User Tools

Site Tools


krd:siggen

krd can perform a hex dump of common linux binaries:

bozo@lust:~/krd-pre0.2/src$ ./krd -h /bin/ls|less
./krd pre0.1 [http://krd.linux.edu] Guillaume R.
./krd [-c hex] [-h file]
7F454C460101010000000000000000000200030001000000F0960408340000009017010000000000 34002000080028001A00190006000000340000003480040834800408000100000001000005000000 04000000030000003401000034810408348104081300000013000000040000000100000001000000 …..

Here we have the first 120 bytes of /bin/ls. As you can see, it starts with 7F454C46 - this is the ELF header magic number. (Fun trivia for our windows friends, you may remember the first 2 bytes of executables are MZ.. after Mark Zbikowski who designed the format. Well nothing like that in linux here.. ELF actually stands for something.)

We can understand this hex dump by learning about the ELF header.

References: http://www.cs.ucdavis.edu/~haungs/paper/node10.html
http://www.caldera.com/developers/gabi/1998-04-29/ch4.eheader.html

readelf will show us this format in a “prettier” or at least human readable format:

bozo@lust:~/krd-pre0.2/src$ readelf -h /bin/ls ELF Header:

Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class:                             ELF32
Data:                              2's complement, little endian
Version:                           1 (current)
OS/ABI:                            UNIX - System V
ABI Version:                       0
Type:                              EXEC (Executable file)
Machine:                           Intel 80386
Version:                           0x1
Entry point address:               0x80496f0
Start of program headers:          52 (bytes into file)
Start of section headers:          71568 (bytes into file)
Flags:                             0x0
Size of this header:               52 (bytes)
Size of program headers:           32 (bytes)
Number of program headers:         8
Size of section headers:           40 (bytes)
Number of section headers:         26
Section header string table index: 25

For instance, from the docs, you will see that our first 03 is the e_machine member which tells us the ELF will run on an “Intel 80386.” When generating signatures we must be careful to take these changes into account.

krd/siggen.txt · Last modified: 2010/04/15 21:18 (external edit)