{"id":2793,"date":"2021-02-19T14:56:14","date_gmt":"2021-02-19T13:56:14","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=2793"},"modified":"2021-07-30T08:50:39","modified_gmt":"2021-07-30T06:50:39","slug":"reverse-engineering-tools","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=2793","title":{"rendered":"Reverse Engineering tools for the Linux&nbsp;<span class=\"caps\">ELF<\/span>"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">This page col\u00adlects tools for the <em>Lin\u00adux Exe\u00adcutable and Link\u00ading For\u00admat (<span class=\"caps\">ELF<\/span>) <\/em>with some basic commands.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">checksec.sh<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Shows which exploits mit\u00adi\u00adga\u00adtions a pro\u00adgram has. (<a href=\"https:\/\/trapkit.de\/tools\/checksec\/\">Source<\/a>)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">.\/checksec.sh --file file.elf<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">GDB<\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">See t<a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=3300\" data-type=\"post\" data-id=\"3300\">he gdb&nbsp;post.<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Objdump<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Obj\u00addump<\/em> shows infor\u00adma\u00adtion about a bina\u00adry (object) file.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Show the assem\u00adble code from a <span class=\"caps\">ELF<\/span>&nbsp;file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">objdump -d bin.elf<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Show all sym\u00adbols (e.g. used&nbsp;libs)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">objdump -tT bin.elf<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Objcopy<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Obj\u00adcopy<\/em> copies parts of a bina\u00adry to anoth\u00ader file. Use\u00adfull to extracts parts of a bina\u00adry to ana\u00adlyzes them more eas\u00adi\u00adly. The fol\u00adlow\u00ading copies the data sec\u00adtion of a bina\u00adry in a new&nbsp;file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">objcopy --only-section=.data bin.elf \/tmp\/data.bin<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">strace<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><em>strace<\/em> (<em>sys\u00adtem call trace<\/em>) uses the <code>ptrace<\/code> sys\u00adtem call to show infor\u00adma\u00adtion about the used sys\u00adtem calls in a bina\u00adry file or in a run\u00adning process. To obtain all sys\u00adtem calls from a bina\u00adry file,&nbsp;use<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">strace bin.elf [-o \/tmp\/bin.strace]<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">To obtain all sys\u00adtem calls from a run\u00adning process, use<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">strace -p $pid [-o \/tmp\/bin.strace]<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">To show all files the bina\u00adry wants to access, use<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">strace --trace=file bin.elf<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Or show only files the bina\u00adry wants to access which are cur\u00adrent\u00adly not on the filesystem:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">strace --trace=file --failed-only bin.elf<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Show all net\u00adwork relat\u00aded sys\u00adtem&nbsp;calls:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">strace --trace=network bin.elf<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">ltrace<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><em>ltrace<\/em> runs a giv\u00aden com\u00admand and out\u00adputs all library call dur\u00ading the pro\u00adgram\u2019s exe\u00adcu\u00adtion. Exe\u00adcute it&nbsp;with<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ltrace bin.elf [-o \/tmp\/bin.ltrace]<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">ftrace<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><em><a href=\"https:\/\/github.com\/elfmaster\/ftrace\">ftrace<\/a><\/em> shows the func\u00adtion calls of a bina\u00adry or process.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">readelf<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">read\u00adelf shows var\u00adi\u00adous infor\u00adma\u00adtion about an <span class=\"caps\">ELF<\/span>&nbsp;file.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Gen\u00ader\u00adal infor\u00adma\u00adtion: <code>readelf -h bin.elf<\/code><\/li><li>Sec\u00adtion head\u00ader table: <code>readelf -S bin.elf<\/code><\/li><li>Pro\u00adgram head\u00ader table: <code>readelf -l bin.elf<\/code><\/li><li>Sym\u00adbol table: <code>readelf -s bin.elf<\/code><\/li><li><span class=\"caps\">ELF<\/span> file head\u00aders: <code>readelf -e bin.elf<\/code><\/li><li>Show the seg\u00adments: <code>readelf --segments bin.elf<\/code><\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This page col\u00adlects tools for the Lin\u00adux Exe\u00adcutable and Link\u00ading For\u00admat (<span class=\"caps\">ELF<\/span>) with some basic com\u00admands. checksec.sh Shows which exploits mit\u00adi\u00adga\u00adtions a pro\u00adgram has. (Source) .\/checksec.sh \u2013file file.elf <span class=\"caps\">GDB<\/span> See the gdb&nbsp;post. Obj\u00addump Obj\u00addump shows infor\u00adma\u00adtion about a bina\u00adry (object) file. Show the assem\u00adble code from a <span class=\"caps\">ELF<\/span>&nbsp;file. obj\u00addump \u2011d bin.elf Show all sym\u00adbols (e.g. [\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[355],"tags":[420,415,419,417,416,421,418],"class_list":["post-2793","post","type-post","status-publish","format-standard","hentry","category-reverse-engineering","tag-ftrace","tag-gdb","tag-ltrace","tag-objcopy","tag-objdump","tag-readelf","tag-strace"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2793","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2793"}],"version-history":[{"count":11,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2793\/revisions"}],"predecessor-version":[{"id":3323,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2793\/revisions\/3323"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2793"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2793"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2793"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}