code snippets and reminders
Here are some code snippets because I always forgot and spent a lot of time to figure it out.
IDA
to define a function, use this:
void (* myfunc)(int a1, int a2)
Adapt all types, and number of arguments. You can add __fastcall to tell IDA
to follow the calling convention (works on ARM/x86 32/64).
useful aliases
grep
Search only for an extension, number lines, cas insensitive and coloring the output.
clathetic@box:~$ grep -inr --include \*.h my_pattern
check
When I'm analyzing elf files, I always do the same thing, check the size,
then the type, the source language, and so on. I put everything in a script called
check:
clathetic@box:~$ cat /usr/local/bin/check
#! /bin/bash
# Detect ELF, architecture, linkage (static/dynamic), libc, and likely language.
# Use of checksec and grep dangerous functions
file="$1"
if [[ -z "$file" ]]; then
echo "Usage: $0 <file>"
exit 1
fi
if [[ ! -f "$file" ]]; then
echo "Error: '$file' is not a regular file."
exit 1
fi
# --- Step 0: Basic checks:
_basic() {
local bytes size unit
bytes=$(stat -c%s "$1" 2>/dev/null || stat -f%z "$1" 2>/dev/null)
if [[ -z "$bytes" ]]; then
echo "unknown"
return
fi
if (( bytes < 1024 )); then
size="${bytes} B"
elif (( bytes < 1048576 )); then
size="$(awk "BEGIN {printf \"%.1f\", $bytes/1024}") KB"
elif (( bytes < 1073741824 )); then
size="$(awk "BEGIN {printf \"%.1f\", $bytes/1048576}") MB"
else
size="$(awk "BEGIN {printf \"%.1f\", $bytes/1073741824}") GB"
fi
echo " -> $size"
}
# --- Step 1: Check ELF ---
_elf() {
file_info=$(file "$file")
if ! grep -q "ELF" <<<"$file_info"; then
file "$file"
exit 0
fi
echo "'$file' is an ELF binary."
}
# --- Step 2: Get architecture ---
_arch() {
file_info=$(file "$1")
arch=$(echo "$file_info" | sed -nE 's/.*ELF[^,]*, ([^,]+), ([^,]+), ([^,]+),.*/\1, \2, \3/p')
if [[ -z "$arch" ]]; then
# fallback if format differs
arch=$(echo "$file_info" | grep -oE 'ELF[^,]*, [^,]*, [^,]*' | sed 's/^ELF //')
fi
# Detect CPU type from file output (x86, ARM, MIPS, RISC-V, etc.)
cpu=$(echo "$file_info" | grep -oE 'ARM|AArch64|MIPS|x86-64|Intel 80386|RISC-V|PowerPC|SPARC' | head -n1)
[[ -n "$cpu" ]] && arch="$arch ($cpu)"
#echo " -> Architecture: $arch"
echo " -> $arch"
}
# --- Step 2.5: detect bitness ---
_bitness() {
local bits
if readelf -h "$1" 2>/dev/null | grep -q "Class:.*ELF64"; then
bits="64-bit"
elif readelf -h "$1" 2>/dev/null | grep -q "Class:.*ELF32"; then
bits="32-bit"
else
# fallback to file command if readelf output unavailable
if file "$1" | grep -q "64-bit"; then
bits="64-bit"
elif file "$1" | grep -q "32-bit"; then
bits="32-bit"
else
bits="unknown-bit"
fi
fi
echo " -> $bits"
}
# --- Step 3: Check linkage type (static/dynamic) ---
# That doesn't seems to work for a number of files
_linkage() {
if readelf -l "$file" 2>/dev/null | grep -q "INTERP"; then
linkage="dynamically linked"
else
linkage="statically linked"
fi
echo "Linkage: $linkage"
}
# --- Step 4: Detect libc flavor (glibc / musl / unknown) ---
_libc() {
libc="unknown"
if strings "$file" | grep -q "musl"; then
libc="musl"
elif strings "$file" | grep -q "libc"; then
libc="glibc"
elif strings "$file" | grep -q "GNU C Library"; then
libc="glibc"
fi
[[ "$libc" != "unknown" ]] && echo " -> libc: $libc"
}
# --- Step 5: Guess language ---
_lang() {
lang="unknown"
symbols=$(strings -a "$file" 2>/dev/null)
# Heuristics
if echo "$symbols" | grep -q "go.buildid"; then
lang="Go"
elif echo "$symbols" | grep -q "runtime.g"; then
lang="Go"
elif echo "$symbols" | grep -q -E "rust_eh_personality|core::|alloc::|std::|panic_handler"; then
lang="Rust"
elif nm -C "$file" 2>/dev/null | grep -q "::"; then
lang="C++"
elif echo "$symbols" | grep -q "libstdc++"; then
lang="C++"
elif echo "$symbols" | grep -q "libc.so"; then
lang="C"
elif nm "$file" 2>/dev/null | grep -q " main"; then
lang="C"
fi
echo "Likely source language: $lang"
}
# --- Step 6: checksec ---
_check() {
#No need to do better
checksec --file=$1
}
# --- Step 7: grep ---
_grep() {
# Easy but effective
grep -q socket $1 && echo contains socket
grep -q system $1 && echo contains system
grep -q popen $1 && echo contains popen
grep -q exec $1 && echo contains exec
}
############## MAIN
_elf $1
_basic $1
_arch $1
_bitness $1
#_linkage $1 # Broken
_libc $1
_lang $1
_check $1
_grep $1
