
Is there a way to detect an ELF binary is broken/tampered or not?

How do I programmatically detect whether an ELF binary is tampered or broken?

For example, if I delete the second half of an ELF binary (or a library shared object) and paste random text, this will corrupt it and it will not work afterwards. I want to detect whether a Unix ELF 32 binary or UNIX shared C library object is subjected to this.

Thanks.


I'm not sure what you are thinking about, but the "correct way" to validate an ELF binary is to use a HASH like SHA-1, MD5, etc.

When you create the ELF file, then you also create the "signature file" using this HASH algorithm, i.e. MD5 and validate the result.

For example on Solaris you can create a MD5, SHA1, SHA256 digest using the command

# digest -a [algorithm] [/path/to/file] {-v}

So, to validate "/bin/sh" to prevent modifications, you should run

# digest -v -a md5 /bin/sh
md5 (/bin/sh) = f4ad35f5246f817d68f4895463d79b09

# digest -v -a sha1 /bin/sh
sha1 (/bin/sh) = aa3843a19f2225458d7e3e765f44e229a09c0ad0

# digest -v -a sha256 /bin/sh
sha256 (/bin/sh) = a5e1a0062bb6600f06e029ce58f500169e966400b173b7fba504d5cd4635f291

Here you have more examples in Spanish: Where is MD5 in Solaris and HowTo Use it

If hashing is not the solution, you can use (on Solaris) commands to verify the ELF such as elfdump and ldd.

You can use ldd with -iv to verify the shared library initialization:

itily@openzooey:~/hello.world$ ldd -iv hello

   find object=libc.so.1; required by hello
        libc.so.1 =>     /lib/libc.so.1
   find version=libc.so.1
        libc.so.1 (SYSVABI_1.3) =>       /lib/libc.so.1
        libc.so.1 (SUNWprivate_1.1) =>   /lib/libc.so.1

   object=/lib/libc.so.1; filter for /usr/lib/ld.so.1

   object=/lib/libc.so.1; filter for libm.so.2

   find object=libm.so.2; required by /lib/libc.so.1
        libm.so.2 =>     /lib/libm.so.2

   find object=libc.so.1; required by /lib/libm.so.2
   find version=libc.so.1
        libc.so.1 (SUNW_1.1) =>  /lib/libc.so.1
        libc.so.1 (SUNWprivate_1.1) =>   /lib/libc.so.1

   init object=/lib/libc.so.1

To generate a checksum of the ELF you can use the option -k:

itily@openzooey:~/hello.world$ elfdump -k hello

elf checksum: 0x8922

But, if you don't have a trusted ELF to compare, it's a bit difficult, I think.

I hope this is what you are looking for,

Urko,

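As an added example (not part of Urko's answer or the original page), here is the structural check that a checksum like `elfdump -k` cannot give you without a trusted reference: parse the ELF header and section header table and confirm that every table the header points at lies inside the file. It catches the truncate-and-paste corruption the question describes, but it says nothing about content tampering, which still needs a trusted hash or signature. The sample image and the `build_sample_elf64` and `corrupt_second_half` helpers are constructed for the demonstration.

```python
import struct

ELF64_EHDR = "HHIQQQIHHHHHH"   # e_type .. e_shstrndx, after the 16-byte e_ident
ELF32_EHDR = "HHIIIIIHHHHHH"
ELF64_SHDR = "IIQQQQIIQQ"      # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, ...
ELF32_SHDR = "IIIIIIIIII"      # same field order, 32-bit widths

def elf_sanity(data: bytes) -> list[str]:
    """Return structural problems found; [] means header and section table fit the file."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        return ["bad ELF magic"]
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return ["unknown EI_CLASS or EI_DATA"]
    end = "<" if ei_data == 1 else ">"   # 1 = little-endian, 2 = big-endian
    ehdr_fmt, shdr_fmt = (ELF64_EHDR, ELF64_SHDR) if ei_class == 2 else (ELF32_EHDR, ELF32_SHDR)
    if len(data) < 16 + struct.calcsize(end + ehdr_fmt):
        return ["file shorter than the ELF header"]
    f = struct.unpack_from(end + ehdr_fmt, data, 16)
    shoff, shentsize, shnum, shstrndx = f[5], f[10], f[11], f[12]
    size, problems = len(data), []
    if shnum and shentsize != struct.calcsize(end + shdr_fmt):
        return [f"e_shentsize {shentsize} is wrong for this ELF class"]
    if shnum and shstrndx >= shnum:
        problems.append("e_shstrndx points outside the section header table")
    if shoff + shentsize * shnum > size:
        problems.append(f"section header table at {shoff} runs past end of file ({size} bytes)")
        return problems
    for i in range(shnum):
        sh = struct.unpack_from(end + shdr_fmt, data, shoff + i * shentsize)
        if sh[1] != 8 and sh[4] + sh[5] > size:   # sh_type 8 is SHT_NOBITS: owns no file bytes
            problems.append(f"section {i}: contents at offset {sh[4]} run past end of file")
    return problems

def build_sample_elf64() -> bytes:
    """Constructed minimal LE ELF64: header, 16 code bytes, 2-entry section table at the end."""
    text = b"\x90" * 16                                  # placeholder NOP bytes
    shoff = 64 + len(text)                               # section headers follow the code
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, little-endian, version 1
    ehdr += struct.pack("<" + ELF64_EHDR, 2, 0x3E, 1, 0, 0, shoff, 0, 64, 56, 0, 64, 2, 0)
    null_sh = struct.pack("<" + ELF64_SHDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    text_sh = struct.pack("<" + ELF64_SHDR, 1, 1, 6, 0, 64, len(text), 0, 0, 16, 0)  # PROGBITS
    return ehdr + text + null_sh + text_sh

def corrupt_second_half(data: bytes) -> bytes:
    """The question's scenario: drop the second half and paste text in its place."""
    half = len(data) // 2
    return data[:half] + (b"junk text " * (half // 10 + 1))[:len(data) - half]
```

Because linkers normally place the section header table at the end of the file, cutting the file in half makes `e_shoff` point past EOF, and overwriting the second half turns the section entries into garbage offsets; both cases surface as non-empty problem lists.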