Listing shared libraries with ldd

Most of the previous sections came with the caveat that these tools rely on binaries that haven’t been stripped. Stripping binaries is a common practice for a couple of reasons. First, removing the symbols can result in a significantly smaller executable. Second, stripping the file makes it harder to reverse engineer (whether or not it is malware). What can you do if the file has been stripped?

If shared libraries are used (which is almost certainly the case), then the program must be able to find them. Also, the names of any functions used from shared libraries must be somewhere in the program. The upshot, assuming no obfuscation techniques have been employed, is that the strings command will tell you the names of functions called and ldd will tell you the shared libraries used. The names of the shared libraries cannot easily be obfuscated, since doing so would cause the program's build process (specifically, the last step, called linking) to fail.

The syntax for ldd is simply ldd <binary>. The results of running ldd against xingyi_bindshell and a stripped copy of the same are shown in Figure 10.8. Note that the results are identical. The file command was also run on one of the shared libraries, libc2.19.so. There are two versions of this library, one with debugging symbols and one without.

FIGURE 10.8 Running ldd against a binary and the same binary that has been stripped of all symbols.
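The reason the stripped and unstripped output in Figure 10.8 match is that strip removes .symtab, not the .dynamic and .dynstr sections the loader needs. The added example below (not from the book) pulls the DT_NEEDED library names straight from those sections of an ELF64 little-endian file; the tiny ELF image it builds for itself is constructed and is not a loadable program.

```python
"""List DT_NEEDED shared libraries from an ELF64 little-endian image without running it.
Added example; build_sample_elf() constructs a minimal, non-loadable ELF for testing."""
import struct

SHT_STRTAB, SHT_DYNAMIC, DT_NULL, DT_NEEDED = 3, 6, 0, 1

def needed_libraries(data: bytes) -> list[str]:
    """Return the DT_NEEDED names (what ldd resolves) from an ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    shoff = struct.unpack_from("<Q", data, 0x28)[0]          # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", data, 0x3A)  # e_shentsize, e_shnum
    # First 48 bytes of each section header: name, type, flags, addr, offset, size, link, info
    headers = [struct.unpack_from("<IIQQQQII", data, shoff + i * shentsize) for i in range(shnum)]
    libs = []
    for _, sh_type, _, _, sh_off, sh_size, sh_link, _ in headers:
        if sh_type != SHT_DYNAMIC:
            continue
        str_off = headers[sh_link][4]  # sh_link of .dynamic points at .dynstr
        for pos in range(sh_off, sh_off + sh_size, 16):  # Elf64_Dyn is d_tag + d_val
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_NEEDED:  # d_val is an offset into .dynstr
                end = data.index(b"\0", str_off + d_val)
                libs.append(data[str_off + d_val:end].decode())
    return libs

def build_sample_elf(libs: list[str]) -> bytes:
    """Constructed ELF64 image with only .dynstr and .dynamic, i.e. no symbol table at all."""
    dynstr = b"\0" + b"".join(lib.encode() + b"\0" for lib in libs)
    offsets, pos = [], 1
    for lib in libs:
        offsets.append(pos)
        pos += len(lib) + 1
    dynamic = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets)
    dynamic += struct.pack("<qQ", DT_NULL, 0)
    dynstr_off, dynamic_off = 64, 64 + len(dynstr)
    shoff = dynamic_off + len(dynamic)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9  # ELF64, little-endian, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 56, 0, 64, 3, 0)
    def shdr(sh_type, off, size, link, entsize):
        return struct.pack("<IIQQQQIIQQ", 0, sh_type, 0, 0, off, size, link, 0, 1, entsize)
    shdrs = shdr(0, 0, 0, 0, 0) + shdr(SHT_STRTAB, dynstr_off, len(dynstr), 0, 0)
    shdrs += shdr(SHT_DYNAMIC, dynamic_off, len(dynamic), 1, 16)
    return ehdr + dynstr + dynamic + shdrs

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf(["libc.so.6"])
    print("\n".join(needed_libraries(data)))
```

Unlike ldd, which asks the dynamic loader to trace the file, this reads the image statically, which is the safer habit when the binary under examination is suspect.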
