Error: Unsupported OS when analyzing ELF file #2577

Open
r0ny123 opened this issue Jan 28, 2025 · 5 comments
Labels
bug Something isn't working

Comments

r0ny123 commented Jan 28, 2025

Description

I'm encountering an error with capa where it fails to analyze an ELF file due to an "unsupported os: unknown" issue.

Steps to Reproduce

sha256 hash: c340e3d3ae7f769b4e88204dd08aa0f7b0145dffafe164d8e09c39b5a6d0d7cb
capa c340e3d3ae7f769b4e88204dd08aa0f7b0145dffafe164d8e09c39b5a6d0d7cb -d

Expected behavior:

Capa should analyze the ELF file, detect the operating system, and provide an analysis based on its signatures and capabilities.

Actual behavior:

capa failed to analyze the file.

Additional Information

Debug Logs:
DEBUG    capa: successfully loaded 969 rules                                                                                             main.py:683
DEBUG    capa.features.extractors.elf: ei_class: 0x02 ei_data: 0x01                                                                       elf.py:147
DEBUG    capa.features.extractors.elf: e_phoff: 0x40 e_phentsize: 0x38 e_phnum: 4                                                         elf.py:177
DEBUG    capa.features.extractors.elf: guess: osabi: None                                                                                elf.py:1475
DEBUG    capa.features.extractors.elf: ph:namesz: 0x04 descsz: 0x14 type: 0x0003                                                          elf.py:592
DEBUG    capa.features.extractors.elf: name: GNU                                                                                          elf.py:595
DEBUG    capa.features.extractors.elf: guess: ph notes: None                                                                             elf.py:1482
DEBUG    capa.features.extractors.elf: sh:namesz: 0x04 descsz: 0x14 type: 0x0003                                                          elf.py:641
DEBUG    capa.features.extractors.elf: sh:name: GNU                                                                                       elf.py:645
DEBUG    capa.features.extractors.elf: GNU_ABI_TAG: 0xe776ce52                                                                            elf.py:657
DEBUG    capa.features.extractors.elf: guess: sh notes: None                                                                             elf.py:1489
DEBUG    capa.features.extractors.elf: guess: .ident: None                                                                               elf.py:1496
DEBUG    capa.features.extractors.elf: guess: linker: None                                                                               elf.py:1503
DEBUG    capa.features.extractors.elf: guess: ABI versions needed: None                                                                  elf.py:1510
DEBUG    capa.features.extractors.elf: guess: needed dependencies: None                                                                  elf.py:1517
DEBUG    capa.features.extractors.elf: guess: pertinent symbol name: None                                                                elf.py:1524
DEBUG    capa.features.extractors.elf: go buildinfo: found data segment                                                                  elf.py:1003
DEBUG    capa.features.extractors.elf: go buildinfo: no buildinfo magic                                                                  elf.py:1089
DEBUG    capa.features.extractors.elf: guess: Go buildinfo: None                                                                         elf.py:1531
DEBUG    capa.features.extractors.elf: guess: Go source: None                                                                            elf.py:1538
DEBUG    capa.features.extractors.elf: guess: vdso strings: None                                                                         elf.py:1545
DEBUG    capa.features.extractors.common: unsupported os: unknown                                                                      common.py:127
DEBUG    capa.capabilities.common: analyzed file and extracted 35 features                                                              common.py:35
DEBUG    capa.features.extractors.elf: ei_class: 0x02 ei_data: 0x01                                                                       elf.py:147
DEBUG    capa.features.extractors.elf: e_phoff: 0x40 e_phentsize: 0x38 e_phnum: 4                                                         elf.py:177
DEBUG    capa.features.extractors.elf: guess: osabi: None                                                                                elf.py:1475
DEBUG    capa.features.extractors.elf: ph:namesz: 0x04 descsz: 0x14 type: 0x0003                                                          elf.py:592
DEBUG    capa.features.extractors.elf: name: GNU                                                                                          elf.py:595
DEBUG    capa.features.extractors.elf: guess: ph notes: None                                                                             elf.py:1482
DEBUG    capa.features.extractors.elf: sh:namesz: 0x04 descsz: 0x14 type: 0x0003                                                          elf.py:641
DEBUG    capa.features.extractors.elf: sh:name: GNU                                                                                       elf.py:645
DEBUG    capa.features.extractors.elf: GNU_ABI_TAG: 0xe776ce52                                                                            elf.py:657
DEBUG    capa.features.extractors.elf: guess: sh notes: None                                                                             elf.py:1489
DEBUG    capa.features.extractors.elf: guess: .ident: None                                                                               elf.py:1496
DEBUG    capa.features.extractors.elf: guess: linker: None                                                                               elf.py:1503
DEBUG    capa.features.extractors.elf: guess: ABI versions needed: None                                                                  elf.py:1510
DEBUG    capa.features.extractors.elf: guess: needed dependencies: None                                                                  elf.py:1517
DEBUG    capa.features.extractors.elf: guess: pertinent symbol name: None                                                                elf.py:1524
DEBUG    capa.features.extractors.elf: go buildinfo: found data segment                                                                  elf.py:1003
DEBUG    capa.features.extractors.elf: go buildinfo: no buildinfo magic                                                                  elf.py:1089
DEBUG    capa.features.extractors.elf: guess: Go buildinfo: None                                                                         elf.py:1531
DEBUG    capa.features.extractors.elf: guess: Go source: None                                                                            elf.py:1538
DEBUG    capa.features.extractors.elf: guess: vdso strings: None                                                                         elf.py:1545
DEBUG    capa.features.extractors.common: unsupported os: unknown                                                                      common.py:127
DEBUG    capa: skipping library code matching: signatures only supports PE files                                                         main.py:787
DEBUG    capa: format:  elf                                                                                                              main.py:833
DEBUG    capa: backend: vivisect                                                                                                         main.py:834
DEBUG    viv_utils.idaloader: failed to import IDA Pro modules                                                                       idaloader.py:24
DEBUG    capa.features.extractors.elf: ei_class: 0x02 ei_data: 0x01                                                                       elf.py:147
DEBUG    capa.features.extractors.elf: e_phoff: 0x40 e_phentsize: 0x38 e_phnum: 4                                                         elf.py:177
DEBUG    capa.features.extractors.elf: ei_class: 0x02 ei_data: 0x01                                                                       elf.py:147
DEBUG    capa.features.extractors.elf: e_phoff: 0x40 e_phentsize: 0x38 e_phnum: 4                                                         elf.py:177
DEBUG    capa.features.extractors.elf: guess: osabi: None                                                                                elf.py:1475
DEBUG    capa.features.extractors.elf: ph:namesz: 0x04 descsz: 0x14 type: 0x0003                                                          elf.py:592
DEBUG    capa.features.extractors.elf: name: GNU                                                                                          elf.py:595
DEBUG    capa.features.extractors.elf: guess: ph notes: None                                                                             elf.py:1482
DEBUG    capa.features.extractors.elf: sh:namesz: 0x04 descsz: 0x14 type: 0x0003                                                          elf.py:641
DEBUG    capa.features.extractors.elf: sh:name: GNU                                                                                       elf.py:645
DEBUG    capa.features.extractors.elf: GNU_ABI_TAG: 0xe776ce52                                                                            elf.py:657
DEBUG    capa.features.extractors.elf: guess: sh notes: None                                                                             elf.py:1489
DEBUG    capa.features.extractors.elf: guess: .ident: None                                                                               elf.py:1496
DEBUG    capa.features.extractors.elf: guess: linker: None                                                                               elf.py:1503
DEBUG    capa.features.extractors.elf: guess: ABI versions needed: None                                                                  elf.py:1510
DEBUG    capa.features.extractors.elf: guess: needed dependencies: None                                                                  elf.py:1517
DEBUG    capa.features.extractors.elf: guess: pertinent symbol name: None                                                                elf.py:1524
DEBUG    capa.features.extractors.elf: go buildinfo: found data segment                                                                  elf.py:1003
DEBUG    capa.features.extractors.elf: go buildinfo: no buildinfo magic                                                                  elf.py:1089
DEBUG    capa.features.extractors.elf: guess: Go buildinfo: None                                                                         elf.py:1531
DEBUG    capa.features.extractors.elf: guess: Go source: None                                                                            elf.py:1538
DEBUG    capa.features.extractors.elf: guess: vdso strings: None                                                                         elf.py:1545
DEBUG    capa.features.extractors.common: unsupported os: unknown                                                                      common.py:127
ERROR    capa: --------------------------------------------------------------------------------                                       helpers.py:322
ERROR    capa:  Input file does not appear to target a supported OS.                                                                  helpers.py:323
ERROR    capa:                                                                                                                        helpers.py:324
ERROR    capa:  capa currently only analyzes executables for some operating systems                                                   helpers.py:325
ERROR    capa:  (including Windows, Linux, and Android).                                                                              helpers.py:326
ERROR    capa: --------------------------------------------------------------------------------                                       helpers.py:327
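The OS guess in the debug log above walks the ELF's notes (`ph notes`, `sh notes`) and finds a single record with name GNU, type 0x3 and a 0x14-byte descriptor. By the ELF/GNU note definitions that is an NT_GNU_BUILD_ID record (a hash of the build), not the NT_GNU_ABI_TAG record (type 0x1, 16-byte descriptor) whose first dword names the OS, so a file that carries only a build-id note yields no OS from its notes. The following is an added example, not capa's code, that parses raw note records of the kind `readelf -n` displays and reports an OS only when an ABI-tag or vendor-named note is present. All byte samples are constructed; the value 0xe776ce52 is reused from the log purely as the first dword of a made-up build ID.

```python
"""Parse raw ELF note records and derive a target OS from them.

Added example, not code from capa. A note record (PT_NOTE segment / SHT_NOTE
section) is laid out as:

    u32 namesz | u32 descsz | u32 type | name (padded to 4) | desc (padded to 4)

Two GNU note types matter for OS detection:
    NT_GNU_ABI_TAG  (type 1, name "GNU", 16-byte desc): desc[0] is the OS id
    NT_GNU_BUILD_ID (type 3, name "GNU", usually 20-byte desc): a hash, no OS info
"""
import struct

NT_GNU_ABI_TAG = 1
NT_GNU_BUILD_ID = 3

# OS ids in the NT_GNU_ABI_TAG descriptor (glibc elf.h ELF_NOTE_OS_*)
GNU_ABI_OS = {0: "linux", 1: "gnu", 2: "solaris", 3: "freebsd"}

# The BSDs tag their binaries with a vendor-named type-1 note instead of a GNU one
VENDOR_NOTE_OS = {b"FreeBSD": "freebsd", b"NetBSD": "netbsd", b"OpenBSD": "openbsd"}


def _align4(n: int) -> int:
    return (n + 3) & ~3


def parse_notes(blob: bytes, little_endian: bool = True):
    """Return [(name, type, desc), ...] for each record in blob; stops at truncated data."""
    end = "<" if little_endian else ">"
    notes = []
    off = 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from(end + "III", blob, off)
        off += 12
        desc_start = off + _align4(namesz)
        desc_end = desc_start + descsz
        if desc_end > len(blob):
            break  # truncated record: never read past the buffer
        name = blob[off:off + namesz].rstrip(b"\x00")
        notes.append((name, ntype, blob[desc_start:desc_end]))
        off = desc_start + _align4(descsz)
    return notes


def os_from_notes(notes, little_endian: bool = True):
    """Return (os, abi_version) or (None, None) when no note identifies the OS."""
    end = "<" if little_endian else ">"
    for name, ntype, desc in notes:
        if name == b"GNU" and ntype == NT_GNU_ABI_TAG and len(desc) >= 16:
            os_id, major, minor, patch = struct.unpack_from(end + "IIII", desc, 0)
            return GNU_ABI_OS.get(os_id, "unknown-gnu-os-%d" % os_id), "%d.%d.%d" % (major, minor, patch)
        if name in VENDOR_NOTE_OS and ntype == 1:
            return VENDOR_NOTE_OS[name], None
    return None, None


def _note(name: bytes, ntype: int, desc: bytes) -> bytes:
    """Build one little-endian note record (used only to construct the samples below)."""
    name = name + b"\x00"
    return (struct.pack("<III", len(name), len(desc), ntype)
            + name.ljust(_align4(len(name)), b"\x00")
            + desc.ljust(_align4(len(desc)), b"\x00"))


# Constructed: the shape seen in this issue's log, one GNU note of type 3 with a
# 0x14-byte descriptor, i.e. a build ID whose first dword is 0xe776ce52.
BUILD_ID_ONLY = _note(b"GNU", NT_GNU_BUILD_ID, struct.pack("<I", 0xE776CE52) + bytes(16))

# Constructed: a glibc-linked Linux binary normally carries an ABI tag (OS 0 = Linux,
# minimum kernel 3.2.0) next to its build ID.
LINUX_NOTES = _note(b"GNU", NT_GNU_ABI_TAG, struct.pack("<IIII", 0, 3, 2, 0)) + BUILD_ID_ONLY

# Constructed: a FreeBSD vendor tag (descriptor is the __FreeBSD_version number).
FREEBSD_NOTES = _note(b"FreeBSD", 1, struct.pack("<I", 1400000))

if __name__ == "__main__":
    for label, blob in (("build-id only", BUILD_ID_ONLY),
                        ("abi-tag + build-id", LINUX_NOTES),
                        ("FreeBSD tag", FREEBSD_NOTES)):
        notes = parse_notes(blob)
        print(label, [(n.decode(), t, len(d)) for n, t, d in notes], "->", os_from_notes(notes))
```

On a real file, feed `parse_notes` the bytes of each PT_NOTE segment (or each SHT_NOTE section); the record walker refuses to read past the buffer, so a corrupt `descsz` simply ends the scan instead of raising.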
@williballenthin (Collaborator)

Thanks, I'll triage the file tomorrow.

Do you happen to know the expected OS?

r0ny123 commented Jan 28, 2025

Linux

williballenthin commented Jan 29, 2025

I don't see any indication from the file metadata/strings that this targets Linux:

[screenshots omitted]

we see that it targets x86-64 and is built with GCC (probably), but not the underlying OS.

Binary Ninja indicates this is for Linux:

[screenshot omitted]

I wonder how they made that determination.

If we manually cross reference the Linux syscall table then things make sense:

[screenshot omitted]

So, this does seem to target Linux, or at least a system with Linux-compatible syscalls. Note that, for example, FreeBSD uses 0x6 for close() which doesn't make sense here.

williballenthin commented Jan 29, 2025

In this file, there aren't many small functions that I'd expect to be statically linked widely by GCC for Linux. My thinking was: maybe we could find a few functions that we expect to exist verbatim, including the syscall indices, that might signal the Linux target. Then we could use yara or strstr to find those bytes and conclude the target was Linux.

This is the best I could find:

[screenshot omitted]

but searching in VT doesn't give a wide variety of results (note how most of the files have about the same size):
https://www.virustotal.com/gui/search/content%253A%2520%257B55%252048%25208b%2520ec%252048%252081%2520ec%252088%252000%252000%252000%252048%252089%25207d%2520f8%252048%2520%2520%2520%25208d%2520bd%252078%2520ff%2520ff%2520ff%252048%2520c7%2520c1%252080%252000%252000%252000%252032%2520c0%2520f3%2520%2520%2520aa%252048%25208b%25207d%2520f8%252048%25208d%2520b5%252078%2520ff%2520ff%2520ff%252048%2520c7%2520c0%252061%2520%2520%2520%252000%252000%252000%25200f%252005%252048%25208d%252075%252080%252048%25208d%2520bd%252078%2520ff%2520ff%2520ff%2520%2520%2520%252048%2520c7%2520c1%252008%252000%252000%252000%2520f3%2520a4%252048%25208b%25207d%2520f8%252048%25208d%2520b5%2520%2520%2520%252078%2520ff%2520ff%2520ff%252048%2520c7%2520c0%2520a0%252000%252000%252000%25200f%252005%2520c9%2520c3%2520%2520%2520%2520%2520%257D?type=files

[screenshot omitted]

So, I don't know how to detect the OS here, without doing a manual correlation with the Linux syscall table. In theory, this can be done programmatically, but it would be a moderate amount of effort.

In the meantime, @r0ny123 I recommend using --os linux to tell capa to assume it's a Linux ELF file.

@williballenthin (Collaborator)

We could do syscall socket and syscall connect in a short window:

[screenshot omitted]

But this would only catch samples that do networking in this way.

```
004021e1  48c7c029000000     mov     rax, 41  // socket
004021e8  0f05               syscall

004021ff  48c7c210000000     mov     rdx, 0x10
00402206  48c7c02a000000     mov     rax, 42  // connect
0040220d  0f05               syscall

48c7c029000000 0f05 ... 48c7c210000000 48c7c02a000000 0f05
content: {48c7c029000000 0f05 [8-64] 48c7c210000000 48c7c02a000000 0f05}
```
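The comments above cross-reference the immediates loaded into rax before `syscall` against the Linux x86-64 syscall table, note that doing so programmatically would take some effort, and give a socket-then-connect byte window as one concrete signature. The following is an added example, not capa's code, that performs that correlation over raw code bytes: for each `0f 05` it takes the nearest preceding `mov eax, imm32` (`b8`) or `mov rax, imm32` (`48 c7 c0`) and scores the collected numbers against small, hand-picked subsets of the Linux x86-64 and FreeBSD amd64 syscall tables (an ambiguous number such as 97 counts for both); it also checks the socket/connect window from the last comment as a regex over bytes. The samples are constructed: the socket/connect and getrlimit (0x61)/setrlimit (0xa0) loads mirror bytes quoted in this thread, while the padding, the final exit and the FreeBSD-style sequence are made up.

```python
"""Guess the target OS of a static x86-64 binary from the syscall numbers it uses.

Added example for this issue, not capa's code. Two common idioms load the
syscall number right before `syscall` (0f 05):

    b8 imm32          mov eax, imm32
    48 c7 c0 imm32    mov rax, imm32

For each 0f 05 the nearest such load inside a short look-back window supplies
the number, which is then checked against partial, hand-picked tables taken
from Linux's syscall_64.tbl and FreeBSD's syscalls.master.
"""
import re
import struct

LINUX_X64 = {
    0: "read", 1: "write", 2: "open", 3: "close", 9: "mmap", 10: "mprotect",
    12: "brk", 32: "dup", 33: "dup2", 39: "getpid", 41: "socket", 42: "connect",
    43: "accept", 44: "sendto", 45: "recvfrom", 49: "bind", 50: "listen",
    56: "clone", 57: "fork", 59: "execve", 60: "exit", 61: "wait4", 62: "kill",
    97: "getrlimit", 160: "setrlimit", 231: "exit_group", 257: "openat",
}
FREEBSD_AMD64 = {
    1: "exit", 2: "fork", 3: "read", 4: "write", 5: "open", 6: "close",
    7: "wait4", 20: "getpid", 30: "accept", 37: "kill", 59: "execve",
    97: "socket", 98: "connect", 104: "bind", 106: "listen",
}
TABLES = {"linux": LINUX_X64, "freebsd": FREEBSD_AMD64}

SYSCALL = b"\x0f\x05"
LOOKBACK = 24  # bytes searched backwards from each syscall for the number load


def _last_imm_load(chunk: bytes):
    """imm32 of the last `mov eax, imm32` / `mov rax, imm32` whose immediate fits in chunk."""
    best = None
    for opcode, imm_off in ((b"\xb8", 1), (b"\x48\xc7\xc0", 3)):
        # the opcode must end at least 4 bytes before the end of chunk so imm32 fits
        idx = chunk.rfind(opcode, 0, len(chunk) - 4)
        if idx != -1 and (best is None or idx > best[0]):
            best = (idx, struct.unpack_from("<I", chunk, idx + imm_off)[0])
    return None if best is None else best[1]


def syscall_numbers(code: bytes, lookback: int = LOOKBACK):
    """Return [(offset_of_syscall, number), ...] for every 0f 05 with a recognisable number load."""
    found = []
    pos = code.find(SYSCALL)
    while pos != -1:
        num = _last_imm_load(code[max(0, pos - lookback):pos])
        if num is not None:
            found.append((pos, num))
        pos = code.find(SYSCALL, pos + len(SYSCALL))
    return found


def score_tables(numbers):
    """Count how many observed numbers are known syscalls in each table."""
    return {name: sum(1 for n in numbers if n in table) for name, table in TABLES.items()}


def guess_os(code: bytes):
    """Return (os, details); os is 'unknown' unless one table clearly wins."""
    numbers = [n for _, n in syscall_numbers(code)]
    scores = score_tables(numbers)
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    if not numbers or ranked[0][1] == 0 or ranked[0][1] == ranked[1][1]:
        return "unknown", {"numbers": numbers, "scores": scores}
    os_name = ranked[0][0]
    names = [TABLES[os_name].get(n, "?%d" % n) for n in numbers]
    return os_name, {"numbers": numbers, "scores": scores, "names": names}


# The socket-then-connect window from the last comment as a bytes regex:
# mov rax,41; syscall; 8-64 arbitrary bytes; mov rdx,0x10; mov rax,42; syscall
LINUX_SOCKET_CONNECT = re.compile(
    rb"\x48\xc7\xc0\x29\x00\x00\x00\x0f\x05"
    rb".{8,64}?"
    rb"\x48\xc7\xc2\x10\x00\x00\x00\x48\xc7\xc0\x2a\x00\x00\x00\x0f\x05",
    re.DOTALL,
)


def has_linux_socket_connect(code: bytes) -> bool:
    return LINUX_SOCKET_CONNECT.search(code) is not None


# Constructed sample: socket/connect and getrlimit/setrlimit mirror bytes quoted in
# the thread; the mov rdi,rax + nop padding and the final exit are made up.
SAMPLE_LINUX = bytes.fromhex(
    "48c7c029000000" + "0f05"        # mov rax, 41 (socket); syscall
    + "4889c7" + "90" * 18           # mov rdi, rax; nop padding (constructed)
    + "48c7c210000000"               # mov rdx, 0x10
    + "48c7c02a000000" + "0f05"      # mov rax, 42 (connect); syscall
    + "48c7c061000000" + "0f05"      # mov rax, 97 (getrlimit); syscall
    + "48c7c0a0000000" + "0f05"      # mov rax, 160 (setrlimit); syscall
    + "b83c000000" + "0f05"          # mov eax, 60 (exit); syscall
)

# Constructed FreeBSD-style sequence: socket (97), connect (98), close (6) on FreeBSD amd64.
SAMPLE_FREEBSD = bytes.fromhex("b861000000" + "0f05" + "b862000000" + "0f05" + "b806000000" + "0f05")

if __name__ == "__main__":
    import sys
    code = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LINUX
    print("guess:", guess_os(code))
    print("socket/connect window:", has_linux_socket_connect(code))
```

Run it on the bytes of the executable segments (PT_LOAD with PF_X) rather than the whole file: data and string tables contain `0f 05` and `b8` by chance, and the look-back heuristic will pick up that noise. A tie or an empty result stays "unknown", which is the honest answer when the numbers do not discriminate.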

@williballenthin williballenthin added the bug Something isn't working label Jan 29, 2025