All Questions
45 questions
2 votes, 1 answer, 171 views
Process Immediately Killed
I'm trying to reverse an ARM executable. It's for an embedded system, but I don't have any details about the normally targeted environment.
Here's what file shows: ELF 32-bit LSB executable, ARM, ...
2 votes, 1 answer, 3k views
Disassemblers resolving (ELF) section names
I'm working with linux executables and was just wondering how it is that section names are resolved to addresses upon disassembly of an ELF.
For example take some random disassembly output from ...
1 vote, 0 answers, 2k views
My core dump's backtrace stops to a signal handler, what can I do?
I obtained an ELF core dump that was provoked by fuzzing a proprietary server. As I do not have access anymore to the machine that hosted this server, and the server is part of a tightly coupled set ...
1 vote, 1 answer, 10k views
Reverse engineering a golang binary file
I compiled docker by myself with some modifications. I would like to perform some static analysis to the binary. Mostly to see which parts of the code take more memory, etc. It's on linux (elf). Any ...
1 vote, 2 answers, 2k views
IDA Pro - Applying function signatures
I have three files:
ELF executable,
ELF dynamically linked library (.so),
C headers file (.h) with function signatures and related structures for that library.
#1 imports a number of functions from #...
3 votes, 1 answer, 5k views
IDA Pro debugging: follow child process
I'm reverse engineering a malware that creates a number of child processes and I'm trying to do dynamic analysis of the ELF binary with IDA Pro and IDA's Local Linux Debugger, but I can't get IDA to ...
4 votes, 1 answer, 3k views
Is there a way to debug an elf file that runs with no problems with damaged header?
My question is general, but to have an example to work with, let us take one from Whirlwind Tutorial.
; tiny.asm
BITS 32
org 0x00010000
db 0x7F, "ELF" ; ...
2 votes, 2 answers, 5k views
Changing Entrypoint in ELF executable
I wrote some code that does the following:
Searches for and finds an offset in a binary file to add code (looks for a sequence of 00s I can overwrite).
Then, I change the entrypoint of the ELF to ...
6 votes, 1 answer, 5k views
Why are symbols with local binding present in the symbol table of my ELF files?
I found out that there are symbols with binding=LOCAL and visibility=HIDDEN in the symbol table (.symtab) of ELF executables/libraries. What are they needed for? They are not involved in the ...
6 votes, 3 answers, 9k views
How to SUCCESSFULLY add a code section to an executable file in Linux?
I am in Linux, and I have seen this question a few times but never, nobody answered how to really make this work.
I need to add a section to an already compiled binary. Let's say for a moment is an ...
2 votes, 0 answers, 467 views
Using __kernel_vsyscall on x64 linux machine [closed]
I am trying to use __kernel_vsyscall instead of syscall/int 80 on linux x64.
I have read that it can be done on Intel chips (I have one), but I can't find how can one do it. I have x32 version:
int ...
1 vote, 1 answer, 414 views
Is it possible to rebuild an nexe file if I can read at arbitrary untrusted memory addresses?
Ok, I’m in a remote situation where I don’t have access to the remote filesystem but where I can run arbitrary python code (except I can’t fork processes and I don’t have access to ulimit and uname).
...
0 votes, 2 answers, 4k views
Recognize the library functions of statically linked executable file in IDA Pro
Recently I worked on a Linux program which has all of its symbols stripped. Opening it with IDA resulted in none of its functions identified.
Thus I tried to extract any usable information from the ...
2 votes, 2 answers, 2k views
How to locate module_init() offset from ELF header of Linux kernel module?
The header is self explanatory but to explain myself better.
I have an ELF binary - loadable kernel module, compiled with symbols.
I want to know how to locate the offset of the module_init() function....
1 vote, 1 answer, 5k views
Unable to view stack and memory addresses in IDA Pro [duplicate]
I am debugging a 32-bit ELF executable using remote GDB debugging option of IDA Pro. However, I am unable to view the contents of stack in the stack view. Also, the stack pointer value is: 0xFFFFD328
...