[TriLUG] Scanning for executables

Ian Kilgore ian at trilug.org
Wed Jan 4 12:04:22 EST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

jonc wrote:
| Jim,
|
| You can do the equivalent of a "strings" command against the file -
| treating it as a streaming binary file. Look for a few specific binary
| sequences near the very beginning of the stream and that will tag the
| file as a binary.
|
| I don't know what the sequences you need to look for are, but I've done
| similar things in the past - hacking executables to change specific
| initialization data - and I've always noticed that the beginning
| sequences of executables are very similar.
|
| Good luck - Jon
|
Well, ELF files have this handy little magic number: 7F 45 4C 46
(which is some undisplayable character, followed by 'ELF'). The ELF
headers will usually be very similar to each other (just taking a look
at a few files in /bin, I see:

7F 45 4C 46  01 01 01 00  00 00 00 00  00 00 00 00
02 00 03 00  01 00 00 00

at the start, which is the same for them all). That won't work if you're
looking for raw machine code, or another binary format (a.out, eew).
And, of course, there's '#!' ;]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDvAAWwsRpgTiXSOERAs0eAJ92vkiKm7ULtSXVoo2aVzBfFe5XUwCgrud4
AbOAepSKNP59L3OiXesHxPw=
=/X6H
-----END PGP SIGNATURE-----
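An added example (not code from the thread or from either poster) of the check Ian describes: read the first bytes of a file, look for the ELF magic 7F 45 4C 46 or a '#!' line, and, for ELF, decode the e_ident and e_type/e_machine fields that make up the 24 bytes he quoted from /bin. The sample headers below are constructed inline so the script runs offline; the ET_*/EM_* names are the standard ELF constants, and the 52-byte padding is an assumption that simply fills out an ELF32 header. As the post notes, raw machine code and other formats such as a.out will not match either test and come back as "unknown".

```python
import struct

ELF_MAGIC = b"\x7fELF"   # 7F 45 4C 46, the magic number quoted in the post
SHEBANG = b"#!"          # interpreter scripts start with this

# Constructed samples (not real files). The first is the 24 bytes the post
# shows from /bin, padded with zeros to a full 52-byte ELF32 header.
SAMPLE_ELF32 = bytes.fromhex(
    "7f454c46 01010100 00000000 00000000"   # e_ident: magic, class, data, version
    "0200 0300 01000000"                     # e_type, e_machine, e_version
) + b"\x00" * (52 - 24)
SAMPLE_SCRIPT = b"#!/bin/sh\necho hello\n"
SAMPLE_TEXT = b"just some plain text\n"
SAMPLE_TRUNCATED = b"\x7fELF\x01\x01"        # magic present, header cut short

# Standard ELF constants for the fields decoded below
E_TYPE = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
E_MACHINE = {3: "EM_386", 40: "EM_ARM", 62: "EM_X86_64", 183: "EM_AARCH64"}
EI_CLASS = {1: "ELF32", 2: "ELF64"}
EI_DATA = {1: "LSB", 2: "MSB"}


def classify(head: bytes) -> dict:
    """Classify a file by its leading bytes, the way the post suggests."""
    if head.startswith(SHEBANG):
        first_line = head.split(b"\n", 1)[0]
        interp = first_line[2:].strip().decode("ascii", "replace")
        return {"kind": "script", "interpreter": interp}
    if not head.startswith(ELF_MAGIC):
        # raw machine code, a.out, plain text: nothing here identifies it
        return {"kind": "unknown"}
    if len(head) < 24:
        # magic alone is not enough to read e_type/e_machine
        return {"kind": "elf", "error": "truncated header"}
    ei_class, ei_data = head[4], head[5]
    if ei_data not in EI_DATA:
        return {"kind": "elf", "error": "bad EI_DATA %d" % ei_data}
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine are 16-bit, e_version 32-bit, right after e_ident
    e_type, e_machine, _e_version = struct.unpack(endian + "HHI", head[16:24])
    return {
        "kind": "elf",
        "class": EI_CLASS.get(ei_class, "unknown class %d" % ei_class),
        "data": EI_DATA[ei_data],
        "type": E_TYPE.get(e_type, "unknown type %d" % e_type),
        "machine": E_MACHINE.get(e_machine, "unknown machine %d" % e_machine),
    }


def classify_file(path: str) -> dict:
    """Read just enough of a real file on disk to classify it."""
    with open(path, "rb") as f:
        return classify(f.read(64))


if __name__ == "__main__":
    for name, sample in [("elf32", SAMPLE_ELF32), ("script", SAMPLE_SCRIPT),
                         ("text", SAMPLE_TEXT), ("truncated", SAMPLE_TRUNCATED)]:
        print(name, classify(sample))
```

Run it on the constructed samples and the /bin header from the post decodes as an ELF32, little-endian, ET_EXEC binary for EM_386; point classify_file at a real path to scan files on disk.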