Statically linked binaries


live_dont_exist
January 16th, 2015, 14:14
Hi All,
I've been trying to write some code to detect the libraries inside statically linked binaries. I've made some nice progress (will share when done). But here is where I am stuck. There's a very simple program that I wrote for test purposes and statically linked with libc.

Code:
gcc -static -lc -o test test.c


After lots of studying in IDA, I can see some libc code in the binary but there also appear to be other functions (sub_<NUMBER>) that are NOT libc. So the question is, what are these functions? Does gcc add them in by default? Is it the way IDA disassembles things? And whatever that stuff is... where can I find it on the OS? Like libc, which I found in libc.a in some directory. Similarly, are those additional functions also due to some libraries? Where are these?

Here is the code for test.c that generates lots of functions in IDA.

Code:

/* http://iamtgc.com/selectively-statically-compile-and-link-nix-binaries/ */
#include <stdio.h>
#include <math.h>

/* Calls into libm so that math code ends up in the static binary. */
void calc(void) {
    float d = cos(90);                       /* argument is in radians */
    printf("cosine of 90 is %f\n", d);
}

int main(void) {
    calc();
    return 0;
}

Any pointers are appreciated. Thanks.

rendari
January 20th, 2015, 14:13
Hi there,

I tried your example with IDA Pro 6.7. My binary was built on Ubuntu with GCC 4.8. I used your exact command line parameters and source file.

IDA Pro identified all functions correctly. There was not a single sub_xxxx function. Here is a list of function names:
http://pastebin.com/AU2tRpsz

Are you working on OSX by any chance?

-rendari

live_dont_exist
January 20th, 2015, 21:53
Thanks very much. That's very strange because I'm using a fairly similar environment.

- Ubuntu 12.04
- gcc 4.6.3

Windows 7 - IDA PRO 6.6

I will check again when I have time. But let's step back for a minute...

As in, this binary might well behave just like you said. But there are numerous binaries that are statically linked (I'm thinking of lots of CTF binaries) and it's hard to identify the real code from library code. That's the motivation behind my little project.

In that case, when there are lots of sub_ functions... what do you do to filter stuff?

Thanks.

rendari
January 21st, 2015, 18:14
Hi live_dont_exist,

I usually run the binary under a debugger, and set breakpoints where I see interesting library calls and strings. Then I trace the application from there and try to understand its behaviour better.

-r

live_dont_exist
January 26th, 2015, 21:09
Cool, thanks. Yeah, I get that you could do it dynamically in a debugger, which is perfectly right. I was trying to see if there was a way to do it statically - just looking at code.

Anyway I made a bit of progress on it and have a small project up here if anyone is interested and can provide feedback on how I can improve it.

https://github.com/arvinddoraiswamy/slid

And a reddit thread if you like/hate it

https://www.reddit.com/r/ReverseEngineering/comments/2trxsc/detect_libraries_in_a_statically_linked_binary/
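The static approach discussed in this thread (telling library code apart from the author's own code without running the binary) comes down to signature matching: code copied out of libc.a lands in the final binary byte-for-byte except at relocation sites, which the linker overwrites. The following is an added example written for this page, not code from the thread or from the slid project; the "library functions", relocation lists and the linked image are constructed x86-64-like bytes, not real libc code.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

MIN_FIXED_BYTES = 8  # shorter signatures match by accident all over a binary

@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes     # regex over bytes; relocated bytes become '.'
    fixed_bytes: int   # count of exact bytes, used as a confidence score

def build_signature(name: str, code: bytes, relocs: list[tuple[int, int]]) -> Signature:
    """code: a function's bytes from a library object (e.g. a libc.a member);
    relocs: (offset, size) ranges the linker overwrites at link time."""
    wild = {i for off, size in relocs for i in range(off, off + size)}
    parts = [b"." if i in wild else re.escape(bytes([b])) for i, b in enumerate(code)]
    return Signature(name, b"".join(parts), len(code) - len(wild))

def scan(image: bytes, sigs: list[Signature]) -> list[tuple[int, str]]:
    """Return (offset, name) for each identified function; when two signatures
    match at one offset, keep the one with more fixed bytes."""
    hits: dict[int, tuple[str, int]] = {}
    for sig in sigs:
        if sig.fixed_bytes < MIN_FIXED_BYTES:
            continue  # a weak signature would label user code as library code
        for m in re.finditer(sig.pattern, image, re.DOTALL):
            prev = hits.get(m.start())
            if prev is None or prev[1] < sig.fixed_bytes:
                hits[m.start()] = (sig.name, sig.fixed_bytes)
    return sorted((off, name) for off, (name, _) in hits.items())

def link(code: bytes, relocs: list[tuple[int, int]], values: list[int]) -> bytes:
    """Constructed stand-in for the linker: fill relocation sites little-endian."""
    out = bytearray(code)
    for (off, size), v in zip(relocs, values):
        out[off:off + size] = v.to_bytes(size, "little", signed=True)
    return bytes(out)

# Constructed "library functions" (not real libc): displacements are zero in the .o.
LIB_CALC = bytes.fromhex("554889e5 4883ec10 e800000000 4883c410 5dc3")   # prologue; call X; epilogue
LIB_CALC_RELOCS = [(9, 4)]                                                # rel32 of the call
LIB_PRINT = bytes.fromhex("4883ec08 488d3d00000000 e800000000 4883c408 c3")  # lea rdi,[rip+X]; call Y
LIB_PRINT_RELOCS = [(7, 4), (12, 4)]
LIB_RET0 = bytes.fromhex("31c0c3")  # xor eax,eax; ret: far too short to be a usable signature

SIGNATURES = [build_signature("calc_helper", LIB_CALC, LIB_CALC_RELOCS),
              build_signature("print_helper", LIB_PRINT, LIB_PRINT_RELOCS),
              build_signature("ret0", LIB_RET0, [])]

# Constructed static image: padding, linked library code, 3 bytes of user code
# (identical to LIB_RET0), the second library function, padding.
IMAGE = (b"\x90" * 16 + link(LIB_CALC, LIB_CALC_RELOCS, [0x1234])
         + LIB_RET0 + link(LIB_PRINT, LIB_PRINT_RELOCS, [0x2000, -0x80]) + b"\x90" * 7)

if __name__ == "__main__":
    for off, name in scan(IMAGE, SIGNATURES):
        print(f"sub_{off:X} -> {name}")
```

Real signatures would be built from the .text bytes and relocation entries of each object in libc.a; the short-signature cut-off is what keeps three-byte stubs from being misattributed, which is exactly where the false positives come from in practice.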