# Analyzing an ELF File

**Overview of ELF Files**

* **ELF (Executable and Linkable Format)** files are the native executable files for Linux systems.
* Basic Linux usage skills are useful for analyzing ELF files.

**Tools for Dynamic Analysis**

1. **`strace`**:
   * Traces system calls made by a process.
   * Useful for monitoring API calls directed at the system.
2. **`ltrace`**:
   * Traces library calls made by a process.
   * Monitors calls into user-space shared libraries such as libc (the "user API"), which `strace` does not see.
3. **`gdb`** (GNU Debugger):
   * Debugs programs and can be used to inspect and control the execution of a program.
4. **IDA Free**:
   * Used for disassembling and decompiling ELF files.
   * The Hex-Rays decompiler feature is cloud-based and requires an internet connection.

**Steps for Analysis**

1. **Initial File Identification**:
   * Open a terminal and identify the file type using:

     ```bash
     file RE_Linux
     ```
   * Check for strings within the sample using:

     ```bash
     strings RE_Linux
     ```
   * Generate file hashes for indicators of compromise (IOCs) using:

     ```bash
     md5sum RE_Linux
     sha256sum RE_Linux
     ```
2. **Set File Permissions**:
   * Add execute permissions if not already set:

     ```bash
     chmod +x RE_Linux
     ```
3. **Dynamic Analysis Using `strace` and `ltrace`**:
   * Run the sample with `ltrace`:

     ```bash
     ltrace ./RE_Linux
     ```
   * Run the sample with `strace`:

     ```bash
     strace ./RE_Linux
     ```
   * `ltrace` shows the library calls the sample makes, while `strace` logs its system calls and so shows in detail how the sample interacts with the kernel (files, network, processes).
4. **Disassembly and Debugging with IDA Free**:
   * Open the sample in IDA Free.
   * Set a breakpoint at the start of the main function.
   * Start debugging and step through the code using:
     * **F8**: Step Over
     * **F7**: Step Into
5. **Handling Cloud-Based Decompiler**:
   * **Internet Connection**: The cloud decompiler needs a real connection, so turn FakeNet off before decompiling, and do not run the sample while the VM has internet access.
   * **Restart DNS Service**: If necessary, restart the DNS service to reconfigure network settings:

     ```bash
     sudo systemctl restart systemd-resolved
     ```
   * **Decompile**: In IDA Free, go to **View** > **Open Subview** > **Generate Pseudo Code** to see the decompiled pseudocode.
6. **Snapshot and Restore**:
   * Take a snapshot of the VM state before running the sample to preserve the environment.
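The static and dynamic steps above, gathered into one triage script as an added example (not part of the original notes). It assumes a POSIX shell with coreutils; every tool is skipped and noted in `report.txt` when it is not installed, and the tracing step only runs when `RUN_DYNAMIC=1` is set, since that executes the sample.

```shell
#!/bin/sh
# ELF triage following the steps above. Outputs land in <outdir>; report.txt
# records which tools ran and which were skipped because they are missing.
# Usage (inside the snapshotted VM):  RUN_DYNAMIC=1 triage_elf ./RE_Linux ./triage

# run_tool <name> <outfile> <cmd...>: run cmd if <name> is installed, saving
# its stdout+stderr to <outfile>; otherwise note the skip in the report.
run_tool() {
    name=$1; out=$2; shift 2
    if command -v "$name" >/dev/null 2>&1; then
        "$@" > "$out" 2>&1
        echo "$name: ok ($out)" >> "$report"
    else
        echo "$name: skipped (not installed)" >> "$report"
    fi
}

# triage_elf <sample> <outdir>: returns 0 on success, 1 on a bad argument.
triage_elf() {
    sample=$1; outdir=$2
    [ -f "$sample" ] || { echo "no such file: $sample" >&2; return 1; }
    # A bare name would be looked up in PATH when traced; force a path.
    case "$sample" in */*) ;; *) sample="./$sample" ;; esac
    mkdir -p "$outdir" || return 1
    report="$outdir/report.txt"
    echo "sample: $sample" > "$report"

    # Step 1: file type, printable strings (6+ chars), hashes to record as IOCs.
    run_tool file      "$outdir/file.txt"    file "$sample"
    run_tool strings   "$outdir/strings.txt" strings -n 6 "$sample"
    run_tool md5sum    "$outdir/md5.txt"     md5sum "$sample"
    run_tool sha256sum "$outdir/sha256.txt"  sha256sum "$sample"

    # Steps 2-3: make it executable, then trace library calls and system calls.
    if [ "${RUN_DYNAMIC:-0}" = 1 ]; then
        chmod +x "$sample"
        for tracer in ltrace strace; do
            # -f follows forked children; -o keeps the trace apart from the
            # sample's own output; timeout bounds a sample that never exits.
            run_tool "$tracer" "$outdir/$tracer-stdout.txt" \
                timeout 30 "$tracer" -f -o "$outdir/$tracer.txt" "$sample"
        done
    fi
    return 0
}
```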

**Summary**

* **Commands**: `file`, `strings`, `md5sum`, `sha256sum`, `chmod`, `ltrace`, `strace`
* **Tools**: IDA Free, `strace`, `ltrace`
* **Key Points**: Use IDA Free for disassembly and decompilation, `strace` and `ltrace` for dynamic analysis, and be cautious with cloud-based decompilers.

These steps and tools will help you analyze and understand the behavior of ELF files in a Linux environment.
