Friday, July 29, 2011

Examining an unknown binary file in Linux

Lets say you have come across an unknown Binary file in a Linux server and you want to know more details about it. 

Steps to follow:
i)    First run 'file' command to get its file-type and other details.
ii)   Check if the file is installed from any RPM by executing "rpm -qf  [filename]"
iii)  Check if the binary file uses any shared Library modules by running "ldd".
iv)  Check when was the file last modified and accessed, by using "stat" command.
v)   Finally check the printable characters in that file by using "strings" command and see if you could figure out anything from the output. "strings" output usually show the System calls made by that file and it will give you a clue about it. If you are familiar with "C" functions such as fopen, stdin, malloc etc, it would be relatively easier for you to figure out.  


[root@hostxyz tmp]# ls
hsperfdata_root  lost+found  strange_file
[root@hostxyz tmp]# file strange_file
strange_file: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped
[root@hostxyz tmp]# rpm -qf strange_file
file /tmp/strange_file is not owned by any package
[root@hostxyz tmp]# ldd strange_file => /lib64/ (0x0000003ea3000000) => /lib64/ (0x0000003ea2c00000)
        /lib64/ (0x0000003ea2800000)
[root@hostxyz tmp]# stat strange_file
  File: `strange_file'
  Size: 7816            Blocks: 16         IO Block: 4096   regular file
Device: 803h/2051d      Inode: 98306       Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2011-07-28 16:52:03.000000000 -0500
Modify:  2011-07-28 15:48:20.000000000 -0500
Change: 2011-07-28 15:49:57.000000000 -0500
[root@hostxyz tmp]# strings strange_file
l$ L
usage: uptime [-V]
    -V    display version
[root@hostxyz tmp]#

Final note: Never open (vi) any binary file as it might corrupt it. Couple of times I had messed up some certification key file, which are in encrypted format.

1 comment: