-
Notifications
You must be signed in to change notification settings - Fork 565
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Capa v7.01 Not recognizing Linux x64 file #1978
Comments
Hi @C0d3R3ad3r Thanks for reporting this issue with so many details. Guessing the underlying OS for an ELF file is tricky - there's not a header that says "this is for Linux". We have a bunch of heuristics that help us, but they don't work perfectly. You can see them here: capa/capa/features/extractors/elf.py Line 959 in fde1de3
23bae09b5699c2d5c4cb1b8aa908a3af898b00f88f06e021edcb16d7d558efad is a statically linked ELF file compiled by GCC. There aren't any hints in the ELF format about this targeting Linux, there's only a Within the file strings, there are some hints:
I will see if I can figure out if All in all, I think you did the right thing: to determine the sample targets Linux and provide the hint to capa. Unfortunately, capa won't always be able to recognize the underlying OS, so these hints are required. |
the We could inspect the strings of the file and note any of the symbol and version strings, using these to infer that VDSO on Linux is used. I don't really like that we're just guessing based on strings, but I suppose it's better than nothing. |
a69ce71a6b5cef7aadf343c93e00e1ffc549d649bd011fbb39bfa38534484511 is a statically linked ELF file compiled from Go. There also aren't hints in the ELF format about this targeting Linux, but there is Go metadata that we could use. Since Go is so prevalent, I think we should extend our OS detection code to recognize ELF binaries compiled by Go. The GoReSym technique is found here: https://github.com/mandiant/GoReSym/blob/0860a1b1b4f3495e9fb7e71eb4386bf3e0a7c500/main.go#L150-L178 |
Actually, here's the algorithm we should prefer to use: https://github.com/mandiant/GoReSym/blob/0860a1b1b4f3495e9fb7e71eb4386bf3e0a7c500/buildinfo/buildinfo.go#L105 |
Hopefully, these suggestions can be implemented in the next update to CAPA. For now, I can use the --os option to have capa analyze the files. Also, thank you for the quick response. I wasn't sure how capa determined the file type. I would think something like the file command or custom file determination scheme would easily pick up that the file was a 64 bit elf file. In the meantime, I can script something up to use the file command and then pass the file along to capa with the proper --os options |
A few minor comments here, not to be combative, but just for information:
We can tell the file is a 64-bit ELF (specifically, an ELF file with 64-bit little endian words), but this doesn't tell us the OS. While we can probably guess that most of these are for Linux, I'm afraid we'd lead too many people astray when encountering a FreeBSD file, for example. So, we try to be pretty sure, or we bail and ask the user to specify
I went looking how how |
I have an implementation of OS detection for Go ELF files pending, should have that PR opened tomorrow. I think that will cover a lot of the edge cases that people see today. I'm glad that @C0d3R3ad3r mentioned it here. |
Not taken as combative at all. Just trying to find the best way to process these types of files. I have encountered a lot of 64 bit elf files and show that they are not supported but using the --os option, capa runs as expected. I do appreciate all the comments and like I said, I am just trying to find some workaround for now. I get what you are saying though. |
Feel free to post as many sample hashes as you like into this chat - I'd be happy to triage them and add heuristics as feasible. |
As a quick fix, I wrote a python script which imports magic library so when I pass a file through to capa (so I can do this in bulk), I can compare strings looking for "ELF 64-bit" or "ELF 32-bit". It works for my purposes, but I hope in a later release of capa this can be automatic.
' Trivial, but for now it works. |
Description
Files being analyzed: docker-credential-pass-v0.8.0.linux-amd64 and linmux x64 file 23bae09b5699c2d5c4cb1b8aa908a3af898b00f88f06e021edcb16d7d558efad (both are linux x64 files)
Trying to analyze a linux x64 file and with no options set, just running ./capa [file], capa returns an error:
However, when running with options explicitly set, ./capa -f auto --os linux [file], capa analyzes the file correctly.
It looks like with this file (and a few other linux x64) files, capa fails to detect the file type and reports the error that the input file does not appear to target a supported OS
Steps to Reproduce
Expected behavior:
Expected behavoir would be for capa to recognize the elf file and analyze it
Actual behavior:
capa errors with "Input file does not appear to target a supported OS."
Versions
capa v7.01
remnux 20.04
Additional Information
I am not sure if this is a bug that is not identifying these linux x64 files or not, but the workaround is to explicitly specify the --os linux on the command line which I would think should not be necessary (unless dealing with shellcode)
The text was updated successfully, but these errors were encountered: