-1

How can I detect, in kernel or user space, that a binary belongs to some interpreted language like Python, Perl or Java, and is not a simple binary like ls, clear, df, etc.?

Dominique
yasirateeq857

3 Answers

0

Try using readelf. I have used that successfully in the past. It can distinguish between binaries and interpreted files, as well as which platform the binary was compiled for. The --program-headers option might be useful.

Brent Thierens
  • Actually I am also currently focusing on the readelf API but haven't found anything yet; can you elaborate on which field you are talking about in that ELF structure? – yasirateeq857 Aug 27 '21 at 07:36
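What readelf actually distinguishes is the container, not the language: an ELF image versus a text file that starts with `#!`, and inside an ELF image the PT_INTERP program header, which names the dynamic loader (ld.so), not a language runtime. The following is an added example, not code from this thread, that reads those bytes directly in Python and also checks the Java class and JAR magic numbers that `file` reports. The minimal ELF64 image and the in-memory JAR it builds for itself are constructed test inputs, and the e_type/e_machine tables cover only a few common values.

```python
"""Added example: classify an executable the way readelf/file do, by reading its own bytes.
Not code from the thread; the constructed sample ELF image and JAR below exist only for testing."""
import io
import struct
import sys
import zipfile

PT_INTERP = 3                       # program header that names the ELF loader (elf.h)
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64", 0xF3: "RISC-V"}


def elf_program_headers(data):
    """Parse the ELF header; return (e_type, e_machine, [(p_type, p_offset, p_filesz), ...])."""
    end = "<" if data[5] == 1 else ">"            # EI_DATA: 1 = little endian, 2 = big endian
    e_type, e_machine = struct.unpack_from(end + "HH", data, 16)
    if data[4] == 2:                              # EI_CLASS: 2 = ELF64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
        fmt, pick = end + "IIQQQQQQ", lambda f: (f[0], f[2], f[5])
    else:                                         # ELF32
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
        fmt, pick = end + "IIIIIIII", lambda f: (f[0], f[1], f[4])
    phdrs = [pick(struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)) for i in range(e_phnum)]
    return e_type, e_machine, phdrs


def classify(data):
    """Return a dict describing the executable; mirrors what `file` and `readelf -l` report."""
    if data.startswith(b"\x7fELF"):
        e_type, e_machine, phdrs = elf_program_headers(data)
        loader = None
        for p_type, off, size in phdrs:
            if p_type == PT_INTERP:
                # This "interpreter" is the dynamic loader (ld.so), not a language runtime.
                loader = data[off:off + size].rstrip(b"\0").decode()
        return {"kind": "elf", "bits": 64 if data[4] == 2 else 32,
                "type": E_TYPE.get(e_type, e_type),
                "machine": E_MACHINE.get(e_machine, hex(e_machine)), "loader": loader}
    if data.startswith(b"#!"):
        # A script: the kernel's binfmt_script handler execs the program named after "#!".
        words = data.split(b"\n", 1)[0][2:].decode(errors="replace").split()
        interp = words[0] if words else ""
        if interp.endswith("/env") and len(words) > 1:   # "#!/usr/bin/env python3"
            interp = words[1]
        return {"kind": "script", "interpreter": interp}
    if data.startswith(b"\xca\xfe\xba\xbe"):
        (major,) = struct.unpack_from(">H", data, 6)      # magic, minor_version, major_version
        return {"kind": "java-class", "major_version": major}
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                is_jar = "META-INF/MANIFEST.MF" in zf.namelist()
        except zipfile.BadZipFile:
            is_jar = False
        return {"kind": "jar" if is_jar else "zip"}
    return {"kind": "unknown"}


def sample_elf64():
    """Constructed ELF64 x86-64 image with one PT_INTERP header (headers only, not runnable)."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    ehdr_size, phdr_size = 64, 56
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8      # ELF64, little endian, version 1
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, ehdr_size, 0, 0,
                                 ehdr_size, phdr_size, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, ehdr_size + phdr_size, 0, 0,
                       len(interp), len(interp), 1)
    return ehdr + phdr + interp


def sample_jar():
    """Constructed in-memory JAR: a zip whose only member is a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify(fh.read()))
```

Saved as, say, classify.py and run against /usr/bin/python3 and /usr/bin/ls on a typical distribution, both come back with the same shape of answer (ELF, x86-64, EXEC or DYN, loader /lib64/ld-linux-x86-64.so.2), which is exactly the problem the question is about: nothing in the ELF headers says "this program is an interpreter".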
0

You can use 'strings' to print printable character sequences from the binary. That should give you some good clues as to what language it was written in.

strings mybinaryfile
flomo2023
  • In fact this will not work for the case where we simply write "$> python", since we are detecting the language interpreter itself instead of its associated code files. – yasirateeq857 Aug 27 '21 at 09:40
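The `strings` approach can be turned into a check applied to the interpreter binary itself: CPython, perl and the JVM carry recognisable exported symbol and environment-variable names. The following is an added example, not code from the thread or from any of those projects: a `strings`-style extractor plus a fingerprint table. The markers listed are an assumption drawn from those runtimes' public C APIs and variable names (a real table would be built from the actual binaries on the target), and the sample blobs are constructed. The XOR-obfuscated blob shows the limit of the heuristic: a packed or obfuscated binary defeats it, so treat it as a triage signal, not a control.

```python
"""Added example: a `strings`-style scan for interpreter fingerprints in a binary's bytes.
Not code from the thread; the marker lists and sample blobs below are assumptions."""
import re

# Markers that the mainstream interpreter binaries, or the runtime libraries they link, carry as
# exported symbol names or environment-variable names. Assumption: taken from the public C APIs
# of CPython, perl and the JVM; extend per distribution and version.
FINGERPRINTS = {
    "python": (b"Py_Initialize", b"PyRun_SimpleString", b"PYTHONPATH", b"libpython"),
    "perl":   (b"perl_run", b"perl_parse", b"PERL5LIB", b"libperl"),
    "java":   (b"JNI_CreateJavaVM", b"libjvm", b"JAVA_HOME"),
}


def extract_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like `strings -n min_len`."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def guess_interpreter(data):
    """Map language -> sorted list of markers found; an empty dict means nothing matched."""
    strings = extract_strings(data)
    found = {}
    for lang, markers in FINGERPRINTS.items():
        hits = sorted({m.decode() for m in markers if any(m in s for s in strings)})
        if hits:
            found[lang] = hits
    return found


def xor_bytes(data, key):
    """Trivial obfuscation used below to show how easily the heuristic is defeated."""
    return bytes(b ^ key for b in data)


# Constructed blobs standing in for binaries: an ELF prefix, some junk, a few symbol names.
SAMPLE_PYTHON_LIKE = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x01\x02\x03"
                      + b"Py_Initialize\x00" + b"\xff\xfe" + b"PYTHONPATH=\x00"
                      + b"__libc_start_main\x00")
SAMPLE_LS_LIKE = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"__libc_start_main\x00" + b"coreutils\x00"
# Same symbol names as the Python-like blob, XOR-obfuscated so no printable run matches a marker.
SAMPLE_OBFUSCATED = b"\x7fELF" + xor_bytes(b"Py_Initialize\x00PYTHONPATH=\x00", 0x5A)

if __name__ == "__main__":
    for name, blob in [("python-like", SAMPLE_PYTHON_LIKE), ("ls-like", SAMPLE_LS_LIKE),
                       ("obfuscated", SAMPLE_OBFUSCATED)]:
        print(name, guess_interpreter(blob))
```

To run it against real files, replace the blobs with `open(path, "rb").read()`; on a stock CPython the `Py_*` names are present either in the binary or in the libpython shared object it links, so scan the DT_NEEDED libraries as well when the main binary is nearly empty.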
0

I have just done tests, using the file command:

For a Python file:

Linux Prompt>file "./Program Files/.../test_XOR.py"
./Program Files/.../test_XOR.py: Python script, ASCII text executable, with CRLF, LF line terminators

For a Java file (*.jar library):

Linux Prompt>file "./Program Files/.../fontbox.jar"
./Program Files/.../fontbox.jar: Java archive data (JAR)

For another Java file (*.class file):

Linux Prompt>file "./Program Files/.../JREProperties.class"
./Program Files/.../JREProperties.class: compiled Java class data, version 52.0 (Java 1.8)

For a Perl file:

Linux Prompt>file "./Program Files/.../docx2txt.pl"
./Program Files/Git/usr/bin/docx2txt.pl: Perl script text executable

So, as you see, parsing the result of the file command might be your solution.

Edit after first comment

In my answer, I thought you were talking about files which are to be launched by Python, Java or Perl, but you seem to be interested in those interpreter files themselves.

The only advice I can give you is to take the checksum of Python, Java or Perl on that machine and compare it with the checksum of the suspected file, as in this example:

Linux Prompt>cksum $(which perl)
3199833323 3478464 /usr/bin/perl

Linux Prompt>cp /usr/bin/perl /mnt/c/Temp_Folder/Kopietje

Linux Prompt>cksum /mnt/c/Temp_Folder/Kopietje
3199833323 3478464 /mnt/c/Temp_Folder/Kopietje
Dominique
  • Actually this idea will not work in the case where we copy "/usr/bin/python" to the Desktop with the name "dadi_pi". – yasirateeq857 Aug 27 '21 at 09:39
  • cksum $(which perl): this idea was also in my mind. It is good, but it has limitations; for example, this technique will not work if we have one Python 2.7 version installed in a system and we bring a folder from somewhere which has a Python 3.8 binary interpreter in it. In this case we have no reference to measure against. – yasirateeq857 Aug 27 '21 at 10:18
  • Self-detection of the binary is needed. – yasirateeq857 Aug 27 '21 at 10:22
  • Self-detection? What is that? – Dominique Aug 27 '21 at 11:00
  • If you're talking about the binaries themselves, that's quite hard to do, since a program is just that: a program. To the OS, it does not make a difference what exactly the program does. One trick that might work though, depending on your use case, is to execute that program with the --help argument or the --version argument. Most programs will print the name of the program along with the version. A program can easily fool you though, so do not use this for security purposes. – Brent Thierens Aug 27 '21 at 11:57
  • Yes, I am talking about the binaries themselves. @Brent Thierens, your idea is interesting, but definitely it cannot be used for security purposes. – yasirateeq857 Aug 27 '21 at 15:51
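The checksum idea from this answer as an added example (not code from the answer), using SHA-256 instead of cksum's CRC-32, which is not collision-resistant: build an allowlist of digests from the interpreter binaries you trust and look a suspect file up by digest. Because the digest is over content, a renamed copy like the "dadi_pi" case in the comments still matches, while a build that was never added to the list (the Python 3.8 case) comes back as None; that is the list-maintenance burden this approach carries. The interpreter paths and the fake binaries written to a temporary directory are assumptions for the demonstration.

```python
"""Added example: identify an interpreter binary by content hash against an allowlist.
Not code from the thread; KNOWN_INTERPRETERS and the fake binaries in demo() are assumptions."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Where a real deployment would seed the allowlist from. Assumption: adjust per host.
KNOWN_INTERPRETERS = ["/usr/bin/python3", "/usr/bin/perl", "/usr/bin/java"]


def sha256_file(path):
    """SHA-256 of a file's bytes, streamed so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(paths):
    """Map digest -> label for every path that exists; missing paths are simply skipped."""
    return {sha256_file(p): p.name for p in map(Path, paths) if p.is_file()}


def identify(path, allowlist):
    """Return the allowlist label for `path`, or None if its content is not a known interpreter."""
    return allowlist.get(sha256_file(path))


def demo():
    """Renaming a copy keeps the match; a build the list never saw (different bytes) does not."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed stand-ins for real interpreter binaries: not valid ELF, just distinct bytes.
        python38 = tmp / "python3.8"
        python38.write_bytes(b"\x7fELF constructed python 3.8 build\n")
        allowlist = build_allowlist([python38, tmp / "does-not-exist"])

        renamed = tmp / "dadi_pi"              # the renamed-copy case raised in the comments
        shutil.copy2(python38, renamed)
        python311 = tmp / "python3.11"         # a version the allowlist was never seeded with
        python311.write_bytes(b"\x7fELF constructed python 3.11 build\n")

        return identify(renamed, allowlist), identify(python311, allowlist)


if __name__ == "__main__":
    print(demo())                                   # ('python3.8', None)
    print(build_allowlist(KNOWN_INTERPRETERS))      # whatever this host actually has installed
```

On real hosts, seed the allowlist from the package manager's file manifests rather than from whatever is currently on disk, otherwise an already-replaced binary becomes the reference; and note that neither this nor any of the other answers identifies an interpreter the list has never seen, which is the "self-detection" the comments ask for and which an executable cannot be made to prove about itself.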