This is a really interesting question actually; there are several options, and all have issues they need to overcome. I'm not very familiar with ELF (primarily Windows here), but the file format shouldn't make any difference regardless.

Static analysis crawling the code section(s), which can be retrieved from the file format, and using a disassembler library such as DiStorm, is enough in many cases. For this you need something smart enough to skip past data in code (i.e. embedded jump tables). Symbolic execution is another alternative, but what happens if you have obfuscated control flow branches relying on some dynamic value? Then there's further obfuscation in terms of complete junk being thrown into code, which all needs to be skipped. You can also use runtime debugging, which of course has its own flaws, namely limitations on only following branches that have been executed, speed, and evading detection.

I would say that in most cases the simplest solution is to write your own static analysis tool, which I really only say because I'm not aware of any lightweight and effective tools using this method, though I'm sure they exist, and I've personally very rarely come across targets it's not effective on. Assuming the majority of your targets are largely unobfuscated, this should be an effective and nearly universal tool (per CPU implementation). If your targets are protected, then something like angr is probably more suited to your needs. If you're dealing with virtualization, then of course that's an entirely different question that deserves an answer of its own.
Pickle Rick
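The static-analysis approach the answer describes (crawl the code section, follow branches, skip embedded data such as jump tables), as an added example that is not code from the poster: a toy recursive-descent crawler over a constructed x86-32 byte blob. The hypothetical `decode` mini-decoder knows only the handful of encodings the sample uses and stands in for a real disassembler library like DiStorm; the jump table bound is taken from the preceding `cmp eax, imm8`, the way real disassemblers resolve switch tables.

```python
import struct

def decode(code, off, table_len):
    """Decode one x86-32 encoding this toy knows at `off`. Returns (length,
    falls_through, branch_targets, cmp_imm) or None; table_len bounds a jump table."""
    try:
        op = code[off]
        if op == 0x90:                                   # nop
            return 1, True, [], None
        if op == 0xC3:                                   # ret: this path ends
            return 1, False, [], None
        if 0xB8 <= op <= 0xBF:                           # mov r32, imm32
            return 5, True, [], None
        if op == 0x83 and code[off + 1] == 0xF8:         # cmp eax, imm8 (case bound)
            return 3, True, [], code[off + 2]
        if 0x70 <= op <= 0x7F:                           # jcc rel8: both paths are code
            return 2, True, [off + 2 + struct.unpack_from("<b", code, off + 1)[0]], None
        if code[off:off + 3] == b"\xff\x24\x85":         # jmp dword [eax*4 + disp32]
            disp = struct.unpack_from("<I", code, off + 3)[0]
            # Entries are code targets (absolute offsets in this toy); the table
            # bytes themselves are data. With no bound known, resolve nothing.
            n = table_len or 0
            return 7, False, [struct.unpack_from("<I", code, disp + 4 * i)[0] for i in range(n)], None
    except (IndexError, struct.error):
        pass                                             # truncated at end of blob
    return None

def crawl(code, entry):
    """Recursive descent from `entry`: the set of offsets proven to be code."""
    seen, work = set(), [entry]
    while work:
        off, table_len = work.pop(), None
        while 0 <= off < len(code) and off not in seen:
            dec = decode(code, off, table_len)
            if dec is None:
                break                                    # not code we can decode
            length, falls_through, targets, cmp_imm = dec
            seen.update(range(off, off + length))
            work.extend(targets)
            table_len = cmp_imm + 1 if cmp_imm is not None else table_len  # cases 0..imm
            if not falls_through:
                break
            off += length
    return seen

# Constructed sample blob (not from a real binary); layout, offsets in hex:
#   00: 83 F8 01  cmp eax,1 | 03: 77 0F  ja 14 (default) | 05: FF 24 85 0C 00 00 00  jmp [eax*4+0C]
#   0C: 14 00 00 00 16 00 00 00   inline jump table = DATA (entries 0x14, 0x16)
#   14: 90 C3  case 0: nop; ret | 16: B8 2A 00 00 00 C3  case 1: mov eax,42; ret
SAMPLE = bytes.fromhex("83F801 770F FF24850C000000 1400000016000000 90C3 B82A000000C3")
```

`crawl(SAMPLE, 0)` marks offsets 0x00-0x0B and 0x14-0x1B as code and never touches the eight table bytes at 0x0C-0x13, which a plain linear sweep would have mis-decoded as instructions.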