A Quick and Efficient Method For Locating the main() function of Linux ELF Malware Variants


Linux is a family of open source operating systems (OS) commonly used to run internet of things (IoT) devices and web servers. The prevalence of the OS, as expected, has turned it into a valuable target for cybercriminals casting wide nets to reach more potential victims.


In the past few years, Linux systems have been hit by ransomware, cryptocurrency miners, botnets and other types of malware. The success of these attacks refutes the old notion that machines and devices running Linux are less likely to be affected by malware.


To come up with effective countermeasures, we continually develop methods for addressing attacks against Linux systems; one example is finding ways to analyze malware samples quickly and efficiently so that they can be detected and blocked. One of these methods involves reverse engineering files to locate the address of the main() function, which usually contains the code that malware authors craft to start their malicious routines.


Using GDB to locate the main() function


Locating the address of the main() function is easy when malware samples are compiled with symbols, the references that the compiler adds to help with debugging. GDB, the GNU Project debugger, can then place a breakpoint at the beginning of the main() function simply by passing its name to the “b” (breakpoint) command.
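What GDB does behind “b main” is a lookup in the ELF symbol table (.symtab) and its associated string table (.strtab); on a stripped sample that table is absent and GDB reports that the function is not defined. The script below is an added example, not code from the original post: it parses the ELF64 section headers, walks .symtab to find a function symbol by name, and returns its address and size, or None when the binary is stripped. The ELF image it runs on is a constructed fixture built in memory (the symbol names, addresses and sizes are invented test values, not taken from any real sample) so the example runs offline; `find_symbol` works unchanged on a real little-endian ELF64 file read from disk.

```python
import struct

ELF_MAGIC = b"\x7fELF"
SHT_SYMTAB = 2   # section type: symbol table
SHT_STRTAB = 3   # section type: string table
STT_FUNC = 2     # symbol type: function (low nibble of st_info)

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # ELF64 file header, little endian (64 bytes)
SHDR_FMT = "<IIQQQQIIQQ"         # ELF64 section header (64 bytes)
SYM_FMT = "<IBBHQQ"              # ELF64 symbol table entry (24 bytes)


def _cstr(blob, off):
    """Read a NUL-terminated string from a string table at the given offset."""
    return blob[off:blob.index(b"\0", off)].decode()


def find_symbol(elf, name="main"):
    """Resolve a function symbol the way 'b <name>' does: return (address, size),
    or None when the image carries no .symtab (i.e. it was stripped)."""
    if elf[:4] != ELF_MAGIC or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR_FMT, elf, 0)
    e_shoff, e_shentsize, e_shnum = hdr[6], hdr[11], hdr[12]
    sections = [struct.unpack_from(SHDR_FMT, elf, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    for sh in sections:
        sh_type, sh_offset, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type != SHT_SYMTAB:
            continue
        # sh_link of a symbol table is the index of its string table section.
        st_off, st_size = sections[sh_link][4], sections[sh_link][5]
        strtab = elf[st_off:st_off + st_size]
        for off in range(sh_offset, sh_offset + sh_size, sh_entsize or 24):
            st_name, st_info, _, _, st_value, st_sz = struct.unpack_from(SYM_FMT, elf, off)
            if st_info & 0xF == STT_FUNC and _cstr(strtab, st_name) == name:
                return st_value, st_sz
    return None  # no symbol table at all: the sample is stripped


def build_sample_elf(symbols, stripped=False):
    """Construct a minimal ELF64 fixture (test data, not a real program) holding
    only the tables a symbol lookup needs; stripped=True omits .symtab/.strtab."""
    sec_names = ([] if stripped else [".symtab", ".strtab"]) + [".shstrtab"]
    shstrtab, name_off = b"\0", {}
    for n in sec_names:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\0"
    strtab, sym_off = b"\0", {}
    for sym, _, _ in symbols:
        sym_off[sym] = len(strtab)
        strtab += sym.encode() + b"\0"
    symtab = bytes(24)  # index 0 is the mandatory null symbol
    for sym, addr, size in symbols:
        symtab += struct.pack(SYM_FMT, sym_off[sym], (1 << 4) | STT_FUNC, 0, 1, addr, size)
    contents = {".symtab": symtab, ".strtab": strtab, ".shstrtab": shstrtab}
    index = {n: i + 1 for i, n in enumerate(sec_names)}  # 0 is SHN_UNDEF
    headers, body = [bytes(64)], b""
    for n in sec_names:
        data = contents[n]
        is_symtab = n == ".symtab"
        headers.append(struct.pack(
            SHDR_FMT, name_off[n], SHT_SYMTAB if is_symtab else SHT_STRTAB, 0, 0,
            64 + len(body), len(data), index[".strtab"] if is_symtab else 0,
            1 if is_symtab else 0, 1, 24 if is_symtab else 0))
        body += data
    body += b"\0" * (-len(body) % 8)  # align the section header table
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, version 1
    ehdr = struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, 0x401040, 0, 64 + len(body), 0,
                       64, 0, 0, 64, len(headers), index[".shstrtab"])
    return ehdr + body + b"".join(headers)


# Constructed symbols: names, addresses and sizes are invented for the fixture.
SAMPLE_SYMBOLS = [("_start", 0x401040, 0x26), ("main", 0x401136, 0x45)]


def locate_main(elf):
    """Address to break on for 'b main', or None if the sample is stripped."""
    hit = find_symbol(elf, "main")
    return hit[0] if hit else None


if __name__ == "__main__":
    for stripped in (False, True):
        addr = locate_main(build_sample_elf(SAMPLE_SYMBOLS, stripped=stripped))
        label = "stripped" if stripped else "with symbols"
        print(f"{label}: main at {hex(addr) if addr else 'not found'}")
```

The stripped branch is the case that matters for malware triage: when `find_symbol` returns None, GDB's `b main` has nothing to resolve either, so the address has to be recovered by other means.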

