In Linux, Binary or bin files are executable files composed of machine code in binaries that are executed on the operating system. The information in the binary files is encoded and cannot be readable by the users. This information could be like compiled files, images, metadata, or text files. Analyzing the binary file tells the user about the type, content, and dependencies of the particular file.
This post will demonstrate the multiple methods to analyze the binary files in Linux:
- Type of Binary File
- Shared Libraries of the Binary File
- Content of the Binary File
- Printable Characters of the Binary File
- File Formats of the Binary File
- Binary File Output in Assembly Language
- By Tracing System Calls
- By Tracing Shared Libraries
- Output of the Binary File in Binary Format
How to Analyze the Type of Binary File?
The binary file type is necessary to check what information is stored in the file, whether it is binary, library, ASCII, etc.
To analyze the binary file type, the “file” command is utilized, which enables the user to understand the exact file type as shown below:
$ file /bin/awk
The “awk” contains the information of symbolic link for the file “/etc/alternatives/awk/”.
How to Analyze the Shared Libraries of the Binary File?
Binary files require some common operations to execute, such as opening and displaying the file output stored in the libraries.
These libraries can be displayed through the “dd” utility as shown:
$ ldd /bin/netcat
The above output shows the dependent libraries of the “netcat” binary file.
How to Analyze the Content of the Binary File?
The content of the binary of the file is in the “0, 1” form but can be changed to hexadecimal and ASCII characters.
To do so, the “hexdump” utility is considered; use it with the “C” flag for generating the output of the binary file:
$ hexdump -C /bin/netcat | head
The content of the “/bin/netcat” binary file is in hex and ASCII characters.
How to Analyze the Printable Characters of the Binary File?
The binary file contains printable ASCII/text messages for displaying information, errors, messages, debugging information, etc.
To dump these characters on the screen, the “strings” utility is examined as shown:
$ strings /bin/awk
The printable strings for the “/bin/awk” has been printed.
How to Analyze the File Formats of the Binary File?
The ELF “Executable and Linkable File” is the main file format for the executable or binaries in Linux and its other variants.
The “readelf” command is considered to analyze the binary file format. It enables the user to display the information about the ELF file formats as shown in the following image:
$ readelf -h /bin/gzip
The information about the ELF(Execute Linkable File Format) is listed.
How to Analyze the Binary File Output in Assembly Language?
When a binary file is compiled, it initiates the results in the machine code executed by the CPU. It can be interrupted by the assembly language to dump the machine code output and print it on the screen.
To do so, the “objdump” utility is carried out as executed below:
$ objdump -d /bin/gzip | head
The disassembled code (assembly code information) of the”/bin/gzip” file has been printed.
How to Analyze the Binary Files By Tracing System Calls?
The user can consider the “strace” utility that traces the system calls (interface to the Kernel) for the execution of the binary files.
To do so, use the below-mentioned command:
$ strace -f /bin/hostname
The system calls (process execution with Kernel) are traced for the binary file “/bin/hostname”.
How to Analyze the Binary By Tracing Shared Libraries?
The “ltrace” is the utility that is quite similar to the “strace” command; the difference is it displays the dynamic calls of the shared libraries (functions) at run time.
The “ltrace” can be installed through the following command:
$ sudo apt install ltrace #For Debian/Ubuntu
$ sudo yum install ltrace #For CentOS/RHEL
Let’s run the ltrace for binary files:
$ ltrace /bin/awk
All the shared libraries of the “awk” binary file are printed.
How to Analyze the Output of the Binary File in Binary Format?
The “xxd” is the utility that generates the output of the files in hex, but it can be examined to generate the output in binary form using the “b” flag:
$ xxd -b /bin/ls
The output of the binary file is converted into binary output rather than hex.
Conclusion
The binary files in Linux are analyzed through the file, ldd, hexdump, strings, readelf, objdump, strace, ltrace, and xxd utilities. All of them are built-in tools except the “ltrace” utility which can be installed through the given command. This write-up has illustrated all possible methods to analyze binary files in Linux.
