This page col­lects tools for the Lin­ux Exe­cutable and Link­ing For­mat (ELF) with some basic commands.

checksec.sh

Shows which exploits mit­i­ga­tions a pro­gram has. (Source)

./checksec.sh --file file.elf

GDB

See the gdb post.

Objdump

Obj­dump shows infor­ma­tion about a bina­ry (object) file.

Show the assem­ble code from a ELF file.

objdump -d bin.elf

Show all sym­bols (e.g. used libs)

objdump -tT bin.elf

Objcopy

Obj­copy copies parts of a bina­ry to anoth­er file. Use­full to extracts parts of a bina­ry to ana­lyzes them more eas­i­ly. The fol­low­ing copies the data sec­tion of a bina­ry in a new file:

objcopy --only-section=.data bin.elf /tmp/data.bin

strace

strace (sys­tem call trace) uses the ptrace sys­tem call to show infor­ma­tion about the used sys­tem calls in a bina­ry file or in a run­ning process. To obtain all sys­tem calls from a bina­ry file, use

strace bin.elf [-o /tmp/bin.strace]

To obtain all sys­tem calls from a run­ning process, use

strace -p $pid [-o /tmp/bin.strace]

To show all files the bina­ry wants to access, use

strace --trace=file bin.elf

Or show only files the bina­ry wants to access which are cur­rent­ly not on the filesystem:

strace --trace=file --failed-only bin.elf

Show all net­work relat­ed sys­tem calls:

strace --trace=network bin.elf

ltrace

ltrace runs a giv­en com­mand and out­puts all library call dur­ing the pro­gram’s exe­cu­tion. Exe­cute it with

ltrace bin.elf [-o /tmp/bin.ltrace]

ftrace

ftrace shows the func­tion calls of a bina­ry or process.

readelf

read­elf shows var­i­ous infor­ma­tion about an ELF file.

• Gen­er­al infor­ma­tion: readelf -h bin.elf
• Sec­tion head­er table: readelf -S bin.elf
• Pro­gram head­er table: readelf -l bin.elf
• Sym­bol table: readelf -s bin.elf
• ELF file head­ers: readelf -e bin.elf
• Show the seg­ments: readelf --segments bin.elf