I have zero knowledge of how the ELF format works or how to access its headers and data via code, however I need to check whether an ELF binary has been compressed (packed?) with UPX for Linux.
Checking the binary with strings I saw the string UPX!, so I guess I can use that. Hexediting the binary shows the string, and from its position in the binary I assume it's part of one of ELF's headers (please correct me if I am wrong). This is a dump of that:
00000000 .ELF........................4...
00000020 ........4. ...(.................
00000040 ........................@...@...
00000060 @.....................[.UPX!....
00000080 ............T............?d..ELF
I don't know if this looks good, sorry.
Does anyone know how to detect UPX on Linux? If not, how do I access the headers and get that UPX! string (name of the header?)?
I did look into the UPX source code, but everything is C++ (I am looking to code this in C) and it's really hard to follow.
Thanks, any help is welcome.
EDIT: About the bounty. The answer must give a solid example that works, since I've tried different approaches and they don't always work, like the sample below.
Thank you
These are the tests to detect a UPX compressed file:
>>>>(0x3c.l+0xf8) string UPX0 \b, UPX compressed
>>>>(0x3c.l+0xf8) search/0x140 UPX2
>>>(&0x7c.l+0x26) string UPX \b, UPX compressed
>>>&0x26 string UPX \b, UPX compressed
>>85 string UPX \b, UPX compressed
Use man 5 magic to see how the offsets inside the file are specified.
For example, in your program you should:
Interestingly enough, on my Ubuntu 64-bit, UPX compressed files are not detected because this test is missing from /usr/share/misc/magic:
>>180 string UPX! UPX compressed (64-bit)
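As an added example for this thread (not code from the question, the answer, UPX or file(1)), here is a C program that does what the question asks: it parses the ELF header to find the program header table, checks for the UPX! marker right after that table, and only then falls back to a plain search of the whole file. The position it checks, 4 bytes past the end of the program header table, is inferred from the 64-bit magic line above (180 = 64 + 2*56 + 4) and from the hexdump in the question (0x7c = 64 + 56 + 4, one program header); the UPX stub sources call that record l_info, but the assumption that every UPX version places it there is the example's, not the page's. It handles little-endian ELF32 and ELF64 only, and the sample images it builds for self-checking are constructed, not real binaries.

```c
/* Added example for this thread: detect UPX in an ELF file from plain C.
 * Not code from UPX or from file(1); see the lead-in for the assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UPX_MAGIC "UPX!"

/* Little-endian field readers; the example assumes EI_DATA == ELFDATA2LSB
 * (x86 / x86-64 Linux binaries). */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const unsigned char *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Linear search for the four-byte marker anywhere in [p, p + n). */
static int contains_magic(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(p + i, UPX_MAGIC, 4) == 0) return 1;
    return 0;
}

/* Classify an in-memory ELF image:
 *   2  "UPX!" sits 4 bytes past the end of the program header table, where
 *      UPX writes its l_info record (180 = 64 + 2*56 + 4 on the usual 64-bit
 *      layout; 0x7c = 64 + 56 + 4 for the one-phdr dump in the question)
 *   1  "UPX!" found somewhere else in the file (weak evidence)
 *   0  no marker;  -1  not a little-endian ELF image (or too short) */
int detect_upx(const unsigned char *buf, size_t len)
{
    if (len < 64 || memcmp(buf, "\x7f" "ELF", 4) != 0 || buf[5] != 1) return -1;
    uint64_t phoff; uint16_t phentsize, phnum;
    if (buf[4] == 2) {          /* ELFCLASS64: e_phoff @32, e_phentsize @54, e_phnum @56 */
        phoff = rd64(buf + 32); phentsize = rd16(buf + 54); phnum = rd16(buf + 56);
    } else if (buf[4] == 1) {   /* ELFCLASS32: e_phoff @28, e_phentsize @42, e_phnum @44 */
        phoff = rd32(buf + 28); phentsize = rd16(buf + 42); phnum = rd16(buf + 44);
    } else {
        return -1;
    }
    uint64_t linfo = phoff + (uint64_t)phentsize * phnum;   /* end of phdr table */
    if (linfo < len && len - linfo >= 8 && memcmp(buf + linfo + 4, UPX_MAGIC, 4) == 0)
        return 2;
    return contains_magic(buf, len) ? 1 : 0;
}

/* Read a whole file into memory and classify it; -1 also covers I/O errors. */
int detect_upx_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    long sz = (fseek(f, 0, SEEK_END) == 0) ? ftell(f) : -1;
    unsigned char *buf = (sz >= 0) ? malloc((size_t)sz + 1) : NULL;
    rewind(f);
    size_t got = buf ? fread(buf, 1, (size_t)sz, f) : 0;
    fclose(f);
    int r = (buf && got == (size_t)sz) ? detect_upx(buf, got) : -1;
    free(buf);
    return r;
}

/* Build a constructed (not real) 208-byte ELF64 image: header, two program
 * headers, then 32 bytes. mode 0: clean; 1: "UPX!" at 180 like a packed
 * file; 2: "UPX!" only in the last four bytes, to exercise the weak fallback. */
size_t build_sample_elf64(unsigned char *out, size_t cap, int mode)
{
    const size_t phoff = 64, phentsize = 56, phnum = 2;
    const size_t size = phoff + phentsize * phnum + 32;
    if (cap < size) return 0;
    memset(out, 0, size);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2; out[5] = 1; out[6] = 1;       /* ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
    out[16] = 2; out[18] = 0x3e;              /* ET_EXEC, EM_X86_64 */
    out[32] = (unsigned char)phoff;           /* e_phoff (low byte; value < 256) */
    out[54] = (unsigned char)phentsize;       /* e_phentsize */
    out[56] = (unsigned char)phnum;           /* e_phnum */
    if (mode == 1) memcpy(out + phoff + phentsize * phnum + 4, UPX_MAGIC, 4);
    if (mode == 2) memcpy(out + size - 4, UPX_MAGIC, 4);
    return size;
}

/* detect_upx over one constructed sample, for checking the logic offline. */
int sample_result(int mode)
{
    unsigned char img[256];
    size_t n = build_sample_elf64(img, sizeof img, mode);
    return n ? detect_upx(img, n) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <elf-file>\n", argv[0]); return 2; }
    int r = detect_upx_file(argv[1]);
    printf("%s: %s\n", argv[1], r == 2 ? "UPX l_info record found" :
           r == 1 ? "UPX! string present (weak evidence)" :
           r == 0 ? "no UPX marker" : "not a readable little-endian ELF");
    return r > 0 ? 0 : 1;
}
```

Build it with cc -std=c99 -Wall and point it at a binary. Treat result 1 as a hint only: the marker is just a string, it can occur in an unpacked binary by coincidence, and a patched stub can leave it out, so the l_info check is the one to rely on, and the definitive test is still whether upx -t accepts the file.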