I don't think you'll be able to see if socket.h
was included, and the relevant functions are in libc, so they will always be available to the application. I would try to see if the application actually calls those functions.
A simple way (in shell) to check if an executable directly calls socket functions:
objdump -D `which wget` | grep '<\(accept\|bind\|connect\|getpeername\|getsockname\|getsockopt\|listen\|recv\|recvfrom\|recvmsg\|send\|sendmsg\|sendto\|setsockopt\|shutdown\|socket\|socketpair\)@'
objdump -D
disassembles the executable (including data sections, in case some malicious executable is using some trickery), then grep
checks for any calls to the libc functions prototyped in socket.h
.
But that only works if the executable itself directly calls the socket functions, which is not always the case. Replace wget
with curl
and you'll get no results. The reason is that curl
's network functionality is all within libcurl
.
So, next step: look at the libraries.
ldd `which curl`
Actually, this could be your first step even. If the executable is linked to some obvious networking libraries (i.e. libssl.so.1.0.0
), you could stop here. But assuming it isn't, you now have the list of dynamic libraries loaded by the executable. You can use objdump -D
on those as well. And disassembling /usr/lib/x86_64-linux-gnu/libcurl.so.4
shows that the library does indeed call the socket functions.
Hopefully this gives you a decent starting point. Besides the tediousness (though that's mitigated by the fact that you're going to write code to do this for you), there is also the issue that ANY external function named the same as the socket functions will show up using my command line. That shouldn't be a big deal if you're ok with erring on the side of false-positives, but there might be a better way to check the functions.
EDIT: This may not work on all binaries. grep
finds those function names directly in the executable, which I didn't expect on the distributed wget
and curl
in Ubuntu.