AgentSkillsCN

binary-analysis

二进制分析工具和技术

SKILL.md
--- frontmatter
name: binary-analysis
description: Binary analysis tools and techniques

Binary Analysis

Initial Reconnaissance

File Identification

bash
file target           # File type, architecture
checksec target       # Security mitigations
readelf -h target     # ELF header details
readelf -S target     # Sections
readelf -l target     # Program headers (segments)

Security Mitigations Explained

CheckMeaningExploit Impact
NX enabledStack not executableNeed ROP/ret2libc
Canary foundStack cookie presentNeed leak or bypass
PIE enabledCode at random addressNeed code leak
Full RELROGOT read-onlyCan't overwrite GOT
Partial RELROGOT writableGOT overwrite possible

Static Analysis

Disassembly

bash
# Intel syntax disassembly
objdump -M intel -d target > target.asm

# With source (if debug symbols)
objdump -M intel -d -S target

# Specific section
objdump -M intel -d -j .text target

String Analysis

bash
strings target                    # ASCII strings
strings -a target                 # All sections
strings -t x target               # With offsets
strings -e l target               # 16-bit LE strings

Symbol Information

bash
nm target                         # Symbol table
nm -D target                      # Dynamic symbols
readelf --syms target             # Detailed symbols

Import/Export Analysis

bash
readelf -r target                 # Relocations (imports)
readelf --dyn-syms target         # Dynamic symbols
objdump -T target                 # Dynamic symbol table

Dynamic Analysis

GDB/pwndbg Commands

code
# Breakpoints
b *main                    # Break at main
b *0x401234                # Break at address

# Execution
r                          # Run
r < input.txt              # Run with input
c                          # Continue
si                         # Step instruction
ni                         # Next instruction (skip calls)

# Memory examination
x/20gx $rsp                # 20 qwords at RSP
x/s 0x401234               # String at address
telescope $rsp 20          # Smart stack view

# Info
info registers             # All registers
info proc mappings         # Memory map
vmmap                      # pwndbg memory map
checksec                   # Security features

# Search
search -s "/bin/sh"        # Find string
search -p 0x401234         # Find pointer

Tracing

bash
# System calls
strace ./target
strace -f ./target         # Follow forks
strace -e open,read,write ./target

# Library calls
ltrace ./target
ltrace -e malloc+free ./target

Address Calculation

With PIE Disabled

python
elf = ELF('./target')
main = elf.symbols['main']       # Direct address
puts_plt = elf.plt['puts']       # PLT entry
puts_got = elf.got['puts']       # GOT entry

With PIE Enabled

python
# Need to leak code address first
leaked_main = u64(leak.ljust(8, b'\x00'))
elf.address = leaked_main - elf.symbols['main']
# Now all addresses are correct

Libc Calculation

python
libc = ELF('./libc.so.6')
# After leaking puts address
libc.address = leaked_puts - libc.symbols['puts']
system = libc.symbols['system']
binsh = next(libc.search(b'/bin/sh'))

Common Patterns in Disassembly

Function Prologue

asm
push rbp
mov rbp, rsp
sub rsp, 0x40      ; Local variables

Canary Check

asm
mov rax, [fs:0x28]          ; Load canary
mov [rbp-0x8], rax          ; Save on stack
...
mov rax, [rbp-0x8]          ; Retrieve
xor rax, [fs:0x28]          ; Compare
je .ok
call __stack_chk_fail       ; Mismatch

Vulnerable strcpy

asm
lea rdi, [rbp-0x40]         ; Buffer (64 bytes)
mov rsi, [user_input]       ; No size limit!
call strcpy