Friday, July 29, 2011
Examining an unknown binary file in Linux
Let's say you have come across an unknown binary file on a Linux server and want to know more about it.
Steps to follow:
i) First run the 'file' command to get its file type and other details: whether it is an ELF executable, 32- or 64-bit, dynamically or statically linked, and whether its symbols have been stripped.
ii) Check whether the file was installed from an RPM by executing "rpm -qf [filename]". If a package owns it, run "rpm -V [package]" to confirm the installed file still matches what the package shipped; an executable that no package owns, sitting in /tmp or a system path, deserves a closer look.
iii) Check which shared libraries the binary uses by running "ldd". Be aware that ldd may invoke the program's dynamic loader on the file, so for a binary you do not trust use "readelf -d [filename]" or "objdump -p [filename]" to list the NEEDED entries instead.
iv) Check when the file was last modified, accessed and changed with the "stat" command. Keep in mind that the access and modify times can be set to anything with touch, while the change time (ctime) is maintained by the kernel and is much harder to forge.
v) Finally, list the printable character sequences in the file with the "strings" command and see whether anything in the output gives it away. For a dynamically linked binary the output includes the names of the C library functions it imports (fopen, malloc, execve and so on) as well as its embedded text such as usage messages, format strings and file paths, which is often enough to tell what the program is. If you are familiar with the standard C library functions, it will be relatively easy for you to figure out.
[root@hostxyz tmp]# ls
hsperfdata_root lost+found strange_file
[root@hostxyz tmp]# file strange_file
strange_file: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped
[root@hostxyz tmp]# rpm -qf strange_file
file /tmp/strange_file is not owned by any package
[root@hostxyz tmp]# ldd strange_file
libproc-3.2.7.so => /lib64/libproc-3.2.7.so (0x0000003ea3000000)
libc.so.6 => /lib64/libc.so.6 (0x0000003ea2c00000)
[root@hostxyz tmp]# stat strange_file
Size: 7816 Blocks: 16 IO Block: 4096 regular file
Device: 803h/2051d Inode: 98306 Links: 1
Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2011-07-28 16:52:03.000000000 -0500
Modify: 2011-07-28 15:48:20.000000000 -0500
Change: 2011-07-28 15:49:57.000000000 -0500
[root@hostxyz tmp]# strings strange_file
usage: uptime [-V]
-V display version
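The transcript above shows the three pieces of evidence converging: the file is owned by no package, it links libproc (the procps library), and its usage text reads "usage: uptime [-V]", which is what the procps uptime binary prints. The following script is an added example, not part of the original post, that runs steps i) to v) in order as one POSIX sh function and adds two checks the steps imply but do not spell out: testing the ELF magic bytes directly instead of trusting the file name, and hashing the file so it can be compared against the package-owned copy (here that would be /usr/bin/uptime). It uses readelf -d rather than ldd for the library list, since ldd may run the dynamic loader on an untrusted file. Tool availability (file, rpm, readelf, ldd, sha256sum) is checked at run time; the path /tmp/strange_file at the bottom is the one from the post and is only an assumption for the usage call.

```shell
#!/bin/sh
# Added example (not the original post's code): triage an unknown binary with
# the same steps as the post, plus an ELF-magic check and a hash for comparison.

# Return 0 if the first four bytes are the ELF magic (0x7f 'E' 'L' 'F').
is_elf() {
    [ "$(LC_ALL=C head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Portable stand-in for strings(1): print runs of at least N printable chars.
# Every byte that is not printable is turned into a line break first.
printable_strings() {
    min=${2:-4}
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E "^.{$min,}$"
}

# Steps i) to v) from the post, each guarded so the script degrades
# gracefully on a host that lacks one of the tools.
triage_binary() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }

    echo "== i) file type"
    if is_elf "$f"; then echo "ELF magic present"; else echo "not an ELF file"; fi
    if command -v file >/dev/null 2>&1; then file "$f"; fi

    echo "== ii) package ownership"
    if command -v rpm >/dev/null 2>&1; then
        if pkg=$(rpm -qf "$f" 2>/dev/null); then
            echo "owned by $pkg; verifying package files"
            rpm -V "$pkg" || echo "WARNING: $pkg has files that differ from the package"
        else
            echo "not owned by any package"
        fi
    fi

    echo "== iii) shared libraries (static view, does not run the loader)"
    if command -v readelf >/dev/null 2>&1; then
        readelf -d "$f" 2>/dev/null | grep NEEDED || echo "no NEEDED entries found"
    elif command -v ldd >/dev/null 2>&1; then
        echo "readelf not available; ldd may execute the loader on this file" >&2
        ldd "$f" || true
    fi

    echo "== iv) timestamps (ctime is the hardest of the three to forge)"
    stat "$f"

    echo "== v) printable strings (first 20 runs of 8+ characters)"
    printable_strings "$f" 8 | head -n 20

    echo "== hash, to compare against package-owned binaries (e.g. /usr/bin/uptime)"
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$f"; fi
    return 0
}

# Usage, with the path from the post (an assumption on any other system):
# triage_binary /tmp/strange_file
```

A matching hash against /usr/bin/uptime would confirm the file is a plain copy of a legitimate tool; a mismatch with the same usage text would mean the binary was rebuilt or patched and warrants disassembly rather than just strings.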
Final note: never open a binary file in an editor such as vi, because if the editor writes the file back out it can corrupt it; use strings or a hex dump to look inside instead. A couple of times I have messed up certificate key files, which are in encrypted format, that way.