Lab 1: Initial Binary Analysis - Triage
Overview
In this lab, you will explore the structure of executable file formats by comparing static and dynamically linked Linux binaries. You’ll learn about how executables are organized into segments and sections (such as .text, .rodata, .bss, etc.) and use Binary Ninja to examine symbols and strings. Later, you’ll compare a small program compiled for both Windows and Linux to identify platform-specific differences.
Goals:
- Understand the difference between static and dynamically linked executables.
- Learn how executable file formats are organized into segments and sections.
- Identify common sections (e.g., .text, .rodata, .bss) and understand their roles.
- Use Binary Ninja to view symbols and strings for deeper insight into a binary’s functionality.
- Compare Linux and Windows binaries by examining differences in libraries, segments, and platform-specific features.
Estimated Time: 45 Minutes
Instructions
First Steps
Download the program to analyze:
curl 1

The first thing you can do to get a limited understanding of a program is just
to look for strings! Developers leave log messages and print strings all over
the place, so this can be very fruitful when you're first trying to figure out
what some random binary does. Use the strings command to view strings that are
present inside the binary. Remember to use the -n flag to filter results to
strings greater than or equal to the specified length.
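To see exactly what the -n cutoff does, here is an added example (written for this lab, not part of the handout and not the GNU strings source) that re-implements the scan over a constructed byte blob standing in for a binary. The sample bytes, the function names and the min_len parameter are all made up for the example; the character set (printable 7-bit ASCII, 0x20 to 0x7e) and the default minimum length of 4 match what GNU strings uses.

```python
# Added example: a minimal re-implementation of `strings -n N`, run over a
# constructed byte blob so it works offline. Not the GNU strings source.
import re

# GNU strings' default character set: printable 7-bit ASCII.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]+")

# Constructed sample "binary": a fake ELF magic, a few x86-64 opcode bytes and
# some embedded messages like the ones a curl-style program prints.
SAMPLE_BIN = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"\x55\x48\x89\xe5"                    # push rbp; mov rbp,rsp ('U','H' happen to be printable)
    + b"AB\x00"                              # two printable bytes: junk that -n 4 filters out
    + b"usage: curl [options...] <url>\x00"
    + b"\xc3\x90\x90"
    + b"libcurl.so.4\x00"
    + b"\xff\xfe"
    + b"could not resolve host\x00"
)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII at least min_len bytes long, in file order
    (what `strings -n min_len` prints)."""
    return [m.group().decode("ascii")
            for m in PRINTABLE_RUN.finditer(data)
            if len(m.group()) >= min_len]


def strings_with_offsets(data: bytes, min_len: int = 4) -> list:
    """Same scan, but paired with the file offset of each hit (what `strings -t x`
    adds); the offset is what lets you map a string back to its section."""
    return [(m.start(), m.group().decode("ascii"))
            for m in PRINTABLE_RUN.finditer(data)
            if len(m.group()) >= min_len]


if __name__ == "__main__":
    # Low cutoffs surface opcode bytes that merely look like text; higher
    # cutoffs leave only the messages a developer actually wrote.
    for n in (2, 4, 20):
        print(f"-n {n}: {extract_strings(SAMPLE_BIN, n)}")
    for off, s in strings_with_offsets(SAMPLE_BIN):
        print(f"{off:#06x}: {s}")
```

Run it and compare `-n 2` with `-n 4`: the short hits ("ELF", "UH", "AB") are instruction bytes and header fields that happen to fall in the printable range, which is why the lab tells you to raise the minimum length.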
Question
Based on some of the strings that you see, what is this program used for?
Using BinaryNinja
For the labs this week we will be using binaryninja’s
free version which is already installed on your class VMs. You can find it in
the Tools folder on your desktop. You can run it from the terminal with:
~/Desktop/Tools/binaryninja_free/binaryninja

Once you get it open, select File > Open for Triage from the menu to open
binary files for triage. Navigate to the file you downloaded earlier and double
click to open it. Alternatively, you can drag and drop the file into
binaryninja.

Explore the Triage window in binaryninja
Ignore the Symbols and Cross References view on the left side of binaryninja
for now.

Reverse engineering tools do A LOT of things! But this means that the view can
be a little overwhelming. Ignore the Symbols and Cross References panes on
the left side of the screen. The three indicators in the above screenshot are:
- View selection dropdowns. Use these to get back to the Triage view if you ever click something and it takes you to a different view.
- This is the main triage window. Scroll down to see more stuff!
- The far right-side shows an overview of the whole binary. You can also use this to navigate to other sections of the binary.
Because BinaryNinja understands the ELF file format, it has helpfully pulled out some information and displayed it in the main window. Notice how the entropy bar shows where different parts of the program have higher (yellow) and lower (dark blue) values of entropy.
Analyzing shared libraries
Review the loaded libraries. Compare this to the list when you run the ldd
program on the curl1.bin binary from the terminal. A quick glance at the
ldd man page shows that it
“prints the shared object dependencies” of the specified program.
Question
Why do you think the list from ldd is different from what binaryninja reports?
HINT: Try running ldd on the libcurl.so.4 binary.
Do a quick google search on the libcurl.so.4 library to find out what kind of
functionality it provides.
Question
Based on your search, what do you think the curl binary uses libcurl for?
What functions in the imports table come from libcurl?
Examine Segments and Sections
Next let's look at the difference between sections and segments of an ELF
binary. Do some research to figure out what the requested sections are used for.
Question
Describe the following sections: .text, .data, .bss, .got, and .plt
Next let's try to map some data that binaryninja shows us to the different sections of the binary. Double click on one of the imported functions to see what section it takes you to. Then hover your mouse over the memory address to see what bytes are listed there.

Then compare that to the address of the function name on the right hand side of the equals sign.

Question
Based on these two values is this a little-endian or a big-endian binary?
Using the Memory Map view
Use the memory map view to see how each section of the ELF file maps to a segment in memory. Switch to the new view using the drop down menu in the top left of the main view window.

Question
For each section you looked up earlier, what is the starting address of the segment that contains it?
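The three questions above (what the sections are, which way the bytes of an address are stored, and which segment each section lands in) can all be answered by reading the ELF headers directly, which is what Binary Ninja's Triage and Memory Map views do for you. The following is an added example written for this lab, not part of the handout and not Binary Ninja's own code: a small ELF64 parser run against a constructed in-memory ELF image so it works offline. Everything in it is made up for the example: the image built by build_sample_elf (two PT_LOAD segments, a handful of sections, and a .got slot holding the constructed value 0x400104), and the helper names parse_elf, section_to_segment, read_pointer and decode_both_ways. Replace the sample image with open("curl1.bin", "rb").read() to run the same checks on the lab binary.

```python
# Added example (not from the lab or Binary Ninja): parse ELF64 headers by
# hand, map each section to its containing PT_LOAD segment, and read a .got
# entry byte by byte to see how endianness shows up. The ELF image below is
# constructed for the example; field layouts follow the ELF64 specification.
import struct

PT_LOAD, SHT_PROGBITS, SHT_NOBITS = 1, 1, 8
SHF_WRITE, SHF_ALLOC, SHF_EXEC = 1, 2, 4


def build_sample_elf() -> bytes:
    """Constructed ELF64 (x86-64, little-endian) with two LOAD segments."""
    img = bytearray(0x500)
    shstrtab = b"\0.text\0.rodata\0.got\0.data\0.bss\0.shstrtab\0"
    n = {".text": 1, ".rodata": 7, ".got": 15, ".data": 20, ".bss": 26, ".shstrtab": 31}
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\0" * 7   # 64-bit, LSB, version 1
    struct.pack_into("<16sHHIQQQIHHHHHH", img, 0, e_ident, 2, 0x3E, 1,
                     0x400100, 64, 0x340, 0, 64, 56, 2, 64, 7, 6)
    # PT_LOAD #1: file 0x000-0x120 -> 0x400000 (r-x): ELF header, .text, .rodata
    struct.pack_into("<IIQQQQQQ", img, 64, PT_LOAD, 5, 0, 0x400000, 0x400000, 0x120, 0x120, 0x1000)
    # PT_LOAD #2: file 0x200-0x220 -> 0x601200 (rw-), memsz 0x40 so .bss fits after the file data
    struct.pack_into("<IIQQQQQQ", img, 120, PT_LOAD, 6, 0x200, 0x601200, 0x601200, 0x20, 0x40, 0x1000)
    img[0x100:0x110] = b"\x55\x48\x89\xe5\xc3" + b"\x90" * 11     # .text
    img[0x110:0x120] = b"hello, world!\0\0\0"                     # .rodata
    img[0x200:0x208] = struct.pack("<Q", 0x400104)                # .got slot: pointer stored LSB first
    img[0x210:0x214] = struct.pack("<I", 42)                      # .data
    img[0x300:0x300 + len(shstrtab)] = shstrtab
    # (name, type, flags, addr, offset, size, link, info, align, entsize)
    shdrs = [
        (0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                            # mandatory null entry
        (n[".text"],     SHT_PROGBITS, SHF_ALLOC | SHF_EXEC,  0x400100, 0x100, 0x10, 0, 0, 16, 0),
        (n[".rodata"],   SHT_PROGBITS, SHF_ALLOC,             0x400110, 0x110, 0x10, 0, 0, 16, 0),
        (n[".got"],      SHT_PROGBITS, SHF_ALLOC | SHF_WRITE, 0x601200, 0x200, 0x10, 0, 0, 8, 8),
        (n[".data"],     SHT_PROGBITS, SHF_ALLOC | SHF_WRITE, 0x601210, 0x210, 0x10, 0, 0, 8, 0),
        (n[".bss"],      SHT_NOBITS,   SHF_ALLOC | SHF_WRITE, 0x601220, 0x220, 0x20, 0, 0, 8, 0),
        (n[".shstrtab"], 3,            0,                     0,        0x300, len(shstrtab), 0, 0, 1, 0),
    ]
    for i, sh in enumerate(shdrs):
        struct.pack_into("<IIQQQQIIQQ", img, 0x340 + 64 * i, *sh)
    return bytes(img)


def parse_elf(data: bytes) -> dict:
    """Read the ELF header, program headers and section headers (ELF64 only)."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    endian = "<" if data[5] == 1 else ">"            # e_ident[EI_DATA]: 1 = LSB, 2 = MSB
    (_, _, _, _, entry, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, shstrndx) = struct.unpack_from(endian + "16sHHIQQQIHHHHHH", data, 0)
    segments = []
    for i in range(phnum):
        p = struct.unpack_from(endian + "IIQQQQQQ", data, phoff + i * phentsize)
        segments.append(dict(type=p[0], flags=p[1], offset=p[2], vaddr=p[3], filesz=p[5], memsz=p[6]))
    shdrs = [struct.unpack_from(endian + "IIQQQQIIQQ", data, shoff + i * shentsize) for i in range(shnum)]
    strtab = shdrs[shstrndx][4]                       # file offset of the section-name string table

    def name(idx):
        return data[strtab + idx:data.index(b"\0", strtab + idx)].decode()

    sections = [dict(name=name(s[0]), type=s[1], flags=s[2], addr=s[3], offset=s[4], size=s[5])
                for s in shdrs[1:]]
    return dict(endian="little" if endian == "<" else "big", entry=entry,
                segments=segments, sections=sections)


def section_to_segment(elf: dict) -> dict:
    """Section name -> start address of the PT_LOAD segment containing it (None if never loaded)."""
    out = {}
    for s in elf["sections"]:
        out[s["name"]] = None
        if s["flags"] & SHF_ALLOC:                    # non-ALLOC sections (.shstrtab) stay on disk
            for seg in elf["segments"]:
                if seg["type"] == PT_LOAD and seg["vaddr"] <= s["addr"] < seg["vaddr"] + seg["memsz"]:
                    out[s["name"]] = seg["vaddr"]
                    break
    return out


def read_pointer(data: bytes, elf: dict, vaddr: int) -> tuple:
    """Raw 8 bytes stored at a virtual address, and their value as a pointer in the file's byte order."""
    for seg in elf["segments"]:
        if seg["type"] == PT_LOAD and seg["vaddr"] <= vaddr < seg["vaddr"] + seg["filesz"]:
            off = seg["offset"] + (vaddr - seg["vaddr"])
            raw = data[off:off + 8]
            return raw, int.from_bytes(raw, elf["endian"])
    raise ValueError(f"{vaddr:#x} is not backed by file data")


def decode_both_ways(raw: bytes) -> dict:
    """The same bytes read little- and big-endian; only one yields a plausible address."""
    return {"little": int.from_bytes(raw, "little"), "big": int.from_bytes(raw, "big")}


if __name__ == "__main__":
    data = build_sample_elf()
    elf = parse_elf(data)
    seg_of = section_to_segment(elf)
    for s in elf["sections"]:
        kind = "NOBITS" if s["type"] == SHT_NOBITS else "PROGBITS" if s["type"] == SHT_PROGBITS else "other"
        print(f"{s['name']:10} addr={s['addr']:#010x} size={s['size']:#05x} {kind:8} segment={seg_of[s['name']]}")
    raw, val = read_pointer(data, elf, 0x601200)
    print("bytes at .got:", raw.hex(" "), "->", hex(val), decode_both_ways(raw))
```

Two things to notice when you run it. The .bss section reports NOBITS and sits past the end of the segment's file data but inside its memsz, which is the whole reason segments and sections are different views of the same file. And the bytes hovered at the .got slot come out as 04 01 40 00 00 00 00 00 while the address they encode is 0x400104: the least significant byte is stored first, which is the comparison the endianness question asks you to make.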
Make comparisons with a different version of the curl binary
Download the second version of the curl binary and open it for triage in
binaryninja. Compare triage views and note any differences between curl1.bin
and curl2.bin.
Question
What is the reason for the differences in curl2.bin?
HINT: Compare the output of the file command on the two binaries.
Part 2: Compare Windows vs. Linux Binaries
Conduct a similar analysis as above
For part two, download or locate a small program compiled for both Windows and Linux.
hashcat.bin hashcat.exe

Open each binary for triage in BinaryNinja, then answer the following questions:
Question
Note any differences in the Triage Summary for the two programs. Do they use the same shared libraries?
Question
Compare the segmentation/section layout between the two binaries in the Memory Map view. Are there more or fewer sections/segments in one program?
Question
Use the Strings view to find a long string, then double-click it to see what section it resides in. What section is this for each program?
Tip
- Review the BinaryNinja Documentation to learn how to use the tool.