All Questions
45
questions
0
votes
0
answers
61
views
Improving the output of pseudocode C++ code from IDA Pro
I have some specific questions and some general ones about reverse-engineering a dynamic shared library via IDA Pro 8.3:
If I know the compiler used and compiler flags used (via readelf --debug-dump),...
0
votes
1
answer
72
views
Updating legacy library in an already compiled binary
I'm dealing with a reverse engineering challenge involving a binary application that was statically compiled with a legacy library. While the legacy library is not vulnerable, it lacks certain ...
1
vote
1
answer
438
views
Adding a program header to ELF
I am a newbie in this, and I am trying to add a program header to a simple ELF64 "Hello World" program on Ubuntu. All in changing the binary data of the ELF.
I went to the end of the program ...
1
vote
2
answers
592
views
Adding debug symbols with GDB
In CTFs when I'm given some ELF file, it usually wasn't compiled with the -g flag. Is there a way to to somehow edit the file to make it be as if the ELF file was originally compiled with the -g flag?
...
3
votes
1
answer
395
views
How can I verify section -> segment mapping for ELFs on linux?
I'm looking at at ELF on linux and I have readelf --segments ./myELF which shows:
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR ...
1
vote
1
answer
73
views
Patching a B(ranch) causes segfault in ARMv7 binary, while the same patch (with JMP) works on x64 binary
Any ideas why trying to patch a ARMv7 binary causes a segfault while basically the same patch on the Win64 version of the software works as expected?
Here is the Win64 version, that works
UPX0:...
0
votes
1
answer
2k
views
Running ELF file built for ARM arhitecture
My goal is to run and debug ELF file (c444) which is compiled for the ARM architecture. I have some experience with x32 and x64 Intel architectures. However, I down know how to proceed with ARM-based ...
1
vote
1
answer
157
views
How to split bytes into instructions in binary ELF file for x86
I'm working on a static code injector for ELF files. I need to "steal" some bytes in order to write jump to my code on their place and then execute stolen instructions somewhere in the ...
0
votes
1
answer
307
views
Call libc functions from the payload statically injected into ELF binary
I am working on ELF-injector, which given some payload (currently it's an assembly file with .text section only) will inject it into ELF binary. I had related post here.
Now I would like to make it ...
3
votes
1
answer
2k
views
ELF binary injection
I am currently working on an ELF-injector and my approach is standard: find code cave (long enough sequence of 0's), rewrite it with the instructions I want to execute and then jump back to the start ...
2
votes
0
answers
408
views
Shellcode execution segfault
I have been trying to exploit simple buffer overflow caused by scanf. I'm working on x86 Linux. The point is to spawn a shell. I sucesfully overwritten return address and jumped into my shellcode. But ...
4
votes
1
answer
770
views
IAT vs GOT address resolving: which of them resolve during runtime and which during load time by default?
So based on my knowledge on windows apps, as far as i know the IAT gets filled with correct addresses when the library gets loaded (correct me if I'm wrong)
now in linux, they use GOT, and again ...
3
votes
1
answer
257
views
What is actually loaded here and different hexdump outputs on util-linux hexdump and on cutter and ghidra's hexdump
I was trying to understand what segment of file gets loaded by fourth LOAD header on phdr array.
First 6 headers are shown below from readelf
Program Headers:
Type Offset ...
6
votes
1
answer
5k
views
Why have two symbols tables?
Why have two symbol tables if .symtab already contains everything that's in .dynsym ?
1
vote
1
answer
2k
views
Changing entry-point of and ELF file
I'm trying to conduct a little experiment which basically consists of changing the EP of an ELF file and executing an exit(9) syscall, without returning to the OEP. As shown in the image everything ...
2
votes
1
answer
171
views
Process Immediately Killed
I'm trying to reverse an ARM executable. It's for an embedded system, but I don't have any details about the normally targeted environment.
Here's what file shows: ELF 32-bit LSB executable, ARM, ...
2
votes
1
answer
3k
views
Disassemblers resolving (ELF) section names
I'm working with linux executables and was just wondering how it is that section names are resolved to addresses upon disassembly of an ELF.
For example take some random disassembly output from ...
1
vote
0
answers
2k
views
My core dump's backtrace stops to a signal handler, what can I do?
I obtained an ELF core dump that was provoked by fuzzing a proprietary server. As I do not have access anymore to the machine that hosted this server, and the server is part of a tightly coupled set ...
1
vote
1
answer
10k
views
Reverse engineering a golang binary file
I compiled docker by myself with some modifications. I would like to perform some static analysis to the binary. Mostly to see which parts of the code take more memory, etc. It's on linux (elf). Any ...
1
vote
2
answers
2k
views
IDA Pro - Applying function signatures
I have three files:
ELF executable,
ELF dynamically linked library (.so),
C headers file (.h) with function signatures and related structures for that library.
#1 imports a number of functions from #...
3
votes
1
answer
5k
views
IDA Pro debugging: follow child process
I'm reverse engineering a malware that creates a number of child processes and I'm trying to do dynamic analysis of the ELF binary with IDA Pro and IDA's Local Linux Debugger, but I can't get IDA to ...
4
votes
1
answer
3k
views
Is there a way to debug an elf file that runs with no problems with damaged header?
My question is general, but to have an example to work with, let us take one from Whirlwind Tutorial.
; tiny.asm
BITS 32
org 0x00010000
db 0x7F, "ELF" ; ...
2
votes
2
answers
5k
views
Changing Entrypoint in ELF executable
I wrote some code that does the following:
Searches for and finds an offset in a binary file to add code (looks for a sequence of 00s I can overwrite).
Then, I change the entrypoint of the ELF to ...
6
votes
1
answer
5k
views
Why are symbols with local binding present in the symbol table of my ELF files?
I found out that there are symbols with binding=LOCAL and visibility=HIDDEN in the symbol table (.symtab) of ELF executables/libraries. What are they needed for? They are not involved in the ...
6
votes
3
answers
9k
views
How to SUCCESSFULLY add a code section to an executable file in Linux?
I am in Linux, and I have seen this question a few times but never, nobody answered how to really make this work.
I need to add a section to an already compiled binary. Lets say for a moment is an ...
2
votes
0
answers
467
views
Using __kernel_vsyscall on x64 linux machine [closed]
I am trying to use __kernel_vsyscall instead of syscall/int 80 on linux x64.
I have read that it can be done on Intel chips (I have one), but i can't find how can one do it. I have x32 version:
int ...
1
vote
1
answer
414
views
Is it possible to rebuild an nexe file if I can read at arbitrary untrusted memory addresses?
Ok, I’m in a remote situation where I don’t have access to the remote filesystem but where I can run arbitrary python code (except I can’t fork processes and I don’t have access to ulimit and uname).
...
0
votes
2
answers
4k
views
Recognize the library functions of statically linked executable file in IDA Pro
Recently I worked on a Linux program which has all of its symbols stripped. Opening it with IDA resulted in none of its functions identified.
Thus I tried to extract any usable information from the ...
2
votes
2
answers
2k
views
How to locate module_init() offset from ELF header of Linux kernel module?
The header is self explanatory but to explain myself better.
I have an ELF binary - loadable kernel module, compiled with symbols.
I want to know how to locate the offset of the module_init() function....
1
vote
1
answer
5k
views
Unable to view stack and memory addresses in IDA Pro [duplicate]
I am debugging a 32-bit ELF executable using remote GDB debugging option of IDA Pro. However, I am unable to view the contents of stack in the stack view. Also, the stack pointer value is: 0xFFFFD328
...
4
votes
0
answers
343
views
Modern equivalent to rsymtab for reconstructing symbol table for statically linked / stripped binaries?
I'm working with a 32-bit ELF binary that (I believe) has been statically linked against a few different third-party libraries. It has also been stripped, so I don't have much to go on with respect to ...
2
votes
3
answers
7k
views
Where can I get Linux malware samples?
There have been numerous sites stated in this wonderful post that one could retrieve malware samples. However, I am having a difficult time (sorry D:) locating Linux-specific malware from those sites ...
11
votes
4
answers
8k
views
How can I generate a call graph from an unstripped x86 Linux ELF?
There's a piece of software, for which I only have the binary, not the source code. It's:
unobfuscated (so, not polymorphic or anything. It is optimized a bit, though)
unstripped
x86 32 bit
...
11
votes
2
answers
16k
views
Which python library for parsing Linux ELF files?
I want to be able to parse 32 and 64 bit ELF files - but not create or modify them (e.g. as discussed in this thread). The ELF binaries may possibly come from embedded Linux systems, that is, the ...
4
votes
1
answer
6k
views
How to disassemble/run mips ELF file ? (with readelf error)
So i want to disassemble and then run a MIPS elf file for the first time. As i don't have MIPS hardware i am using mipsel-unknown-linux-gnu toolchain.Here comes the problem. The output of the command ...
2
votes
1
answer
625
views
possible to rebase an ELF file?
Is there any way to rebase an ELF file?
(i want to load an elf binary at 0x40000000, not at 0x08040000 which is typical base)
I found this tool(prelink, http://en.wikipedia.org/wiki/Prelink), but it'...
3
votes
1
answer
4k
views
ELF link_map when linked as RELRO
When linking a binary with -Wl,-z,relro,-z,now, all relocations are performed at start-up before passing control to the binary.
Because of this, there is no need for the .got.plt segment. Normally, ...
3
votes
1
answer
1k
views
How to determine which thread implementation binary compiled with
Is it possible to determine if a binary (static or shared and not stripped) is compiled with Linuxthreads or NPTL implementation ?
1
vote
1
answer
2k
views
ldd showing absolute path only
Under what circumstances does the output of ldd have only the absolute path?
In the below eg, /usr/lib/arm-linux-gnueabihf/libcofi_rpi.so and /lib/ld-linux-armhf.so.3.
pi@raspberrypi ~ $ uname -a
...
1
vote
1
answer
939
views
Kernel dealing with the section headers in an ELF
I recently read that the kernel and the dynamic loader mostly deal with the program header tables in an ELF file and that assemblers, compilers and linkers deal with the section header tables.
The ...
5
votes
1
answer
3k
views
Merging elf shared-objects
Let say I have libA.so and libB.so, is there any way for me to combine them into a single shared library libC.so that contains all exported symbols of both libA.so and libB.so?
6
votes
3
answers
12k
views
Packers/Protectors for Linux
I was wondering if anyone had come across a packer/protector which could be used for ELF binaries. There seem to be quite a few articles on writing packers and protectors for the PE format -- however, ...
4
votes
1
answer
876
views
Changing parameter of function call in ELF executable
I want to alter a ELF executable function call and replace one of it's parameters.
The executable calls dlopen() function and passes RTLD_NOW as the flag parameter.
I want to change it to RTLD_LAZY.
...
20
votes
2
answers
6k
views
Why are GOT and PLT still present in Linux static stripped binaries?
I am looking at statically linked linux x86 stripped binary. I noticed that there are .got and .plt sections.
I wonder what does a statically linked binary need got and plt sections for ? Anyone ?
12
votes
1
answer
5k
views
How are stripped shared libraries linked against?
Lately I've been reversing the Android framework for the Nexus S mobile phone.
99% of the source code is of course open, but there are few propriety shared libraries which needs to be downloaded in ...