Quick start with tools to analyze executables | cpuinfo

Quick start with tools to analyze executables

In this tutorial we will look at some of the popular tools for analyzing executables (binaries). We divide the tools into two categories, static analysis tools and dynamic analysis tools.

  1. Static analysis tools
    1. objdump: object file dumper and disassembler
    2. readelf: ELF header and section reader
    3. strings: Extract strings from binaries
  2. Dynamic analysis tools
    1. strace: System call tracer
    2. ltrace: Library call tracer

Jargon

  1. Static analysis tools: tools that help analyse a binary without executing it
  2. Dynamic analysis tools: tools that execute the binary and capture run-time details (system calls, library calls, files touched) that help analyse it
  3. Sandbox: an isolated environment (for example a disposable virtual machine with no access to your network or data) for executing untrusted binaries

If you are analysing malware, take care with the dynamic analysis tools: strace and ltrace actually run the sample, so whatever it does, it does to your system. Malware analysis is therefore carried out in a sandbox environment.

Pre-requisite installations

sudo apt-get install binutils   # provides objdump, readelf and strings
sudo apt-get install strace
sudo apt-get install ltrace

File required for exercise

bindemo.c

#include <stdio.h>

int main(int argc, char const *argv[])
{
  FILE *fp;

  /* Creates (or truncates) out.txt in the current working directory. */
  fp = fopen("out.txt", "w");
  if (fp == NULL) {
    perror("fopen");
    return 1;
  }

  /* fprintf only fills stdio's buffer; the write(2) system call is
     issued when fclose() flushes that buffer. */
  fprintf(fp, "%s\n", "binarydemo");
  fclose(fp);

  return 0;
}

Compile the program using gcc as shown below (add -g if you want objdump -S in Exercise #1 to interleave the C source with the disassembly):

gcc -o bindemo bindemo.c

Exercises

Exercise #1: How to disassemble the binary using objdump?

To see the disassembly of the code sections of the binary use the following command:

objdump -S ./bindemo

-S interleaves the C source with the machine code only when the binary carries debug information (compiled with -g); otherwise it behaves like -d, a plain disassembly of the executable sections. -M intel switches from AT&T to Intel syntax, and recent binutils accept --disassemble=main to limit the output to a single symbol.

The snapshot below shows part of the disassembly for the binary, specifically the main function:

[snapshot: objdump -S disassembly of main]

Following are the main observations on the output shown in the snapshot above.

Exercise #2: Another way to analyse the binary, using readelf

To see the ELF file header of the binary use the following command:

readelf -h ./bindemo

The snapshot below shows the header of the binary:

[snapshot: readelf -h output]

Following are the main observations on the output shown in the snapshot above.

  1. It is a 64-bit ELF file (Class: ELF64)
  2. The OS/ABI is UNIX - System V, i.e. the binary follows the generic System V ABI that Linux uses (ABI => Application Binary Interface)
  3. The machine field says the binary is built for the x86-64 architecture
  4. The entry point (the address of _start, not of main) is 0x10f0. A small value like this means the binary was linked as a position-independent executable (readelf reports Type: DYN), so 0x10f0 is an offset from the load base the loader picks at run time, not a fixed virtual address
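To see where readelf gets those four answers, here is a small parser for the ELF file header written for this post; it is an added example, not code from the original page or from binutils. It decodes the same fields readelf -h prints, for both ELF64 and ELF32, and flags ET_DYN executables as PIEs so that the entry point is read correctly. The header bytes in CONSTRUCTED_HEADER and CONSTRUCTED_HEADER32 are constructed samples, not bytes taken from the bindemo binary; pass a real path on the command line to parse an actual file.

```python
import struct
import sys

# Field encodings from the ELF specification, limited to the values needed to
# reproduce the readelf -h lines discussed above.
ELF_MAGIC = b"\x7fELF"
ELFCLASS = {1: "ELF32", 2: "ELF64"}
ELFDATA = {1: "2's complement, little endian", 2: "2's complement, big endian"}
OSABI = {0: "UNIX - System V", 3: "UNIX - GNU/Linux", 9: "UNIX - FreeBSD"}
ETYPE = {1: "REL (Relocatable file)", 2: "EXEC (Executable file)",
         3: "DYN (Shared object or position-independent executable)",
         4: "CORE (Core file)"}
MACHINE = {3: "Intel 80386", 40: "ARM", 62: "Advanced Micro Devices X86-64",
           183: "AArch64"}


def parse_elf_header(data: bytes) -> dict:
    """Decode the ELF header (first 52 or 64 bytes of the file) into the
    fields readelf -h prints. Raises ValueError for anything that is not ELF."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file (bad magic)")
    ei_class, ei_data, ei_osabi = data[4], data[5], data[7]
    if ei_class not in ELFCLASS or ei_data not in ELFDATA:
        raise ValueError("unknown ELF class or data encoding")
    endian = "<" if ei_data == 1 else ">"
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
    # entry/phoff/shoff are 8 bytes in ELF64 and 4 bytes in ELF32.
    fmt = endian + ("HHIQQQIHHHHHH" if ei_class == 2 else "HHIIIIIHHHHHH")
    size = struct.calcsize(fmt)
    if len(data) < 16 + size:
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags, _ehsize,
     _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack(
        fmt, data[16:16 + size])
    return {
        "class": ELFCLASS[ei_class],
        "data": ELFDATA[ei_data],
        "os_abi": OSABI.get(ei_osabi, f"unknown ({ei_osabi})"),
        "type": ETYPE.get(e_type, f"unknown ({e_type})"),
        "machine": MACHINE.get(e_machine, f"unknown ({e_machine})"),
        "entry": e_entry,
        # ET_DYN executables are PIEs: e_entry is relative to a load base the
        # kernel chooses at exec time, so it is not a fixed virtual address.
        "pie": e_type == 3,
        "phoff": e_phoff, "phnum": e_phnum, "shoff": e_shoff, "shnum": e_shnum,
    }


def describe(hdr: dict) -> str:
    """Render the parsed header roughly the way readelf -h does."""
    entry = f"Entry point: {hdr['entry']:#x}"
    if hdr["pie"]:
        entry += "  (offset from load base, PIE)"
    return "\n".join([
        f"Class:       {hdr['class']}",
        f"Data:        {hdr['data']}",
        f"OS/ABI:      {hdr['os_abi']}",
        f"Type:        {hdr['type']}",
        f"Machine:     {hdr['machine']}",
        entry,
        f"Program headers: {hdr['phnum']} at offset {hdr['phoff']}",
        f"Section headers: {hdr['shnum']} at offset {hdr['shoff']}",
    ])


def parse_elf_file(path: str) -> dict:
    with open(path, "rb") as f:
        return parse_elf_header(f.read(64))


# Constructed sample headers (not bytes taken from the bindemo binary).
# 64-bit: little endian, System V ABI, ET_DYN, x86-64, entry 0x10f0,
# 13 program headers at offset 64, 31 section headers at offset 0x3690.
CONSTRUCTED_HEADER = (
    ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
    + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0x10F0, 64, 0x3690, 0,
                  64, 56, 13, 64, 31, 30)
)
# 32-bit: little endian, System V ABI, ET_EXEC (non-PIE), i386, entry 0x8048320.
CONSTRUCTED_HEADER32 = (
    ELF_MAGIC + bytes([1, 1, 1, 0]) + bytes(8)
    + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x08048320, 52, 0x1000, 0,
                  52, 32, 8, 40, 30, 27)
)

if __name__ == "__main__":
    hdr = (parse_elf_file(sys.argv[1]) if len(sys.argv) > 1
           else parse_elf_header(CONSTRUCTED_HEADER))
    print(describe(hdr))
```

Run it as python3 elfhdr.py ./bindemo to compare its output with readelf -h; the ELFCLASS/ELFDATA checks come first because every later field width depends on them, which is also why a fuzzed or truncated header must be rejected before unpacking.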

Exercise #3: How to dump all the strings inside a binary using strings?

To see the strings inside the binary use the following command:

strings bindemo

[snapshot: strings output]

You can observe the string out.txt, the name of the file the program opens, and binarydemo, the text it writes; both are literals stored in the binary's .rodata section. By default strings reports runs of at least 4 printable characters; -n N changes that minimum and -t x prefixes each string with its hex offset in the file, which helps when you later want to find where a suspicious string is referenced.
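The following is an added example for this post, not code from the original page or from GNU binutils: a reimplementation of what strings does (scan for runs of printable ASCII of a minimum length, report them with their file offset like strings -t x) plus a crude triage pass that tags paths, URLs, IP addresses and file names, which is the kind of filtering an analyst otherwise does by eye. CONSTRUCTED_BLOB is a constructed stand-in for part of the bindemo binary, not bytes taken from it; pass a real file on the command line to scan one.

```python
import re

MIN_LEN = 4  # GNU strings' default minimum run length


def find_strings(data: bytes, min_len: int = MIN_LEN):
    """Return (offset, text) for every run of at least min_len printable ASCII
    bytes (0x20-0x7e plus tab), which is what GNU strings reports by default."""
    found = []
    start = None
    for i, b in enumerate(data):
        if 0x20 <= b <= 0x7E or b == 0x09:
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            found.append((start, data[start:i].decode("ascii")))
        start = None
    if start is not None and len(data) - start >= min_len:   # run reaching end of data
        found.append((start, data[start:].decode("ascii")))
    return found


# Triage patterns; order matters, the first match wins.
PATTERNS = [
    ("shell", re.compile(r"^(/bin/sh|/bin/bash|cmd\.exe|powershell)", re.I)),
    ("url", re.compile(r"^(https?|ftp)://", re.I)),
    ("ipv4", re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")),
    ("path", re.compile(r"^/[\w.\-/]+$")),
    ("filename", re.compile(r"^[\w\-]+\.[a-z0-9]{1,4}$", re.I)),
]


def classify(text: str):
    """Return a triage tag for the string, or None if nothing stands out."""
    for label, pat in PATTERNS:
        if pat.search(text):
            return label
    return None


def report(data: bytes, min_len: int = MIN_LEN) -> str:
    """Like `strings -t x`: hex offset, the string, and a triage tag if any."""
    rows = []
    for off, text in find_strings(data, min_len):
        tag = classify(text)
        rows.append(f"{off:8x} {text}" + (f"    [{tag}]" if tag else ""))
    return "\n".join(rows)


# Constructed byte blob standing in for part of the bindemo binary: the ELF
# magic, the interpreter path, a few code bytes, then the .rodata literals
# from bindemo.c. Not bytes taken from the original post's binary.
CONSTRUCTED_BLOB = (
    b"\x7fELF\x02\x01\x01\x00"
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"\x48\x89\xe5\x90\x90\xc3"
    + b"out.txt\x00" + b"w\x00" + b"%s\n\x00" + b"binarydemo\x00"
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CONSTRUCTED_BLOB
    print(report(data))
```

Note what the 4-byte minimum hides: the "w" mode string and the "%s" format from bindemo.c never show up, and the 0x48 code byte ('H') is a single printable character that would become noise at -n 1. That is the trade-off behind the -n option, and why packed or obfuscated samples often yield almost nothing from strings at all.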

Exercise #4: How to trace system calls using strace?

strace is a utility that intercepts and records the system calls a process makes. This is useful while debugging and while performing security analysis on binaries, because system calls are the only way a program can touch files, the network or other processes.

Use the strace utility as below:

strace ./bindemo

Output of strace is shown in the snapshot below.

[snapshot: strace output]

Following are the main observations on the output shown in the snapshot above.

  1. The file is opened with the openat system call (modern glibc implements fopen via openat rather than open)
  2. The first argument AT_FDCWD is not a flag but the directory file descriptor: it tells the kernel to resolve the relative path "out.txt" against the current working directory (CWD)
  3. O_CREAT: the file is created if it does not exist
  4. O_WRONLY: the file is opened for writing only
  5. O_TRUNC: if the file exists it is truncated to length 0
  6. The process then queries the status of the file with the fstat system call (stdio uses it to size its buffer)
  7. It writes the string "binarydemo\n" into the file with a single write call; the length 11 is the 10 characters plus the trailing newline. Note that fprintf only fills stdio's buffer, and the write system call is issued when fclose flushes it, which is why the write appears immediately before close
  8. Finally the process closes the file descriptor using the close system call

Useful options for real analysis: -f follows child processes, -o FILE writes the trace to a file instead of stderr, -e trace=file restricts the trace to file-related calls (trace=network does the same for sockets), and -s N raises the number of string characters printed per argument (the default truncates long buffers).
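Reading a trace by eye works for a twelve-line program; for anything larger you want the file-descriptor bookkeeping done for you. The parser below is an added example written for this post, not code from the original page or from the strace project. It turns strace's default single-process output into events, keeps an fd-to-path table so that a descriptor number reused after close is attributed to the right file, and reports which files were created (O_CREAT) and how many bytes were written to each. SAMPLE_TRACE is a constructed trace that mirrors the observations above, not output captured for the original post; the format assumed is plain strace output without -f, -t or -T prefixes.

```python
import re

# name(args) = ret [ERRNO (message)]
LINE_RE = re.compile(r"^(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)(?:\s+(?P<err>.*))?$")


def split_args(s: str):
    """Split a strace argument list on top-level commas, leaving quoted
    strings and {...}/[...] aggregates (e.g. the struct stat) intact."""
    args, cur, depth, quoted, i = [], [], 0, False, 0
    while i < len(s):
        c = s[i]
        if quoted:
            cur.append(c)
            if c == "\\" and i + 1 < len(s):   # keep escapes such as \" and \n
                cur.append(s[i + 1])
                i += 1
            elif c == '"':
                quoted = False
        elif c == '"':
            quoted = True
            cur.append(c)
        elif c in "[{(":
            depth += 1
            cur.append(c)
        elif c in "]})":
            depth -= 1
            cur.append(c)
        elif c == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        args.append("".join(cur).strip())
    return args


def parse_line(line: str):
    """Turn one strace line into {name, args, ret, err}; None for non-syscall
    lines such as '+++ exited with 0 +++'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ret = int(m["ret"], 0)   # decimal fds/sizes, hex pointers, -1 on error
    except ValueError:
        ret = m["ret"]           # e.g. '?' for exit_group
    return {"name": m["name"], "args": split_args(m["args"]), "ret": ret, "err": m["err"]}


def summarize(trace_text: str) -> dict:
    """Map file descriptors back to paths and report which files the traced
    process created (O_CREAT) and how many bytes it wrote to each."""
    fd_table = {}   # fd -> path; needed because fd numbers are reused after close()
    created, written = [], {}
    for raw in trace_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["name"] in ("open", "openat"):
            # openat(dirfd, path, flags[, mode]) / open(path, flags[, mode])
            a = ev["args"] if ev["name"] == "open" else ev["args"][1:]
            path, flags = a[0].strip('"'), set(a[1].split("|"))
            if isinstance(ev["ret"], int) and ev["ret"] >= 0:
                fd_table[ev["ret"]] = path
                if "O_CREAT" in flags:
                    created.append(path)
        elif ev["name"] == "write" and isinstance(ev["ret"], int) and ev["ret"] > 0:
            path = fd_table.get(int(ev["args"][0]), f"fd {ev['args'][0]}")
            written[path] = written.get(path, 0) + ev["ret"]
        elif ev["name"] == "close":
            fd_table.pop(int(ev["args"][0]), None)
    return {"created": created, "written": written}


# Constructed trace mirroring the observations above (not output captured for
# the original post); the first openat/close pair shows why fd reuse matters.
SAMPLE_TRACE = """\
execve("./bindemo", ["./bindemo"], 0x7ffd2a5c1e40 /* 23 vars */) = 0
brk(NULL)                               = 0x55d3f4c2d000
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=27436, ...}) = 0
close(3)                                = 0
openat(AT_FDCWD, "out.txt", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
write(3, "binarydemo\\n", 11)            = 11
close(3)                                = 0
exit_group(0)                           = ?
+++ exited with 0 +++
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    print(summarize(text))
```

Run it on a saved trace with strace -o trace.txt ./bindemo followed by python3 tracesum.py trace.txt. Without the fd table, the write to descriptor 3 would be just as easily attributed to /etc/ld.so.cache, which the loader opened on the same number moments earlier; the same bookkeeping is what lets you tell a sample that writes to a dropped payload apart from one that only reads its own libraries.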

Exercise #5: How to trace library calls using ltrace?

ltrace sits one level above strace: instead of system calls it records the calls the program makes into shared libraries, by intercepting the entries in the binary's PLT. Use it as below:

ltrace ./bindemo

For a dynamically linked bindemo the output lists the libc functions the program calls, such as fopen and fclose, with their arguments and return values; add -S to see the system calls interleaved with the library calls. ltrace shows nothing useful for a statically linked binary, because there are no PLT entries to hook.


This post is licensed under CC BY 4.0 by the author.