Analyzing an ELF File

Overview of ELF Files

  • ELF (Executable and Linkable Format) files are the native executable files for Linux systems.

  • Basic Linux usage skills are useful for analyzing ELF files.

Tools for Dynamic Analysis

  1. strace:

    • Traces system calls made by a process.

    • Useful for monitoring the calls a process makes into the kernel (file, network and process operations).

  2. ltrace:

    • Traces library calls made by a process.

    • Monitors calls into user-space libraries such as libc.

  3. gdb (GNU Debugger):

    • Debugs programs and can be used to inspect and control the execution of a program.

  4. IDA Free:

    • Used for disassembling and decompiling ELF files.

    • The Hex-Rays decompiler feature is cloud-based and requires an internet connection.

Steps for Analysis

  1. Initial File Identification:

    • Open a terminal and identify the file type using:

      file RE_Linux

    • Check for strings within the sample using:

      strings RE_Linux

    • Generate file hashes for indicators of compromise (IOCs) using:

      md5sum RE_Linux
      sha256sum RE_Linux
  2. Set File Permissions:

    • Add execute permissions if not already set:

      chmod +x RE_Linux

  3. Dynamic Analysis Using strace and ltrace:

    • Run the sample with ltrace:

      ltrace ./RE_Linux

    • Run the sample with strace:

      strace ./RE_Linux

    • ltrace shows calls into user-space libraries such as libc, while strace logs system calls and so gives a detailed picture of how the sample interacts with the operating system.

  4. Disassembly and Debugging with IDA Free:

    • Open the sample in IDA Free.

    • Set a breakpoint at the start of the main function.

    • Start debugging and step through the code using:

      • F8: Step Over

      • F7: Step Into

  5. Handling Cloud-Based Decompiler:

    • Internet Connection: The cloud decompiler needs a real internet connection, so turn FakeNet off before decompiling, and do not run the sample while the VM is online, so that no malware code executes with live internet access.

    • Restart DNS Service: If necessary, restart the DNS service to reconfigure network settings:

      sudo systemctl restart systemd-resolved

    • Decompile: In IDA Free, go to View > Open Subview > Generate Pseudocode to see the decompiled pseudocode.

  6. Snapshot and Restore:

    • Take a snapshot of the VM state before running the sample so the environment can be restored to a clean state afterwards.
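The following script is an added example, not code from the notes above, showing what the file / strings / md5sum / sha256sum commands of step 1 actually look at: it parses the ELF header fields (class, endianness, type, machine, entry point, and whether the section header table has been stripped), pulls printable strings the way strings does, and hashes the bytes for IOCs. The SAMPLE bytes are a hypothetical, constructed ELF64 header with a fake tail; they are not the RE_Linux file. It also handles ELF32 and big-endian headers, which the notes do not cover.

```python
import hashlib
import re
import struct
import sys

# Constructed sample (hypothetical, not the RE_Linux file from the notes): a
# 64-byte ELF64 little-endian x86-64 header followed by a few fake payload
# bytes so that string extraction has something to find.
SAMPLE = (
    b"\x7fELF"            # e_ident[0:4]  magic
    b"\x02"               # EI_CLASS      2 = ELF64
    b"\x01"               # EI_DATA       1 = little-endian
    b"\x01"               # EI_VERSION
    b"\x00"               # EI_OSABI      0 = System V
    + b"\x00" * 8         # EI_ABIVERSION + padding
    + struct.pack(
        "<HHIQQQIHHHHHH",
        2,         # e_type      ET_EXEC
        0x3E,      # e_machine   EM_X86_64
        1,         # e_version
        0x401000,  # e_entry
        64,        # e_phoff
        0,         # e_shoff     0 = no section header table
        0,         # e_flags
        64,        # e_ehsize
        56,        # e_phentsize
        1,         # e_phnum
        64,        # e_shentsize
        0,         # e_shnum     0 = sections stripped (common in packed samples)
        0,         # e_shstrndx
    )
    + b"\x00/bin/sh\x00ab\x00http://example.invalid/c2\x00"
)

ELF_TYPES = {0: "NONE", 1: "REL (relocatable)", 2: "EXEC (executable)",
             3: "DYN (shared object / PIE)", 4: "CORE"}
MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64", 0xF3: "RISC-V"}


def parse_elf_header(data: bytes) -> dict:
    """Decode the ELF file header; this is the information `file` reports."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file (bad magic)")
    ei_class, ei_data = data[4], data[5]
    if ei_data not in (1, 2):
        raise ValueError("unknown EI_DATA (endianness)")
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:
        fmt = endian + "HHIQQQIHHHHHH"   # ELF64: 48 bytes after e_ident
    elif ei_class == 1:
        fmt = endian + "HHIIIIIHHHHHH"   # ELF32: 36 bytes after e_ident
    else:
        raise ValueError("unknown EI_CLASS")
    size = struct.calcsize(fmt)
    if len(data) < 16 + size:
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _ver, e_entry, _phoff, _shoff, _flags, _ehsize,
     _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack(fmt, data[16:16 + size])
    return {
        "class": "ELF64" if ei_class == 2 else "ELF32",
        "endian": "little" if ei_data == 1 else "big",
        "type": ELF_TYPES.get(e_type, hex(e_type)),
        "machine": MACHINES.get(e_machine, hex(e_machine)),
        "entry": e_entry,
        "phnum": e_phnum,
        "shnum": e_shnum,
        # No section headers usually means the binary was stripped or packed,
        # which makes static analysis in IDA harder and is worth noting early.
        "sections_stripped": e_shnum == 0,
    }


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Same idea as `strings`: runs of printable ASCII of at least min_len bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def hashes(data: bytes) -> dict:
    """MD5 and SHA-256 of the whole file, the values used as IOCs."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def triage(data: bytes) -> dict:
    """The whole of step 1 in one pass over the bytes."""
    return {"header": parse_elf_header(data),
            "strings": extract_strings(data),
            "hashes": hashes(data)}


if __name__ == "__main__":
    # Usage: python3 elf_triage.py RE_Linux   (falls back to SAMPLE with no argument)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in triage(blob).items():
        print(key, value)
```

The parser reads only the header, so it never executes anything; that is the point of doing static identification before chmod +x and the dynamic steps. Unlike the shell commands, it makes the "stripped" condition explicit (e_shnum == 0), which tells you in advance whether IDA will have section names to work with.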

Summary

  • Commands: file, strings, md5sum, sha256sum, chmod, ltrace, strace

  • Tools: IDA Free, strace, ltrace

  • Key Points: Use IDA Free for disassembly and decompilation, strace and ltrace for dynamic analysis, and be cautious with cloud-based decompilers.
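Step 3 says strace and ltrace show how the sample interacts with the system, but a real trace is hundreds of lines long. The following added example (not code from the notes, and not real output from RE_Linux) parses strace-style lines of the shape call(args) = ret, which ltrace output shares, and sorts the calls into the categories an analyst reads a trace for: process creation, network activity, and file reads versus writes. SAMPLE_LOG is constructed; the syscall names and flag strings are real strace vocabulary, the hypothetical addresses and paths are made up.

```python
import re
from collections import defaultdict

# Constructed strace-style lines (hypothetical; not a trace of RE_Linux).
# The raw string keeps strace's own "\n" escaping inside buffers intact.
SAMPLE_LOG = r"""
execve("./RE_Linux", ["./RE_Linux"], 0x7ffd1234abcd /* 20 vars */) = 0
brk(NULL) = 0x5555555a000
openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1024
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 ECONNREFUSED (Connection refused)
openat(AT_FDCWD, "/home/analyst/.bashrc", O_WRONLY|O_APPEND) = 5
write(5, "alias ls=...\n", 13) = 13
exit_group(0) = ?
+++ exited with 0 +++
"""

# call(args) = ret ; the greedy args group backtracks to the last ")" that is
# followed by " = ", so parenthesised error text in ret does not confuse it.
CALL_RE = re.compile(r'^(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>.*)$')
QUOTED_RE = re.compile(r'"([^"]*)"')
ADDR_RE = re.compile(r'htons\((\d+)\).*inet_addr\("([^"]+)"\)')

CATEGORIES = {
    "process": {"execve", "fork", "vfork", "clone", "clone3", "system", "popen", "ptrace"},
    "network": {"socket", "connect", "bind", "listen", "accept", "sendto", "recvfrom", "getaddrinfo"},
    "file_write": {"write", "unlink", "unlinkat", "rename", "renameat", "chmod", "fchmod"},
}
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT", "O_APPEND", "O_TRUNC")


def parse_line(line: str):
    """Return (call, args, ret) or None for non-call lines such as '+++ exited'."""
    m = CALL_RE.match(line.strip())
    return (m.group("call"), m.group("args"), m.group("ret")) if m else None


def classify(call: str, args: str):
    """Map a call to a triage category; open-family calls depend on their flags."""
    if call in ("open", "openat", "creat"):
        if call == "creat" or any(flag in args for flag in WRITE_FLAGS):
            return "file_write"
        return "file_read"
    for category, names in CATEGORIES.items():
        if call in names:
            return category
    return None


def describe(call: str, args: str, ret: str) -> str:
    """One-line summary: endpoint for connect, otherwise the first quoted argument
    (a path for open/execve, the buffer for write) or the raw args."""
    if call == "connect":
        m = ADDR_RE.search(args)
        if m:
            return f"connect to {m.group(2)}:{m.group(1)} -> {ret}"
    quoted = QUOTED_RE.findall(args)
    target = quoted[0] if quoted else args[:40]
    return f"{call}({target}) -> {ret}"


def triage(log_text: str) -> dict:
    """Group the interesting calls of a trace by category, in trace order."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        call, args, ret = parsed
        category = classify(call, args)
        if category:
            findings[category].append(describe(call, args, ret))
    return dict(findings)


if __name__ == "__main__":
    # Usage: strace -f -o trace.log ./RE_Linux ; python3 trace_triage.py < trace.log
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for category, items in triage(text).items():
        print(f"[{category}]")
        for item in items:
            print("   ", item)
```

On the constructed log this surfaces the two things worth a closer look in the debugger: an outbound connection attempt to 192.0.2.10:4444 (which FakeNet would have answered had it been on), and a write to a shell startup file, a classic persistence location. Uncategorised calls such as brk and read are dropped so the summary stays short; extend CATEGORIES to taste.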

These steps and tools will help you analyze and understand the behavior of ELF files in a Linux environment.
