On 24 March 2012 23:46, Aidan Gauland <[email protected]> wrote:
> Is there any information in ELF binaries about the system on which it
> was built? If so, how unique is this to each system? Is it enough to
> trace, say, malware back to its author, or even help with an investigation?
>
> Just wondered about this.
> --Aidan
> _______________________________________________
> Linux-users mailing list
> [email protected]
> http://lists.canterbury.ac.nz/mailman/listinfo/linux-users
>

Probably not.

Greenhills tools had the ability to include build identification data (build system name, user id, date-time, etc) into object files and executable files which were ELF format. There were options to remove this data.

gcc tools do not seem to include this data, though perhaps the things I have looked at have had it removed.

The ELF format does not insist that this type of data is included, so you cannot rely on it being there. You should consider yourself lucky if your malware author was careless enough to leave it there.

You might try the following programs; they should be available on any standard linux system:

* file
* strings
* objdump
* readelf

Stephen Irons
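As an added illustration of what the reply describes (not code from either poster), the script below walks the ELF section header table the same way readelf does and pulls out the two places where gcc-built binaries commonly leave build provenance: the .comment section (compiler identification strings) and the .note.gnu.build-id note. It runs against a constructed, minimal ELF64 object built in-line rather than a real compiler output, and a second constructed object with those sections omitted shows the caveat from the reply: the format does not require the data, so a parser has to treat its absence as normal rather than as an error.

```python
"""Extract build provenance (.comment strings, GNU build-id) from an ELF file.

Added example: the sample ELF objects are constructed here for the demo and
are not the output of any real toolchain.
"""
import struct
import sys
from typing import Dict, List, Optional, Tuple

SHT_NULL, SHT_PROGBITS, SHT_STRTAB, SHT_NOTE = 0, 1, 3, 7
NT_GNU_BUILD_ID = 3  # note type used by ld for .note.gnu.build-id


def _formats(data: bytes) -> Tuple[str, str, str]:
    """Pick struct formats for the file's class (32/64-bit) and byte order."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = {1: "<", 2: ">"}[ei_data]
    if ei_class == 1:   # ELF32: Elf32_Ehdr after e_ident, Elf32_Shdr
        return endian, endian + "HHIIIIIHHHHHH", endian + "IIIIIIIIII"
    if ei_class == 2:   # ELF64: Elf64_Ehdr after e_ident, Elf64_Shdr
        return endian, endian + "HHIQQQIHHHHHH", endian + "IIQQQQIIQQ"
    raise ValueError("unknown ELF class %d" % ei_class)


def elf_sections(data: bytes) -> Dict[str, bytes]:
    """Map section name -> raw section bytes, resolved through .shstrtab."""
    _, ehdr_fmt, shdr_fmt = _formats(data)
    hdr = struct.unpack_from(ehdr_fmt, data, 16)
    e_shoff, e_shentsize, e_shnum, e_shstrndx = hdr[5], hdr[10], hdr[11], hdr[12]
    shdrs = [struct.unpack_from(shdr_fmt, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    strtab_off, strtab_size = shdrs[e_shstrndx][4], shdrs[e_shstrndx][5]
    strtab = data[strtab_off:strtab_off + strtab_size]
    sections = {}
    for sh in shdrs:
        name_off, sh_type, sh_offset, sh_size = sh[0], sh[1], sh[4], sh[5]
        if sh_type == SHT_NULL:
            continue
        name = strtab[name_off:strtab.index(b"\x00", name_off)].decode("latin-1")
        sections[name] = data[sh_offset:sh_offset + sh_size]
    return sections


def parse_notes(blob: bytes, endian: str) -> List[Tuple[bytes, int, bytes]]:
    """Split a SHT_NOTE section into (name, type, descriptor) entries."""
    notes, off = [], 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from(endian + "III", blob, off)
        off += 12
        name = blob[off:off + namesz].rstrip(b"\x00")
        off += (namesz + 3) & ~3          # name and desc are 4-byte aligned
        desc = blob[off:off + descsz]
        off += (descsz + 3) & ~3
        notes.append((name, ntype, desc))
    return notes


def extract_build_info(data: bytes) -> Dict[str, object]:
    """Return compiler strings and build-id if present; absence is normal."""
    endian = _formats(data)[0]
    sections = elf_sections(data)
    info: Dict[str, object] = {"comment": [], "build_id": None}
    if ".comment" in sections:
        info["comment"] = [s.decode("latin-1")
                           for s in sections[".comment"].split(b"\x00") if s]
    if ".note.gnu.build-id" in sections:
        for name, ntype, desc in parse_notes(sections[".note.gnu.build-id"], endian):
            if name == b"GNU" and ntype == NT_GNU_BUILD_ID:
                info["build_id"] = desc.hex()
    return info


def build_sample_elf(with_build_info: bool = True) -> bytes:
    """Construct a tiny little-endian ELF64 object (not real compiler output)."""
    sections: List[Tuple[bytes, int, bytes]] = []
    if with_build_info:
        sections.append((b".comment", SHT_PROGBITS, b"GCC: (GNU) 12.2.0\x00"))
        note = struct.pack("<III", 4, 20, NT_GNU_BUILD_ID) + b"GNU\x00" + bytes(range(20))
        sections.append((b".note.gnu.build-id", SHT_NOTE, note))
    shstrtab = b"\x00" + b"".join(n + b"\x00" for n, _, _ in sections) + b".shstrtab\x00"
    sections.append((b".shstrtab", SHT_STRTAB, shstrtab))
    body, pos = b"", 64                    # section data follows the 64-byte header
    shdrs = struct.pack("<IIQQQQIIQQ", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)  # mandatory null entry
    for name, stype, blob in sections:
        shdrs += struct.pack("<IIQQQQIIQQ", shstrtab.index(name + b"\x00"), stype,
                             0, 0, pos, len(blob), 0, 0, 1, 0)
        body += blob
        pos += len(blob)
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 1, 0x3E, 1, 0, 0, pos, 0,
                                 64, 0, 0, 64, len(sections) + 1, len(sections))
    return ehdr + body + shdrs


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print(extract_build_info(data))
```

Run it with a path to inspect a real binary, or without arguments to see the result on the constructed sample. A .comment string such as "GCC: (GNU) 12.2.0" identifies the compiler version, not the machine or user, and the build-id is a hash of the output rather than a system fingerprint, which is why, as the reply says, neither gets you very far toward attribution, and both disappear entirely under strip or with -Wl,--build-id=none.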
