Checking if an ELF is packed with UPX in Linux

StackOverflow https://stackoverflow.com/questions/4888237

  •  28-10-2019
  •  | 
  •  

Pergunta

I have zero knowledge of how the ELF format works or how to access its headers and data via code, however I need to check whether an ELF binary has been compressed (packed?) with UPX for Linux.

Checking the binary with strings I saw the string UPX! so I guess I can use that. Hexediting the binary shows the string and for the position in the binary I can assume it's part of one of ELF's headers (please correct me if I am wrong). This is a dump of that:

00000000    .ELF........................4...
00000020    ........4. ...(.................
00000040    ........................@...@...
00000060    @.....................[.UPX!....
00000080    ............T............?d..ELF

I don't know if this looks good, sorry.

Does anyone know how to detect UPX on Linux? If not, how to access the headers and get that UPX! string (name of the header?)?

I did look into the UPX source code but everything is C++, I am looking to code this in C, and it's really hard to follow.

Thank, any help is welcomed.

EDIT: About the bounty. They answer must give a solid example that works since I've tried different approaches and they not always work, like the sample below.
Thank you

Foi útil?

Solução

These are the tests to detect an UPX compressed file:

>>>>(0x3c.l+0xf8)   string      UPX0 \b, UPX compressed
>>>>(0x3c.l+0xf8)   search/0x140    UPX2
>>>(&0x7c.l+0x26)   string      UPX \b, UPX compressed
>>>&0x26    string      UPX \b, UPX compressed
>>85    string      UPX     \b, UPX compressed

use

man 5 magic

to see how the offsets inside the file are specified.

For example in you program you should:

  1. open the file under test for reading
  2. skip to one of these offsets
  3. check if the expected string is there
  4. repeat until no more offsets

Interestingly enough, in my ubuntu 64bit, UPX compressed files are not detected because this test is missing from /usr/share/misc/magic:

>>180   string      UPX!        UPX compressed (64-bit)

Outras dicas

In the source code to UPX, there's a function int PackW32Pe::canUnpack() which is first ran as a test right when you do a upx -d <file> (unpack executable). It shows which offsets are to be tested to detect if a file was packed with UPX. I found the code clear and easy to follow. I recommend an editor with syntax highlighting.

You can download the source code for UPX on the project site.

Licenciado em: CC-BY-SA com atribuição
Não afiliado a StackOverflow
scroll top