ltrace
The quickest way to get a feel for what a binary is doing is to run it with ltrace, which prints every library call it makes, along with the arguments and return value of each:
ltrace <BINARY> id
UID Checks and Privilege Escalation
The setuid(0) function call attempts to set the UID to root. If it succeeds, it returns 0.
A failure (return value -1) means the call was denied and may indicate that the program requires elevated permissions to perform certain operations.
Whitelists/Blacklists
strncmp or strcmp calls are used to compare input against predefined strings. A return value of 0 means the strings matched; a nonzero value such as -1 indicates a mismatch.
strcspn calls are used to check for forbidden characters (e.g., |, &, >, which could be part of command injection attempts). A return value smaller than the length of the input string means one of the rejected characters was found at that index.
File Operations and File Descriptors
Look for calls that open or read files related to user credentials, configuration, or logs.
External Command Execution
Calls to system(), execvp(), or similar functions: These often indicate the program is executing shell commands.
Input passed to these commands: If user input directly influences these calls, it might indicate an injection vulnerability.
Signals and Inter-Process Communication
Watch for signals such as SIGCHLD, SIGSEGV, or SIGKILL appearing in the output.
Use of kill() to manage or terminate processes, which shows how the program interacts with other processes.
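Added example (not code from the original page): a small Python triage script that parses ltrace's line format and flags each of the patterns described above (setuid result, string comparisons, strcspn filters, file opens, command execution, kill, and signals). The trace lines are constructed for a hypothetical binary, not a real capture.

```python
import re

# Constructed sample of ltrace output for a hypothetical binary (not a real
# trace): one call per line as "func(args) = retval", signals as "--- SIG... ---".
SAMPLE_TRACE = """\
setuid(0)                                 = -1
strcmp("secret", "guess")                 = -1
strcspn("ls|id", "|&>")                   = 2
fopen("/etc/passwd", "r")                 = 0x5581c2a0
system("id")                              = 0
kill(4242, 15)                            = 0
--- SIGCHLD (Child exited) ---
+++ exited (status 0) +++
"""

CALL_RE = re.compile(r'^(?P<func>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)$')
SIGNAL_RE = re.compile(r'^--- (?P<sig>SIG\w+)')
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # quoted string arguments
EXEC_FUNCS = {"system", "popen", "execv", "execvp", "execve", "execl", "execlp"}
FILE_FUNCS = {"open", "fopen", "open64", "fopen64"}

def triage(trace):
    """Map each ltrace line to a (category, detail) finding per the checklist."""
    findings = []
    for raw in trace.splitlines():
        line = raw.strip()
        sig = SIGNAL_RE.match(line)
        if sig:
            findings.append(("signal", sig.group("sig")))
            continue
        m = CALL_RE.match(line)
        if not m:                      # exit-status lines, truncated output, etc.
            continue
        func, args, ret = m.group("func"), m.group("args"), m.group("ret")
        strings = STRING_RE.findall(args)
        if func == "setuid" and args.strip() == "0":
            # 0 = now root; -1 = denied, the binary expects higher privilege
            findings.append(("uid", "root" if ret == "0" else "denied"))
        elif func in ("strcmp", "strncmp"):
            findings.append(("compare", "match" if ret == "0" else "mismatch"))
        elif func == "strcspn" and len(strings) == 2 and int(ret) < len(strings[0]):
            # return value < input length: a rejected character was hit at that index
            findings.append(("filter", strings[0][int(ret)]))
        elif func in FILE_FUNCS and strings:
            findings.append(("file", strings[0]))
        elif func in EXEC_FUNCS and strings:
            findings.append(("exec", strings[0]))   # check whether user input reaches this
        elif func == "kill":
            findings.append(("ipc", args))
    return findings
```

Pipe a real trace in with `ltrace -o trace.txt ./binary` and call `triage(open("trace.txt").read())`; ltrace escapes and may truncate long strings, so the strcspn index check is approximate for such arguments.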