Arcana is a unique threat detection technology with a focus on ELF binary forensics. ELF (Executable & Linking Format) is the most ubiquitous executable format, being used by all Linux/UNIX enterprise servers and on ~70% of IoT devices.
Demystifying ELF infections and detecting subtle anomalies within ELF artifacts can rapidly identify infections such as persistent backdoors that hook functions and manipulate global data. APTs (advanced persistent threats) often use virus technology within their hooking and instrumentation methods.
The Arcana binary forensics technology was designed and is maintained by the Elfmaster, and other thought leaders in the esoteric underground of ELF binary hacking, virus design, and reverse engineering.
Arcana has been tested on various Linux distributions for x86 (32- and 64-bit) and scans ELF binaries with an intelligent heuristics engine. Arcana can identify the most subtle infections within an ELF binary, indicating that the program's integrity and functionality have been compromised.
Arcana currently supports analysis of ELF executables, shared libraries, and LKMs. Support for /proc/kcore analysis (detecting kernel rootkits) and process-memory forensics is planned.
Arcana starts where other threat detection products leave off.
Adept detection of ELF infections
Arcana uses state of the art ELF forensics reconstruction techniques to restore stripped symbol tables and section headers on obfuscated or stripped binaries.
- Detection of anomalous artifacts within ELF files
- Forensically reconstructs stripped ELF binaries
- Detects packed/encrypted ELF binaries
- Forensically analyzes an ELF binary and all of its shared dependencies for the following:
  - Text segment padding infection
  - Reverse text padding infection
  - PT_NOTE to PT_LOAD conversion
  - DT_NEEDED shared library injection
  - Symbol interposition based DT_NEEDED infection
  - DT_DEBUG to DT_NEEDED conversion infection
  - Data segment infections
  - .bss infections
  - SCOP (-Wl,-z,separate-code) ultimate text infection
  - TLS (thread local storage) TLSDESC resolver hooks
  - Sigaction hooking via PLT (usually for debugger detection)
  - DT_INIT hooking
  - DT_FINI hooking
  - .ctors/.dtors hooks (.init_array/.fini_array)
  - Relocation poisoning (instructs RTLD to patch your hooks at runtime)
  - Infected .rela.plt (DT_JMPREL poisoning, to use an alternate GOT)
  - PLTGOT poisoning (PLT hooks)
  - GOT poisoning (global data hooks)
  - Suspicious program interpreter
  - Entry point modification
  - glibc init hooks (i.e. hooked __libc_start_main)
  - Linking anomalies
  - Anomalies in the ELF structure
  - Writable code
  - Executable data
  - Linux LKM symbol hijacking
  - Decryption stub (i.e. ELF binary obfuscation)
  - Section header table scrambling
  - Symbol header table scrambling
  - And more...
- Plugin system for writing C modules. Developers can quickly develop new features for heuristics and code analysis.
- Simple to configure and use
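To make three of the heuristics above concrete (writable code, entry point modification, PT_NOTE to PT_LOAD conversion), here is an added example of a minimal program-header scanner. It is not Arcana's code; the threshold logic is a simplification, and the two ELF images it scans are constructed inline (the "infected" one has its PT_NOTE replaced by an RWX PT_LOAD with the entry point redirected into it).

```python
import struct
from collections import namedtuple
PT_LOAD, PT_NOTE = 1, 4
PF_X, PF_W, PF_R = 1, 2, 4
Phdr = namedtuple("Phdr", "type flags vaddr memsz")

def parse_elf64(data):
    """Return (e_entry, [Phdr, ...]) from a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    e_entry, e_phoff = struct.unpack_from("<QQ", data, 24)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        f = struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append(Phdr(type=f[0], flags=f[1], vaddr=f[3], memsz=f[6]))
    return e_entry, phdrs

def scan(data):
    """Simplified versions of three heuristics from the feature list; returns finding strings."""
    e_entry, phdrs = parse_elf64(data)
    findings = []
    for p in phdrs:
        if p.type == PT_LOAD and p.flags & PF_X and p.flags & PF_W:
            findings.append("writable code: RWX PT_LOAD at 0x%x" % p.vaddr)
    exec_loads = [p for p in phdrs if p.type == PT_LOAD and p.flags & PF_X]
    # A sane entry point lands in the lowest-addressed executable segment (the real text).
    text = min(exec_loads, key=lambda p: p.vaddr, default=None)
    if text is None or not text.vaddr <= e_entry < text.vaddr + text.memsz:
        findings.append("entry point 0x%x is outside the primary text segment" % e_entry)
    # An extra executable PT_LOAD plus a missing PT_NOTE is the footprint of a PT_NOTE -> PT_LOAD conversion.
    if len(exec_loads) > 1 and not any(p.type == PT_NOTE for p in phdrs):
        findings.append("extra executable PT_LOAD and no PT_NOTE: possible PT_NOTE->PT_LOAD conversion")
    return findings

def build_elf64(e_entry, segments):
    """Constructed sample: minimal non-runnable ELF64 image from (p_type, p_flags, p_vaddr, content) tuples."""
    phdrs, body, body_off = b"", b"", 64 + 56 * len(segments)
    for p_type, p_flags, p_vaddr, content in segments:
        phdrs += struct.pack("<IIQQQQQQ", p_type, p_flags, body_off + len(body),
                             p_vaddr, p_vaddr, len(content), len(content), 0x1000)
        body += content
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9)  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, e_entry, 64, 0, 0, 64, 56, len(segments), 64, 0, 0)
    return ehdr + phdrs + body

TEXT, DATA = (PT_LOAD, PF_R | PF_X, 0x401000, b"\x90" * 32), (PT_LOAD, PF_R | PF_W, 0x403000, bytes(32))
CLEAN = build_elf64(0x401000, [TEXT, DATA, (PT_NOTE, PF_R, 0x400300, bytes(8))])
# Same layout, but the PT_NOTE became an RWX PT_LOAD and the entry point was redirected into it.
INFECTED = build_elf64(0xC000000, [TEXT, DATA, (PT_LOAD, PF_R | PF_W | PF_X, 0xC000000, b"\xcc" * 32)])
```

Running `scan(CLEAN)` yields no findings, while `scan(INFECTED)` reports all three anomalies; a real scanner would also cross-check section headers, which this example deliberately omits.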