Reversing Tools: Command-Line Utilities for Binary Analysis

Introduction

Reversing is the process of analyzing a program or binary to understand its behavior, uncover vulnerabilities, or learn about its inner workings. While disassemblers and decompilers like Ghidra or IDA Pro are integral to reverse engineering, there are many powerful command-line tools that can help in gathering information about a binary, tracking its execution, and analyzing its properties.

In this post, we’ll focus on some of the most commonly used command-line tools for reversing ELF binaries and other executable formats. We’ll cover their usage, what they provide, and when to use them during your reverse engineering process.

---

1. strace

What It Does

strace is a powerful tool for tracing system calls and signals during the execution of a program. It allows you to observe all interactions a program has with the kernel, such as file operations, memory allocations, network connections, and process management.

When to Use

• Monitor System Calls: Use strace when you want to understand what system calls a binary is making during execution. This helps in identifying key interactions like file I/O, process creation, network communication, and more.

• Debugging: If the program is behaving unexpectedly or has security flaws like improper file handling, strace helps you trace the cause.

• Detecting Anti-Debugging: Programs may use system calls to check for a debugger, and strace can reveal these calls.

Example Usage

strace ./binary.elf  # Trace system calls made by the binary
strace -f -e trace=network ./binary.elf  # Trace only network-related system calls

---

2. ltrace

What It Does

ltrace is similar to strace, but it traces library calls instead of system calls. It can be helpful for monitoring the use of functions from shared libraries, such as printf(), malloc(), or read().

When to Use

• Monitor Library Calls: Use ltrace to track functions that a program is calling from shared libraries. This is especially useful for understanding higher-level operations like printing output, memory allocation, or manipulating files.

• Track Function Arguments: ltrace shows the arguments passed to functions, allowing you to understand how a program processes inputs and interacts with libraries.

• Identify Vulnerabilities: If a binary has a format string vulnerability or improper input sanitization, ltrace can help reveal these issues by showing how functions are invoked.

Example Usage

ltrace ./binary.elf  # Trace library calls
ltrace -e malloc,free ./binary.elf  # Trace only memory allocation/deallocation calls

---

3. strings

What It Does

strings searches for and extracts printable strings from a binary file. These strings can be helpful for identifying hardcoded messages, file paths, or potential credentials embedded in the binary.

When to Use

• Locate Hardcoded Information: Use strings when you want to find user-readable data such as error messages, file names, IP addresses, or even passwords that might be hardcoded in the binary.

• Identify Vulnerable Functions: Sometimes, strings may give you clues about vulnerable functions like system() or exec(), which can be exploited for command injection.

• Explore Metadata: You might find debug information, compiler versions, or other relevant metadata that could help in further analysis.

Example Usage

strings binary.elf  # Extract strings from the binary
strings -n 10 binary.elf  # Find strings that are at least 10 characters long

---

4. file

What It Does

The file command is used to identify the type of a file. It detects the format of the file based on its magic numbers and provides information about whether a file is a text file, binary, ELF executable, compressed archive, and more.

When to Use

• Identify Binary Types: Use file to determine whether the binary is an ELF file, Windows executable, or another type of format.

• Verify File Integrity: Sometimes, malware or suspicious binaries are disguised as other file types. The file command can help confirm the binary format.

Example Usage

file binary.elf  # Display file type information for an ELF binary
file somefile.txt  # Identify if the file is a text file

---

5. dmesg

What It Does

dmesg (short for “diagnostic message”) prints out kernel ring buffer messages, which are logs generated by the kernel. These messages can provide critical information about the system, including error messages, system crashes, and hardware events.

When to Use

• Debugging Program Crashes: If a program crashes or behaves unexpectedly, dmesg can help you identify low-level issues such as segmentation faults or memory violations that the kernel logs.

• Check for Security Events: Sometimes, the kernel logs security-related events, such as the use of ptrace or other debugging tools. dmesg can help you spot these events.

Example Usage

dmesg | grep -i "segfault"  # Check for segmentation faults in the kernel log
dmesg | grep "ptrace"  # Look for ptrace-related messages (debugger detection)

---

6. checksec

What It Does

checksec is a tool that checks the security features enabled in a binary. It evaluates the presence of protections like stack canaries, position-independent executables (PIE), and address space layout randomization (ASLR).

When to Use

• Check Security Features: Use checksec to determine which security mechanisms are enabled in an ELF binary. This can help you assess the difficulty of exploiting the binary (e.g., stack overflow attacks).

• Assess Exploitation Difficulty: If you are reverse engineering a binary for exploitation, knowing whether features like NX (No Execute), RELRO (Read-Only Relocations), and PIE are enabled can inform your exploitation strategy.

Example Usage

checksec --fortify-file=binary.elf  # Check the stack protection settings
checksec --pie --vulnerable  # Check if the binary is a PIE binary and if there are vulnerabilities

---

7. pwn

What It Does

pwn is an informal term referring to exploitation techniques used for compromising a binary, such as buffer overflows, format string vulnerabilities, and ROP (Return-Oriented Programming). It's also the name of a Python package (pwntools) that simplifies the exploitation of binaries in CTF and penetration testing environments.

When to Use

• Capture the Flag (CTF) Challenges: The pwn tools (especially pwntools) are excellent for quickly exploiting vulnerable binaries in CTF challenges.

• Binary Exploitation: Use pwn for creating and sending payloads to vulnerable binaries. This can involve crafting shellcode, manipulating stack or heap memory, and interacting with the target binary to exploit vulnerabilities.

Example Usage (with pwntools in Python)

from pwn import *
binary = ELF('./binary.elf')
p = process(binary.path)
p.sendline(b'A' * 100)  # Send payload to the binary
p.interactive()  # Interact with the program

---

8. Other Useful Tools

There are several additional command-line tools that you can use in reversing:

nm

• What It Does: Lists symbols (functions, variables, etc.) in an ELF binary.

• When to Use: Use nm to quickly identify symbols in a binary and locate function names or global variables.

nm binary.elf  # List symbols in the ELF binary

objdump

• What It Does: Disassembles a binary into assembly instructions, similar to gdb or IDA Pro.

• When to Use: Use objdump to view the assembly code and check the structure of the binary.

objdump -d binary.elf  # Disassemble the binary into assembly

---

Conclusion

In this post, we've covered several essential command-line tools used for reversing ELF binaries and other executable formats. Tools like strace, ltrace, strings, file, and checksec provide critical insights into the behavior, structure, and security features of a binary. They are all useful at different stages of reverse engineering, whether you're trying to understand a program's execution, locate vulnerabilities, or check its security settings.

By integrating these tools into your reverse engineering workflow, you can efficiently analyze binaries, uncover hidden behaviors, and even exploit vulnerabilities.