Linux Commands and Scripts

Steps to Analyze Binary Files in Linux

In this article, we’ll explain how to analyze binary files in Linux.

We’ll cover simple 5 commands and tools that can help you to analyze binary files easily. Linux provides a rich set of tools that makes analyzing binaries a breeze! Whatever might be your job role, if you are working on Linux, knowing the basics about these tools will help you understand your system better.

Let’s get started.

1. file

The file command will help you identify the exact file type that you are dealing with. file, specify a file specially formatted containing position-sensitive tests; default position-sensitive tests and context-sensitive tests will not be performed.

The command tells only what the file looks like, not what it is (in the case where file looks at the content). It is easy to fool the program by putting a magic number into a file the content of which does not match it. Thus the command is not usable as a security tool other than in specific situations.

# file file.c
file.c: C program text

# file /bin/ls

bin/ls: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=937708964f0f7e3673465d7749d6cf6a2601dea2, stripped, too many notes (256)

# file /etc/passwd
/etc/passwd: ASCII text

2. ldd

ldd prints the shared objects (shared libraries) required by each program or shared object specified on the command line. When software is being developed, we try not to reinvent the wheel. There are a set of common tasks that most software programs require, like printing output or reading from standard in, or opening files, etc.

All of these common tasks are abstracted away in a set of common functions that everybody can then use instead of writing their own variants. These common functions are put in a library called libc or glibc.

# ldd /bin/rm
linux-vdso.so.1 (0x00007ffcd6d7d000)
libc.so.6 => /lib64/libc.so.6 (0x00007f13d841c000)
/lib64/ld-linux-x86-64.so.2 (0x00007f13d89f1000)

3. hexdump

hexdump – display file contents in hexadecimal, decimal, octal, or ascii. The hexdump utility is a filter which displays the specified files, or standard input if no files are specified, in a user- specified format.

Opening unknown files in Hexdump helps you see what exactly the file contains. You can also choose to see the ASCII representation of the data present in the file using some command-line options. This might help give you some clues to what kind of file it is.

# hexdump -C /bin/ls | head
00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF…………|
00000010 03 00 3e 00 01 00 00 00 00 5e 00 00 00 00 00 00 |..>……^……|
00000020 40 00 00 00 00 00 00 00 70 82 02 00 00 00 00 00 |@…….p…….|
00000030 00 00 00 00 40 00 38 00 0a 00 40 00 1f 00 1e 00 |….@.8…@…..|
00000040 06 00 00 00 04 00 00 00 40 00 00 00 00 00 00 00 |……..@…….|
00000050 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 |@…….@…….|
00000060 30 02 00 00 00 00 00 00 30 02 00 00 00 00 00 00 |0…….0…….|
00000070 08 00 00 00 00 00 00 00 03 00 00 00 04 00 00 00 |…………….|
00000080 70 02 00 00 00 00 00 00 70 02 00 00 00 00 00 00 |p…….p…….|
00000090 70 02 00 00 00 00 00 00 1c 00 00 00 00 00 00 00 |p……………|

4 readelf

readelf displays information about one or more ELF format object files. The options control what particular information to display. ELF (Executable and Linkable File Format) is the dominant file format for executable or binaries, not just on Linux but a variety of UNIX systems as well. Having a reference of the actual ELF specification handy when using readelf can be very useful.

# readelf -h /bin/ls
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2’s complement, little endian
Version: 1 (current)
OS/ABI: UNIX – System V
ABI Version: 0
Type: DYN (Shared object file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x67d0
Start of program headers: 64 (bytes into file)
Start of section headers: 140224 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 13
Size of section headers: 64 (bytes)
Number of section headers: 30
Section header string table index: 29

5. objdump

objdump – display information from object files. objdump displays information about one or more object files. The options control what particular information to display. This information is mostly useful to programmers who are working on the compilation tools, as opposed to programmers who just want their program to compile and work. This compiler generates machine language instructions equivalent to the source code, which can then be executed by the CPU to perform a given task.

# objdump -d /bin/ls | head

/bin/ls: file format elf64-x86-64

Disassembly of section .init:

0000000000004000 <.init>:
4000: f3 0f 1e fa endbr64
4004: 48 83 ec 08 sub $0x8,%rsp
4008: 48 8b 05 c9 ef 01 00 mov 0x1efc9(%rip),%rax # 22fd8 <__gmon_start__>

In this article, we have seen how to analyze binary files in Linux.

Get a high performance dual E5 series dedicated server and cheap KVM VPS.

Related Articles