Introduction to the Witchcraft Compiler Collection
Jonathan Brossard @endrazine
9 of November 2016 |
IsecCon 2016, Hillsboro |
TL ; DR
The Witchcraft Compiler Collection is free software (MIT/BSD License).
https://github.com/endrazine/wcc
You can write in Lua,
WhoAmamI ? I ?
DISCLAIMER
S
Disclaimer
DISCLAIMER
•My employers are not associated with this talk in any way.
•This is my personal research.
Legal help
•This talk received help from the EFF.
•Warmest thank you to Nate Cardozo, Andrew Crocker and Mitch Stoltz
Free legal advising to security researchers : https://www.eff.org/ https://www.eff.org/issues/coders/reverse-
Agenda
•WCC components
•“Libifying” a binary
•Unlinking binaries
•Crossing a Fish and a Rabbit
•Introduction to Witchcraft
•Binary “reflection” without a VM
•Towards binary self awareness
•Future work
WCC : components
WCC Components
Binaries (C):
wld : witchcraft linker
wcc : witchcraft core compiler
wsh : witchcraft shell : dynamic interpreter + scripting engine
Scripts (lua, …):
wcch : witchcraft header generator
wldd : witchcraft compiler flags generator
...
Host machine : GNU/Linux x86_64 (mostly portable to POSIX systems).
Wld : “Libification”
Transforming an ELF executable binary into an ELF shared library.
DEMOS
Libification of proftpd
Libification of proftpd
We really patched 1 byte only
libification
typedef struct
{
unsigned char e_ident[EI_NIDENT]; /* Magic number and
other info */ |
/* Object file type */ |
Elf64_Half e_type; |
|
Elf64_Half e_machine; |
/* Architecture */ |
Elf64_Word e_version; |
/* Object file version */ |
Elf64_Addr e_entry; |
/* Entry point virtual address |
*/ |
|
Elf64_Off e_phoff; |
/* Program header table file |
offset */ |
|
Elf64_Off e_shoff; |
/* Section header table file |
offset */ |
|
Elf64_Word e_flags; |
/* |
Elf64_Half e_ehsize; |
/* ELF header size in bytes */ |
Elf64_Half e_phentsize; |
/* Program header table |
Using our new shared
library
How comes this works ?
We’re really creating a “non relocatable” shared library.
ET_DYN and ET_EXEC ELF files are both executable (ASLR support in the kernel)
This is equivalent to creating a shared library with a non NULL base address (equivalent to prelinking)
Note: Amazingly, this shared library is still a valid executable too.
DEMOS
Linking against apache2
Apache2 as a shared library
Apache2 as a shared library
Wcc : “unlinking”
The typical approach to reverse engineering is to transform binaries or shared libraries back to source code.
Instead, we aim at transforming final binaries or shared libraries back to ELF relocatable objects, that can later be relinked normally (using gcc/ld) into executables or shared objects.
Wcc : “unlinking”
Source code |
|
Relocatable |
|
Compiler |
objects |
||
|
|||
|
(*.o) |
||
|
|
L i n k e r
Binaries (executables,
shared libs…)
Wcc : “unlinking”
Source code
Compiler
Decompiler
Relocatable objects
L i n k e r
Binaries (executables,
shared libs…)
Wcc : “unlinking”
Source code
Compiler
Decompiler
Relocatable objects
(*.o)
L i n k e r
Binaries (executables,
shared libs…)
unlinking
Source code
Compiler
Decompiler
Relocatable objects
(*.o)
L |
|
i |
w |
n |
|
k |
c |
e |
c |
r |
|
Binaries (executables,
shared libs…)
WCC : Command line
The command line is made to resemble the syntax of gcc :
Wcc : internals
The front end is build around libbfd. The backend is trivial C to copy each mapped section of the binary, handle symbols and relocations.
Benefit of using libbfd : the input binary doesn’t need to be an ELF !
=> We can for instance transform a Win64 executable into ELF 64b relocatable objects…
DEMO
(Binary to object file to relocatable to unstripped library)
WCC : demo
DEMO
(Crossing a Fish and a Rabbit)
PE + ELF = PELF
WCC : PE32 to ELF64
DEMO
Native OpenBSD on linux
Binary reflection
Binary “reflection” without a VM
Now that we know how to transform arbitrary binaries into shared libraries, we can load them into our address space via dlopen().
Let’s implement the same features as traditional virtual machines, but for raw binaries !
Whish list :
-Load arbitrary applications into memory
-Execute arbitrary functions with any arguments (and get results)
-Monitor/Trace execution
-Automated functions prototyping/annotation
-Learn new behavior
-Examine/Modify arbitrary memory
WSH : architecture
Loading is done via dlopen().
The core engine/shell is built around lua.
Can be compiled with luajit to get JIT compilation. Tracing/Memory analysis doesn’t rely on ptrace() : we share the address space.
Lightweight : ~5k lines of C.
No disassembler (as of writing. Subject to change). No need for /proc support !
Function names mapped in each library is dumped from the link_map cache.
Wsh : The wichcraft
interpreter
Distinctive features:
-We fully share the address space with analyzed applications (no ptrace() nor context switches).
-Requires no privileges/capabilities (no root, no ptrace(), no CAP_PTRACE, no /proc…)
-No disassembly : fully portable (POSIX)
-Implements “reflection” for binaries
-Full featured programming language
-Interactive and/or fully scriptable, autonomous programs
-Has no types
-Has no fixed API : any function you load in memory becomes available in WSH
-Functions have no prototypes
-=> Can call arbitrary functions without knowing their prototypes
Wsh : The wichcraft
interpreter
Advanced features:
-Loads any code via dlopen() : this solves relocations, symbols resolution, dependencies for us.
-Secondary loader bfd based (could load invalid binaries, anything in memory).
-Dumping of dynamic linker cash internals (undocumented) : linkmap
-Breakpoints without int 0x03 (use SIGINVALID + invalid opcode)
-Bruteforcing of mapped memory pages via msync() (0day, no /proc needed)
-Wsh can be compiled to do JIT compilation on the fly at runtime.
-Automated fuzzing/extended prototyping/functional testing
NONE OF THIS IS SUPPOSED TO WORK
Witchcraft
Lua Interpreter
+
“Reflected” C API
=
Witchcraft
DEMO
Witchcraft
DEMO ARM
Witchcraft
FUTURE WORK
FUTURE WORK
-Hyde our own presence better in memory (second heap)
-Remote debugging, running process injection
-Shadow mapping, internal libraries tracing (recursive ltrace)
-ltrace/strace to valid scripts
-system call tracing
TO BE CONTINUED
Questions ?