Red Teaming and Malware Analysis
@sirpedrotavaresseguranca-informatica.pt0xSI_f33d
Search…
About
Red Teaming
Cheat Sheet
Active Directory 101
Fuzzing and Web
Initial Foothold
Privilege Escalation (Privesc)
Lateral Movement (Pivoting)
Persistence
Command and Control (C&C)
Data Exfiltration
CVE & Exploits / CTF
Tools
Resources
Malware Analysis
Unpacking
Basic tips
Malware instrumentation with frida
Tools
Resources
Mobile
Tools
Reverse iOS ipa
Reverse Android APKs
Basic tips
Resources
IoT / Reverse / Firmware
Basic tips
Reverse IoT devices
Tools
Resources
Powered By GitBook
Basic tips

Finding ELF format

readelf -h hotplug
└─$ xxd -c 1 -l 6 hotplug
00000000: 7f .
00000001: 45 E
00000002: 4c L
00000003: 46 F
00000004: 01 .
00000005: 01 .
If the last line (the sixed byte) is 01, according to ELF format, 01 is little endian and 02 is big endian.

Create file image with rootFS from scratch

dd if=/dev/zero of=myimage.img bs=1M count=500
mkdir -p MountPoint
mkfs.ext2 myimage.img
mount -t ext2 -o loop myimage.img MountPoint
cp rootfs.tar MountPoint
cd MountPoint
tar -xvf rootfs.tar
df -h
umount MountPoint
dd if=myimage.img bs=1k | gzip -v9 > rootfs.gz

DD

dd bs=1 skip=THEOFFSET count=THELENGTH if=INPUTFILENAME of=OUTPUTFILENAME
file output # to check ;)
To cut the "Linux kernel version 2.6.36" we need to do:
  • Get the skip offset: 3163712
  • Get the count size: 3226456 - 3163712 = 62.744
dd if=1C bs=1 skip=3163712 count=62744 of=kernel_out
file kernel_out
kernel_out: DIY-Thermocam raw data (Lepton 3.x), scale 7417-5248, spot sensor temperature 0.000000,
cat kernel_out | strings | less

cpio unpacking

cpio -idm — no-absolute-filenames < cpio
Reversing Firmware
Medium

OverlayFS

sudo docker run --privileged=true --name=firmware -p 2221:22 -p 8888:80 -p 4443:443 -p 2223:23 -it 8d319a850335
cd /tmp
mkdir lower upper workdir overlay
mount -t overlay -o lowerdir=/tmp/lower,upperdir=/tmp/upper,workdir=/tmp/workdir none /tmp/overlay
e.g.:
mount -t overlay -o lowerdir=/tmp/firmwarefs,upperdir=/,workdir=/tmp/workdir none /tmp/overlay
chroot /tmp/overlay /bin/sh
OverlayFS | Programster's Blog

sasquatch

Since file doesn't recognize it, the vendor probably used a custom SquashFS magic signature. I expect that unsquashfs is also giving you an error about not being able to find a valid superblock.
Give sasquatch a try; it's a modified version of unsquashfs that attempts to support such vendor hacks.
GitHub - devttys0/sasquatch
GitHub

GDB server

target:> gdbserver localhost:2000 /bin/httpd
or
target:> ./gdbserver-7.12-mips-be-stripped localhost:5555 /bin/httpd
host :> gdb /bin/httpd
(gdb) target remote 127.0.0.1:2000
continue
stepi
next
disas "function"
GitHub - hugsy/gdb-static: Public repository of static GDB and GDBServer
GitHub

Trace apps with qemu-mipsel-static

sudo apt-get install qemu qemu-user qemu-user-static
sudo apt-get install gdb-multiarch
sudo apt-get install 'binfmt*'
$ sudo apt-get install libc6-mipsel-cross # For MIPS-EL
$ sudo apt-get install libc6-armhf-armel-cross # For ARM
$ sudo apt-get install gcc-4.4-mipsel-linux-gnu # For MIPS-EL on Ubuntu 14.04
$ sudo apt-get install gcc-mipsel-linux-gnu # For MIPS-EL on Ubuntu 16.04
$ sudo apt-get install gcc-arm-linux-gnueabihf # For ARM
$ sudo mkdir /etc/qemu-binfmt
$ sudo ln -s /usr/mipsel-linux-gnu /etc/qemu-binfmt/mipsel # MIPSEL
$ sudo ln -s /usr/arm-linux-gnueabihf /etc/qemu-binfmt/arm # ARM
---execution---------
qemu-mipsel -strace ./myelf
or
qemu-mipsel-static -strace ./myelf
------GDB--------
$ qemu-mipsel -g 12345 ./a.out &
or
./qemu-mipsel-static -g 12345 /bin/httpd
$ gdb-multiarch ./a.out
(gdb) set arch mips
The target architecture is assumed to be mips
(gdb) set endian little
The target is assumed to be little endian
(gdb) target remote localhost:12345
Remote debugging using localhost:12345
(gdb) info functions
Non-debugging symbols:
0x00407360 _init
0x004073f0 _ftext
0x004075a0 CheckWanType
0x004078ac check_dhcpc
0x00407d80 CheckPPPOE
0x00407ed0 random_xid
0x004082bc send_discover
0x00408754 udhcp_checksum
0x00408884 get_raw_packet
0x00408c60 parsePacket
0x004096c8 printErr
0x004097f8 computeTCPChecksum
0x0040a100 sendPADT
0x0040a874 pktLogErrs
0x0040bca0 discovery
0x0040c020 openInterface
0x0040c3e4 sendPacket
0x0040c498 receivePacket
(...)
Cross debugging for ARM / MIPS ELF with QEMU/toolchain
Reverse Engineering Stack Exchange

Mips binaries

GitHub - darkerego/mips-binaries: Various binaries for the mips architecture.
GitHub
gdb-static-cross/prebuilt at master · stayliv3/gdb-static-cross
GitHub
Mobile - Previous
Resources
Next - IoT / Reverse / Firmware
Reverse IoT devices
Last modified 11mo ago
Copy link
Outline
Finding ELF format
Create file image with rootFS from scratch
DD
cpio unpacking
OverlayFS
sasquatch
GDB server
Trace apps with qemu-mipsel-static
Mips binaries