Stuck on an issue?
Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. ItΒ collects links to all the places you might be looking at while hunting down a tough bug.
And, if youβre still stuck at the end, weβre happy to hop on a call to see how we can help out.
Linux ELF not recognized
See original GitHub issueDescription
Two ELF binaries are not recognized by capa. It seems similar to the closed issue: Linux ELF Not Recognised #867:
remnux@remnux:/tmp/malware$ capa 64b9584e5ca7d5c4980bd72e63718b634a8912d4dc123de940db36dd111931ae
loading : 100%|ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ| 661/661 [00:00<00:00, 1486.85 rules/s]
ERROR:capa:--------------------------------------------------------------------------------
ERROR:capa: Input file does not appear to target a supported OS.
ERROR:capa:
ERROR:capa: capa currently only supports analyzing executables for some operating systems (including Windows and Linux).
ERROR:capa:--------------------------------------------------------------------------------
remnux@remnux:/tmp/malware$ file 64b9584e5ca7d5c4980bd72e63718b634a8912d4dc123de940db36dd111931ae
64b9584e5ca7d5c4980bd72e63718b634a8912d4dc123de940db36dd111931ae: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=8394e29f3afbf71d6811a2d8920c8ffa963138ba, for GNU/Linux 3.2.0, stripped
remnux@remnux:/tmp/malware$ capa f8a451e0779f556a804bcb27ab533ad1ed885b4c4b28ce02b02d84cfb4abfca4
loading : 100%|ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ| 661/661 [00:00<00:00, 1555.74 rules/s]
ERROR:capa:--------------------------------------------------------------------------------
ERROR:capa: Input file does not appear to target a supported OS.
ERROR:capa:
ERROR:capa: capa currently only supports analyzing executables for some operating systems (including Windows and Linux).
ERROR:capa:--------------------------------------------------------------------------------
remnux@remnux:/tmp/malware$ file f8a451e0779f556a804bcb27ab533ad1ed885b4c4b28ce02b02d84cfb4abfca4
f8a451e0779f556a804bcb27ab533ad1ed885b4c4b28ce02b02d84cfb4abfca4: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Steps to Reproduce
Samples on VT:
- 64b9584e5ca7d5c4980bd72e63718b634a8912d4dc123de940db36dd111931ae
- f8a451e0779f556a804bcb27ab533ad1ed885b4c4b28ce02b02d84cfb4abfca4
Versions
capa v3.2.0-0-gd9d72ad (standalone) OS: Ubuntu 20.04.1 LTS
Issue Analytics
- State:
- Created a year ago
- Comments:5
Top Results From Across the Web
gdb fails to run ELF 64-bit program with "File format not ...
c - gdb fails to run ELF 64-bit program with "File format not recognized" - Stack Overflow. Stack Overflow for Teams β Start...
Read more >Problem Debugging : elf file format not recognised
I have just started with STM32L476-DISCO and System Workbench and have written some code to evaluate FREERTOS. All was good for first 2...
Read more >Linux ELF Not Recognised Β· Issue #867 Β· mandiant/capa
Description. Testing capa with a basic Linux kernel module fails. Β· Steps to Reproduce. Files tested are available on VT: Β· Versions. capa...
Read more >Freedom Studio sifive-welcome.elf: file format not recognized
I said run file /Users/alain/wsFreedomStudio/qemu_sifive_s51_sifive_welcome/src/debug/sifive-welcome.elf . Clearly trying to run the bare-metalΒ ...
Read more >Linux generated elf not working in Windows (source...
The Linux generated .elf after flashing it gives the error that it can't access the sources and I can't do anything. Probably the...
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
thanks for reporting this @forensenellanebbia! also, having the test cases made this easy to triage. weβll have a fix as a part of the next release (v4), likely in a couple weeks.
the note is found in a section not referenced by the program headers.
duplicating the following logic in the section scan works locally:
https://github.com/mandiant/capa/blob/580a2d7e4519ea5d353650d66468020968f0f27d/capa/features/extractors/elf.py#L175-L198