On 28 March 2012 09:29, Stephen Irons <[email protected]> wrote:
> Greenhills tools had the ability to include build identification data (build
> system name, user id, date-time, etc) into object files and executable files
> which were ELF format. There were options to remove this data.

Sure, but that's non-critical optional data. Obviously those things would be
dead giveaways. But from a more forensics perspective, I believe binaries do
tend to have varying traits which can indicate where they came from, more along
the lines of GCC library versions, LIBC, etc. But those would only be of use if
you had a collection of suspect machines and you wanted a criterion to reduce
the possible suspects somehow.

For instance:

GLIBC_2.2.5
ACL_1.0
GLIBC_2.3
GLIBC_2.3.4

^ this sequence from my /bin/ls could indicate what tools it was built with.

And the individual ELF bits in the headers could indicate the age of their
coreutils somewhat, and you could possibly even extrapolate some notion of what
their platform was by working out what conditional CPU-specific operations were
called (i.e. if the code was compiled on a machine where it defaults to emitting
code for SSE2, but the designer wanted it to work on non-SSE2 machines, there
would likely still be SSE2 operations in there, just switched based on some
condition at runtime), or perhaps specific alignments of code might indicate
what size L1 / L2 the code was optimised for.

Though of course, this argument quickly becomes irrelevant if your file is from
a truly skilled person. Skilled people will hide the defects by hand-manipulating
the assembly, or even writing/editing part of their ELF headers by twiddling
with the binary in a hex editor. (And I've seen some really brilliant attempts
at shrinking ELF binaries by creating non-standards-conformant, but still
working, binaries.)

--
Kent

perl -e "print substr( \"edrgmaM SPA NOcomil.ic\\@tfrken\", \$_ * 3, 3 ) for ( 9,8,0,7,1,6,5,4,3,2 );"
http://kent-fredric.fox.geek.nz

_______________________________________________
Linux-users mailing list
[email protected]
http://lists.canterbury.ac.nz/mailman/listinfo/linux-users
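The GLIBC_/ACL_ tags Kent lists are the symbol-version requirements a binary records in its .gnu.version_r section, so they are a structured artifact rather than loose strings. As an added example (not code from the thread), the Python below walks that section, grouping each required version tag under the library that has to supply it, and builds a constructed minimal ELF64 image to run against; it assumes an ELF64 little-endian file and the Elf64_Verneed/Elf64_Vernaux layouts from the ELF gABI.

```python
import struct

SHT_GNU_VERNEED = 0x6FFFFFFE  # section type of .gnu.version_r (ELF gABI)
def _cstr(data, off):
    """Read the NUL-terminated string starting at byte offset off."""
    return data[off:data.index(b"\0", off)].decode()

def elf_version_needs(data):
    """Return {shared library: [version tags it must provide]} for an ELF64 LE file."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    shoff = struct.unpack_from("<Q", data, 0x28)[0]           # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", data, 0x3A)  # e_shentsize, e_shnum
    # Elf64_Shdr fields: name, type, flags, addr, offset, size, link, info, addralign, entsize
    sections = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize) for i in range(shnum)]
    needs = {}
    for sh in sections:
        if sh[1] != SHT_GNU_VERNEED:
            continue
        strtab = sections[sh[6]][4]  # sh_link names the string table section; take its file offset
        off, count = sh[4], sh[7]    # sh_info = number of Elf64_Verneed records
        for _ in range(count):       # Elf64_Verneed: version, cnt, file, aux, next
            _, cnt, vn_file, vn_aux, vn_next = struct.unpack_from("<HHIII", data, off)
            lib = _cstr(data, strtab + vn_file)
            aux = off + vn_aux
            for _ in range(cnt):     # Elf64_Vernaux: hash, flags, other, name, next
                _, _, _, vna_name, vna_next = struct.unpack_from("<IHHII", data, aux)
                needs.setdefault(lib, []).append(_cstr(data, strtab + vna_name))
                aux += vna_next
            off += vn_next
    return needs

def build_sample_elf():
    """Constructed sample: a bare ELF64 image holding only a string table and .gnu.version_r."""
    strtab = b"\0libc.so.6\0GLIBC_2.2.5\0GLIBC_2.3\0GLIBC_2.3.4\0libacl.so.1\0ACL_1.0\0"
    name = lambda s: strtab.index(s.encode() + b"\0")
    libs = [("libc.so.6", ["GLIBC_2.2.5", "GLIBC_2.3", "GLIBC_2.3.4"]), ("libacl.so.1", ["ACL_1.0"])]
    verneed = b""
    for n, (lib, vers) in enumerate(libs):
        aux = b"".join(struct.pack("<IHHII", 0, 0, 2 + i, name(v), 16 if i < len(vers) - 1 else 0)
                       for i, v in enumerate(vers))
        nxt = 0 if n == len(libs) - 1 else 16 + len(aux)   # byte distance to the next Verneed
        verneed += struct.pack("<HHIII", 1, len(vers), name(lib), 16, nxt) + aux
    str_off, vn_off = 64, 64 + len(strtab)
    shoff = vn_off + len(verneed)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(  # Elf64_Ehdr, e_shnum=3, e_shstrndx=1
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 1)
    shdr = lambda typ, off, size, link, info: struct.pack("<IIQQQQIIQQ", 0, typ, 0, 0, off, size, link, info, 1, 0)
    return (ehdr + strtab + verneed + shdr(0, 0, 0, 0, 0) + shdr(3, str_off, len(strtab), 0, 0)
            + shdr(SHT_GNU_VERNEED, vn_off, len(verneed), 1, 2))
```

Feeding the bytes of a real ELF64 binary such as /bin/ls to elf_version_needs() lists the same library/version pairs that readelf -V prints from .gnu.version_r.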
