echo: rberrypi
to: MARKUS ROBERT KESSLER
from: PAUL
date: 2019-05-09 16:50:00
subject: Re: Security aspects Clos

Markus Robert Kessler wrote:

>
> Hi,
>
> I try to figure out how to trace what such a "run file" is doing exactly.
>
> At least this one has to be run as root (and terminates if not). So,
> spying on it is not so easy. Especially if such closed-source binaries
> are using "stealth" techniques or try to manipulate the tracing process
> itself.
>
> Well, one could use a fresh install, as slim as possible, do an md5sum
> for every file on disk, before and after installation. And then compare
> the md5 lists. Alas, that would mean that you also find tons of files
> that are changed or newly created by the OS anyway.
>
> Same, when using a (VirtualBox) VM.
>
> Any better way?
>
> Thanks,
> best regards,
>
> Markus
>

Try the following.

1) Download a .run or .sh file intended for install.
    It consists of text at the start of the file and
    binary soon after.

2) Open the file in a hex editor. Scroll down
    until the text ends and seemingly binary appears.
    The binary is part of a "here is" structure and
    is being passed to a command very near to the end
    of the text section.

3) Where the text ends, the last line ends in 0x0A.

    Remove all the text including the 0x0A, save the file
    to a temporary file name, such as .bin

    The start of the resulting .bin file is 0x1F 0x8B 0x08 0x00

4) Use the "file" command which should be present in
    your distro.

    file thing.bin

    In the case of the HPLIP run file it says

    "gzip compressed data"

    This is the first level of containment.

5) Open thing.bin in "Archive Manager". It
    will display the folder in the gzip file
    that is thing.bin. This will allow easy viewing
    of the content.

5a) Or, you can do it the old fashioned way.

    file thing.bin

    (GZIP compressed)

    mv thing.bin thing.gz    # purely for entertainment value, to make the following
                             # easier to understand

    gzip -lv thing.gz        # list the contents, a single file "hplip-3.19.3"

    gzip -d thing.gz         # convert and erase thing.gz, leaving "hplip-3.19.3"

    file hplip-3.19.3        # tells you it's a "tar" file

    mv hplip-3.19.3 hplip-3.19.3.tar  # purely for entertainment value

    mkdir tar_out

    mv hplip-3.19.3.tar tar_out/

    cd tar_out               # work in a clean place so folders don't spill all over.
                             # Never trust a tar file to be neat and tidy!

    tar tf hplip-3.19.3.tar  # list the files

    tar xf hplip-3.19.3.tar  # extract the folders and files to tar_out/

Now, examine the files, see how many binary blobs,
how many text files, and so on.

You can see how Archive Manager
has saved you from many hand-crafted commands.

If you are on a headless server, you might not have a lot of fancy
tools, and have to do it as in (5a).

    Paul

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | FidoUsenet Gateway (3:770/3)
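
The header-then-payload split that Paul walks through in steps 2 to 5a, as an added example that is not part of the original thread: it locates the gzip magic bytes (0x1F 0x8B 0x08) inside a self-extracting installer, separates the shell header from the compressed tar, and inventories the archive as text versus binary members without ever running the installer. The installer it inspects is a constructed sample built inline, not a real vendor file, and the `split_run_file`/`inventory` names are this example's own.

```python
import gzip
import io
import tarfile

# gzip member header: ID1 ID2 CM (0x1f 0x8b 0x08), the bytes seen at the start of thing.bin
GZIP_MAGIC = b"\x1f\x8b\x08"


def split_run_file(data: bytes):
    """Split a self-extracting installer into its shell header and the gzip payload
    that follows it, without executing anything."""
    offset = data.find(GZIP_MAGIC)
    if offset < 0:
        raise ValueError("no gzip member found in file")
    header = data[:offset].decode("utf-8", errors="replace")
    return header, data[offset:]


def inventory(payload: bytes):
    """Decompress the gzip payload, open the tar inside it and report each regular
    file as 'text' or 'binary' (a NUL byte in the first 1 KiB marks it binary)."""
    raw = gzip.decompress(payload)
    result = {}
    with tarfile.open(fileobj=io.BytesIO(raw)) as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            head = tar.extractfile(member).read(1024)
            result[member.name] = "binary" if b"\x00" in head else "text"
    return result


def build_sample_run():
    """Constructed sample installer (not a real vendor file): a short shell header
    followed by a gzip-compressed tar holding one script and one binary blob."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name, body in (("sample-1.0/install.sh", b"#!/bin/sh\necho installing\n"),
                           ("sample-1.0/plugin.bin", bytes(range(256)))):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    header = (b"#!/bin/sh\n"
              b"# constructed installer header; a real one is much longer\n"
              b"tail -n +5 \"$0\" | tar xzf -\n"
              b"exit 0\n")
    return header + gzip.compress(tar_buf.getvalue())


if __name__ == "__main__":
    script, blob = split_run_file(build_sample_run())
    print(script)
    for name, kind in inventory(blob).items():
        print(f"{kind:6} {name}")
```

Real installers sometimes append a checksum or trailer after the gzip member; if decompression complains about trailing data, truncate the payload at the length the header's own `tail`/`dd` arithmetic implies before handing it to `inventory`.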

SOURCE: echomail via QWK@docsplace.org
