ELF sections stats

March 13, 2021 in Clustering, linux

If you follow my blog you may know that I have dedicated a lot of time to building a very comprehensive list of PE sections. Today I realized that I never looked at ELF sections the same way, so with this post I take a first stab at it. The below are nothing but quick & dirty stats from a reasonably sized sample set of ELF files:

47165 .shstrtab
44289 .bss
33390 .comment
31664 .strtab
31651 .symtab
23516 .data
20756 .got
12634 .debug_aranges
12628 .debug_line
12628 .debug_info
12628 .debug_abbrev
12181 .debug_frame
11408 .sbss
10339 .mdebug.abi32
9359 .ARM.attributes
8239 .jcr
6703 .dynamic
6547 .rodata
6432 .debug_str
6386 .ctors
6343 .dtors
6035 .debug_pubnames
5846 .debug_ranges
5834 .debug_loc
5101 .fini_array
4915 .data.rel.ro
4858 .pdr
4133 .eh_frame
3056 .fini
2919 .text
2877 .plt
2515 .init
2444 .sdata
1858 .got.plt
1778 .note
1542 .init_array
1335 .stabstr
1335 .stab
1140 .rel.plt
1003 __libc_freeres_ptrs
862 .tbss
839 .tdata
820 .note.gnu.gold-version
812 .gcc_except_table
791 __libc_thread_subfreeres
739 .ARM.exidx
484 .ARM.extab
423 .data.rel.ro.local
414 .eh_frame_hdr
283 __libc_atexit
245 __libc_subfreeres
239 .note.ABI-tag
172 .preinit_array
140 .note.stapsdt
138 .stapsdt.base
117 .bmp
114 .mips
113 .compiler
110 .dynstr
96 .rld_map
76 .gnu.attributes
75 .noptrbss
73 .context
71 .note.go.buildid
49 .rel.dyn
45 .gnu_debuglink
38 .gnu.prelink_undo
36 .debug_pubtypes
33 .gnu_extab
30 .stab.indexstr
30 .stab.index
29 .note.GNU-stack
29 .engine
20 .xt.prop
19 .xtensa.info
19 .xt.lit
19 .debug_gdb_scripts
19 .bep
18 .rel.gnu.linkonce.this_module
18 .gnu.warning.llseek
17 .interp
17 .gnu.linkonce.this_module
16 .rodata.str1.1
15 .gnu.conflict
14 .rel.debug_aranges
14 .rel.data
13 .rel__ex_table
13 .rel.debug_pubnames
13 .redata
13 .jgd
12 __ex_table
12 .rodata.str1.4
12 .rel.eh_frame
12 .dynbss
11 __versions
11 .rel.rodata
11 .modinfo
10 __mcount_loc
10 .rel__mcount_loc
10 .rel.debug_line
10 .data1
8 __ksymtab
8 .plt.got
8 .exception_ranges
8 .ex_shared
8 .debug_macinfo
8 .data.rel.local
7 COFF
7 .mdebug
6 .rodata1
6 .rel.text
6 .rel.fixup
6 .rel.debug_info
6 .MIPS.stubs
5 __param
5 PROGRAM
5 IBC_2.0
5 ABI
5 .xzrodata
5 .rel__param
5 .rel.debug_loc
5 .rel.debug_frame
4 .note.android.ident
4 .got2
4 .gnu.version_r
4 .cpp_finidata
4 .arm_vfe_header
3 Input file:
3 .upx.1
3 .smp_locks
3 .rel.smp_locks
3 .rdata
3 .ident
2 text_env
2 ta
2 odata
2 elink
2 __verbose
2 __ksymtab_strings
2 ___ksymtab_gpl+fb_mode_option
2 ___ksymtab_gpl+fb_destroy_modelist
2 ___ksymtab+vesa_modes
2 ___ksymtab+fb_videomode_to_var
2 ___ksymtab+fb_var_to_videomode
2 ___ksymtab+fb_mode_is_equal
2 ___ksymtab+fb_match_mode
2 ___ksymtab+fb_find_nearest_mode
2 ___ksymtab+fb_find_mode_cvt
2 ___ksymtab+fb_find_mode
2 ___ksymtab+fb_find_best_mode
2 ___ksymtab+fb_find_best_display
2 Import
2 C_2.0
2 .vmp
2 .tptext
2 .tm_clone_table
2 .rodata.cst4
2 .rela.plt
2 .rel__verbose
2 .rel___ksymtab_gpl+fb_mode_option
2 .rel___ksymtab_gpl+fb_destroy_modelist
2 .rel___ksymtab+vesa_modes
2 .rel___ksymtab+fb_videomode_to_var
2 .rel___ksymtab+fb_var_to_videomode
2 .rel___ksymtab+fb_mode_is_equal
2 .rel___ksymtab+fb_match_mode
2 .rel___ksymtab+fb_find_nearest_mode
2 .rel___ksymtab+fb_find_mode_cvt
2 .rel___ksymtab+fb_find_mode
2 .rel___ksymtab+fb_find_best_mode
2 .rel___ksymtab+fb_find_best_display
2 .rel.debug_pubtypes
2 .null
2 .msym
2 .fixup
2 .conststring
2 .constdata
2 .compact_rel
2 .comment.SUSE.OPTs
2 .PPC.EMB.apuinfo
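A tally like the one above can be produced by walking each file's section header table and resolving every sh_name through .shstrtab. The code below is an added example, not the tooling behind the stats; it assumes a name is counted once per file and that the empty name of the null section is skipped, and it builds its own sample ELF images so it runs offline.

```python
import struct
from collections import Counter

SHDR64, SHDR32 = "IIQQQQIIQQ", "IIIIIIIIII"  # Elf64_Shdr / Elf32_Shdr field layouts

def section_names(data):
    """Return the section names of one ELF image (32- or 64-bit, either endianness)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if data[5] == 1 else ">"             # EI_DATA: 1 = little-endian, 2 = big-endian
    cls = data[4]                                   # EI_CLASS: 1 = ELF32, 2 = ELF64
    shoff = struct.unpack_from(end + ("Q" if cls == 2 else "I"), data, 40 if cls == 2 else 32)[0]
    shentsize, shnum, shstrndx = struct.unpack_from(end + "3H", data, 58 if cls == 2 else 46)
    fmt = end + (SHDR64 if cls == 2 else SHDR32)
    if shnum == 0 or shstrndx >= shnum:
        return []                                   # no usable section header table
    hdrs = [struct.unpack_from(fmt, data, shoff + i * shentsize) for i in range(shnum)]
    stroff, strsize = hdrs[shstrndx][4], hdrs[shstrndx][5]   # sh_offset / sh_size of .shstrtab
    strtab = data[stroff:stroff + strsize]
    names = []
    for h in hdrs:                                  # h[0] is sh_name, an offset into .shstrtab
        nul = strtab.find(b"\0", h[0])
        names.append(strtab[h[0]:nul if nul >= 0 else None].decode("latin-1"))
    return names

def count_section_names(blobs):
    """Count in how many files each section name occurs (once per file, empty name skipped)."""
    counts = Counter()
    for blob in blobs:
        try:
            counts.update({n for n in section_names(blob) if n})
        except (ValueError, struct.error):          # non-ELF or truncated file: skip it
            continue
    return counts

def build_elf64(names, little=True):
    """Constructed sample input: a minimal ELF64 holding only the named sections plus .shstrtab."""
    end = "<" if little else ">"
    strtab, offs = b"\0", []
    for n in names + [".shstrtab"]:
        offs.append(len(strtab))
        strtab += n.encode() + b"\0"
    shnum, shoff = len(names) + 2, 64 + len(strtab)
    ehdr = b"\x7fELF" + bytes([2, 1 if little else 2, 1]) + b"\0" * 9   # e_ident: ELF64, EI_DATA, v1
    ehdr += struct.pack(end + "HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, shnum, shnum - 1)
    shdrs = struct.pack(end + SHDR64, *([0] * 10))  # mandatory null section header at index 0
    shdrs += b"".join(struct.pack(end + SHDR64, o, 1, 0, 0, 0, 0, 0, 0, 1, 0) for o in offs[:-1])
    shdrs += struct.pack(end + SHDR64, offs[-1], 3, 0, 0, 64, len(strtab), 0, 0, 1, 0)
    return ehdr + strtab + shdrs
```

To reproduce the listing over a real sample set, pass the bytes of every file in the directory to count_section_names() and print most_common() as "count name".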

Beyond good ol’ Run key, Part 133

March 5, 2021 in Anti-Forensics, Autostart (Persistence)

Java programs compiled into executable form with launch4j have a few interesting features that make them a good target for both persistence and LOLBIN-ish activities.

When the executable starts, it checks the environment for the presence of a Java Runtime Environment (JRE), and while doing so it consults a number of registry locations:

  • 64-bit search: HKLM\SOFTWARE\JavaSoft\Java Runtime Environment
  • 32-bit search: HKLM\SOFTWARE\JavaSoft\Java Runtime Environment
  • 64-bit search: HKLM\SOFTWARE\JavaSoft\Java Development Kit
  • 32-bit search: HKLM\SOFTWARE\JavaSoft\Java Development Kit
  • 64-bit search: HKLM\SOFTWARE\JavaSoft\JRE
  • 32-bit search: HKLM\SOFTWARE\JavaSoft\JRE
  • 64-bit search: HKLM\SOFTWARE\JavaSoft\JDK
  • 32-bit search: HKLM\SOFTWARE\JavaSoft\JDK
  • 64-bit search: HKLM\SOFTWARE\IBM\Java Runtime Environment
  • 32-bit search: HKLM\SOFTWARE\IBM\Java Runtime Environment
  • 64-bit search: HKLM\SOFTWARE\IBM\Java2 Runtime Environment
  • 32-bit search: HKLM\SOFTWARE\IBM\Java2 Runtime Environment
  • 64-bit search: HKLM\SOFTWARE\IBM\Java Development Kit
  • 32-bit search: HKLM\SOFTWARE\IBM\Java Development Kit

The JAVA_HOME environment variable is not being used.

Placing a malicious entry under any of these branches, e.g.:

[HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Development Kit\1.8]
"JavaHome"="c:\test"

and then dropping a malicious c:\test\jre\bin\javaw.exe will cause the original program compiled with launch4j (when launched) to spawn that malicious javaw.exe.
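From the defender's side, the same search list gives a small audit: read every version subkey under the fourteen locations above (the seven branches in both the 64-bit and 32-bit registry views), and report any JavaHome that does not point into a standard install root, together with the javaw.exe it would resolve to. This is an added example, not launch4j's own code; the trusted roots and the Finding shape are assumptions.

```python
from collections import namedtuple
# Registry branches launch4j probes, per the post; each is read from both the 64-bit and 32-bit view of HKLM.
LAUNCH4J_KEYS = [
    r"SOFTWARE\JavaSoft\Java Runtime Environment",
    r"SOFTWARE\JavaSoft\Java Development Kit",
    r"SOFTWARE\JavaSoft\JRE",
    r"SOFTWARE\JavaSoft\JDK",
    r"SOFTWARE\IBM\Java Runtime Environment",
    r"SOFTWARE\IBM\Java2 Runtime Environment",
    r"SOFTWARE\IBM\Java Development Kit",
]
# Assumption: a legitimate JavaHome lives under one of these roots; anything else is reported.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
Finding = namedtuple("Finding", "key version java_home javaw")

def audit_java_homes(entries, trusted_roots=TRUSTED_ROOTS):
    """entries: iterable of (key_path, version_subkey, JavaHome). Returns a Finding for every
    JavaHome outside the trusted roots, with the javaw.exe path launch4j would resolve from it."""
    findings = []
    for key, version, home in entries:
        norm = home.replace("/", "\\").lower().rstrip("\\") + "\\"   # case/separator-insensitive prefix test
        if not norm.startswith(trusted_roots):
            findings.append(Finding(key, version, home, home.rstrip("\\") + r"\jre\bin\javaw.exe"))
    return findings

def read_registry_entries():
    """Windows only: collect (key, version, JavaHome) triples from both registry views."""
    import winreg
    entries = []
    for key in LAUNCH4J_KEYS:
        for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
            try:
                branch = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key, 0, winreg.KEY_READ | view)
            except OSError:                          # branch absent in this view
                continue
            with branch:
                for i in range(winreg.QueryInfoKey(branch)[0]):
                    ver = winreg.EnumKey(branch, i)
                    try:
                        with winreg.OpenKey(branch, ver) as vk:
                            entries.append((key, ver, winreg.QueryValueEx(vk, "JavaHome")[0]))
                    except OSError:                  # version subkey without a JavaHome value
                        continue
    return entries

if __name__ == "__main__":
    # Constructed sample: a genuine JDK entry next to the planted one from the post.
    sample = [(r"SOFTWARE\JavaSoft\Java Development Kit", "1.8.0_281", r"C:\Program Files\Java\jdk1.8.0_281"),
              (r"SOFTWARE\JavaSoft\Java Development Kit", "1.8", r"c:\test")]
    for f in audit_java_homes(sample):
        print(f"JavaHome {f.java_home!r} under {f.key}\\{f.version} -> would spawn {f.javaw}")
```

On a Windows host, run audit_java_homes(read_registry_entries()) instead of the constructed sample.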

And as a little bonus, the launch4j stub accepts these debug command line arguments (or equivalent values of the environment variable shown in parentheses):

  • --l4j-debug (or Launch4j=debug)
  • --l4j-debug-all (or Launch4j=debug-all)

When either of these is present, a launch4j.log file will be created with all the information needed for troubleshooting (the second option generating a more verbose version of the log file).