[colug-432] Necropsy: Virus?: objdump -d; size
jep200404 at columbus.rr.com
Tue May 3 19:14:21 EDT 2011
On Tue, 3 May 2011 18:07:32 -0400, Jeff Frontz <jeff.frontz at gmail.com> wrote in another order:
> On Tue, May 3, 2011 at 5:59 PM, <jep200404 at columbus.rr.com> wrote:
> > What non-malicious reasons can there be for a new version of a
> > program to have the same size and timestamp as an old version,
> > yet have different md5sums?
> You can use objdump to see if the parts that
> matter (.bss, .data, .rodata and code -- the last via -d) have
> actually changed.
[root at localhost backup]# diff <(objdump -d 20110322/bin/cp) <(objdump -d 20110324bad/bin/cp)
2c2
< 20110322/bin/cp: file format elf32-i386
---
> 20110324bad/bin/cp: file format elf32-i386
[root at localhost backup]# diff <(objdump -d 20110322/bin/rpm) <(objdump -d 20110324bad/bin/rpm)
2c2
< 20110322/bin/rpm: file format elf32-i386
---
> 20110324bad/bin/rpm: file format elf32-i386
[root at localhost backup]#
> Also, even if "ls" says the files are the same size, things may have
> been rounded up to some nice round value; a better quick check is to
> use "size" to see if the important parts have actually changed size.
[root at localhost backup]# size 201103*/bin/cp
   text    data     bss     dec     hex filename
  64846    1792       0   66638   1044e 20110322/bin/cp
  64846    1792       0   66638   1044e 20110324bad/bin/cp
[root at localhost backup]# size 201103*/bin/rpm
   text    data     bss     dec     hex filename
  79068    4684   42268  126020   1ec44 20110322/bin/rpm
  79068    4684   42268  126020   1ec44 20110324bad/bin/rpm
[root at localhost backup]#
Even if the parts that changed do not matter, what non-malicious
causes for those differences are there? That there is any change
at all is suspect.
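As an added example (not part of this thread), the per-section comparison Jeff suggests done programmatically: it hashes every ELF section of two images and reports which ones differ, so a change confined to .comment or a .note section shows up separately from a change in .text, .data or .rodata. It assumes little-endian ELF64 input (the binaries above are elf32-i386, whose header layout is different), and build_fake_elf constructs a minimal test image so it runs without real binaries.

```python
import hashlib
import struct

ELF64_EHDR = "<16sHHIQQQIHHHHHH"  # 64-byte little-endian ELF64 file header
ELF64_SHDR = "<IIQQQQIIQQ"        # 64-byte section header
SHT_NOBITS = 8                    # .bss-style section: occupies no bytes in the file

def section_digests(blob):
    """Map each section name to (type, size, sha256 of its bytes in the file)."""
    hdr = struct.unpack_from(ELF64_EHDR, blob, 0)
    ident, shoff, shentsize, shnum, shstrndx = hdr[0], hdr[6], hdr[11], hdr[12], hdr[13]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdrs = [struct.unpack_from(ELF64_SHDR, blob, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = hdrs[shstrndx][4], hdrs[shstrndx][5]   # section-name string table
    strtab = blob[str_off:str_off + str_size]
    digests = {}
    for name_off, sh_type, _flags, _addr, off, size, *_rest in hdrs[1:]:
        name = strtab[name_off:strtab.index(b"\0", name_off)].decode()
        data = b"" if sh_type == SHT_NOBITS else blob[off:off + size]
        digests[name] = (sh_type, size, hashlib.sha256(data).hexdigest())
    return digests

def changed_sections(old_blob, new_blob):
    """Sorted names of sections whose type, size or content differs (added/removed ones included)."""
    a, b = section_digests(old_blob), section_digests(new_blob)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

def build_fake_elf(sections):
    """Constructed input: a minimal ELF64 (no program headers) with the given {name: bytes} sections."""
    names = list(sections) + [".shstrtab"]
    strtab, name_offs = b"\0", {}
    for n in names:
        name_offs[n] = len(strtab)
        strtab += n.encode() + b"\0"
    body, shdrs, off = b"", [bytes(64)], 64      # index 0 is the mandatory null section header
    for n in names:
        data = strtab if n == ".shstrtab" else sections[n]
        sh_type = 3 if n == ".shstrtab" else 1   # SHT_STRTAB / SHT_PROGBITS
        shdrs.append(struct.pack(ELF64_SHDR, name_offs[n], sh_type, 0, 0, off, len(data), 0, 0, 1, 0))
        body += data
        off += len(data)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = struct.pack(ELF64_EHDR, ident, 1, 62, 1, 0, 0, 64 + len(body), 0,
                       64, 0, 0, 64, len(shdrs), len(names))   # ET_REL, EM_X86_64
    return ehdr + body + b"".join(shdrs)
```

Against real files, pass the bytes of the two versions (open(path, "rb").read()) to changed_sections; readelf -S or objdump -h lists the same sections for cross-checking.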