IoT MALWARE ANALYSIS In0de 

台科資安社 /CNYCTG6GEJPKECN ▸ Run in memory ▸ ELF Infected ▸ Anti-debug ▸ Anti-sandbox ▸ Packer ▸ ……… 

台科資安社 /CNYCTG6GEJPKECN ▸ Run in memory ▸ ELF Infected ▸ Anti-debug ▸ Anti-sandbox ▸ Packer ▸ ……… #VVCEM &GHGPF 

台科資安社 %QPVGPVU ▸ ELF Format ▸ Loader ▸ Run ELF in Memory ▸ Text Segment Infect ▸ PLT Infection ▸ Anti-debug 

台科資安社 .KPWZ15 Hardware Linux Kernel Share library Custom Library Busybox SHELL ELF Kernel Space User Space syscall 

台科資安社 '.(6TCEKPI6QQNU ▸ Structure view: ELF Parser, readelf ▸ Static analysis: IDA pro, ghidra, objdump ▸ Dynamic analysis: GDB, ltrace, strace 

台科資安社 %嵿峡罉幐篾纑 % 5 1 GNH 5QWTEGEQFG #UUGODN[EQFG 1DLGEVEQFG 'ZGEWVCDNGEQFG %QORKNG #UUGODNG .KPMGT 

台科資安社 %嵿峡罉幐篾纑 % 5 5QWTEGEQFG #UUGODN[EQFG %QORKNG KPENWFGUVFKQJ  KPVOCKP XQKF] EJCTOUIň+ O*GNNQ9QTNFʼn RTKPVH U>POUI TGVWTP _ OQXTDRTUR UWDTUR OQX3914&264=TDR?1((5'6(.#6.% OQXTCZ3914&264=TDR? OQXTFKTCZ ECNNRWVU OQXGCZ NGCXG 

台科資安社 %嵿峡罉幐篾纑 5 1 #UUGODN[EQFG 1DLGEVEQFG #UUGODNG OQXTDRTUR UWDTUR OQX3914&264=TDR?1((5'6(.#6.% OQXTCZ3914&264=TDR? OQXTFKTCZ ECNNRWVU OQXGCZ NGCXG ELF Header Section [.text] Section Header Section [.rela.text] Section [.rodata] Section [.data] Section [.bss] 

台科資安社 ELF Header Section [.text] Section Header Section [.rela.text] Section [.rodata] Section [.data] Section [.bss] Ŏ ň+ O*GNNQ9QTNFʼn %嵿峡罉幐篾纑 5 1 #UUGODN[EQFG 1DLGEVEQFG #UUGODNG 

台科資安社 %嵿峡罉幐篾纑 1 GNH 1DLGEVEQFG 'ZGEWVCDNGEQFG .KPMGT ELF Header Program Header Section [.interp] Section Header Section [.rodata] Section [.strtab] Section [.symtab] Library Info Section [.dynsym] Section [.dynstr] Section [.text] ▸ Relocation ▸ Library Link ELF Header Section [.text] Section Header Section [.rela.text] Section [.rodata] Section [.data] Section [.bss] 

台科資安社 QDLFWORF/KPVGNRTQITCO object file dynamic executable file Relocation 

台科資安社 '.((QTOCV ▸ ELF header ▸ Program header ▸ Section header ▸ Section ELF Header Program Header Section [.text] Section Header Section [.rodata] Section [.shstrtab] Section [.plt] Section [.plt.got] Section [.got] Section [.got.plt] 

LAB1 

台科資安社 4WP'.(KP/GOQT[ ▸ container.c & spy.c ▸ 偽裝 spy 執⾏的痕跡 read(spy.elf) memfd = memfd_create(‘filename’,type) fork() execve(memfd, argv, env) Wait or leave write(memfd, spyBuf, size); 

台科資安社 RTQE]RKF_HF ▸ 紀錄當前 process 所有開啟的 ”⽂件” 

台科資安社 4WP'.(KP/GOQT[ ▸ xxd -i ./malware > malware_array ▸ 將malware_array 放入程式 ELF Header Program Header Section [.text] Section Header Section [.rodata] Section [.shstrtab] Section [.plt] Section [.plt.got] Section [.got] Section [.got.plt] Section [.data] spy.elf 

台科資安社 4WP'.(KP/GOQT[ 

台科資安社 5GEVKQPXU5GIOGPV ELF Header Program Header Section [.text] Section Header Section [.rodata] Section [.shstrtab] Section [.plt] Section [.plt.got] Section [.got] Section [.got.plt] ELF Header Program Header Section [.text] Section [.rodata] Section [.plt] Section [.plt.got] Section [.got] Section [.got.plt] 6GZVUGIOGPV 4GNQECVKQP UGIOGPV &CVC UGIOGPV Section Header 

台科資安社 :A'.(.QCFKPI ELF Header Program Header Section [.text] Section [.rodata] Section [.plt] Section [.plt.got] Text Segment Relocation Segment Data Segment Heap Stack Align padding Z Z Z Z Z Section [.got] Section [.got.plt] Align padding Align padding 

台科資安社 :A'.(.QCFKPI ELF Header Program Header Section [.text] Section [.rodata] Section [.plt] Section [.plt.got] Section [.got] Section [.got.plt] Text Segment Relocation Segment Data Segment Heap Stack Align padding Align padding Align padding 2TQEGUU Section Header 

台科資安社 U[UAGZGEXG  Loader _start __libc_start_main __libc_csu_init main exit 

台科資安社 櫧ㄗ⃡㚱 Text Segment Relocation Segment Data Segment Heap Stack 290 4'8'45' 

LAB2 

台科資安社 .CD6GUV5GIOGPV%QFG+PLGEVKQP Text Segment Relocation Segment Data Segment Z Z Z Z Z !!!!! 

台科資安社 .CD6GUV5GIOGPV%QFG+PLGEVKQP Text Segment Relocation Segment Data Segment Z Z Z Z Z 盪畘⛐⇆㠟袛↡袂 

台科資安社 ELF Header Program Header Section [.text] Section [.rodata] Section [.plt] Section [.plt.got] Section [.got] Section [.got.plt] Align padding Align padding Align padding Relocation Segment Data Segment Z Z Z Z Z Text Segment .CD6GUV5GIOGPV%QFG+PLGEVKQP 

台科資安社 ELF Header Program Header Section [.text] Section [.rodata] Section [.plt] Section [.plt.got] 0x2000 ELF Header Program Header Section [.text] Section [.rodata] Section [.plt] Section [.plt.got] 5VGR Section [.got] Section [.got.plt] Section Header Section [.shstrtab] Section [.got] Section [.got.plt] Section Header Section [.shstrtab] 

台科資安社 ELF Header Program Header Section [.text] Section [.rodata] Section [.plt] Section [.plt.got] 0x2000 5VGR㠚5GEVKQP*GCFGT QHHUGV QHHUGV Z Section [.got] Section [.got.plt] Section Header Section [.shstrtab] 

台科資安社 ELF Header Program Header Section [.text] Section [.rodata] Section [.plt] Section [.plt.got] Section [.got] Section [.got.plt] 0x2000 Section Header Section [.shstrtab] 5VGR㠚2TQITCO*GCFGT 6GZVUGIOGPV 4GNQECVKQP UGIOGPV &CVC UGIOGPV 

台科資安社 ELF Header Program Header Section [.text] Section [.rodata] Section [.plt] Section [.plt.got] 0x2000 5VGR㠚'.(*GCFGT GAUJQHH Z Section [.got] Section [.got.plt] Section Header Section [.shstrtab] GAGPVT[ 

台科資安社 ELF Header Program Header Section [.text] Section [.rodata] Section [.plt] Section [.plt.got] Section [.got] Section [.got.plt] 0x2000 Section Header Section [.shstrtab] 5VGR⬿5JGNNEQFG 

台科資安社 ELF Header Program Header Section [.text] Section [.rodata] Section [.plt] Section [.plt.got] Section [.got] Section [.got.plt] 0x2000 Section Header Section [.shstrtab] 5VGR⦿GPVT[RQKPV OQXTCZTGCNAGPVT[ LORTCZ 

台科資安社 椥藃獌'.(*GCFGT ELF Header (Elf64_Ehdr) WPUKIPGFEJCT GAKFGPV='+A0+&'06? 'NHA*CNH GAV[RG   1DLGEVHKNGV[RG 'NHA*CNH GAOCEJKPG  #TEJKVGEVWTG 'NHA9QTFGAXGTUKQP  1DLGEVHKNGXGTUKQP 'NHA#FFT GAGPVT[  'PVT[RQKPVXKTVWCNCFFTGUU 'NHA1HH GARJQHH  2TQITCOJGCFGTVCDNGHKNGQHHUGV 'NHA1HH GAUJQHH  5GEVKQPJGCFGTVCDNGHKNGQHHUGV 'NHA9QTFGAHNCIU  2TQEGUUQTURGEKHKEHNCIU 'NHA*CNH GAGJUK\G '.(JGCFGTUK\GKPD[VGU 'NHA*CNH GARJGPVUK\G 2TQITCOJGCFGTVCDNGGPVT[UK\G 'NHA*CNH GARJPWO2TQITCOJGCFGTVCDNGGPVT[EQWPV 'NHA*CNH GAUJGPVUK\G 5GEVKQPJGCFGTVCDNGGPVT[UK\G 'NHA*CNH GAUJPWO 5GEVKQPJGCFGTVCDNGGPVT[EQWPV 'NHA*CNH GAUJUVTPFZ 5GEVKQPJGCFGTUVTKPIVCDNGKPFGZ 

台科資安社 椥藃獌5GEVKQP*GCFGT 'NHA9QTFUJAPCOG 5GEVKQPPCOG UVTKPIVDNKPFGZ 'NHA9QTFUJAV[RG 5GEVKQPV[RG 'NHA:YQTF UJAHNCIU 5GEVKQPHNCIU 'NHA#FFT UJACFFT 5GEVKQPXKTVWCNCFFTCVGZGEWVKQP 'NHA1HH UJAQHHUGV  5GEVKQPHKNGQHHUGV 'NHA:YQTF UJAUK\G  5GEVKQPUK\GKPD[VGU 'NHA9QTFUJANKPM  .KPMVQCPQVJGTUGEVKQP 'NHA9QTFUJAKPHQ  #FFKVKQPCNUGEVKQPKPHQTOCVKQP 'NHA:YQTF UJACFFTCNKIP5GEVKQPCNKIPOGPV 'NHA:YQTF UJAGPVUK\G 'PVT[UK\GKHUGEVKQPJQNFUVCDNG  Section Header 'NHA5JFT 

台科資安社 椥藃獌2TQITCO*GCFGT 'NHA9QTFRAV[RG  5GIOGPVV[RG 'NHA9QTFRAHNCIU  5GIOGPVHNCIU 'NHA1HH RAQHHUGV 5GIOGPVHKNGQHHUGV 'NHA#FFT RAXCFFT 5GIOGPVXKTVWCNCFFTGUU 'NHA#FFT RARCFFT 5GIOGPVRJ[UKECNCFFTGUU 'NHA:YQTF RAHKNGU\  5GIOGPVUK\GKPHKNG 'NHA:YQTF RAOGOU\ 5GIOGPVUK\GKPOGOQT[ 'NHA:YQTF RACNKIP  5GIOGPVCNKIPOGPV Program Header 'NHA2JFT 

Take a break~8:25 

台科資安社 5JCTG.KDTCT[TWPVKOGDKPFKPI puts@plt LORRWVU"IQVRNV RWUJZ LORZH .text ECNNRWVU"RNV [email protected] RWVU"RNV  

台科資安社 puts@plt LORRWVU"IQVRNV RWUJZ LORZH PLT0 RWUJ )16  LOR )16  .text ECNNRWVU"RNV [email protected] RWVU"RNV  AFNATWPVKOGATGUQNXG NKPMAOCRAQDLTGNQEAKPFGZ 5JCTG.KDTCT[TWPVKOGDKPFKPI 

台科資安社 .KDTCT[TWPVKOGDKPFKPI .text ECNNRWVU"RNV puts@plt LORRWVU"IQVRNV RWUJZ LORZH PLT0 RWUJ )16  LOR )16  dl_resolve %CNNHKZAWR [email protected] RWVU"RNV  

台科資安社 .text ECNNRWVU"RNV puts@plt LORRWVU"IQVRNV RWUJZ LORZH PLT0 RWUJ )16  LOR )16  dl_resolve %CNNHKZAWR [email protected] RWVUNKDECFFTGUU 5JCTG.KDTCT[TWPVKOGDKPFKPI 

LAB3 

台科資安社 .CD2.65GEVKQP+PHGEVGF ELF Header Program Header Section [.text] Section [.rodata] Section [.plt] Section [.plt.got] Section [.got] Section [.got.plt] Section Header Section [.shstrtab] PLT0 RWUJ )16  LOR )16  puts@plt LORRWVU"IQVRNV RWUJZ LORZH 

台科資安社 .CD2.65GEVKQP+PHGEVGF PLT0 RWUJ )16  LOR )16  puts@plt LORRWVU"IQVRNV RWUJZ LORUJGNNEQFG ELF Header Program Header Section [.text] Section [.rodata] Section [.plt] Section [.plt.got] 0x2000 Section [.got] Section [.got.plt] Section Header Section [.shstrtab] 獑獑獑 

台科資安社 .CD2.65GEVKQP+PHGEVGF UKNXKQVGUVARTQITCOUCORNGUJGNNEQFGXKTWUZHD 

台科資安社 ㄙ屬CPVKFGDWI ▸ ptrace anti-debug ▸ /proc/self/status ▸ Clean section header ▸ https://github.com/JonathanSalwan/stuffz/blob/master/elf-corruption-little-anti-debug.c 

台科資安社 禮荽茞徿 ▸ mail: [email protected]