Turn: A common binary file analysis method for Linux

When you get a binary file under Unix and don't know what it is, you can get a hint in the following ways

1, the first should try to strings command, such as get a binary file called CR1, you can:

$ Strings CR1 | More

There may be some description of this CR1, which is a textual description left in the program after compilation, so you may be able to tell you what the file is.

For example, there is output:

$ strings CR1 | more
%s%s%s%s%s-%s%s%s (%.*s)
version:2.3
Usage : Dsniff [-CDMN] [-I interface] [-S snaplen] [-F services]
[-T trigger[,...]] [-r|-w SaveFile] [Expression]
...
/USR/LOCAL/LIB/DSNIFF.MAGIC
/USR/LOCAL/LIB/DSNIFF.SERVICES

Then we can know, in fact CR1 is Dsniff command.

2. If such a method does not help you, then you can try:

$/usr/ccs/bin/nm-p CR1 | More

For example, get the following output:

CR1:
[Index] Value Size Type Bind other shndx Name
[180] | 0| FILE | Locl | 0 | ABS | Decode_smtp.c
[2198] |160348| 320| FUNC | GLOB | 0 | 9 | Decode_sniffer

These are the file names of the obj files that generate this binary, and these names will tell you what the binary file does.

Similarly, you can use Nm-du CR1 if you want to see what static library files are called by binary files.

3, of course, we can also use the dump command to get any selected part of a binary file information

$/usr/ccs/bin/dump-c./CR1 | More

Parameter description of the dump command:

-C Dump out string table

-C Dump out C + + symbol table

-D Dump out debugging information

-F Dump out the header of each file

-H Dump the head of the Section

-L Dump Travel information

-L dump out dynamic and static link library part content

-O dump out the executable header for each program

-R Dump out relocation information

-S dump the contents of a section with hex information

-T dump symbol table.

4, you can use the file command to get the information of the binary file

$ file CR1

5, if still not clear, then we can use the LDD command

$ LDD CR1

For example, the output is:
...
Libsocket.so.1 =/usr/lib/libsocket.so.1
Librpcsvc.so.1 =/usr/lib/librpcsvc.so.1
...

Then we can know that this program is related to the network library, we can know its approximate function.

We can also go through the ADB command to get a binary file execution process.

For example:
$ adb CR1
: R
Using DEVICE/DEV/HME0 (Promiscuous mode)
192.168.2.119 Web TCP d=22 s=1111 ack=2013255208
seq=1407308568 len=0 win=17520
Web-192.168.2.119 TCP d=1111 s=22 Push ack=1407308568

We know that this program is a sniffer.

6. If you are sure you want to run this program, you can first pass:

$ truss -f -o cr.out ./cr1
listening on hme0
^C
$

The truss command can help you turn on the system's signal and call output. You can see what the program is doing.

With these tools in mind, we can probably see what an unknown binary program actually does.

Finally, you are aware that running a binary program that you do not understand has serious security issues, so please be careful.