
Checking if an ELF is packed with UPX in Linux


I have zero knowledge of how the ELF format works or how to access its headers and data via code; however, I need to check whether an ELF binary has been compressed (packed?) with UPX for Linux.

Checking the binary with strings I saw the string UPX!, so I guess I can use that. Hexediting the binary shows the string, and from its position in the binary I can assume it's part of one of ELF's headers (please correct me if I am wrong). This is a dump of that:

00000000    .ELF........................4...
00000020    ........4. ...(.................
00000040    ........................@...@...
00000060    @.....................[.UPX!....
00000080    ............T............?d..ELF

I don't know if this looks good, sorry.

Does anyone know how to detect UPX on Linux? If not, how to access the headers and get that UPX! string (name of the header?)?

I did look into the UPX source code, but everything is C++ (I am looking to code this in C) and it's really hard to follow.

Thanks, any help is welcome.

EDIT: About the bounty. The answer must give a solid example that works, since I've tried different approaches and they don't always work, like the sample below.
Thank you


Solution

  • These are the tests to detect a UPX-compressed file:

    >>>>(0x3c.l+0xf8)   string      UPX0 \b, UPX compressed
    >>>>(0x3c.l+0xf8)   search/0x140    UPX2
    >>>(&0x7c.l+0x26)   string      UPX \b, UPX compressed
    >>>&0x26    string      UPX \b, UPX compressed
    >>85    string      UPX     \b, UPX compressed
    

    use

    man 5 magic
    

    to see how the offsets inside the file are specified.

    For example, in your program you should:

    1. open the file under test for reading
    2. skip to one of these offsets
    3. check if the expected string is there
    4. repeat until no more offsets

    Interestingly enough, on my 64-bit Ubuntu, UPX-compressed files are not detected because this test is missing from /usr/share/misc/magic:

    >>180   string      UPX!        UPX compressed (64-bit)
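The four-step procedure in the answer (open, seek to the magic(5) offsets, compare, repeat), carried out in C as an added example; this is not code from the answer, the question, or the UPX project. Rather than hard-coding the fixed offsets from the magic file, it reads e_phoff, e_phentsize and e_phnum from the ELF header and computes where UPX's l_info record (a 4-byte checksum followed by the "UPX!" magic) lands right after the program header table: with the usual two program headers that is 120 (0x78) for a 32-bit ELF, matching the asker's hexdump, and 180 for a 64-bit ELF, matching the `>>180` magic line above. A bounded linear scan is the fallback when the layout differs. The sample buffers built by `build_sample` are constructed for the demonstration and are not real binaries; the code assumes little-endian ELF (x86/x86-64).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UPX_MAGIC "UPX!"
#define ELF_MAGIC "\x7f" "ELF"   /* split so \x7f does not swallow the 'E' */

/* Little-endian field readers; this example assumes ELFDATA2LSB files. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const unsigned char *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Where the "UPX!" magic should be: end of the program header table
 * (e_phoff + e_phnum * e_phentsize) plus the 4-byte l_checksum that
 * precedes it in UPX's l_info record. -1 if not a usable LE ELF header. */
long upx_expected_magic_offset(const unsigned char *buf, size_t len)
{
    uint64_t phoff; uint16_t phentsize, phnum;
    if (len < 16 || memcmp(buf, ELF_MAGIC, 4) != 0 || buf[5] != 1) return -1;
    if (buf[4] == 1) {                       /* ELFCLASS32: 52-byte header */
        if (len < 52) return -1;
        phoff = rd32(buf + 28); phentsize = rd16(buf + 42); phnum = rd16(buf + 44);
    } else if (buf[4] == 2) {                /* ELFCLASS64: 64-byte header */
        if (len < 64) return -1;
        phoff = rd64(buf + 32); phentsize = rd16(buf + 54); phnum = rd16(buf + 56);
    } else return -1;
    uint64_t off = phoff + (uint64_t)phnum * phentsize + 4;
    if (phnum == 0 || off + 4 > len) return -1;
    return (long)off;
}

/* Fallback: scan the first `limit` bytes for "UPX!". Offset or -1. */
long upx_magic_scan(const unsigned char *buf, size_t len, size_t limit)
{
    size_t end = len < limit ? len : limit;
    for (size_t i = 0; i + 4 <= end; i++)
        if (memcmp(buf + i, UPX_MAGIC, 4) == 0) return (long)i;
    return -1;
}

/* 1 = looks UPX-packed, 0 = not (non-ELF input is always 0). */
int detect_upx(const unsigned char *buf, size_t len)
{
    long off;
    if (len < 4 || memcmp(buf, ELF_MAGIC, 4) != 0) return 0;
    off = upx_expected_magic_offset(buf, len);
    if (off >= 0 && memcmp(buf + off, UPX_MAGIC, 4) == 0) return 1;
    return upx_magic_scan(buf, len, 4096) >= 0;
}

/* Step 1 of the answer: read the file, then apply detect_upx. -1 on I/O error. */
int detect_upx_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    unsigned char *buf = NULL; size_t len = 0, cap = 0, n; int r;
    if (!f) return -1;
    do {
        if (len == cap) {
            cap = cap ? cap * 2 : 65536;
            if (!(buf = realloc(buf, cap))) { fclose(f); return -1; }
        }
        n = fread(buf + len, 1, cap - len, f);
        len += n;
    } while (n > 0);
    r = ferror(f) ? -1 : detect_upx(buf, len);
    fclose(f); free(buf);
    return r;
}

/* Constructed sample, not a real binary: minimal LE ELF header declaring two
 * program headers, with "UPX!" placed where the packer puts l_info if packed. */
size_t build_sample(unsigned char *out, size_t cap, int is64, int packed)
{
    size_t ehsize = is64 ? 64 : 52, phentsize = is64 ? 56 : 32, total = 512;
    if (cap < total) return 0;
    memset(out, 0, total);
    memcpy(out, ELF_MAGIC, 4);
    out[4] = is64 ? 2 : 1; out[5] = 1; out[6] = 1;   /* EI_CLASS, EI_DATA=LE, EI_VERSION */
    if (is64) { out[32] = 64; out[54] = 56; out[56] = 2; }  /* e_phoff, e_phentsize, e_phnum */
    else      { out[28] = 52; out[42] = 32; out[44] = 2; }
    if (packed) memcpy(out + ehsize + 2 * phentsize + 4, UPX_MAGIC, 4); /* 120 or 180 */
    return total;
}

/* Helpers that run the detector over a constructed sample. */
int check_sample(int is64, int packed)
{
    unsigned char b[512]; size_t n = build_sample(b, sizeof b, is64, packed);
    return detect_upx(b, n);
}
long sample_magic_offset(int is64)
{
    unsigned char b[512]; size_t n = build_sample(b, sizeof b, is64, 1);
    return upx_expected_magic_offset(b, n);
}

int main(int argc, char **argv)
{
    int r;
    if (argc != 2) { fprintf(stderr, "usage: %s <elf-file>\n", argv[0]); return 2; }
    r = detect_upx_file(argv[1]);
    if (r < 0) { perror(argv[1]); return 2; }
    printf("%s: %s\n", argv[1], r ? "UPX compressed" : "no UPX magic found");
    return r ? 0 : 1;
}
```

Build with `cc -std=c99 -Wall upxcheck.c -o upxcheck` and run it on a binary produced by `upx`. One caveat a practitioner should keep in mind: this is a string heuristic, not proof. The "UPX!" bytes can be overwritten in the packed file with any hex editor (which also prevents `upx -d` from recognizing it), so a missing magic does not mean the file is unpacked; treat a hit as strong evidence and a miss as inconclusive.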