Common binary file analysis methods in Linux

Source: Internet
Author: User

1. First, try the strings command. For example, for a binary file named CR1:

$ strings CR1 | more

Text strings left in the program after compilation may describe it, so the output may tell you what this file is.

For example, the output might be:

$ strings CR1 | more

%s %s -> %s %s (%.*s)

Version: 2.3

Usage: dsniff [-cdmn] [-i interface] [-s snaplen] [-f services]

[-t trigger[,...]] [-r|-w savefile] [expression]

...

/usr/local/lib/dsniff.magic

/usr/local/lib/dsniff.services

...

From this we know that CR1 is actually the dsniff command.

2. If this method does not help, you can try:

$ /usr/ccs/bin/nm -P CR1 | more

For example, the following output is obtained:

CR1:

[Index]  Value    Size  Type  Bind  Other  Shndx  Name

[180]   | 0      | 0   | FILE | LOCL | 0    | ABS   | decode_smtp.c

[2198]  | 160348 | 320 | FUNC | GLOB | 0    | 9     | decode_sniffer

These are the names of the object files from which the binary was built, and they tell you what the binary does.

Similarly, if you want to see which library files the binary calls, you can use nm -du CR1.

3. Of course, we can also use the dump command to obtain selected parts of any binary file.

$ /usr/ccs/bin/dump -c ./CR1 | more

dump command options:

-c dump the string table

-C dump the decoded C++ symbol table

-D dump debugging information

-f dump the header of each file

-h dump the section headers

-l dump line number information

-L dump dynamic linking and static shared library information

-o dump the execution header of each program

-r dump relocation information

-s dump section contents in hexadecimal

-t dump the symbol table

4. You can use the file command to obtain basic information about the binary file.

$ file CR1

5. If it is still unclear, we can use the ldd command.

$ ldd CR1

For example, the output is:

...

libsocket.so.1 => /usr/lib/libsocket.so.1

librpcsvc.so.1 => /usr/lib/librpcsvc.so.1

...

From this we know that the program is linked against network libraries, which gives a rough idea of what it does.

We can also use the adb command to step through the execution of a binary file.

For example:

$ adb CR1

:r

Using device /dev/hme0 (promiscuous mode)

192.168.2.119 -> web TCP D=22 S=1111 Ack=2013255208 Seq=1407308568 Len=0 Win=17520

web -> 192.168.2.119 TCP D=1111 S=22 Push Ack=1407308568

From this we know that the program is a sniffer.

6. If you are sure you want to run this program, you can first trace it with:

       $ truss -f -o cr.out ./cr1
       listening on hme0
       ^C
       $

The truss command records the system calls and signals of the program (here into cr.out), so you can see what the program is doing.

With these tools, we can probably find out what an unknown binary program is doing.
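As an added worked example (not code from the original article), the Python below performs the first pass of steps 1 and 5 statically: a strings(1) re-implementation plus a reader of the ELF DT_NEEDED entries, which gives the same library list ldd prints without handing the file to the dynamic loader (ldd can execute code from an untrusted binary's loader, so a static parse is the safer check). It assumes a little-endian ELF64 input; the triage() function and its names are mine.

```python
import struct

SHT_DYNAMIC, DT_NEEDED, DT_NULL = 6, 1, 0

def printable_strings(data, min_len=4):
    """Re-implementation of strings(1): runs of >= min_len printable ASCII bytes."""
    found, run = [], bytearray()
    for b in data + b"\0":            # trailing NUL flushes the last run
        if 0x20 <= b < 0x7f:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found

def needed_libraries(data):
    """DT_NEEDED entries of a little-endian ELF64 image, read from the section
    headers. This is what ldd reports, but nothing from the file is executed."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_shoff = struct.unpack_from("<Q", data, 40)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 58)
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    libs = []
    for sh in shdrs:
        if sh[1] != SHT_DYNAMIC:
            continue
        strtab = shdrs[sh[6]]                        # sh_link points at .dynstr
        names = data[strtab[4]:strtab[4] + strtab[5]]
        for off in range(sh[4], sh[4] + sh[5], 16):  # Elf64_Dyn is 16 bytes
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_NEEDED:
                libs.append(names[d_val:names.index(b"\0", d_val)].decode())
    return libs

def triage(data):
    """Static first pass over an unknown binary (hypothetical helper): usage and
    version strings plus the shared libraries it needs, without running it."""
    hints = [s for s in printable_strings(data)
             if s.startswith(("Usage:", "usage:", "Version"))]
    return {"hints": hints, "needed": needed_libraries(data)}
```

Run it as triage(open("CR1", "rb").read()); a usage line and a list containing libsocket.so.1 point at dsniff just as the strings and ldd output above did.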

Finally, a reminder: running unknown binary programs is a serious security risk. Please be careful.


The last time I debugged a program, it hit an error in dlopen: the message said the dynamic library contained undefined symbols when it was loaded. I knew it was a problem with the dynamic library, but I searched for a long time without solving it. Dr. Zhang came over, looked at the dynamic library with one ldd and determined that the library had a problem, then found the error with nm and ran ld on the library again. Problem solved. Amazing! I had also used these commands to check the library, but I had not found any problem; I am still not familiar with how to use them.
Here I sort out these commands to help remember them. (Mostly translations, hehe)
nm command
This command lists the symbols in object files. If no object file is given, a.out is assumed.
Synopsis

       nm [-a|--debug-syms] [-g|--extern-only]
          [-B] [-C|--demangle[=style]] [-D|--dynamic]
          [-S|--print-size] [-s|--print-armap]
          [-A|-o|--print-file-name]
          [-n|-v|--numeric-sort] [-p|--no-sort]
          [-r|--reverse-sort] [--size-sort] [-u|--undefined-only]
          [-t radix|--radix=radix] [-P|--portability]
          [--target=bfdname] [-f format|--format=format]
          [--defined-only] [-l|--line-numbers] [--no-demangle]
          [-V|--version] [-X 32_64] [--help] [objfile...]
Output format
Each line of nm output has three parts: 1. the symbol value, shown in hexadecimal by default (the radix can be changed); 2. the symbol type, where lowercase means a local symbol and uppercase means a global (external) symbol; 3. the symbol name. Here is an example:
08049ad8 A __bss_start
080485e8 t call_gmon_start
08049ad8 B completed.1
The symbol types are described below (I am not very familiar with them, so the translation may contain errors):
A
The symbol's value is absolute and will not be changed by further linking.
B
The symbol is in the uninitialized data section (known as BSS).
C
Common symbol. Common symbols are uninitialized data. When linking, multiple common symbols may appear with the same name. If the symbol is defined anywhere, the common symbols are treated as undefined references.
D
The symbol is in the initialized data section.
G
The symbol is in an initialized data section for small objects. Some object file formats permit more efficient access to small data objects, such as a global int variable as opposed to a large global array.
I
The symbol is an indirect reference to another symbol. This is a GNU extension and is rarely used.
N
Debugging symbol.
R
The symbol is in a read-only data section.
S
The symbol is in an uninitialized data section for small objects.
T
The symbol is in the text (code) section.
U
Undefined symbol.
V
Weak object symbol. When a weak defined symbol is linked with a normal defined symbol, the normal defined symbol is used with no error. When a weak undefined symbol is linked and the symbol is not defined, the value of the weak symbol becomes zero with no error.
W
A weak symbol that has not been specifically tagged as a weak object symbol.
-
A stabs symbol in an a.out object file. In this case, the next values printed are the stabs other field, the stabs desc field, and the stab type. Stabs symbols are used to hold debugging information.
?
Unknown symbol type, or a type specific to the object file format.
Command parameters
-t radix
--radix=radix
Use radix for printing symbol values: d for decimal, o for octal, x for hexadecimal.

-D
--dynamic
Display the dynamic symbols rather than the normal symbols. This is only meaningful for dynamic objects.

-f format
--format=format
Use the output format format, which can be "bsd", "sysv", or "posix". The default is "bsd".

-g
--extern-only
Display only external symbols.

-l
--line-numbers
For each symbol, use debugging information to find the file name and line number.

-u
--undefined-only
Display only undefined symbols.

--defined-only
Display only defined symbols.

--help
Show help.
