In 2011, I created a software prototype titled Linux VMA Monitor (http://www.bitlackeys.org/#vmavudu) for a DARPA contract. This software was designed to look at live process memory or raw snapshots of process memory. It was able to detect all sorts of runtime infections, including shared library injection, PLT/GOT hijacking, and other anomalies that indicate runtime malware.

In more recent times, I considered rewriting this software into a more finished state, and I felt that a native snapshot format for process memory would be a really nice feature. This was the initial inspiration for developing ECFS, and although I have canceled my plans of reviving the Linux VMA Monitor software for now, I am continuing to expand and develop the ECFS software as it is of great value to many other people's projects. It is even being incorporated into the Lotan product, which is a piece of software used to detect exploitation attempts by analyzing crash dumps (http://www.leviathansecurity.com/lotan...

ECFS is all about making runtime analysis of a program easier than ever before. The entire process is encased within a single file, and it is organized in such a way that locating and accessing data and code that is critical for detecting anomalies and infections is achievable through orderly and efficient means. This is primarily done through parsing section headers to access useful data, such as symbol tables, dynamic linking data, and forensics-relevant structures.

At the time of writing this chapter, the complete ECFS project and source code is available at http://github.com/elfmaster/ecfs. Once you have cloned the repository with git, you should compile and install the software as described in the README file.

Currently, ECFS has two modes of use:

echo '|/opt/ecfs/bin/ecfs_handler -t -e %e -p %p -o \ /opt/ecfs/cores/%e.%p' > /proc/sys/kernel/core_pattern

The ECFS file format is very easy to parse with traditional ELF utilities, such as readelf, but to build parsing tools that are custom, I highly recommend that you use the libecfs library. This library is specifically designed for easy parsing of ECFS core files. It will be demonstrated with slightly more details later in this chapter when we look at designing advanced malware analysis tools to detect infected processes.

libecfs is also used in the ongoing development of the readecfs utility, which is a tool for parsing ECFS files, and is very similar to the commonly known readelf utility. Note that libecfs is included with the ECFS package on the GitHub repository.

The readecfs utility will be used throughout the rest of this chapter while demonstrating the different ECFS features. Here is a synopsis of the tool from readecfs -h:

Usage: readecfs [-RAPSslphega] <ecfscore>
-a  print all (equiv to -Sslphega)
-s  print symbol table info
-l  print shared library names
-p  print ELF program headers
-S  print ELF section headers
-h  print ELF header
-g  print PLTGOT info
-A  print Auxiliary vector
-P  print personality info
-e  print ecfs specific (auiliary vector, process state, sockets, pipes, fd's, etc.)

-[View raw data from a section]
-R <ecfscore> <section>

-[Copy an ELF section into a file (Similar to objcopy)]
-O <ecfscore> .section <outfile>

-[Extract and decompress /proc/$pid from .procfs.tgz section into directory]
-X <ecfscore> <output_dir>

Examples:
readecfs -e <ecfscore>
readecfs -Ag <ecfscore>
readecfs -R <ecfscore> .stack
readecfs -R <ecfscore> .bss
readecfs -eR ...

Before we show the effectiveness of ECFS with a real-world example, it would be helpful to have a little background of the method of infection that we will use from a hacker's perspective. It is often very useful for a hacker to be able to incorporate anti-forensic techniques into their workflow on compromised systems so that their programs, especially the ones that serve as backdoors and such, can remain hidden to the untrained eye.

One such technique is to perform process cloaking. This is the act of running a program inside of an existing process, ideally inside of a process that is known to be benign but persistent, such as ftpd or sshd. The Saruman anti-forensics exec (http://www.bitlackeys.org/#saruman) allows an attacker to inject a complete, dynamically linked PIE executable into an existing process address space and run it.

It uses a thread injection technique so that the injected program can run simultaneously with the host program. This particular...

The ECFS file format is both simple and complicated! The ELF file format is complex in general, and ECFS inherits those complexities from a structural point of view. On the other side of the token, ECFS helps make navigating a process image quite easy if you know what specific features it has and what to look for.

In previous sections, we gave some real-life examples of utilizing ECFS that demonstrated many of its primary features. However, it is also important to have a simple and direct reference to what those characteristics are, such as which custom sections exist and what exactly they mean. In this section, we will provide a reference for the ECFS snapshot files.

Have you ever wanted to be able to pause and resume a process in Linux? After designing ECFS, it quickly became apparent that they contained enough information about the process and its state to relaunch them back into memory so that they can begin execution where they last left off. This feature has many possible use cases and demands more research and development.

Currently, the implementation for ECFS snapshot execution is basic and can only handle simple processes. At the time of writing this chapter, it can restore file streams but not sockets or pipes, and can only handle single-threaded processes. The software for executing an ECFS snapshot can be found on GitHub at https://github.com/elfmaster/ecfs_exec.

Here's an example of snapshot execution:

$ ./print_passfile
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games...

The extended core file snapshot technology, ECFS, is still relatively new. I presented on it at defcon 23 (https://www.defcon.org/html/defcon-23/dc-23-speakers.html#O%27Neill), and the word is still spreading. Hopefully, a community will evolve and more people will begin adopting ECFS for their daily forensics work and tools. Nonetheless, at this point, there are several resources for ECFS in existence:

The official GitHub page: https://github.com/elfmaster/ecfs

In this chapter, we covered the basics of the ECFS snapshot technology and the snapshot format. We experimented with ECFS using several real-life forensic examples, and even wrote a tool that detects shared library injection and PLT/GOT hooks using the libecfs C library. In the next chapter, we will jump out of userland and explore the Linux kernel, the layout of vmlinux, and a combination of kernel rootkit and forensic techniques.