Edit

Binaries

Key Binary Behaviors in Dynamic Analysis

UID Checks and Privilege Escalation

  • The setuid(0) function call attempts to set the UID to root. If it succeeds returns 0.

  • A failure (-1) may indicate the program requires elevated permissions to execute certain operations.

Whitelists/Blacklists

  • strncmp or strcmp calls are used to compare input against predefined strings. A return value of -1 indicates a mismatch.

  • strcspn calls are used to check for forbidden characters (e.g., |, &, >, which could be part of command injection attempts).

File Operations and File Descriptors

  • Look for files related to user credentials, configuration, or logs.

External Command Execution

  • Calls to system(), execvp(), or similar functions: These often indicate the program is executing shell commands.

  • Input passed to these commands: If user input directly influences these calls, it might indicate an injection vulnerability.

Signals and Inter-Process Communication

  • Signals like SIGCHLD, SIGSEGV, or SIGKILL in the output.

  • Use of kill() to manage or terminate processes, which can indicate how the program interacts with other processes.

PreviousCreate Malicious ApplicationsNextGDB

Last updated