From: Terry Lambert <tlambert2@mindspring.com>
Date: Mon, 03 Feb 2003 11:22:43 -0800
To: Fabio Miranda Hamburger
Cc: freebsd-chat@freebsd.org
Subject: Re: Disassembling question.
Message-ID: <3E3EC183.225F874A@mindspring.com>

Fabio Miranda Hamburger wrote:
> Hi, I would like to know what tools does freebsd offer me for
> disassembling purposes ? objdump, what else?

gdb, and there are ports of various debuggers and other tools.

> Also, where can I learn more about disassembling on FreeBSD ?

In the books, help files, and manual pages for the tools, above.

> I have certain binary in FreeBSD and I would like to know what library
> functions does it call? and try to find out what does the binary do when
> it's executed.

Are you willing to execute it to find out, or is this a forensic
discussion (e.g. it's a worm or something, and you'd rather just read
it than run it)?

If you are willing to execute it, you can use ktrace or truss to get
the system calls and parameters.

For the library routines, it's harder; you will need to build an
instrumented version of the library and force it to use it. If the
program is statically linked, this won't be possible.

BTW, if you are concerned it's a trojan or a "root kit", you can
always create two jails, run it in one, and then compare the jails
afterward, byte-by-byte, to see what, if anything, changed between
them.

Generally, when I run suspicious Windows code (usually I disassemble
it with V Communications Inc.'s "Sourcer", which is a commenting
disassembler for Windows/DOS, if I'm suspicious enough to care), I do
it in a VMWare virtual machine running under FreeBSD, which lets me do
all sorts of things, like monitor all the network traffic directly,
intercept it, change it, and let it keep going, etc.

It'd be a great way to cheat at Netrek, borging a "blessed" client, if
you were the sort to do that kind of thing.

-- Terry
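The "run it in one jail, then compare the jails afterward" approach Terry describes amounts to taking a manifest of the filesystem before and after the untrusted program runs and diffing the two. The following is an added example, not code from the original post or from any FreeBSD tool: it records each file's permission bits, size and SHA-256 (symlinks by their target), then reports what was added, removed or changed. The sample trees in demo() are constructed in temporary directories to stand in for the two jail roots; the function names and the simulated changes are assumptions for illustration.

```python
"""Added example (not from the mailing-list post): manifest-and-diff two
directory trees, the way one would compare a clean jail against the jail
an untrusted binary was executed in.  Paths and names are assumptions."""
import hashlib
import os
import stat
import tempfile


def build_manifest(root):
    """Map each regular file / symlink (relative path) to (mode, size, sha256).

    os.walk does not follow symlinked directories, so the scan stays inside
    the tree being examined.  Directories themselves are not recorded; a new
    directory shows up through the files it contains.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                # A symlink is identified by where it points, not by content.
                digest = hashlib.sha256(os.readlink(full).encode()).hexdigest()
            elif stat.S_ISREG(st.st_mode):
                h = hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        h.update(chunk)
                digest = h.hexdigest()
            else:
                continue  # sockets, fifos, devices: not compared here
            manifest[rel] = (stat.S_IMODE(st.st_mode), st.st_size, digest)
    return manifest


def diff_manifests(before, after):
    """Return sorted lists of paths added, removed, or changed (mode/size/hash)."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "changed": changed}


def _write(root, rel, data, mode=0o644):
    """Helper: create rel under root with the given bytes and permission bits."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    os.chmod(full, mode)


def demo():
    """Constructed sample: a clean tree and the same tree after an untrusted run."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as dirty:
        for root in (clean, dirty):
            _write(root, "etc/passwd", b"root:*:0:0:Charlie &:/root:/bin/sh\n")
            _write(root, "bin/sh", b"#!/bin/sh\n", 0o755)
            _write(root, "var/log/messages", b"Feb  3 11:22:43 host kernel: boot\n")
        # Simulated effects of the untrusted program in the second tree
        # (constructed for this example; not taken from any real sample):
        _write(dirty, "etc/passwd",                       # content modified
               b"root:*:0:0:Charlie &:/root:/bin/sh\n"
               b"guest:*:1001:1001::/home/guest:/bin/sh\n")
        os.chmod(os.path.join(dirty, "bin/sh"), 0o700)   # same bytes, mode changed
        os.remove(os.path.join(dirty, "var/log/messages"))  # log file removed
        _write(dirty, "tmp/.cache", b"\x7fELF")           # new file dropped
        return diff_manifests(build_manifest(clean), build_manifest(dirty))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Recording the mode alongside the hash matters: a file whose bytes are unchanged but whose permission bits were altered is still a finding, which a plain content checksum would miss. On FreeBSD the native way to do the same comparison is mtree(8): create a specification of the clean jail with -c (adding a digest keyword via -K) and then run that specification against the other jail's root with -p, which prints the differences.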