The method of analyzing bin File under Linux

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article introduces methods for analyzing bin files under Linux. Many people have questions about how to analyze a binary on Linux, so the editor went through the available material and put together a simple, easy-to-use set of commands. Hopefully it answers those questions; follow along with the editor and try each one.

File

The file command is used to analyze the type of file.

If you need to analyze a binary, the file command is a good place to start. Under Linux everything is a file, but not every file is executable: there are also text files, pipes, symbolic links, socket files, and so on.

Before analyzing a file, we can use the file command to find out its type. Beyond the type, the output also shows other useful information, such as the architecture, whether it is dynamically linked, and whether symbols have been stripped.

$ file /bin/pwd
/bin/pwd: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0d264bacf2adc568f0e21cbcc9576df434c44380, stripped

Ldd

The ldd command lists the shared libraries an executable depends on.

When we use the file command to analyze an executable file, we can sometimes see the word dynamically linked in the output. What does this mean?

Most programs use third-party libraries so that you don't have to reinvent the wheel, which saves a lot of time. In the simplest case, if we write a C program, we will certainly use the libc (glibc) library, and other libraries may be used as well.

When do we need to analyze a program's dependencies? Here is a scenario you have probably experienced: you copy a program written by a colleague and run it in your own environment, and sometimes it will not run. There can be many reasons for that, but one of them is a missing dependency library.

This is where ldd comes in handy. It lists the libraries the program needs; you then only have to put the corresponding libraries in the corresponding locations.

$ ldd /bin/pwd
	linux-vdso.so.1 => (0x00007ffeb73e5000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f908b321000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f908b6ef000)

Ltrace

ltrace tracks the library function calls made by a process.

We can use ldd to find the libraries a program depends on, but a library contains anywhere from a few to a great many functions, so how do we know which functions the program actually calls?

The ltrace command does exactly this. In the following example, we can see each function the program calls, the arguments passed in, and the return value of each call.

$ ltrace /bin/pwd
__libc_start_main(0x401760, 1, 0x7ffff6524cc8, 0x404a00 <unfinished ...>
getenv("POSIXLY_CORRECT") = nil
strrchr("/bin/pwd", '/') = "/pwd"
setlocale(LC_ALL, "") = "en_US.utf8"
bindtextdomain("coreutils", "/usr/share/locale") = "/usr/share/locale"
textdomain("coreutils") = "coreutils"
__cxa_atexit(0x4022f0, 0, 0, 0x736c6974756572) = 0
getopt_long(1, 0x7ffff6524cc8, "LP", 0x606d00, nil) = -1
getcwd(nil, 0) = ""
puts("/home/alvin"/home/alvin
) = 12
free(0x22bc030) = <void>
exit(0 <unfinished ...>
__fpending(0x7f3048865400, 0, 64, 0x7f3048865eb0) = 0
fileno(0x7f3048865400) = 1
__freading(0x7f3048865400, 0, 64, 0x7f3048865eb0) = 0
__freading(0x7f3048865400, 0, 2052, 0x7f3048865eb0) = 0
fflush(0x7f3048865400) = 0
fclose(0x7f3048865400) = 0
__fpending(0x7f30488651c0, 0, 3328, 0xfbad000c) = 0
fileno(0x7f30488651c0) = 2
__freading(0x7f30488651c0, 0, 3328, 0xfbad000c) = 0
__freading(0x7f30488651c0, 0, 4, 0xfbad000c) = 0
fflush(0x7f30488651c0) = 0
fclose(0x7f30488651c0) = 0
+++ exited (status 0) +++

Strace

The strace command can be used to track system calls and signals while the program is running.

From the above, we know that ltrace tracks library function calls. strace is similar, but it tracks system calls. What is a system call? Simply put, system calls are how a program asks the kernel to do work on its behalf.

For example, if we want to print some characters on the screen, we can use the printf or puts functions, both of which are libc library functions; at a lower level, both end up invoking the write system call.

$ strace -f /bin/pwd
execve("/bin/pwd", ["/bin/pwd"], [/* 24 vars */]) = 0
brk(NULL)                               = 0xbc9000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f918ba69000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=38684, ...}) = 0
mmap(NULL, 38684, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f918ba5f000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20&\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2156160, ...}) = 0
mmap(NULL, 3985888, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f918b47b000
mprotect(0x7f918b63e000, 2097152, PROT_NONE) = 0
mmap(0x7f918b83e000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c3000) = 0x7f918b83e000
mmap(0x7f918b844000, 16864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f918b844000
close(3)                                = 0
...
+++ exited with 0 +++
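Reading a trace by eye works for /bin/pwd, but a longer trace is easier to review once the calls are parsed. The following is an added example, not part of the original article: a small parser for strace lines of the form shown above (one complete call per line, no pid prefix or <unfinished ...> markers), run over a constructed sample copied from the trace, that pulls out every path the program touched and which lookups failed with ENOENT (the missing-dependency case described in the ldd section).

```python
import re

# Constructed sample: lines from the strace run of /bin/pwd shown above.
SAMPLE_TRACE = """\
execve("/bin/pwd", ["/bin/pwd"], [/* 24 vars */]) = 0
brk(NULL)                               = 0xbc9000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=38684, ...}) = 0
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
mmap(NULL, 3985888, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f918b47b000
close(3)                                = 0
+++ exited with 0 +++
"""

# name(args) = ret [ERRNO (text)]  -- one complete call per line, as in the trace above
CALL_RE = re.compile(r"^(?P<name>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>-?\w+)(?P<rest>.*)$")
PATH_CALLS = {"execve", "open", "openat", "access", "stat", "readlink"}

def parse_call(line: str):
    """Split one strace line into name, raw args, numeric return value and errno."""
    m = CALL_RE.match(line)
    if m is None:                      # e.g. the "+++ exited with 0 +++" trailer
        return None
    ret = int(m.group("ret"), 0)       # handles 3, -1 and 0xbc9000 alike
    errno = None
    if ret < 0:
        em = re.match(r"\s*(E[A-Z]+)", m.group("rest"))
        errno = em.group(1) if em else None
    return {"name": m.group("name"), "args": m.group("args"), "ret": ret, "errno": errno}

def paths_touched(trace: str):
    """(path, syscall, errno) for every path-taking call; the path is the first quoted arg."""
    out = []
    for line in trace.splitlines():
        call = parse_call(line)
        if call and call["name"] in PATH_CALLS:
            pm = re.search(r'"([^"]*)"', call["args"])
            if pm:
                out.append((pm.group(1), call["name"], call["errno"]))
    return out

def failed_lookups(trace: str):
    """Paths the program asked for but did not find; a missing library shows up here."""
    return [p for p, _, err in paths_touched(trace) if err == "ENOENT"]
```

On a real trace, feed `strace -o trace.txt ./prog` output to `paths_touched`; a library resolved from an unexpected directory, or a lookup that fails in a system path and then succeeds elsewhere, is worth a second look.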

Hexdump

The hexdump command is used to view the hexadecimal encoding of binary files, but it can actually view any file, not just binaries.

If you open a binary file directly in a text editor, you will see a pile of garbled characters. hexdump lets you view its contents in a readable form instead.

hexdump's display format is: the byte offset on the left, the hexadecimal encoding of the file in the middle, and, on the right, any bytes that are printable characters.

With this command we can get a general idea of what is in the binary file, which makes the later steps more convenient.

$ hexdump -C /bin/pwd | head
00000000  7f 45 4c 46 02 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 3e 00 01 00 00 00  17 19 40 00 00 00 00 00  |..>.......@.....|
00000020  40 00 00 00 00 00 00 00  50 7a 00 00 00 00 00 00  |@.......Pz......|
00000030  00 00 00 00 40 00 38 00  09 00 40 00 1e 00 1d 00  |....@.8...@.....|
00000040  06 00 00 00 05 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
00000050  40 00 40 00 00 00 00 00  40 00 40 00 00 00 00 00  |@.@.....@.@.....|
00000060  f8 01 00 00 00 00 00 00  f8 01 00 00 00 00 00 00  |................|
00000070  08 00 00 00 00 00 00 00  03 00 00 00 04 00 00 00  |................|
00000080  38 02 00 00 00 00 00 00  38 02 40 00 00 00 00 00  |8.......8.@.....|
00000090  38 02 40 00 00 00 00 00  1c 00 00 00 00 00 00 00  |8.@.............|

Strings

The strings command prints the printable character sequences found in a binary file.

What are printable characters? Simply put, the characters you can see on the screen, such as abcABC,.:.

A binary file contains many non-printable characters, so it cannot be opened directly in a text editor. During development we often add diagnostic messages, such as debug, warning and error log strings; these can be seen with the strings command.

$ strings /bin/pwd | head
/lib64/ld-linux-x86-64.so.2
libc.so.6
fflush
strcpy
__printf_chk
readdir
setlocale
mbrtowc
strncmp
optind

Readelf

readelf is used to view information about files in ELF format.

ELF (Executable and Linkable Format) is a fairly complex file format, but it is very widely used. When the file command shows that a file is an ELF file, you can use readelf to read the file's details.

$ readelf -h /bin/pwd
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x401917
  Start of program headers:          64 (bytes into file)
  Start of section headers:          31312 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         9
  Size of section headers:           64 (bytes)
  Number of section headers:         30
  Section header string table index: 29
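The readelf output above is just a decoding of the first 64 bytes shown by hexdump. As an added example (not code from the article), the following Python decodes those same 64 bytes by hand: the magic check is the first test file applies, and the remaining fields come out exactly as readelf -h prints them. It only looks at bytes and never runs the file, and it rejects a truncated or self-inconsistent header instead of trusting sizes read from it; the PWD_HEADER bytes are transcribed from the hexdump output above.

```python
import struct

# Constructed input: the first 64 bytes of /bin/pwd, transcribed from the
# hexdump -C output above (one 16-byte row per string below).
PWD_HEADER = bytes.fromhex(
    "7f454c46020101000000000000000000"   # e_ident: magic, ELF64, LSB, SysV
    "02003e00010000001719400000000000"   # EXEC, x86-64, version 1, entry 0x401917
    "4000000000000000507a000000000000"   # e_phoff = 64, e_shoff = 31312
    "0000000040003800090040001e001d00"   # flags, ehsize, ph/sh sizes and counts
)

ELF_MAGIC = b"\x7fELF"
# ELF64 little-endian fields after the 16-byte e_ident: e_type e_machine e_version
# e_entry e_phoff e_shoff e_flags e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
ELF64_REST = "<HHIQQQIHHHHHH"
TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
MACHINES = {3: "Intel 80386", 62: "Advanced Micro Devices X86-64", 183: "AArch64"}

def is_elf(data: bytes) -> bool:
    """The first test `file` applies: does the data start with the ELF magic?"""
    return data[:4] == ELF_MAGIC

def parse_elf_header(data: bytes) -> dict:
    """Decode an ELF64 little-endian header the way `readelf -h` does.
    Anything else, including a truncated or self-inconsistent header, raises."""
    if not is_elf(data) or len(data) < 64:
        raise ValueError("not an ELF file, or header truncated")
    ei_class, ei_data, ei_version, ei_osabi = data[4], data[5], data[6], data[7]
    if ei_class != 2 or ei_data != 1 or ei_version != 1:
        raise ValueError("only ELF64 little-endian version 1 is handled here")
    (e_type, e_machine, _, e_entry, e_phoff, e_shoff, e_flags, e_ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = struct.unpack(ELF64_REST, data[16:64])
    # Never trust sizes read from the file: check them against the fixed ELF64 layout.
    if e_ehsize != 64 or (e_phnum and e_phentsize != 56) or (e_shnum and e_shentsize != 64):
        raise ValueError("inconsistent header sizes")
    if e_shnum and e_shstrndx >= e_shnum:
        raise ValueError("section header string table index out of range")
    return {
        "class": "ELF64", "osabi": ei_osabi,
        "type": TYPES.get(e_type, hex(e_type)),
        "machine": MACHINES.get(e_machine, hex(e_machine)),
        "entry": e_entry, "phoff": e_phoff, "shoff": e_shoff, "flags": e_flags,
        "phentsize": e_phentsize, "phnum": e_phnum,
        "shentsize": e_shentsize, "shnum": e_shnum, "shstrndx": e_shstrndx,
    }

print(parse_elf_header(PWD_HEADER))  # 'entry': 4200727 (0x401917), 'phoff': 64, 'shoff': 31312, ...
```

To try it on a real file, pass `open(path, "rb").read(64)` instead of PWD_HEADER.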

Objdump

objdump is a tool from the GCC toolchain for viewing the composition of an object file or executable object file.

We know that after a program is written, it must be compiled before it becomes a binary the computer can execute; the source code we write cannot be executed directly. It is compiled into assembly (machine instructions), which the computer then executes in sequence.

The objdump command reads the executable and prints out its assembly instructions. So if you want to understand objdump's output, you need some background in assembly.

$ objdump -d /bin/pwd | head

/bin/pwd:     file format elf64-x86-64


Disassembly of section .init:

0000000000401350 <.init>:
  401350:	48 83 ec 08          	sub    $0x8,%rsp
  401354:	48 8b 05 6d 5c 20 00 	mov    0x205c6d(%rip),%rax        # 606fc8
  40135b:	48 85 c0             	test   %rax,%rax

Nm

The nm command lists the symbols in an object file (put plainly: functions, global variables, and so on).

If a program was compiled and not stripped, nm can uncover important secrets hidden in the executable: it lists the variables and functions in the file, which is of great value when reverse engineering it.

Let's explain the purpose of nm with a short, simple program. When compiling it we add the -g option, which makes the compiled file contain more useful (debug) information.

$ cat hello.c
#include <stdio.h>

int main() {
    printf("Hello world!");
    return 0;
}
$ gcc -g hello.c -o hello
$ file hello
hello: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=3de46c8efb98bce4ad525d3328121568ba3d8a5d, not stripped
$ ./hello
Hello world!
$ nm hello | tail
0000000000600e20 d __JCR_END__
0000000000600e20 d __JCR_LIST__
00000000004005b0 T __libc_csu_fini
0000000000400540 T __libc_csu_init
                 U __libc_start_main@@GLIBC_2.2.5
000000000040051d T main
                 U printf@@GLIBC_2.2.5
0000000000400490 t register_tm_clones
0000000000400430 T _start
0000000000601030 D __TMC_END__
$

Gdb

gdb is the GNU debugger.

Everyone has heard of gdb to some degree. When we write code in an IDE, we can debug by setting breakpoints, stepping, inspecting the values of variables, and so on. Underneath, the IDE is calling gdb.

You can write a lot about the use of gdb, so this article won't go any further. Let's start with a short demonstration of the most basic functions of gdb.

$ gdb -q ./hello
Reading symbols from /home/flash/hello...done.
(gdb) break main
Breakpoint 1 at 0x400521: file hello.c, line 4.
(gdb) info break
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   0x0000000000400521 in main at hello.c:4
(gdb) run
Starting program: /home/flash/./hello

Breakpoint 1, main () at hello.c:4
4	    printf("Hello world!");
Missing separate debuginfos, use: debuginfo-install glibc-2.17-260.el7_6.6.x86_64
(gdb) bt
#0  main () at hello.c:4
(gdb) c
Continuing.
Hello world![Inferior 1 (process 29620) exited normally]
(gdb) q
$

This concludes the study of "the method of analyzing bin files under Linux". Hopefully it has answered your questions; combining theory with practice is the best way to learn, so go and try these commands yourself.
