Basic tips

Finding ELF format

```sh
readelf -h hotplug

└─$ xxd -c 1 -l 6 hotplug
00000000: 7f .
00000001: 45 E
00000002: 4c L
00000003: 46 F
00000004: 01 .
00000005: 01 .
```
If the last line (the sixth byte, EI_DATA at offset 0x05) is 01, then according to the ELF format the file is little endian; 02 means big endian.
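The same check done in code, as an added example rather than anything from the page: the script reads e_ident, validates the magic, and because the byte order is known only after EI_DATA has been read, it then decodes e_machine in that order and prints the matching gdb-multiarch `set arch` / `set endian` commands. The sample header is constructed in the script; `parse_elf_ident` and `make_sample_header` are names chosen for this example.

```python
import struct

# Layout of e_ident, the first 16 bytes of every ELF file.
ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA = 4, 5
CLASS_NAMES = {1: "ELF32", 2: "ELF64"}
ENDIAN_NAMES = {1: "little", 2: "big"}
# e_machine values from the ELF specification.
MACHINE_NAMES = {3: "i386", 8: "mips", 40: "arm", 62: "x86-64", 183: "aarch64"}
# Architectures this page debugs with gdb-multiarch and their `set arch` names.
GDB_ARCH = {8: "mips", 40: "arm"}


def parse_elf_ident(data: bytes) -> dict:
    """Decode class, byte order and machine type from the start of an ELF file.

    Also returns the gdb-multiarch commands (`set arch`, `set endian`) that
    match the binary, or an empty list for machines the table does not cover.
    Raises ValueError when the blob is not an ELF file or e_ident is invalid.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file (bad magic)")
    cls, endian = data[EI_CLASS], data[EI_DATA]
    if cls not in CLASS_NAMES or endian not in ENDIAN_NAMES:
        raise ValueError(f"invalid EI_CLASS/EI_DATA: {cls:#04x}/{endian:#04x}")
    # e_type and e_machine sit at offsets 16 and 18 and are stored in the byte
    # order EI_DATA announces, so the endianness byte has to be read first.
    order = "<" if endian == 1 else ">"
    _e_type, e_machine = struct.unpack_from(order + "HH", data, 16)
    gdb = []
    if e_machine in GDB_ARCH:
        gdb = [f"set arch {GDB_ARCH[e_machine]}",
               f"set endian {ENDIAN_NAMES[endian]}"]
    return {
        "class": CLASS_NAMES[cls],
        "endian": ENDIAN_NAMES[endian],
        "machine": MACHINE_NAMES.get(e_machine, f"unknown({e_machine:#x})"),
        "gdb_commands": gdb,
    }


def make_sample_header(cls: int, endian: int, e_machine: int) -> bytes:
    """Constructed test input: e_ident followed by e_type/e_machine only."""
    ident = ELF_MAGIC + bytes([cls, endian, 1, 0]) + bytes(8)
    order = "<" if endian == 1 else ">"
    return ident + struct.pack(order + "HH", 2, e_machine)  # e_type 2 = ET_EXEC


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read(64)
    else:  # no file given: use a constructed big-endian MIPS header
        blob = make_sample_header(1, 2, 8)
    for key, value in parse_elf_ident(blob).items():
        print(f"{key}: {value}")
```

Run it with a path (`python3 elfident.py hotplug`) to get the two gdb commands for a real binary; byte 4 (EI_CLASS) is reported as well, since a 64-bit target needs a different gdb setup than the 32-bit MIPS and ARM cases on this page.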

Create file image with rootFS from scratch

```sh
dd if=/dev/zero of=myimage.img bs=1M count=500
mkdir -p MountPoint
mkfs.ext2 myimage.img
mount -t ext2 -o loop myimage.img MountPoint

cp rootfs.tar MountPoint
cd MountPoint
tar -xvf rootfs.tar
df -h

cd ..            # leave the mount point first, or umount reports "target is busy"
umount MountPoint
dd if=myimage.img bs=1k | gzip -v9 > rootfs.gz
```

DD

```sh
dd bs=1 skip=THEOFFSET count=THELENGTH if=INPUTFILENAME of=OUTPUTFILENAME
file output # to check ;)
```
To cut out the "Linux kernel version 2.6.36" region we need to:
  • Get the skip offset: 3163712
  • Get the count size: 3226456 - 3163712 = 62744
```sh
dd if=1C bs=1 skip=3163712 count=62744 of=kernel_out
file kernel_out
kernel_out: DIY-Thermocam raw data (Lepton 3.x), scale 7417-5248, spot sensor temperature 0.000000,

cat kernel_out | strings | less
```
Note that `file` mismatches the raw carved blob here, which is why `strings` is used to look inside it.
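The dd carve above is just a byte-range copy, so here it is as a Python function (an added example, not code from the page), with the end-minus-start arithmetic built in, a magic-number lookup for the carved blob that reports "unknown" rather than a false match, and a minimal stand-in for the strings(1) step. The sample image and its offsets are constructed in the script; `carve`, `identify` and `printable_strings` are names chosen for this example.

```python
# Signatures commonly met when carving firmware images, checked at offset 0
# of the carved blob. These are well-known fixed magics, not page values.
KNOWN_MAGICS = [
    (b"\x7fELF", "ELF executable"),
    (b"\x1f\x8b", "gzip compressed data"),
    (b"\xfd7zXZ\x00", "xz compressed data"),
    (b"BZh", "bzip2 compressed data"),
    (b"hsqs", "SquashFS filesystem (little-endian)"),
    (b"sqsh", "SquashFS filesystem (big-endian)"),
    (b"070701", "cpio archive (newc)"),
    (b"\x27\x05\x19\x56", "U-Boot uImage"),
    (b"PK\x03\x04", "zip archive"),
]


def carve(data: bytes, skip: int, count: int = None, end: int = None) -> bytes:
    """Return data[skip:skip + count]: the same slice as dd bs=1 skip= count=.

    Give either count or end (an absolute end offset); count is then
    computed as end - skip, the subtraction done by hand in the text.
    """
    if count is None:
        if end is None or end <= skip:
            raise ValueError("need a count or an end offset past skip")
        count = end - skip
    if skip < 0 or count <= 0 or skip + count > len(data):
        raise ValueError(f"range {skip}+{count} exceeds image size {len(data)}")
    return data[skip:skip + count]


def identify(blob: bytes) -> str:
    """Magic-number lookup; answers 'unknown' instead of guessing like file(1)."""
    for magic, name in KNOWN_MAGICS:
        if blob.startswith(magic):
            return name
    return "unknown"


def printable_strings(blob: bytes, minlen: int = 4) -> list:
    """Minimal strings(1): runs of at least minlen printable ASCII bytes."""
    found, run = [], bytearray()
    for b in blob + b"\x00":  # the sentinel flushes a trailing run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= minlen:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found


# Constructed image: 64 bytes of padding, then a gzip member header followed
# by a version banner and some binary filler, ending at offset 113.
SAMPLE_IMAGE = (bytes(64) + b"\x1f\x8b\x08\x00"
                + b"Linux version 2.6.36 (build) " + b"\xff" * 16)
SAMPLE_START, SAMPLE_END = 64, 113

if __name__ == "__main__":
    blob = carve(SAMPLE_IMAGE, SAMPLE_START, end=SAMPLE_END)
    print(len(blob), "bytes:", identify(blob))
    print(printable_strings(blob))
```

For a real image, replace `SAMPLE_IMAGE` with the file contents and pass the start and end offsets your scanner reported; `carve` raises instead of silently truncating when the range runs past the end of the image, which is the usual symptom of an offset typed from the wrong listing.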

cpio unpacking

```sh
# -i extract, -d create leading directories, -m keep mtimes;
# --no-absolute-filenames strips leading "/" so nothing is written outside the cwd
cpio -idm --no-absolute-filenames < cpio
```
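To see what `-d`, `-m` and especially `--no-absolute-filenames` are protecting against, the following added example (my code, not from the page) parses a newc-format cpio archive in Python and sanitises member names the way the flag does, without writing anything to disk. The archive is constructed inside the script; `parse_newc`, `safe_member_path`, `newc_entry` and `extract_in_memory` are example names. Rejecting `..` components goes one step beyond the flag, which only strips leading slashes.

```python
NEWC_MAGIC = b"070701"
HEADER_LEN = 110  # 6-byte magic followed by 13 fields of 8 ASCII hex digits
FIELDS = ("ino", "mode", "uid", "gid", "nlink", "mtime", "filesize", "devmajor",
          "devminor", "rdevmajor", "rdevminor", "namesize", "check")


def _pad4(n: int) -> int:
    """newc pads header+name and file data to 4-byte boundaries."""
    return (n + 3) & ~3


def parse_newc(data: bytes) -> list:
    """Walk a newc archive and return (name, mode, payload) per entry."""
    entries, off = [], 0
    while off + HEADER_LEN <= len(data):
        if data[off:off + 6] != NEWC_MAGIC:
            raise ValueError(f"bad newc magic at offset {off}")
        hdr, pos = {}, off + 6
        for field in FIELDS:
            hdr[field] = int(data[pos:pos + 8], 16)
            pos += 8
        name = data[pos:pos + hdr["namesize"] - 1].decode("ascii")  # drop NUL
        data_off = off + _pad4(HEADER_LEN + hdr["namesize"])
        payload = data[data_off:data_off + hdr["filesize"]]
        off = data_off + _pad4(hdr["filesize"])
        if name == "TRAILER!!!":  # end-of-archive marker
            break
        entries.append((name, hdr["mode"], payload))
    return entries


def safe_member_path(name: str) -> str:
    """Strip leading '/' as --no-absolute-filenames does, and additionally
    refuse '..' components, so every member lands under the extraction dir."""
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError(f"refusing unsafe member name {name!r}")
    return "/".join(parts)


def newc_entry(name: str, payload: bytes, mode: int = 0o100644) -> bytes:
    """Build one newc entry (used only to construct the sample archive)."""
    name_bytes = name.encode("ascii") + b"\x00"
    fields = [1, mode, 0, 0, 1, 0, len(payload), 0, 0, 0, 0, len(name_bytes), 0]
    head = NEWC_MAGIC + "".join(f"{v:08x}" for v in fields).encode("ascii") + name_bytes
    head += bytes(_pad4(len(head)) - len(head))
    return head + payload + bytes(_pad4(len(payload)) - len(payload))


def extract_in_memory(data: bytes) -> dict:
    """Map each member's sanitised path to its payload without touching disk."""
    return {safe_member_path(name): payload
            for name, _mode, payload in parse_newc(data)}


# Constructed archive: one absolute path (what the flag guards against), one
# relative path, then the mandatory trailer entry.
SAMPLE_ARCHIVE = (newc_entry("/etc/passwd", b"root:x:0:0::/:/bin/sh\n")
                  + newc_entry("bin/busybox", b"\x7fELF" + bytes(5), 0o100755)
                  + newc_entry("TRAILER!!!", b""))

if __name__ == "__main__":
    for name, mode, payload in parse_newc(SAMPLE_ARCHIVE):
        print(f"{mode:06o} {name!r:16} -> {safe_member_path(name)} ({len(payload)} bytes)")
```

Listing an archive this way before extracting it is a cheap check for members such as `/etc/passwd` or `../x` that would otherwise overwrite files on the analysis host if cpio were run without the flag.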
Reversing Firmware (Medium)

OverlayFS

```sh
sudo docker run --privileged=true --name=firmware -p 2221:22 -p 8888:80 -p 4443:443 -p 2223:23 -it 8d319a850335

cd /tmp
mkdir lower upper workdir overlay

mount -t overlay -o lowerdir=/tmp/lower,upperdir=/tmp/upper,workdir=/tmp/workdir none /tmp/overlay

# e.g.:
mount -t overlay -o lowerdir=/tmp/firmwarefs,upperdir=/,workdir=/tmp/workdir none /tmp/overlay
chroot /tmp/overlay /bin/sh
```
OverlayFS | Programster's Blog

sasquatch

Since file doesn't recognize it, the vendor probably used a custom SquashFS magic signature. I expect that unsquashfs is also giving you an error about not being able to find a valid superblock.
Give sasquatch a try; it's a modified version of unsquashfs that attempts to support such vendor hacks.
GitHub - devttys0/sasquatch
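A way to tell "not a SquashFS at all" from "SquashFS with a vendor-modified magic" before reaching for sasquatch, as an added example that is not part of the page or of the sasquatch project: the script parses the leading fields of a version-4 superblock and, when the magic is unknown, tries both byte orders and checks whether the remaining fields are self-consistent (block_size must equal 1 << block_log, version 4, a known compressor id). That plausibility rule is my heuristic, not sasquatch's algorithm. The two sample superblocks are constructed, the swapped magic `shsq` stands in for any custom signature, and `inspect_superblock` / `make_superblock` are example names.

```python
import struct

# Standard SquashFS magics and the byte order each implies.
SQUASHFS_MAGICS = {b"hsqs": "<", b"sqsh": ">"}
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
# Leading fields of the version-4 superblock: magic, inodes, mkfs_time,
# block_size, fragments, compression, block_log, flags, no_ids, s_major, s_minor.
SB_FMT = "4sIIIIHHHHHH"
SB_LEN = struct.calcsize("<" + SB_FMT)


def _plausible(fields: tuple) -> bool:
    """Sanity rules that hold for every real v4 superblock regardless of magic."""
    _, _inodes, _t, block_size, _frags, comp, block_log, _flags, no_ids, major, _minor = fields
    return (major == 4 and 12 <= block_log <= 20 and block_size == 1 << block_log
            and comp in COMPRESSORS and no_ids >= 1)


def inspect_superblock(data: bytes) -> dict:
    """Parse a SquashFS superblock; flag vendor-modified magics instead of failing.

    With a standard magic the byte order is known. Otherwise both orders are
    tried and, if the remaining fields are plausible, the blob is reported as
    SquashFS with a non-standard magic (the case sasquatch exists for).
    """
    if len(data) < SB_LEN:
        raise ValueError("too short for a SquashFS superblock")
    magic = data[:4]
    orders = [SQUASHFS_MAGICS[magic]] if magic in SQUASHFS_MAGICS else ["<", ">"]
    for order in orders:
        fields = struct.unpack_from(order + SB_FMT, data, 0)
        if not _plausible(fields):
            continue
        standard = magic in SQUASHFS_MAGICS
        return {
            "magic": magic,
            "standard_magic": standard,
            "endian": "little" if order == "<" else "big",
            "version": f"{fields[9]}.{fields[10]}",
            "compression": COMPRESSORS[fields[5]],
            "block_size": fields[3],
            "inodes": fields[1],
            "verdict": ("SquashFS v4 with a standard magic; unsquashfs should handle it"
                        if standard else
                        "looks like SquashFS v4 with a vendor-modified magic; try sasquatch"),
        }
    raise ValueError("no valid SquashFS superblock found")


def make_superblock(magic: bytes, order: str, comp: int = 4) -> bytes:
    """Constructed v4 superblock: 42 inodes, 128 KiB blocks, given compressor."""
    return struct.pack(order + SB_FMT, magic, 42, 0, 131072, 3, comp, 17, 0, 1, 4, 0) + bytes(64)


# Constructed samples: a standard little-endian image and one where the
# vendor swapped the magic bytes (a stand-in for any custom signature).
STANDARD_IMAGE = make_superblock(b"hsqs", "<")
VENDOR_IMAGE = make_superblock(b"shsq", "<", comp=2)

if __name__ == "__main__":
    for image in (STANDARD_IMAGE, VENDOR_IMAGE):
        print(inspect_superblock(image))
```

On a real image, feed it the bytes starting at the offset where the filesystem is suspected to begin; the reported compressor also tells you which decompressor sasquatch or unsquashfs will need.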

GDB server

```sh
target:> gdbserver localhost:2000 /bin/httpd
# or
target:> ./gdbserver-7.12-mips-be-stripped localhost:5555 /bin/httpd

host :> gdb /bin/httpd
(gdb) target remote 127.0.0.1:2000
continue
stepi
next
disas "function"
```
GitHub - hugsy/gdb-static: Public repository of static GDB and GDBServer

Trace apps with qemu-mipsel-static

```sh
sudo apt-get install qemu qemu-user qemu-user-static
sudo apt-get install gdb-multiarch
sudo apt-get install 'binfmt*'

$ sudo apt-get install libc6-mipsel-cross # For MIPS-EL
$ sudo apt-get install libc6-armhf-armel-cross # For ARM

$ sudo apt-get install gcc-4.4-mipsel-linux-gnu # For MIPS-EL on Ubuntu 14.04
$ sudo apt-get install gcc-mipsel-linux-gnu # For MIPS-EL on Ubuntu 16.04
$ sudo apt-get install gcc-arm-linux-gnueabihf # For ARM

$ sudo mkdir /etc/qemu-binfmt
$ sudo ln -s /usr/mipsel-linux-gnu /etc/qemu-binfmt/mipsel # MIPSEL
$ sudo ln -s /usr/arm-linux-gnueabihf /etc/qemu-binfmt/arm # ARM

# --- execution ---
qemu-mipsel -strace ./myelf
# or
qemu-mipsel-static -strace ./myelf

# --- GDB ---
$ qemu-mipsel -g 12345 ./a.out &
# or
./qemu-mipsel-static -g 12345 /bin/httpd

$ gdb-multiarch ./a.out
(gdb) set arch mips
The target architecture is assumed to be mips
(gdb) set endian little
The target is assumed to be little endian
(gdb) target remote localhost:12345
Remote debugging using localhost:12345

(gdb) info functions

Non-debugging symbols:
0x00407360 _init
0x004073f0 _ftext
0x004075a0 CheckWanType
0x004078ac check_dhcpc
0x00407d80 CheckPPPOE
0x00407ed0 random_xid
0x004082bc send_discover
0x00408754 udhcp_checksum
0x00408884 get_raw_packet
0x00408c60 parsePacket
0x004096c8 printErr
0x004097f8 computeTCPChecksum
0x0040a100 sendPADT
0x0040a874 pktLogErrs
0x0040bca0 discovery
0x0040c020 openInterface
0x0040c3e4 sendPacket
0x0040c498 receivePacket

(...)
```
Cross debugging for ARM / MIPS ELF with QEMU/toolchain (Reverse Engineering Stack Exchange)

Mips binaries

GitHub - darkerego/mips-binaries: Various binaries for the mips architecture.
gdb-static-cross/prebuilt at master · stayliv3/gdb-static-cross