Is there a way to detect an ELF binary is broken/tampered or not?
How do I programmatically detect whether an ELF binary is tampered with or broken?
For example, if I delete the second half of an ELF binary (or a shared library object) and paste random text, this will corrupt it and it will not work afterwards. I want to detect whether a Unix ELF 32 binary or UNIX shared C library object has been subjected to this.
Thanks.
I'm not sure what you are thinking about, but the "correct way" to validate an ELF binary is to use a HASH like SHA-1, MD5, etc.
When you create the ELF file, then you also create the "signature file" using this HASH algorithm, i.e. MD5 and validate the result.
For example on Solaris you can create a MD5, SHA1, SHA256 digest using the command
# digest -a [algorithm] [/path/to/file] {-v}
So, to validate "/bin/sh" to prevent modifications, you should run
# digest -v -a md5 /bin/sh
md5 (/bin/sh) = f4ad35f5246f817d68f4895463d79b09
# digest -v -a sha1 /bin/sh
sha1 (/bin/sh) = aa3843a19f2225458d7e3e765f44e229a09c0ad0
# digest -v -a sha256 /bin/sh
sha256 (/bin/sh) = a5e1a0062bb6600f06e029ce58f500169e966400b173b7fba504d5cd4635f291
Here you have more examples in Spanish: Where is MD5 in Solaris and HowTo Use it
If hashing is not the solution, you can use (on Solaris) commands to verify the ELF, such as elfdump and ldd.
You can use ldd with -iv to verify the shared library initialization:
itily@openzooey:~/hello.world$ ldd -iv hello
find object=libc.so.1; required by hello
libc.so.1 => /lib/libc.so.1
find version=libc.so.1
libc.so.1 (SYSVABI_1.3) => /lib/libc.so.1
libc.so.1 (SUNWprivate_1.1) => /lib/libc.so.1
object=/lib/libc.so.1; filter for /usr/lib/ld.so.1
object=/lib/libc.so.1; filter for libm.so.2
find object=libm.so.2; required by /lib/libc.so.1
libm.so.2 => /lib/libm.so.2
find object=libc.so.1; required by /lib/libm.so.2
find version=libc.so.1
libc.so.1 (SUNW_1.1) => /lib/libc.so.1
libc.so.1 (SUNWprivate_1.1) => /lib/libc.so.1
init object=/lib/libc.so.1
To generate a checksum of the ELF you can use the option -k:
itily@openzooey:~/hello.world$ elfdump -k hello
elf checksum: 0x8922
But, if you don't have a trusted ELF to compare against, it's a bit difficult, I think.
I hope this is what you are looking for,
Urko,
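The following is an added example, not part of the question or of Urko's answer, showing both approaches above in code: comparing an image against a digest recorded while the file was trusted (what `digest -a` gives you), and, when no trusted copy exists, sanity-checking the ELF header, program headers and section headers so that a file whose second half was deleted or overwritten with text shows up as tables or sections running past end-of-file. The sample ELF32 image it checks is constructed inline and is not a real program; the function and constant names are the example's own.

```python
import hashlib
import hmac
import struct

# Added example (not from the original post). Two independent checks a defender can
# apply to an ELF image: (1) compare it against a trusted digest, as the answer
# recommends, and (2) when no trusted copy exists, validate header and table offsets.

ELF_MAGIC = b"\x7fELF"
SHT_NOBITS = 8   # section occupies no file bytes (e.g. .bss); its offset is not checked
PT_LOAD = 1


def sha256_hex(data: bytes) -> str:
    """Digest to record while the file is known-good (same value `digest -a sha256` prints)."""
    return hashlib.sha256(data).hexdigest()


def matches_trusted_digest(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Compare the image against a previously recorded digest (constant-time comparison)."""
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def elf_structure_errors(data: bytes) -> list:
    """Return structural problems found in an ELF image; an empty list means the layout is plausible.

    Only the ELF header, program headers and section headers are examined, which is enough
    to catch a file whose tail was truncated or overwritten with text.
    """
    size = len(data)
    if size < 16 or data[:4] != ELF_MAGIC:
        return ["missing ELF magic"]
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return ["invalid EI_CLASS/EI_DATA in e_ident"]
    end = "<" if ei_data == 1 else ">"
    if ei_class == 1:   # ELF32 layouts
        ehdr_fmt, ehdr_size = end + "HHIIIIIHHHHHH", 52
        phdr_fmt, phdr_size = end + "IIIIIIII", 32      # p_type, p_offset, ..., p_filesz at index 4
        shdr_fmt, shdr_size = end + "IIIIIIIIII", 40
    else:               # ELF64 layouts
        ehdr_fmt, ehdr_size = end + "HHIQQQIHHHHHH", 64
        phdr_fmt, phdr_size = end + "IIQQQQQQ", 56      # p_type, p_flags, p_offset, ..., p_filesz at 5
        shdr_fmt, shdr_size = end + "IIQQQQIIQQ", 64
    if size < ehdr_size:
        return ["file shorter than the ELF header"]
    (_, _, _, _, e_phoff, e_shoff, _, e_ehsize, e_phentsize, e_phnum,
     e_shentsize, e_shnum, e_shstrndx) = struct.unpack(ehdr_fmt, data[16:ehdr_size])

    errors = []
    if e_ehsize != ehdr_size:
        errors.append(f"e_ehsize {e_ehsize} != {ehdr_size}")
    if e_phnum:
        if e_phentsize != phdr_size:
            errors.append(f"e_phentsize {e_phentsize} != {phdr_size}")
        elif e_phoff + e_phnum * phdr_size > size:
            errors.append("program header table runs past end of file")
        else:
            for i in range(e_phnum):
                off = e_phoff + i * phdr_size
                f = struct.unpack(phdr_fmt, data[off:off + phdr_size])
                p_offset, p_filesz = (f[1], f[4]) if ei_class == 1 else (f[2], f[5])
                if f[0] == PT_LOAD and p_offset + p_filesz > size:
                    errors.append(f"PT_LOAD segment {i} runs past end of file")
    if e_shnum:
        if e_shentsize != shdr_size:
            errors.append(f"e_shentsize {e_shentsize} != {shdr_size}")
        elif e_shoff + e_shnum * shdr_size > size:
            errors.append("section header table runs past end of file")
        else:
            if e_shstrndx and e_shstrndx >= e_shnum:
                errors.append(f"e_shstrndx {e_shstrndx} out of range")
            for i in range(e_shnum):
                off = e_shoff + i * shdr_size
                f = struct.unpack(shdr_fmt, data[off:off + shdr_size])
                sh_type, sh_offset, sh_size = f[1], f[4], f[5]
                if sh_type != SHT_NOBITS and sh_offset + sh_size > size:
                    errors.append(f"section {i} runs past end of file")
    return errors


def build_sample_elf32() -> bytes:
    """Constructed minimal little-endian ELF32 image: header, one PT_LOAD, null + .text sections.
    It is not a program from the post; it exists only to exercise the checks above."""
    text = b"\x31\xc0\xc3" + b"\0" * 13                  # constructed 16-byte code blob
    phoff, text_off = 52, 52 + 32
    shoff = text_off + len(text)                          # section table follows the code
    base = 0x08048000
    ehdr = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\0" * 8   # ELFCLASS32, little-endian, version 1
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, base + text_off, phoff, shoff, 0,
                        52, 32, 1, 40, 2, 0)
    phdr = struct.pack("<IIIIIIII", PT_LOAD, 0, base, base, shoff, shoff, 5, 0x1000)
    sh_null = b"\0" * 40
    sh_text = struct.pack("<IIIIIIIIII", 0, 1, 6, base + text_off, text_off, len(text), 0, 0, 16, 0)
    return ehdr + phdr + text + sh_null + sh_text


def overwrite_second_half(data: bytes, filler: bytes = b"random text ") -> bytes:
    """Reproduce the corruption from the question: keep the first half, replace the rest with text."""
    half = len(data) // 2
    return data[:half] + (filler * (len(data) // len(filler) + 1))[:len(data) - half]


if __name__ == "__main__":
    good = build_sample_elf32()
    trusted = sha256_hex(good)                 # recorded while the file was known-good
    bad = overwrite_second_half(good)
    for name, image in (("intact", good), ("corrupted", bad)):
        print(name, "digest ok:", matches_trusted_digest(image, trusted),
              "structure:", elf_structure_errors(image) or "plausible")
```

The digest check is the one to rely on when a known-good copy or a recorded hash exists, since a careful attacker can rewrite a file into a perfectly well-formed ELF; the structural check only detects damage that leaves the headers inconsistent with the file size, which is exactly the "delete half and paste text" case from the question.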