Cannot execute a binary

bennworah

New Member
Joined
Jul 18, 2020
Messages
29
Reaction score
1
Credits
253
Hello Linux experts,

I am trying to execute a binary file from my shell, but I receive the error message "cannot execute binary".

I ran file <file> and the output says that the file can run on x86_64. My Linux box is x86_64 (using uname -m).

Please assist
 


captain-sensible

Well-Known Member
Joined
Jun 14, 2019
Messages
2,910
Reaction score
1,972
Credits
18,114
Thing is, you're not actually providing any information.

"Hello Linux experts" implicitly implies you're on Linux, but not explicitly, so are you on Windows, a Mac or Linux? Which OS?
Where is the binary? i.e. home or a /bin

Copy and paste for us the output of file. Ctrl + Alt + C to copy and Ctrl + Alt + V to paste. So we can actually see the output.

Did you compile it? How big is the file? If you zip it, you can add it as an attachment and maybe then someone will download it and play with it. What does the binary do? Has anybody else got it working? Maybe it's a dud?
 

bennworah

Hello, I am running it on a Linux OS. It is placed in the /usr/bin directory.
Please, it is a malware sample (rootkit); I want to detect the rootkit using a SIEM tool.
I will send it to you, but be careful because, as mentioned, it is a malicious file. Link to file

Fanboi

Well-Known Member
Joined
Apr 16, 2021
Messages
499
Reaction score
410
Credits
6,114
Looks like you're running in a VM on Windows. Anyway, that you say it's "malicious" means you or your fam built it. Did you link everything statically when compiling it? I presume it was compiled natively (on target arch, for target arch, with libs matching target arch), yes? I presume you did check the file hashes and try building more than once, yes?
Try chmod o+x, too.
 

JasKinasis

Well-Known Member
Joined
Apr 25, 2017
Messages
1,761
Reaction score
2,556
Credits
14,708
Well, there's your problem!
The file is NOT an executable, it's a relocatable.

Effectively, what you have there is an ELF object file. These are generated when a file is compiled by a compiler, but NOT linked into an executable.

So, assuming a single source file was used to create this, it would typically be generated by doing something like this:
So for a C program, compiled using gcc:
Bash:
gcc -c /path/to/somefile.c
Or for a C++ program compiled using g++:
Bash:
g++ -c /path/to/somefile.cpp

The -c flag tells gcc/g++ to compile the source file, but NOT to link it into an executable.

So the compiler will parse/validate the source code, once it's all been validated/compiled, it will be assembled during the assembly stage into a relocatable ELF object file.

So both of those examples would generate a relocatable ELF object-file called somefile.o

They're called relocatable, because the functions and variables are not bound to any fixed addresses, the objects are just symbols.
If you run the file through a linker, you can link it into an executable. The linker will assign addresses to the variables/symbols and functions in the object file.
Also, for executables, it will provide a bootstrap that will load the main() function.


C, or C++ were just arbitrary examples, other compiled languages can be compiled to relocatables in a similar way. You could do this in assembly with NASM/TASM - compile to an object-file, without linking into an executable.

If you use readelf you should see a table of the symbols inside the file.
e.g.
Bash:
readelf --symbols /path/to/malwareSample

That will show you all of the symbols that are in the object file and you should see that all of the addresses/offsets are set to 00000000.

If it has a main() function listed - it means it could be linked as an executable - but you'd probably also need the original source file used to compile the malware sample in order to do so.

If it does not have a main function, then the object file is more likely intended to be linked as a shared-object (.so), which is a library file (a bit like a .dll in Windows) - in which case another application would have to be compiled and linked, to use the malicious library, instead of some other genuine library. (I'm guessing!).

I hope this helps!

EDIT: I imagine that the reason the malware sample was distributed as an object file and not as a linked executable is probably because it's malware!
 
Last edited:
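The check described in the post above can be done on the ELF header alone. This is an added example, not part of the original thread: it reads `e_type`, the field the Linux kernel's ELF loader tests before it will run a file (only `ET_EXEC` and `ET_DYN` are accepted, so an `ET_REL` object fails with "Exec format error" even when the architecture matches). The function names and the header bytes built by `make_header` are constructed for illustration.

```python
import struct

# e_type values from the ELF specification
ELF_TYPES = {0: "ET_NONE", 1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
# A few common e_machine values; anything else is reported as its number
ELF_MACHINES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def triage_elf(data: bytes) -> dict:
    """Parse the start of an ELF header and report whether it is a loadable image."""
    # 52 bytes is the size of the smallest valid ELF header (ELF32)
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file or truncated header")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS or EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    # e_entry sits at offset 24, after the 4-byte e_version; width depends on class
    (e_entry,) = struct.unpack_from(endian + ("I" if ei_class == 1 else "Q"), data, 24)
    type_name = ELF_TYPES.get(e_type, hex(e_type))
    return {
        "bits": 32 if ei_class == 1 else 64,
        "type": type_name,
        "machine": ELF_MACHINES.get(e_machine, str(e_machine)),
        "entry": e_entry,
        # ET_REL (a .o file) has no program headers and no entry point to jump to
        "loadable": type_name in ("ET_EXEC", "ET_DYN"),
    }


def make_header(e_type: int, e_entry: int) -> bytes:
    """Constructed sample: a bare 64-byte ELF64 little-endian x86-64 header."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    return ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, e_entry,
                               0, 0, 0, 64, 0, 0, 0, 0, 0)


if __name__ == "__main__":
    for name, hdr in [("object.o", make_header(1, 0)),
                      ("linked", make_header(2, 0x401000))]:
        print(name, triage_elf(hdr))
```

To triage a real sample without running it, pass the first 64 bytes of the file, for example `triage_elf(open(path, "rb").read(64))`.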

captain-sensible

It's a bit of an off tangent, in that it involves Python, but it does involve an ELF executable and may help those that want to write a Python script and get it to do things on Linux, e.g. as an executable:

Code:
file fetchmirrorsgui                                                                                              (07-21 12:07)
fetchmirrorsgui: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=f6af5bc244c001328c174a6abf855d682aa7401b, for GNU/Linux 2.6.32, stripped

I wrote the Python script: https://notabug.org/captainsensible/fetchMirrorsGui

Then I used pyinstaller-git: https://aur.archlinux.org/packages?O=0&K=pyinstaller-git (if you're on Arch, that is).
This enabled me to produce an executable ELF file that can be placed in /usr/bin/ and do stuff such as invoking a GUI, getting a mirror list relevant to where you are and sorting fastest first, when you execute it.


So basically my point is you can use Python to carry out stuff on a Linux system.
 

bennworah

Hello, thanks, this is clear.
I really appreciate it.
 

bennworah

Hello,
How do I load the malicious sample (relocatable file) onto my Linux device?
 

captain-sensible

Let me give you a metaphor: "I've got a car with an empty fuel tank - can you help me make it run?" No, not really; ideally I would have to know how the car works, but the level of what I need to know depends. As the esteemed person Ronald Dumsfeld once said:
In regard to the car, I would need to know: is it petrol or is it diesel?

In regard to, say, my Python script: I wrote the script in Python, so I knew to look for ways of adding libraries for Python and then test. If you start from source it's a lot easier, for instance Java. Going backwards from a compiled Servlet ain't so easy.

Your file is password protected; God knows what's in it or what it does. ClamAV doesn't know either.
So if you didn't write it, best to pick the brains of who did.
If you wrote it, source code before, object before binary would be nice. I never did get into C, so can't help with that.
 

JasKinasis

I think the point of the sample is to analyse and understand the code used in the malware sample. Or to be able to use it to fingerprint a particular piece of malware. Running it may be unwise.

As it's relocatable, you'd probably need to write a stub program that loads the relocatable code into memory somewhere and then runs it. But I've never really tried to do that. I'm not sure exactly how that works!

From a quick bit of duckduckgo-fu:
This is probably most relevant:

It looks like the above link only discusses .a and .so files. But I think it also works with .o files too. But again - I've never tried it, so I'm not entirely sure!

Another, more complex method may be process injection - injecting the object code into an already running application. Again, not something I've tried, but it's a technique that I'm aware of. It has legitimate uses, but it's probably used more by sophisticated black-hats.

Another quick bit of duckduckgo-fu yielded this:

Which may or may not help!
 