- a.out(5)
- Binject/exec2shell: Extracts TEXT section of a PE, ELF, or Mach-O executable to shellcode
- binwalk -e FILE
- chip-red-pill/MicrocodeDecryptor
- corkami/collisions: Hash collisions and exploitations
- corkami/pics: Posters, drawings…
- elf(5)
- elfutils debuginfod services
- fzakaria/shrinkwrap: A tool that embosses the needed dependencies on the top level executable
- gahag/bgrep: A binary grep written in Rust.
- gcore -a PID
- haampie/libtree: ldd as a tree
- hasherezade/pe-bear: Portable Executable reversing tool with a friendly GUI
- hasherezade/pe-sieve: Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
- horsicq/Detect-It-Easy: Program for determining types of files for Windows, Linux and MacOS.
- kaitai-io/kaitai_struct: Kaitai Struct: declarative language to generate binary data parsers in C++ / C# / Go / Java / JavaScript / Lua / Perl / PHP / Python / Ruby
- m4b/bin2json: Converts ELF, mach-o, or PE binaries to a JSON representation
- m4b/bingrep: like ~~grep~~ UBER, but for binaries
- mandiant/capa: The FLARE team’s open-source tool to identify capabilities in executable files.
- ndd7xv/heh: A terminal UI to edit bytes by the nibble.
- nnsee/fileless-elf-exec: Execute ELF files without dropping them on disk
- panda-re/panda: Platform for Architecture-Neutral Dynamic Analysis
- redballoonsecurity/ofrak: OFRAK: unpack, modify, and repack binaries.
- revng/pagebuster: PageBuster - dump all executable pages of packed processes.
- ruslashev/elfcat: An in-development ELF visualizer. Generates HTML files from ELF binaries.
- sharkdp/binocle: a graphical tool to visualize binary data
- tclahr/uac: UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.
- The ABI status of ELF hash tables LWN.net
- wader/fq: jq for binary formats
- woodruffw/nvis: A very simple input visualizer
- yewscion/patchelf-wrapper: A tool to use patchelf with GNU/Guix
- Making our own executable packer
- dettus.net- Now with dMagnetic, a magnetic scrolls interpreter.
- eliben/pyelftools: Parsing ELF and DWARF in Python
- sweetbbak/hexxy: a modern and beautiful alternative to xxd and hexdump.
- davidlattimore/wild: Linker with the goal of being very fast for iterative development
- intoli/exodus: Painless relocation of Linux binaries–and all of their dependencies–without containers.
$ addr2line -e /gnu/store/m8afvcgwmrfhvjpd7b0xllk8vv5isd6j-glibc-cross-i586-pc-gnu-2.33/lib/ld.so.1 0x1000 0x11627 0x11bb ??:0 /tmp/guix-build-glibc-cross-i586-pc-gnu-2.33.drv-0/glibc-2.33/elf/dl-misc.c:333 :?
Address 0 is for the ‘_begin’ symbol, passed by -Wl,-defsym: i586-pc-gnu-gcc -nostdlib -nostartfiles -r -o /tmp/guix-build-glibc-cross-i586-pc-gnu-2.33.drv-0/build/elf/librtld.os '-Wl,-(' /tmp/guix-build-glibc-cross-i586-pc-gnu-2.33.drv-0/build/elf/dl-allobjs.os /tmp/guix-build-glibc-cross-i586-pc-gnu-2.33.drv-0/build/elf/rtld-libc.a -lgcc '-Wl,-)' \ -Wl,-Map,/tmp/guix-build-glibc-cross-i586-pc-gnu-2.33.drv-0/build/elf/librtld.os.map i586-pc-gnu-gcc -nostdlib -nostartfiles -shared -o /tmp/guix-build-glibc-cross-i586-pc-gnu-2.33.drv-0/build/elf/ld.so.new \ -Wl,-z,combreloc -Wl,-z,relro -Wl,--hash-style=both -Wl,-z,defs \ /tmp/guix-build-glibc-cross-i586-pc-gnu-2.33.drv-0/build/elf/librtld.os -Wl,--version-script=/tmp/guix-build-glibc-cross-i586-pc-gnu-2.33.drv-0/build/ld.map \ -Wl,-soname=ld.so.1 \ -Wl,-defsym=_begin=0 i586-pc-gnu-readelf -s /tmp/guix-build-glibc-cross-i586-pc-gnu-2.33.drv-0/build/elf/ld.so.new \ | gawk '($7 ~ /^UND(|EF)$/ && $1 != "0:" && $4 != "REGISTER") { print; p=1 } END { exit p != 0 }' mv -f /tmp/guix-build-glibc-cross-i586-pc-gnu-2.33.drv-0/build/elf/ld.so.new /tmp/guix-build-glibc-cross-i586-pc-gnu-2.33.drv-0/build/elf/ld.so
$ objdump -t /gnu/store/m8afvcgwmrfhvjpd7b0xllk8vv5isd6j-glibc-cross-i586-pc-gnu-2.33/lib/ld.so.1|grep _begin 00000000 l *ABS* 00000000 _begin
That ‘-Wl,-defsym=_begin=0’ flag was removed in glibc commit 6f043e0ee7e477f50a44024ed0cb579d5e3f511d (April 2022). On darnassus it’s different but then it’s Debian’s glibc 2.35, natively built, so I don’t what conclusions can be drawn: ludo@darnassus:~$ /lib/ld.so.1 --version ld.so (Debian GLIBC 2.35-1) stable release version 2.35. Copyright (C) 2022 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. ludo@darnassus:~$ objdump -x /lib/ld.so.1 |head -40 /lib/ld.so.1: file format elf32-i386 /lib/ld.so.1 architecture: i386, flags 0x00000150: HAS_SYMS, DYNAMIC, D_PAGED start address 0x0001cc40 Program Header: LOAD off 0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**12 filesz 0x00038494 memsz 0x00038494 flags r-x LOAD off 0x00038c00 vaddr 0x00039c00 paddr 0x00039c00 align 2**12 filesz 0x00001ca8 memsz 0x00001e34 flags rw- DYNAMIC off 0x00039f24 vaddr 0x0003af24 paddr 0x0003af24 align 2**2 filesz 0x000000b8 memsz 0x000000b8 flags rw- NOTE off 0x00000114 vaddr 0x00000114 paddr 0x00000114 align 2**2 filesz 0x00000024 memsz 0x00000024 flags r--