Who prints “(core dumped)” after a segmentation fault?

When a CLI process in Linux exits after a segmentation fault, the following message is typically printed to stdout: “Segmentation fault (core dumped)”. We are assuming here that the process did not register a handler for the SIGSEGV signal. I was a bit curious about who was printing the message, so I started to dig a bit.

My first hypothesis was that libc had a default handler for this signal. After running the application with strace, I found no sys_write system call: the application and its libraries were not printing anything.

If a process registers no handler for SIGSEGV, the do_coredump function (fs/coredump.c in the Linux kernel) is executed. It caught my attention that the kernel creates a new task and launches a user-mode application. In Fedora this application is /usr/libexec/abrt-hook-ccpp, and its goal is to record and report the crash. I ran strings over its binary and its dynamically linked libraries (libc, libreport, libabrt, etc.) but found no clues.
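As an added example (my code, not the post's), the same situation reduced to a parent and a child: the kernel writes nothing to the terminal on the child's behalf, it only encodes the terminating signal and a core-dump flag in the child's wait status, which is what a parent process such as a shell reads with waitpid() before composing its own message. Function names are mine; the child raises SIGSEGV directly rather than faulting on a bad pointer so the crash is deterministic.

```c
#define _DEFAULT_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child that dies from SIGSEGV with no handler installed, so the
 * kernel's default action (terminate, then do_coredump) runs.  The parent
 * never receives any output from the child, only a wait status.
 * Returns the child's terminating signal (0 if it exited normally, -1 on
 * error) and stores the core-dump flag of that status in *dumped. */
int run_faulting_child(int *dumped)
{
    int status;
    pid_t pid = fork();

    *dumped = 0;
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: default disposition for SIGSEGV is "terminate + core". */
        raise(SIGSEGV);
        _exit(0);               /* not reached */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFSIGNALED(status))
        return 0;
#ifdef WCOREDUMP
    /* Set only when a core file was actually produced (ulimit -c, core_pattern). */
    *dumped = WCOREDUMP(status) ? 1 : 0;
#endif
    return WTERMSIG(status);
}

/* Convenience wrapper for callers that only care about the signal number. */
int faulting_child_signal(void)
{
    int dumped;
    return run_faulting_child(&dumped);
}

int main(void)
{
    int dumped = 0;
    int sig = run_faulting_child(&dumped);

    /* Reproduce the message a shell composes from the same wait status. */
    if (sig == SIGSEGV)
        fprintf(stderr, "Segmentation fault%s\n", dumped ? " (core dumped)" : "");
    return 0;
}
```

Whether "(core dumped)" appears depends on the core size limit and kernel.core_pattern of the machine the program runs on, not on the program.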

Continue reading “Who prints “(core dumped)” after a segmentation fault?”

Understanding the .gcc_except_table section in ELF binaries (GCC)

ELF binaries generated by the GCC compiler may contain a special section named .gcc_except_table, also known as the LSDA (Language Specific Data Area). Despite its name, it is generated by GCC’s language-agnostic back-end and is thus language independent. In this article we will briefly describe it and answer when it is generated, what is in there and how it is used.

The .gcc_except_table section is related to exceptions in the sense of try-catch-finally control-flow blocks. Part of the information there is for handling the exception and the rest is for cleanup code (i.e., calling object destructors when the stack is unwound).

In a nutshell, GCC language front-ends (such as C++) generate try-catch-finally nodes which are appended to the Abstract Syntax Tree (AST). These nodes are then transformed into back-end nodes and, after multiple passes, simplified into jumps and labels. Information about exception regions and landing pads is kept in annotations associated with each function.

Continue reading “Understanding the .gcc_except_table section in ELF binaries (GCC)”

Simple Patching Tool v1.3 released

Simple Patching Tool has been updated with the following enhancement:

  • JDK 11 support

Patching java.base module classes in JDK 11 was not supported because of the constraints imposed by the new Jigsaw module system. An illegal access error happened when a java.base module class (the patched one) tried to call a method belonging to a class in the unnamed module (Bridge). The reason is that the java.base module does not declare that it reads the unnamed module. Note: the unnamed module here belongs to the bootstrap class loader, as Bridge is loaded from there.

Continue reading “Simple Patching Tool v1.3 released”

Wildcard support for MAC addresses in netfilter (Linux kernel) and iptables

Some time ago Riki from Netlabs proposed a simple challenge: add wildcard support for MAC addresses when specifying netfilter rules in Linux.

Netfilter and iptables (its user-space counterpart) let you filter network packets based on their source MAC address. However, there is currently no option to match all packets that meet a specific pattern (e.g., those whose prefix belongs to a certain vendor). A wildcard syntax would be enough to accomplish this goal. For example, the following rule should drop every incoming packet on the ens3 interface:

A quick lookup in the Linux kernel source and in iptables brought me to a couple of files probably required to implement this functionality: net/netfilter/xt_mac.c (kernel) and libxtables/xtoptions.c (iptables). The former decides whether a packet should pass or not when filtering by MAC address. The latter has the iptables option parsing code, through which we can specify matching rules.
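As an added user-space sketch of the two pieces above (my code, not the kernel's xt_mac.c nor the iptables patch): the option parser turns a rule into an address plus a per-byte mask, and the packet-side check compares only the non-wildcard bytes. The "xx" spelling for a wildcard octet and the 52:54:00 (QEMU/KVM) prefix used in the test values are assumptions.

```c
#include <stdint.h>
#define ETH_ALEN 6

/* Parsed rule: compare addr bytes where mask is 0xff, ignore where it is 0x00. */
struct mac_rule { uint8_t addr[ETH_ALEN]; uint8_t mask[ETH_ALEN]; };
static int hexval(int c)            /* one hex digit -> value, or -1 */
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                      /* fold A-F to a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Parse "aa:bb:cc:xx:xx:xx"; "xx" marks a wildcard octet (assumed syntax).
 * Returns 0 on success, -1 on malformed or truncated input. */
int mac_rule_parse(const char *spec, struct mac_rule *r)
{
    for (int i = 0; i < ETH_ALEN; i++) {
        const char *p = spec + i * 3;
        int hi, lo;
        if (i > 0 && p[-1] != ':')
            return -1;
        if (p[0] == 'x' && p[1] == 'x') {
            r->addr[i] = 0; r->mask[i] = 0x00;
            continue;
        }
        if ((hi = hexval(p[0])) < 0 || (lo = hexval(p[1])) < 0)
            return -1;
        r->addr[i] = (uint8_t)((hi << 4) | lo); r->mask[i] = 0xff;
    }
    return spec[ETH_ALEN * 3 - 1] == '\0' ? 0 : -1;   /* reject trailing junk */
}

/* Per-packet decision, in the spirit of xt_mac.c: mask both sides, compare bytes. */
int mac_rule_match(const struct mac_rule *r, const uint8_t src[ETH_ALEN])
{
    for (int i = 0; i < ETH_ALEN; i++)
        if ((src[i] & r->mask[i]) != (r->addr[i] & r->mask[i]))
            return 0;
    return 1;
}

/* Literal MAC string vs rule string: 1 = match, 0 = no match, -1 = parse error. */
int mac_spec_matches(const char *spec, const char *mac)
{
    struct mac_rule rule, lit;
    if (mac_rule_parse(spec, &rule) < 0 || mac_rule_parse(mac, &lit) < 0)
        return -1;
    return mac_rule_match(&rule, lit.addr);
}
```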

Continue reading “Wildcard support for MAC addresses in netfilter (Linux kernel) and iptables”

Reverse Engineering open course v1.0

I’m pleased to announce the release of the Reverse Engineering open course. It has taken more than one year but it’s finally here!

This course is a journey into reversing executable binaries from 3 different angles: 1) malware analysis, 2) bug hunting and 3) exploit writing. The Windows and Linux operating systems, on both x86 and x86_64 architectures, are in scope. It is not a purely tools-oriented approach but a mix with fundamental concepts, aiming to explain how things work underneath.

All of the content is licensed under Creative Commons Attribution-ShareAlike 4.0 International, and contributions are very much welcome. Published material includes slides and labs for 11 classes (with demos and hands-on exercises). Slides are available in both English and Spanish. The course Linux VM has not been published due to its size; I can help you replicate the environment if needed.

Continue reading “Reverse Engineering open course v1.0”

Pcapy: pcap library wrapper for Python

Pcapy is a lightweight pcap library wrapper for Python. It allows you to read and handle low-level network packets from Python, both on Windows and UNIX-like platforms (Linux, macOS). Live captures and PCAP files are supported. BPF filters can be applied to get the traffic of interest only.

It works as a native module that can be plugged into the CPython virtual machine. The code is C and links against the Python SDK. On Windows platforms, WinPcap is required.

It has been released under a variation of the Apache Software License, and it’s currently maintained by Core Security. You can get more information and the source code here: https://github.com/helpsystems/pcapy

Simple Patching Tool v1.2 released

Simple Patching Tool has been updated with a couple of minor enhancements:

  • jtreg (Java Regression Test Harness) is now supported
    • You can patch any class in the context of a jtreg test
  • Bug fix to use Object data types in Hooker class methods
    • Any object can be passed as a parameter to a Hooker class method. From the ASM side, you push the object onto the stack. From the Hooker side, you receive an Object (java.lang.Object) to be cast to the expected class.

Download here.

RPMs for Devs

There are times when you want to rapidly set up a development and debugging environment for an open source project without bothering with all the specifics: dependencies, build systems, installation, deployment scripts and so on. I found the Fedora RPM tools quite useful in this regard.

The idea is to leverage the RPM tools, which can instantly build thousands of projects from source code, while keeping the intermediate artifacts as a development environment.

Continue reading “RPMs for Devs”