• We did not send an email asking for donations - please read this post.

Cannot execute a binary

bennworah

New Member
Joined
Jul 18, 2020
Messages
20
Reaction score
1
Credits
174
Hello Linux experts,

I am trying to execute a binary file from my shell, but i receive the error message "cannot execute binary".

I ran file <file> , i have an output that the file can run on x86_64. my linux box is an x86_64 (using uname -m).

Please assist
 


captain-sensible

Well-Known Member
Joined
Jun 14, 2019
Messages
2,913
Reaction score
1,970
Credits
18,126
thing is your not actually providing any information.

hello linux experts implicitly implies your on lInux but not explicitly, so are on on Windows , a Mac or Linux ? which OS
where is the binary ? i.e home or a /bin

Copy and paste for use the output of file . Ctrl + alt +c to copy and ctrl + alt + v to paste. So we can actually see output

Did you compile it ? how big is the file, if you zip it , you can add as an attachment and myabe then someone will download it and play with it. What does the binary do. Has anybody else got it working ? maybe its a dud ?
 
OP
B

bennworah

New Member
Joined
Jul 18, 2020
Messages
20
Reaction score
1
Credits
174
thing is your not actually providing any information.

hello linux experts implicitly implies your on lInux but not explicitly, so are on on Windows , a Mac or Linux ? which OS
where is the binary ? i.e home or a /bin

Copy and paste for use the output of file . Ctrl + alt +c to copy and ctrl + alt + v to paste. So we can actually see output

Did you compile it ? how big is the file, if you zip it , you can add as an attachment and myabe then someone will download it and play with it. What does the binary do. Has anybody else got it working ? maybe its a dud ?
Hello, i am running it on a linux OS. It is place in /usr/bin directory.
Please it is a malware sample (rootkit), i want to detect the rootkit using a SIEM tool.
I will send to you, but be careful because as mentioned it is a malicious file. Link to file
1658395718258.png
 
Last edited:

Fanboi

Well-Known Member
Joined
Apr 16, 2021
Messages
499
Reaction score
407
Credits
6,114
Looks like you're running in a VM on Windows.. Anyway, that you say it's "malicious" means you or your fam built it. Did you link everything statically when compiling it? I presume it was compiled natively (on target arch, for target arch, with libs matching target arch), yes? I presume you did check the file hashes and try building more than once, yes?
Try chmod o+x, too.
 

JasKinasis

Well-Known Member
Joined
Apr 25, 2017
Messages
1,572
Reaction score
2,232
Credits
11,629
Well, there's your problem!
The file is NOT an executable, it's a relocatable.

Effectively, what you have there is an ELF object file. These are generated when a file is compiled by a compiler, but NOT linked into an executable.

So, assuming a single source file was used to create this, it would typically be generated by doing something like this:
So for a C program, compiled using gcc:
Bash:
gcc -c /path/to/somefile.c
Or for a C++ program compiled using g++:
Bash:
 g++ -c  /path/to/somefile.cpp

The -c flag tells gcc/g++ to compile the source file, but NOT to link it into an executable.

So the compiler will parse/validate the source code, once it's all been validated/compiled, it will be assembled during the assembly stage into a relocatable ELF object file.

So both of those examples would generate a relocatable ELF object-file called somefile.o

They're called relocatable, because the functions and variables are not bound to any fixed addresses, the objects are just symbols.
If you run the file through a linker - you can link it into an executable. The linker will assign addresses to the variables/symbols and functions in the object file.
Also, for executables - it will also provide a bootstrap that will load the main() function .


C, or C++ were just arbitrary examples, other compiled languages can be compiled to relocatables in a similar way. You could do this in assembly with NASM/TASM - compile to an object-file, without linking into an executable.

If you use readelf you should see a table of the symbols inside the file.
e.g.
Bash:
readelf --symbols /path/to/malwareSample

That will show you all of the symbols that are in the object file and you should see that all of the addresses/offsets are set to 00000000.

If it has a main() function listed - it means it could be linked as an executable - but you'd probably also need the original source file used to compile the malware sample in order to do so.

If it does not have a main function, then the object file is more likely intended to be linked as a shared-object (.so), which is a library file (a bit like a .dll in windows) - in which case another application would have to be compiled and linked, to use the malicious library, instead of some other genuine library. (I'm guessing!).

I hope this helps!

EDIT: I imagine that the reason the malware sample was distributed as an object file and not as a linked executable is probably because it's malware!
 
Last edited:

captain-sensible

Well-Known Member
Joined
Jun 14, 2019
Messages
2,913
Reaction score
1,970
Credits
18,126
its a bit of an off tangent, in that it involves python , but does involve elf executable and may help those that want to write a python script and get it to do things on linux eg as an executable :

Code:
file fetchmirrorsgui                                                                                              (07-21 12:07)
fetchmirrorsgui: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=f6af5bc244c001328c174a6abf855d682aa7401b, for GNU/Linux 2.6.32, stripped

I wrote the python script : https://notabug.org/captainsensible/fetchMirrorsGui

then i used pyinstaller-git: https://aur.archlinux.org/packages?O=0&K=pyinstaller-git (if your on Arch that is )
this enabled me to produce an executable elf file that can be placed in /usr/bin/ and do stuff such as evoking a gui , getting a mirror list relevant to where you are and sort fastest first , when you execute it.


So basically my point is you can use python to carry out stuff on a linux system
 
OP
B

bennworah

New Member
Joined
Jul 18, 2020
Messages
20
Reaction score
1
Credits
174
Well, there's your problem!
The file is NOT an executable, it's a relocatable.

Effectively, what you have there is an ELF object file. These are generated when a file is compiled by a compiler, but NOT linked into an executable.

So, assuming a single source file was used to create this, it would typically be generated by doing something like this:
So for a C program, compiled using gcc:
Bash:
gcc -c /path/to/somefile.c
Or for a C++ program compiled using g++:
Bash:
 g++ -c  /path/to/somefile.cpp

The -c flag tells gcc/g++ to compile the source file, but NOT to link it into an executable.

So the compiler will parse/validate the source code, once it's all been validated/compiled, it will be assembled during the assembly stage into a relocatable ELF object file.

So both of those examples would generate a relocatable ELF object-file called somefile.o

They're called relocatable, because the functions and variables are not bound to any fixed addresses, the objects are just symbols.
If you run the file through a linker - you can link it into an executable. The linker will assign addresses to the variables/symbols and functions in the object file.
Also, for executables - it will also provide a bootstrap that will load the main() function .


C, or C++ were just arbitrary examples, other compiled languages can be compiled to relocatables in a similar way. You could do this in assembly with NASM/TASM - compile to an object-file, without linking into an executable.

If you use readelf you should see a table of the symbols inside the file.
e.g.
Bash:
readelf --symbols /path/to/malwareSample

That will show you all of the symbols that are in the object file and you should see that all of the addresses/offsets are set to 00000000.

If it has a main() function listed - it means it could be linked as an executable - but you'd probably also need the original source file used to compile the malware sample in order to do so.

If it does not have a main function, then the object file is more likely intended to be linked as a shared-object (.so), which is a library file (a bit like a .dll in windows) - in which case another application would have to be compiled and linked, to use the malicious library, instead of some other genuine library. (I'm guessing!).

I hope this helps!

EDIT: I imagine that the reason the malware sample was distributed as an object file and not as a linked executable is probably because it's malware!
Hello, Thanks this is clear..
I really appreciate.
 
OP
B

bennworah

New Member
Joined
Jul 18, 2020
Messages
20
Reaction score
1
Credits
174
its a bit of an off tangent, in that it involves python , but does involve elf executable and may help those that want to write a python script and get it to do things on linux eg as an executable :

Code:
file fetchmirrorsgui                                                                                              (07-21 12:07)
fetchmirrorsgui: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=f6af5bc244c001328c174a6abf855d682aa7401b, for GNU/Linux 2.6.32, stripped

I wrote the python script : https://notabug.org/captainsensible/fetchMirrorsGui

then i used pyinstaller-git: https://aur.archlinux.org/packages?O=0&K=pyinstaller-git (if your on Arch that is )
this enabled me to produce an executable elf file that can be placed in /usr/bin/ and do stuff such as evoking a gui , getting a mirror list relevant to where you are and sort fastest first , when you execute it.


So basically my point is you can use python to carry out stuff on a linux system
Hello ,
How do I load the malicious sample (relocatable file) to my linux device.?
 

captain-sensible

Well-Known Member
Joined
Jun 14, 2019
Messages
2,913
Reaction score
1,970
Credits
18,126
Let me give you a metaphor " i've can a car with an empty fuel tank - can you help me make it run ?" no not really; ideally i would have to know how the car works, but the level of what i need to know depends. As the esteemed person Ronald dumsfeld once said :
IN regard to the car I would need to know is it petrol or is it deisel ?

IN regard to say my python script . I wrote the script in python , so i knew to look for ways of adding libraries for python and then test. If you start from source its a lot easier, for instance Java . Going backwards from a compiled Servlet ain't so easy.

You file is password protected, God knows whats in it or what it does. Clamav doesn't know either.
So if you didn't write it , best to pick the brains of who did.
if you wrote it source code before , object before binary would be nice. I never did get into C so can't help with that
 

JasKinasis

Well-Known Member
Joined
Apr 25, 2017
Messages
1,572
Reaction score
2,232
Credits
11,629
Hello ,
How do I load the malicious sample (relocatable file) to my linux device.?
I think the point of the sample is to analyse and understand the code used in the malware sample. Or to be able to use it to fingerprint a particular piece of malware. Running it may be unwise.

As it's relocatable, you'd probably need to write a stub program that loads the relocatable code into memory somewhere and then runs it. But I've never really tried to do that. I'm not sure exactly how that works!

From a quick bit of duckduckgo-fu:
This is probably most relevant:

I looks like the above link only discusses .a and .so files. But I think it also works with .o files too. But again - I’ve never tried it, so I’m not entirely sure!

Another, more complex method may be process injection - injecting the object code into an already running application. Again, not something I've tried, but it's a technique that I'm aware of. It has legitimate uses, but it's probably used more by sophisticated black-hats.

Another quick bit of duckduckgo-fu yielded this:

Which may or may not help!
 
Last edited:
$100 Digital Ocean Credit
Get a free VM to test out Linux!

Linux.org Hosting Donations
Consider making a donation

Members online


Top