I know no one that works as of today (i.e., kernels not way too old) and I wonder if anybody found or knows any protector for Linux either commercial, open source, used in malware, etc...
Asked
Active
Viewed 1,306 times
5
-
You also may look on this thread of security.stackexchange.com : Any comprehensive solutions for binary code protection and anti-reverse-engineering? It include both links to external articles and some valuable input. Bit outdated(2010-2011), but still relevant. – Denis Laskov Apr 04 '13 at 08:45
-
This is also related to this question. – jvoisin Dec 16 '13 at 00:36
3 Answers
5
ZVrba's Phrack article on cryptexec: Next-generation runtime binary encryption is a good read and it doesn't rely on additional kernel functionality:
This article describes a method to control the target program that doesn't does not rely on any assistance from the OS kernel or processor hardware. The method is implemented in x86-32 GNU AS (AT&T syntax). Once the controlling method is devised, it is relatively trivial to include on-the-fly code decryption.
0xea
- 4,904
- 1
- 23
- 30
5
There is a nice article on Linux binary code protection at http://www.intel-assembler.it/portale/5/linux-binary-code-protection/linux-binary-code-protection.asp.
If your target is to protect your binary Sentinel HASP supports Linux.
As for the old ones as you mention most of them don't work anymore, elf-encrypter Shiva, Burneye etc. IF I had to guess what will be the most common in Linux malware it will be the most common packer that's is used in windows too, UPX.
Nicolas
- 566
- 2
- 4
0
The majority of modern ELF binaries are protected using UPX or a variant thereof. 1,2 However, custom packers have been observed in the wild, including both UPX based- and non-UPX based-custom packers.
- The simplest variation of the UPX packer used out in the wild is the 'LSD' packer, in which the string 'UPX' is changed to 'LSD'. An example of this was a XMR coin miner written in Go which targeted systems running Jenkins.
mumblehardcustom protector - not based on UPXThe whole packer actually consists of about 200 assembly instructions. Another notable observation: system calls are made directly by using
int 80hinstructions. Another hint that it was written in assembly is that functions do not have the usual prologue to manage the stack. By doing system calls with interrupts, Mumblehard ELF binaries avoid any external dependency. Furthermore, the packer works on both Linux and BSD systems. 1samples:
- 20b567084bcc6bd5ac47b2ab450bbe838ec88fc726070eb6e61032753734d233
- 78c19897d08e35c0e50155c87f501e20f2d1dbfd38607fc8e12711d086d52204
- 84dfe2ac489ba41dfb25166a983ee2d664022bbcc01058c56a1b1de82f785a43
- 747d985d4bd302e974474dc9ab44cb1f60cb06206f3639c5d603db94395b877b
- 9512cd72e901d7df95ddbcdfc42cdb16141ff155e0cb0f8321069212e0cd67a8
- a5915c3060f5891242514b7899975393ef3d3cb87b33b6a767cffce4feac215f
a variant of
tiny XMR mooneruses a custom packer according to the r2con 2018 presentation Unpacking the Non-Unpackable.- 8a0d9c84cfb86dd1f8c9acab87738d2cb82106aee0d88396f6fa86265ff252dd
md5sum from presentation:
4f1fdacaee8e3c612c9ffbbe162042b2Note this particular file was the subject of The “Tiny XMR mooner” Linux cryptominer malware (the sha256 sum is identical) but no mention is made in this analysis of packing or any other form of binary protection.
Tsunamiwith custom packer- Malshare sample
- f22ffc07e0cc907f00fd6a4ecee09fe8411225badb2289c1bffa867a2a3bd863 (Virustotal)
- there used to be an analysis available at pwning.fun but it looks like its been taken down.
References
julian
- 7,128
- 3
- 22
- 55