use that distribution if you prefer, but the examples in this book will solely use Ubuntu 16.04, and it is your responsibility to adjust the examples as necessary for CentOS. For the most part, the only examples you'll need to adjust are the recipes for installing the tools because CentOS uses a different package manager than Ubuntu. Finally, if you are well-versed in setting up VirtualBox and virtual machines, I designed this chapter so you could skip ahead to the tools installation section once you've installed VirtualBox and the Ubuntu 16.04 LTS Desktop 32-bit and 64-bit virtual machines.
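The paragraph above leaves the adaptation for CentOS to the reader. The following script is an added example, not code from the book: it maps the Linux tools the later chapters use (file, strings, readelf, nm, objcopy, objdump, ltrace, strace, dd, and GDB, as listed in the chapter outline) to the packages that provide them, reports which guest architecture you are running in, and builds the install command for whichever package manager is present, apt-get on Ubuntu or yum on CentOS. The package names, and the assumption that nasm is the assembler for the .asm examples, are mine; check them against your distribution. EDB is not included because the book installs it in its own recipe.

```shell
#!/bin/sh
# Lab tool check for the Binary Analysis Cookbook recipes.
# Added example, not code from the book. It maps the Linux tools the book's
# chapters use to the packages that provide them and picks apt-get (Ubuntu)
# or yum (CentOS) to install what is missing. Package names and the nasm
# entry are assumptions; check them against your distribution.

# Tool -> package. binutils supplies strings, readelf, nm, objcopy and objdump;
# dd comes with coreutils. nasm is assumed for assembling the .asm examples.
pkg_for_tool() {
    case "$1" in
        file)                                echo "file" ;;
        strings|readelf|nm|objcopy|objdump)  echo "binutils" ;;
        ltrace)                              echo "ltrace" ;;
        strace)                              echo "strace" ;;
        gdb)                                 echo "gdb" ;;
        dd)                                  echo "coreutils" ;;
        nasm)                                echo "nasm" ;;
        *)                                   return 1 ;;
    esac
}

# Choose the package manager from what is on PATH: apt-get on Ubuntu,
# yum on CentOS. Fails on anything else so the caller can say so.
detect_pkg_mgr() {
    if command -v apt-get >/dev/null 2>&1; then
        echo "apt-get"
    elif command -v yum >/dev/null 2>&1; then
        echo "yum"
    else
        return 1
    fi
}

# Translate the machine type reported by uname -m into the 32-bit or
# 64-bit lab VM it corresponds to, so you know which ISO you booted.
vm_arch() {
    case "$1" in
        i386|i486|i586|i686)  echo "32-bit" ;;
        x86_64|amd64)         echo "64-bit" ;;
        *)                    echo "unsupported"; return 1 ;;
    esac
}

# Build the install command for a given package manager and package list.
install_command() {
    mgr="$1"
    shift
    case "$mgr" in
        apt-get) echo "sudo apt-get install -y $*" ;;
        yum)     echo "sudo yum install -y $*" ;;
        *)       return 1 ;;
    esac
}

# Report every tool the book uses that is not on PATH, with its package.
missing_tools() {
    for t in file strings readelf nm objcopy objdump ltrace strace gdb dd nasm; do
        if ! command -v "$t" >/dev/null 2>&1; then
            printf '%s %s\n' "$t" "$(pkg_for_tool "$t")"
        fi
    done
}

main() {
    echo "Guest architecture: $(vm_arch "$(uname -m)")"
    missing="$(missing_tools)"
    if [ -z "$missing" ]; then
        echo "All lab tools are installed."
        return 0
    fi
    echo "Missing tools (tool package):"
    echo "$missing"
    pkgs="$(echo "$missing" | awk '{ print $2 }' | sort -u | tr '\n' ' ')"
    if mgr="$(detect_pkg_mgr)"; then
        echo "Install with: $(install_command "$mgr" $pkgs)"
    else
        echo "No apt-get or yum found; install these packages by hand: $pkgs"
    fi
    return 0
}

main "$@"
```

Run it inside each guest after the base install; it prints the install command rather than executing it, so you can review the package list before giving it to a root shell. Running it again after the tools recipe is a quick way to confirm the VM is complete before taking the snapshot.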

In this chapter, we will cover the following recipes:

Installing VirtualBox on Windows

Installing VirtualBox on Mac

Installing VirtualBox on Ubuntu

Installing a 32-bit Ubuntu 16.04 LTS Desktop virtual machine

Installing a 64-bit Ubuntu 16.04 LTS Desktop virtual machine

Installing the dependencies and the tools

Installing the code examples

Installing the EDB debugger

Taking a snapshot of the virtual machines

Installing VirtualBox on Windows

The widespread availability of virtualization software makes it an easy choice for setting up a lab, whether for at-home practice or for at-work research purposes. Since we want to use freely available tools and software, VirtualBox was an easy decision when choosing virtualization software. It works on many host operating systems and has come a long way in terms of usability and stability since its earlier versions.

We will use VirtualBox 6.0 to host our Ubuntu 16.04 LTS virtual machines, which we will configure later and use extensively throughout each chapter. This recipe will get you started installing VirtualBox 6.0 on a Windows host. If you're not using Windows as your host operating system, skip ahead to the recipe for either Mac or Linux.

To perform the recipes in this book, and to install the lab and necessary tools, you'll need the following:

A laptop or a desktop computer with internet access

An Intel processor capable of virtualization (VT-x must be enabled in the firmware/BIOS settings; VirtualBox requires it for 64-bit guests)

As a minimum, 8 GB of system RAM, though 16 GB of RAM is ideal

As a minimum, 20 GB of free hard drive space, though 40 GB of free hard drive space is ideal

Either Windows, Linux, or Mac

Getting ready

You can obtain a copy of VirtualBox 6.0 from https://www.virtualbox.org/wiki/Downloads. Make sure to download the appropriate installer for Windows.

How to do it...

Use the following instructions to install VirtualBox on a host running Windows as the primary operating system:

1. Once the VirtualBox 6.0 installer has been downloaded, double-click the VirtualBox 6.0 setup executable.

2. In the new window that displays, click on Next > to begin the installation process.

3. In the Custom Setup window, you are free to change the installation location to somewhere outside of the default; otherwise, leave the defaults as they are and click Next >.

4. In the next step, leave the defaults checked, unless you have a specific reason not to, and click Next >.

5. The next setup window will warn you about temporarily disconnecting your network connection. Choose Yes to continue the installation process.

6. In the Ready to Install window, click Install.

7. Once the installation process starts, you may be prompted by Windows' User Account Control to allow installation to continue. When this window appears, click Yes.

8. You may also get another Windows Security window asking whether you want to trust software from Oracle and install the drivers on the host. Check the box that says Always trust software from "Oracle Corporation" and click Install. Checking this box tells Windows to install future drivers signed by that publisher without prompting; leave it unchecked and just click Install if you prefer to approve each driver individually.

9. Finally, once the installation process is complete, a new window will appear, asking whether you want to Start Oracle VM VirtualBox 6.0.0 after installation. Check this checkbox and click Finish.

Now that VirtualBox 6.0 is installed, we're ready to install and configure the Ubuntu 16.04 LTS virtual machines. Your Oracle VM VirtualBox Manager window should resemble the following screenshot:

How it works...

We began by downloading the appropriate installer for Windows from the VirtualBox website. Once that finished downloading, we ran the installer and navigated through the installation prompts, filling in the appropriate installation information or accepting the default installation configuration for our Windows host.

There's more...

With VirtualBox installed on Windows, you are free to adjust some of the advanced features, such as creating a private host-only network under the VirtualBox preferences menu, changing the Default Machine Folder used to store virtual machine files, setting how often VirtualBox checks for updates, tweaking the display settings, or installing the Oracle extension pack if you plan to use the features it adds, such as USB 2.0/3.0 device passthrough, VirtualBox RDP, or VM disk encryption. There are many more options that can be configured to accommodate the needs of your working environment.

See also

If this is the only host that you're going to install VirtualBox 6.0 on, please feel free to skip ahead to the Ubuntu 16.04 LTS installation for both the 32-bit and 64-bit virtual machines. Otherwise, move on to the appropriate installation instructions for either Mac or Linux.

For more information on VirtualBox 6.0 or for additional installation techniques, you can refer to the wiki at https://www.virtualbox.org/wiki.

Installing VirtualBox on Mac

Mac is just one of the operating systems on which VirtualBox runs, and the following instructions will help you to install VirtualBox on that operating system. Everyone has different tastes and comfort levels with various operating systems, so I wanted to make sure I covered the installation instructions for the three major operating systems. 

In this recipe, we'll install VirtualBox 6.0 on a Mac host. Follow these instructions if you plan to use Mac as your host operating system; otherwise, skip ahead to the Installing VirtualBox on Ubuntu recipe or view the previous recipe to install VirtualBox 6.0 on a Windows host.

Getting ready

Download a copy of VirtualBox 6.0 from https://www.virtualbox.org/wiki/Downloads. Make sure to download the appropriate installer for Mac, which should come in the form of a .dmg file.

How to do it...

The following instructions will guide you through the VirtualBox installation process on a Mac host. These instructions were performed on macOS 10.13.6 (High Sierra) without any issue:

Once downloaded, double-click on the VirtualBox disk image file to start the installation process.

The disk image will get mounted to the filesystem, and a new window will be displayed. Double-click on the VirtualBox.pkg icon beneath the "1 Double click on this icon:" text.

A new window will be displayed and may warn you about installing VirtualBox. Click on Continue.

Following this warning, the installation window will display information about the version of VirtualBox. Click on Continue to continue the installation process.

The next window will allow us to change the destination folder or location of the VirtualBox installation. The default option is fine here unless you have specific needs for your own setup. Click Change Install Location... if you need to select a new location for the VirtualBox files; otherwise, click Install.

You may get a prompt asking you to provide an administrator user's credentials. Do so, and then click Install Software.

The next window displays information indicating that the installation is complete. As long as there are no errors, VirtualBox will be installed successfully. To proceed, click on Close.

One final window may appear, asking whether you would like to keep the downloaded disk image file for VirtualBox. It's up to you how you proceed, but I recommend holding on to the downloaded VirtualBox disk image file for a little bit in case you need to go through these instructions again for some reason.

Once you're finished, you should now have the VirtualBox application in the location you chose in step 4.

As long as everything during the installation process went smoothly, you are ready to move on to the Ubuntu 16.04 LTS 32-bit and 64-bit virtual machine creation instructions. Otherwise, if you plan to install VirtualBox on other hosts, feel free to navigate to the appropriate instructions for either Windows or Linux.

How it works...

This recipe installed VirtualBox on your Mac, preparing you for configuring virtual machines in the examples in this book. During the installation process, the necessary files and libraries that help VirtualBox to run were installed on your hard drive so that when you're ready to move on to installing the Ubuntu 16.04 LTS Desktop 32-bit and 64-bit virtual machines, you will be able to do so.

There's more...

If you need to install VirtualBox on another system with a different operating system for whatever reason, feel free to jump into the installation instructions for Windows or Ubuntu Linux. Otherwise, I designed this chapter so that you can skip to the recipes that are appropriate for your lab. When you're ready, skip ahead to the Ubuntu 16.04 LTS Desktop 32-bit virtual machine installation instructions.

See also

More information about VirtualBox and some of its features have been documented at https://www.virtualbox.org/wiki.

Installing VirtualBox on Ubuntu

When installing VirtualBox on Ubuntu, you may be able to get away with using the aptitude package manager for installation. When I was doing some testing while writing these instructions, the current version of VirtualBox in the Ubuntu Xenial repositories was version 5.x. That just won't do for our needs.

Getting ready

In the event you are curious to see what version would get installed via aptitude, you can query aptitude directly via the following Terminal command:

$ apt-cache show virtualbox

The following screenshot shows the output I received when testing on Ubuntu 16.04 LTS Desktop and using Ubuntu 18.04 LTS as my host operating system:

Unfortunately, this won't work for our needs since we want to make sure VirtualBox 6.0 is installed. Therefore, we'll have to navigate through the VirtualBox website to download the appropriate installation package, which, in my case, is for Ubuntu 16.04. You can download VirtualBox 6.0 for Ubuntu from https://download.virtualbox.org/virtualbox/6.0.0/virtualbox-6.0_6.0.0-127566~Ubuntu~xenial_amd64.deb.

If, by chance, you're running Ubuntu 18.04 LTS as your host operating system, download VirtualBox from the following location: https://download.virtualbox.org/virtualbox/6.0.0/virtualbox-6.0_6.0.0-127566~Ubuntu~bionic_amd64.deb.

Once downloaded, we are ready to install VirtualBox on Ubuntu Linux.

How to do it...

Use the following instructions to install VirtualBox on a host that's running Ubuntu as the primary operating system:

Once the appropriate installation file has been downloaded, launch a Terminal and navigate to the location of the downloaded VirtualBox installation package. In my case, that would be ~/Downloads.

For Ubuntu 16.04 LTS:

$ cd Downloads/
$ sudo dpkg -i virtualbox-6.0_6.0.0-127566~Ubuntu~xenial_amd64.deb

For Ubuntu 18.04 LTS:

$ cd Downloads/
$ sudo dpkg -i virtualbox-6.0_6.0.0-127566~Ubuntu~bionic_amd64.deb

Verify that the installation worked correctly by starting VirtualBox. A simple Terminal command will do the trick:

$ virtualbox

Once VirtualBox has finished loading, navigate to Help | About VirtualBox.

A new window will display, indicating the version of VirtualBox. As long as we see that VirtualBox 6.0 is present and there were no errors during installation, we're ready to install and configure the virtual machines we will use throughout the examples in this book.
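Because the .deb is fetched straight from the web and then installed as root with dpkg -i, it is worth checking its integrity before that step. The following is an added example, not code from the book: it reads the SHA256SUMS file that VirtualBox publishes in the same download directory as the packages (https://download.virtualbox.org/virtualbox/6.0.0/SHA256SUMS) and only calls dpkg when the downloaded file's hash matches its entry. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the book): verify a downloaded VirtualBox .deb
# against the SHA256SUMS file from the same download directory before
# handing it to dpkg -i. Function names here are this example's assumptions.
#
#   wget https://download.virtualbox.org/virtualbox/6.0.0/SHA256SUMS
#   install_verified SHA256SUMS virtualbox-6.0_6.0.0-127566~Ubuntu~xenial_amd64.deb

# verify_deb SUMSFILE DEBFILE
# Returns 0 when DEBFILE's SHA-256 matches the entry for its basename in
# SUMSFILE, 1 when the hash differs, 2 when SUMSFILE has no entry for it.
verify_deb() {
    sums=$1
    deb=$2
    name=$(basename "$deb")
    # Entries look like "<hex>  <file>" or "<hex> *<file>"; the leading '*'
    # is sha256sum's binary-mode marker and must be stripped before comparing.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        return 2
    fi
    actual=$(sha256sum "$deb" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    return 1
}

# install_verified SUMSFILE DEBFILE
# Installs only on a checksum match and explains why otherwise.
install_verified() {
    if verify_deb "$1" "$2"; then
        sudo dpkg -i "$2"
    else
        rc=$?
        if [ "$rc" -eq 2 ]; then
            echo "no checksum entry for $(basename "$2") in $1; not installing" >&2
        else
            echo "checksum mismatch for $2; not installing" >&2
        fi
        return 1
    fi
}
```

The check distinguishes a corrupted or substituted file (return 1) from a sums file that simply does not list the package you downloaded (return 2), so a wrong-architecture or wrong-version download is caught as well.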

How it works...

After downloading the appropriate installation package, we used dpkg, part of Ubuntu's built-in package manager, to install the VirtualBox 6.0 package. This puts us in a great position so that we can move on to installing two different virtual machines: a 32-bit virtual machine and a 64-bit virtual machine. Both are necessary so that we can work through the examples that are presented in later chapters.

There's more...

We're not limited to installing VirtualBox 6.0 on just one operating system. If you want to set up more than one lab, say, on a desktop and a laptop, feel free to jump back to the previous recipes for installing VirtualBox 6.0 on Windows or Mac. If you do so, you'll need to run through the virtual machine creation recipes and need to install the tools, dependencies, and code examples on all of the hosts you'll use for a lab.

See also

For more information about VirtualBox and for alternate installation steps, or for additional information on some of the features that are available, consult the wiki at https://www.virtualbox.org/wiki.

Installing a 32-bit Ubuntu 16.04 LTS Desktop virtual machine

Congratulations! If you've made it this far, then you're ready to begin installing and configuring our first virtual machine. For this recipe, we'll use the 32-bit Desktop version of Ubuntu 16.04 LTS. 

In this recipe, we will work through the steps for configuring a virtual machine based on the Ubuntu 16.04 LTS Desktop 32-bit architecture. Learning about binary analysis on a 32-bit system will help us to transition much more smoothly when we dive into binaries on a 64-bit system.

Getting ready

Download the 32-bit Ubuntu 16.04 LTS Desktop ISO from the following location: http://releases.ubuntu.com/xenial/.

We've chosen Ubuntu 16.04 LTS because it is the last LTS release to contain a 32-bit image, which we will need to work through some of the 32-bit examples in later chapters.

How to do it...

The following instructions will guide you through creating and configuring Ubuntu 16.04 LTS Desktop 32-bit as a virtual machine in the newly installed VirtualBox:

Launch the VirtualBox application if it's not open already.

Once the application has launched, click on the New icon to begin configuring a new virtual machine.

A new window called Name and operating system will appear, asking you to provide a name, virtual machine folder location, type, and version. Name the virtual machine BAC32, choose a Machine Folder: location according to your storage requirements, choose Linux from the Type: drop-down, and choose Ubuntu (32-bit) from the Version: drop-down. Once complete, click on Continue.

In the Memory size window, set the memory size (RAM) options as appropriate for your hardware and click Continue. I used 2,048 MB, but leaving the default 1,024 MB setting should be sufficient for what we need.

In the Hard disk window, keep the Create a virtual hard disk now option selected and click Create.

A new window will appear titled Hard disk file type. Since, at some point in the future, we may need to switch to another virtualization platform, such as VMware Workstation, we will select VMDK (Virtual Machine Disk) and click Create.

For the Storage on physical hard disk window, we will select the Dynamically allocated option and click Continue.

In the File location and size window, choose the size of the virtual hard drive according to your storage restrictions and then click Create. I typically use 40 GB for my virtual machines in my lab and usually never fill that space. Since we selected the Dynamically allocated option in the previous step, this setting will allow us up to the amount we configure but will not use it all at once.

Now, we will return to the Oracle VM VirtualBox Manager window, where we will see our newly created virtual machine. Make sure BAC32 is highlighted along the left-hand side, and then click Settings.

The general settings window will be displayed. From here, click on the Storage icon (marked 1. in the following screenshot). Underneath Controller: IDE along the left-hand side, there will be a CD icon with the word Empty (marked 2. in the following screenshot). Click on that and a new subsection of the current window will appear along the right-hand side called Attributes. Next to the Optical Drive drop-down, click the blue CD icon (marked 3.):

In the pop-up menu that appears, select the Choose Virtual Optical Disk File option.

A file selection window will appear. Navigate to the Ubuntu 16.04 Desktop 32-bit ISO file we downloaded previously, select it, and click Open.

In the Storage settings window, click OK to accept the configuration.

In the Oracle VM VirtualBox Manager window, highlight the BAC32 virtual machine along the left-hand side and click Start. The virtual machine will boot into the Ubuntu ISO.

From here, follow the installation prompts within the virtual machine to install Ubuntu Desktop 16.04 LTS 32-bit. During the installation process, you'll see a prompt requesting you to set a hostname. In order to make it easier to see which virtual machine we're using, set the hostname to bac32. At the end of the installation process, Ubuntu will ask you to hit Enter to reboot. Do so. Once rebooted, you'll have a working virtual machine.

How it works...

This recipe installs the necessary files and configurations so that you can run a 32-bit version of Ubuntu 16.04 LTS Desktop as a virtual machine. We will use this virtual machine to work through the 32-bit recipes that are presented throughout this book.

There's more...

When you first launch into this virtual machine, you may notice that the display is incredibly small compared to the resolution of your monitor. That's because the VirtualBox Guest Additions haven't been installed. If you plan on altering the resolution of your Ubuntu virtual machines, and you want to enable copy/paste between virtual machines and your host operating system, feel free to install the Guest Additions. In the virtual machine menu bar, select Devices | Insert Guest Additions CD Image... and follow the installation prompts.

See also

If you'd like to install additional virtual machines for general curiosity, all you need is the ISO for whatever operating system you want to run as a virtual machine. Microsoft Windows offers free trials of its server software at https://www.microsoft.com/en-us/cloud-platform/windows-server-trial. Alternatively, you can install additional versions of Ubuntu by downloading the appropriate ISO file from http://releases.ubuntu.com/. CentOS, which is essentially Red Hat Linux, is available at https://wiki.centos.org/Download. All of these operating systems can run as virtual machines in VirtualBox. I recommend experimenting with various Linux operating systems and seeing which one you gravitate toward the most. If you ever want to work through binary analysis against the Windows PE format, using the various available trial versions of Microsoft Windows is the way to go, especially on a budget for a home lab.

Installing a 64-bit Ubuntu 16.04 LTS Desktop virtual machine

Machines that support 64-bit operations are the norm nowadays, so it makes sense that we cover 64-bit binary analysis more extensively in this book. In order to do so, though, we need a viable virtual machine to work through the examples that will be presented in later chapters.

The following recipe will guide you through creating and configuring Ubuntu 16.04 LTS Desktop 64-bit as a virtual machine in VirtualBox. This virtual machine will get used extensively when we work through all of the 64-bit recipes that will be presented in later chapters.

Getting ready

Using a browser, download the 64-bit Ubuntu 16.04 LTS Desktop ISO file from the following location: http://releases.ubuntu.com/xenial/.

Why 32-bit as well as 64-bit? The answer is simple. When I was diving into the subject of learning Intel assembly on Linux a few years ago, I immediately experienced the benefits of learning 32-bit first, before taking on 64-bit. Besides, once we start covering analysis in 64-bit, you may need to recall some of those 32-bit registers. Assembly is particular about the processor and operating system you're running. Because of the differences in 32-bit assembly and 64-bit assembly on Linux, we'll need both operating system architectures and a processor that supports both.

How to do it...

The following instructions will guide you through creating and configuring Ubuntu 16.04 LTS Desktop 64-bit as a virtual machine in the newly installed VirtualBox:

Open VirtualBox if it's not already open.

Once the application launches, click on the New icon to begin configuring a new virtual machine.

A new window called Name and operating system will appear, asking you to provide a name, virtual machine folder location, type, and version. Name the virtual machine BAC64, choose a Machine Folder location according to your storage needs, choose Linux from the Type: drop-down menu, and choose Ubuntu (64-bit) from the Version: drop-down menu. Once complete, click on Continue.

In the Memory size window, set the memory size (RAM) options appropriate for your hardware, and click Continue. I used 4,096 MB since this will be a 64-bit virtual machine. You are welcome to increase this amount if your own host can support it, but I wouldn't configure this setting to any lower than 4,096 MB.

In the Hard disk window, keep the Create a virtual hard disk now option selected and click Create.

A new window will appear titled Hard disk file type. Since, at some point in the future, we may need to switch to another virtualization platform, such as VMware Workstation, we will select VMDK (Virtual Machine Disk) and click Create.

For the Storage on physical hard disk window, we will select the Dynamically allocated option and click Continue.

In the File location and size window, choose the size of the virtual hard drive according to your storage restrictions and then click Create. I typically use 40 GB for my virtual machines in my lab and usually never fill that space. Since we selected the Dynamically allocated option in the previous step, this setting will allow us up to the amount we configure but will not use it all at once.

Now, we will return to the Oracle VM VirtualBox Manager window, where we will see our newly created virtual machine. Make sure BAC64 is highlighted along the left-hand side, and then click Settings.

The general settings window will be displayed. From here, click on the Storage icon (marked 1. in the following screenshot). Underneath the words Controller: IDE along the left-hand side, there will be a CD icon with the word Empty (marked 2. in the following screenshot). Click on that and a new subsection of the current window will appear along the right-hand side called Attributes. Next to the Optical Drive: drop-down, click the blue CD icon (marked 3.):

In the pop-up menu that appears, select the Choose Virtual Optical Disk File option.

A file selection window will appear. Navigate to the Ubuntu 16.04 Desktop 64-bit ISO file we downloaded previously, select it, and click Open.

In the Storage settings window, click OK to accept the configuration.

Back inside the Oracle VM VirtualBox Manager window, highlight the BAC64 virtual machine we just created along the left-hand side of the window and click the Start icon. This will start the virtual machine and will boot into the Ubuntu ISO.

Follow the installation prompts within the virtual machine to install Ubuntu Desktop 16.04 LTS 64-bit. The default options are sufficient for this book. When you're prompted to set the hostname for the installation, name it bac64. This will help us to discern which virtual machine we need to use for the examples later in this book. At the end of the installation process, Ubuntu will ask you to hit Enter to reboot. Do so. Once rebooted, you'll have a working virtual machine.
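The two VM-creation recipes above (BAC32 and BAC64) walk through the same sequence of dialogs with different values. As an added example, not code from the book, the same configuration expressed as VBoxManage commands, which makes the lab reproducible on a second host and lets you review every setting before anything is created. vm_plan only prints the commands; create_lab_vm runs them. The function names, the SATA/IDE controller layout and the sample paths are this example's assumptions; the layout mirrors what the GUI wizard produces for an Ubuntu guest (installer ISO on the IDE controller, VMDK disk on SATA).

```shell
#!/bin/sh
# Added example (not from the book): the VirtualBox 6.0 VM-creation recipe
# for BAC32 and BAC64 as VBoxManage commands instead of GUI clicks.
# Function names and the controller layout are this example's assumptions.

# vm_plan NAME OSTYPE MEM_MB DISK_MB ISO BASEDIR
#   OSTYPE is the VBoxManage OS type id: "Ubuntu" (32-bit) or "Ubuntu_64".
#   Prints one command per line so the plan can be reviewed before running.
vm_plan() {
    name=$1; ostype=$2; mem=$3; disk=$4; iso=$5; base=$6
    case "$ostype" in
        Ubuntu|Ubuntu_64) ;;
        *) echo "unsupported ostype: $ostype (expected Ubuntu or Ubuntu_64)" >&2; return 1 ;;
    esac
    vmdk="$base/$name/$name.vmdk"
    printf 'VBoxManage createvm --name "%s" --ostype "%s" --basefolder "%s" --register\n' "$name" "$ostype" "$base"
    printf 'VBoxManage modifyvm "%s" --memory %s\n' "$name" "$mem"
    # --variant Standard is the dynamically allocated VMDK the book selects
    printf 'VBoxManage createmedium disk --filename "%s" --size %s --format VMDK --variant Standard\n' "$vmdk" "$disk"
    printf 'VBoxManage storagectl "%s" --name "SATA" --add sata --controller IntelAhci\n' "$name"
    printf 'VBoxManage storageattach "%s" --storagectl "SATA" --port 0 --device 0 --type hdd --medium "%s"\n' "$name" "$vmdk"
    printf 'VBoxManage storagectl "%s" --name "IDE" --add ide\n' "$name"
    printf 'VBoxManage storageattach "%s" --storagectl "IDE" --port 0 --device 0 --type dvddrive --medium "%s"\n' "$name" "$iso"
}

# create_lab_vm  same arguments as vm_plan; runs the plan, stopping at the first failure.
create_lab_vm() {
    plan=$(vm_plan "$@") || return 1
    printf '%s\n' "$plan" | sh -e
}

# The two guests the book builds (ISO paths are placeholders; adjust to your download):
#   create_lab_vm BAC32 Ubuntu    2048 40960 "$HOME/Downloads/ubuntu-16.04-desktop-i386.iso"  "$HOME/VirtualBox VMs"
#   create_lab_vm BAC64 Ubuntu_64 4096 40960 "$HOME/Downloads/ubuntu-16.04-desktop-amd64.iso" "$HOME/VirtualBox VMs"
# then:  VBoxManage startvm BAC32   (or BAC64) to boot the Ubuntu installer.
```

The memory and disk values match the ones used in the recipes (2,048 MB for BAC32, 4,096 MB for BAC64, a 40 GB dynamically allocated VMDK for both); the hostnames bac32 and bac64 are still set inside the Ubuntu installer, as described above.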

How it works...

After acquiring the correct Ubuntu 16.04 LTS Desktop 64-bit ISO file, we told VirtualBox we wanted to create and configure a new virtual machine. VirtualBox presented various configuration options, to which we responded with the correct settings to install a 64-bit version of Ubuntu Linux as the operating system for the virtual machine. VirtualBox took those settings and guided us through the rest of the configuration options for naming the virtual machine, what size to configure the virtual hard drive at, how much virtual RAM we wanted VirtualBox to provision for this virtual machine, where to store the files associated with this virtual machine, and finally, to configure which ISO file to use for installing Ubuntu 16.04 LTS Desktop 64-bit. After all of that, we launched the virtual machine in order to actually work through the installation process for Ubuntu itself. Now, we have a working 64-bit Ubuntu virtual machine and are ready to install the tools and dependencies, along with the code examples for this book.

There's more...

If you plan on altering the resolution of this virtual machine, and you want to enable copy/paste between this virtual machine and your host operating system, feel free to install the Guest Additions. In the virtual machine menu bar, select Devices | Insert Guest Additions CD Image... and follow the installation prompts.

See also

There are many more operating systems you can install as virtual machines in VirtualBox. Windows, other Linux distributions, and virtual appliances are all available and are only limited by your research needs. I happen to like to run Windows Desktop as a virtual machine for research purposes, along with Kali Linux when I perform penetration assessments. Having both as virtual machines allows me to quickly revert back to previously saved snapshots, which we will cover later in this chapter, in order to start from a clean slate for the next penetration assessment I need to perform. I recommend doing this so that you always have a clean virtual machine to revert back to in the event something goes wrong while you're analyzing binaries or upgrading the operating system.

Installing the dependencies and the tools

Whenever we need to perform a task, our success largely depends on having the right tools. Whether it's woodworking, cleaning a house, cooking a meal, or binary analysis, making sure we have what we need will help us to work toward a completed task. The following instructions will need to be performed on both the 32-bit and 64-bit Ubuntu virtual machines. If you decided to use CentOS instead of Ubuntu, the instructions for installing the necessary tools so that you can work through the examples in this book will differ.

This recipe will walk us through installing the command-line tools we'll use in later chapters, as well as the dependencies we'll need before compiling another tool from the source in a later recipe.

Getting ready

To work through this recipe, we need to have our newly created virtual machines powered on. If your Ubuntu 32-bit and 64-bit virtual machines are powered off, power them on, wait until they both finish booting, log in, and start a Terminal program in each. Once that's complete, you are ready to follow this recipe on both virtual machines.

How to do it...

The majority of the tools we will use are installed via the command line, while others we will have to install manually by compiling the source code. With that said, however, we will need to install the dependencies before we can compile the source code. Please make sure to run these instructions on both of the virtual machines we created earlier:

Once the Terminal application is running, we'll run the following commands on both virtual machines to make sure the operating systems on each are up to date:

$ sudo apt update && sudo apt full-upgrade -y

If you're following these instructions for the 64-bit version of Ubuntu, you may see a prompt requesting you to upgrade to Ubuntu 18.04 LTS. You can ignore this for now as we want to make sure we keep Ubuntu 16.04 LTS instead.

Once the upgrade process finishes, in the same Terminal, we will run the following one-liner, which will install the tools and the dependencies that are needed for the EDB Debugger tool we will compile from the source later. Make sure this command is typed on one line, without pressing Enter until after the -y:

$ sudo apt install build-essential libemu-dev graphviz gdb python libgraphviz-dev cmake libboost-dev libqt5xmlpatterns5-dev qtbase5-dev qt5-default libqt5svg5-dev libcapstone-dev pkg-config hexedit nasm git libtool autoconf -y

As long as there were no errors, we're ready to install the code examples and EDB Debugger, which happens to be one of my favorite open source debuggers on Linux.
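Since the same commands have to be run on two guests, it is easy to end up with one VM fully provisioned and the other half done. The following added example, not code from the book, checks a guest after the apt one-liner: it confirms that the commands the installed packages should provide are on PATH, and that the guest's hostname (bac32 or bac64, as set in the earlier recipes) agrees with the kernel architecture uname -m reports. The package-to-command mapping and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the book): sanity-check a lab guest after the
# apt one-liner. The package-to-command mapping, the function names and the
# hostname/architecture pairing are this example's assumptions; bac32 and
# bac64 are the hostnames the earlier recipes set.

# Commands the installed packages should have put on $PATH
# (build-essential -> gcc/make, graphviz -> dot, libtool -> libtoolize).
LAB_TOOLS="gcc make gdb nasm git hexedit cmake python pkg-config dot libtoolize autoconf"

# missing_tools NAME...  prints each NAME not found in $PATH, one per line.
missing_tools() {
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || printf '%s\n' "$t"
    done
}

# arch_for_host HOSTNAME  prints the uname -m value expected on that guest
# (Ubuntu's 32-bit kernel reports i686, the 64-bit kernel x86_64).
arch_for_host() {
    case "$1" in
        bac32) echo i686 ;;
        bac64) echo x86_64 ;;
        *) return 1 ;;
    esac
}

# arch_ok HOSTNAME ARCH  succeeds when ARCH is what HOSTNAME should report.
arch_ok() {
    [ "$(arch_for_host "$1")" = "$2" ]
}

# check_lab_vm  runs both checks against the live guest; non-zero on any problem.
check_lab_vm() {
    rc=0
    host=$(hostname)
    arch=$(uname -m)
    if ! arch_ok "$host" "$arch"; then
        echo "hostname $host does not match architecture $arch" >&2
        rc=1
    fi
    # word splitting of LAB_TOOLS is intended here
    missing=$(missing_tools $LAB_TOOLS)
    if [ -n "$missing" ]; then
        echo "missing tools:" $missing >&2
        rc=1
    fi
    return $rc
}
```

Run check_lab_vm in a Terminal on each guest; an empty result and a zero exit status mean the one-liner completed on that VM and you are installing into the architecture you think you are.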

How it works...

By issuing these commands within the Terminal, we instructed Ubuntu to download updates and upgrade the system with fresh installations for each item that needed updating. Then, once that was finished, we instructed Ubuntu to install the various dependencies and missing tools. The -y argument instructed Ubuntu that yes, we wanted to go ahead and proceed with the upgrade, and acknowledged how much disk space the upgrade would require.

There's more...

The Terminal application is a widely used application that, by default in Ubuntu, is configured to use the Bourne again shell (Bash). Other shell programs exist and if you're a fan of dash (sh) or Z Shell (zsh), you can configure the Terminal application to use one of those by default. For the purposes of this book, though, we'll use Bash to run command-line tools.

See also

If you're interested in seeing all that Bash is capable of, you can view the man page by issuing the following command in a Terminal session:

$ man bash

To view the capabilities of sh, run the following command in a Terminal session:

$ man sh

By default, zsh isn't installed on Ubuntu 16.04 LTS. To install it, run the following command in a Terminal session:

$ sudo apt install zsh -y

Then, if you want to see common arguments or functionality, you can run the following command in a Terminal session to view the man page for zsh:

$ man zsh

Finally, we can see what additional command-line arguments are available to the aptitude package manager by running the following command within an active Terminal session:

$ man apt

Installing the code examples

This book wouldn't serve us well if we didn't have code examples to use for the recipes that are presented in later chapters. Thankfully, Packt hosts all of the code on their own GitHub repository, which will make it easier for us to retrieve the examples. This recipe will include instructions on how to retrieve the code we'll use in later recipes.

In this recipe, we'll return to a Terminal session to run some command-line utilities that will clone the code examples from my GitHub repository that I created for the purposes of this book. We will have to perform the instructions in this recipe on both the 32-bit and 64-bit Ubuntu Desktop virtual machines we created earlier in this chapter.

Getting ready

Once again, we'll need to have the Terminal application running in both of our virtual machines if it's not already. Go ahead and open it up so we can work through this recipe. Once it's open on both virtual machines, you can proceed to work through the following instructions. Remember, run these commands on both Ubuntu virtual machines.

How to do it...

Run the following commands in a Terminal as a non-root user on both the 32-bit and 64-bit Ubuntu virtual machines we created earlier in this chapter:

$ cd ~/

$ mkdir ~/bac

$ cd bac

$ git clone https://www.github.com/PacktPublishing/Binary-Analysis-Cookbook

How it works...

In the previous recipe, we installed git as one of our command-line tools so that we could use it in this recipe. We start by using the cd command to change directories to the current user's home directory, we use the mkdir command to make a new directory called bac, change directories into bac using cd