Master Linux Binary Analysis: 10 Essential Commands Explained

This guide introduces ten fundamental Linux commands—file, ldd, ltrace, strace, hexdump, strings, readelf, objdump, nm, and gdb—explaining how each tool reveals a binary's type, dependencies, function calls, raw bytes, symbols, and runtime behavior for effective reverse‑engineering and debugging.

Liangxu Linux

Overview

Binary files are encountered daily on Linux systems, yet many developers are unfamiliar with the tools that reveal their inner structure. This article presents ten core commands that help identify file types, inspect dependencies, trace function and system calls, view raw bytes, and debug executables.

file

The file command determines a file’s type. For example:

$ file /bin/pwd
/bin/pwd: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0d264bacf2adc568f0e21cbcc9576df434c44380, stripped

It quickly tells whether a file is an ELF executable, a text file, a socket, etc.

ldd

ldd lists the shared libraries required by an executable. Example output shows the paths of libc.so.6 and the dynamic linker:

$ ldd /bin/pwd
    linux-vdso.so.1 =>  (0x00007ffeb73e5000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f908b321000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f908b6ef000)

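This is useful when a program fails to run due to missing libraries. Because ldd may run the target through the dynamic linker to resolve its dependencies, do not use it on untrusted binaries; readelf -d shows the NEEDED library names from the dynamic section without executing anything.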

ltrace

ltrace traces library function calls made by a program. A sample run shows calls to __libc_start_main, getenv, and others, together with their arguments and return values.

$ ltrace /bin/pwd
__libc_start_main(0x401760, 1, 0x7ffff6524cc8, 0x404a00) = 0
getenv("POSIXLY_CORRECT") = nil
strrchr("/bin/pwd", '/') = "/pwd"
...

strace

strace records system calls performed by a process. The following excerpt shows the initial execve, memory mappings, and file accesses when running /bin/pwd:

$ strace -f /bin/pwd
execve("/bin/pwd", ["/bin/pwd"], [/* 24 vars */]) = 0
brk(NULL) = 0xbc9000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f918ba69000
...
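Saved strace output is easy to triage mechanically. The following Python code is an added example, not part of the original article: it counts system calls and lists the ones that failed, which is often the fastest way to spot a missing file or library. The first three sample lines come from the excerpt above; the rest, including the libfoo.so.1 path and the pid, are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first three lines are from the excerpt above, the
# rest are made-up but typical strace lines (assumption, not from the article).
SAMPLE = """\
execve("/bin/pwd", ["/bin/pwd"], [/* 24 vars */]) = 0
brk(NULL) = 0xbc9000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f918ba69000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[pid 4242] open("/lib64/libfoo.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
+++ exited with 0 +++
"""

# Optional "[pid N]" prefix (added by -f), syscall name, arguments, return
# value, and the errno name when the call failed.
LINE = re.compile(
    r"^(?:\[pid\s+(?P<pid>\d+)\]\s+)?(?P<name>\w+)\((?P<args>.*)\)\s+=\s+"
    r"(?P<ret>0x[0-9a-f]+|-?\d+|\?)(?:\s+(?P<errno>E[A-Z]+))?"
)


def summarize(text):
    """Return (syscall counts, list of failed calls) for strace output."""
    counts, failures = Counter(), []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:  # exit/signal markers such as "+++ exited with 0 +++"
            continue
        counts[m["name"]] += 1
        if m["errno"]:
            # The first quoted argument is usually the path being accessed.
            path = re.match(r'"([^"]*)"', m["args"])
            failures.append(
                (m["name"], path.group(1) if path else None, m["errno"])
            )
    return counts, failures


if __name__ == "__main__":
    counts, failures = summarize(SAMPLE)
    print(dict(counts))
    for name, path, err in failures:
        print(f"FAILED {name} {path} -> {err}")
```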

hexdump

hexdump -C displays a file’s raw bytes in hexadecimal alongside printable characters. For /bin/pwd the first few lines look like:

$ hexdump -C /bin/pwd | head
00000000  7f 45 4c 46 02 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 3e 00 01 00 00 00  17 19 40 00 00 00 00 00  |..>.......@.....|
...

strings

strings extracts printable character sequences from a binary, revealing embedded messages, library names, or debug strings. Example output includes library filenames and function names such as fflush, strcpy, and strncmp:

$ strings /bin/pwd | head
/lib64/ld-linux-x86-64.so.2
libc.so.6
fflush
strcpy
__printf_chk
readdir
setlocale
mbrtowc
strncmp
optind

readelf

readelf -h prints ELF header information, showing class, data encoding, OS/ABI, entry point, and section header counts. Sample output:

$ readelf -h /bin/pwd
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  Type:                              EXEC (Executable file)
  Machine:                           Advanced Micro Devices X86-64
  Entry point address:               0x401917
  ...
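The hexdump -C and readelf -h outputs above describe the same bytes. As an added example (not from the original article), this Python code decodes the first 32 bytes shown in the hexdump and recovers the class, type, machine and entry point that readelf reports. The lookup tables are an assumption of this example and list only a few common values.

```python
import struct

# First 32 bytes of /bin/pwd, copied from the hexdump -C output shown above.
HEADER = bytes.fromhex(
    "7f 45 4c 46 02 01 01 00  00 00 00 00 00 00 00 00"
    "02 00 3e 00 01 00 00 00  17 19 40 00 00 00 00 00"
)

# Partial lookup tables (only a few common values are listed).
EI_CLASS = {1: "ELF32", 2: "ELF64"}
EI_DATA = {1: "little endian", 2: "big endian"}
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {3: "Intel 80386", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def parse_elf_header(buf):
    """Decode the ELF header fields that fit in the first 32 bytes."""
    if len(buf) < 32:
        raise ValueError("need at least 32 bytes")
    if buf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file (bad magic)")
    ei_class, ei_data, ei_version, ei_osabi = buf[4:8]
    if ei_class not in EI_CLASS or ei_data not in EI_DATA:
        raise ValueError("invalid EI_CLASS or EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine (16-bit) and e_version (32-bit) follow the
    # 16-byte e_ident array.
    e_type, e_machine, e_version = struct.unpack_from(endian + "HHI", buf, 16)
    # e_entry is 4 bytes wide in ELF32 and 8 bytes wide in ELF64.
    entry_fmt = endian + ("I" if ei_class == 1 else "Q")
    (e_entry,) = struct.unpack_from(entry_fmt, buf, 24)
    return {
        "class": EI_CLASS[ei_class],
        "data": EI_DATA[ei_data],
        "osabi": ei_osabi,
        "type": E_TYPE.get(e_type, hex(e_type)),
        "machine": E_MACHINE.get(e_machine, hex(e_machine)),
        "version": e_version,
        "entry": e_entry,
    }


if __name__ == "__main__":
    for key, value in parse_elf_header(HEADER).items():
        print(f"{key:8} {hex(value) if key == 'entry' else value}")
```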

objdump

objdump -d disassembles an executable, showing assembly instructions for each section. The first few lines of /bin/pwd reveal the .init section:

$ objdump -d /bin/pwd | head
/bin/pwd:     file format elf64-x86-64
Disassembly of section .init:
0000000000401350 <.init>:
  401350:       48 83 ec 08          sub    $0x8,%rsp
  401354:       48 8b 05 6d 5c 20 00 mov    0x205c6d(%rip),%rax
  40135b:       48 85 c0             test   %rax,%rax
...

nm

nm lists symbols (functions, variables) from an object file. Compiling a simple hello.c with -g and running nm shows entries such as main, _start, and library references:

$ nm hello | tail
0000000000600e20 d __JCR_END__
0000000000600e20 d __JCR_LIST__
00000000004005b0 T __libc_csu_fini
0000000000400540 T __libc_csu_init
                 U __libc_start_main@@GLIBC_2.2.5
000000000040051d T main
                 U printf@@GLIBC_2.2.5
...

gdb

The GNU Debugger (gdb) allows interactive debugging. A brief session sets a breakpoint at main, runs the program, displays the backtrace, and continues execution:

$ gdb -q ./hello
(gdb) break main
Breakpoint 1 at 0x400521: file hello.c, line 4.
(gdb) run
Starting program: /home/flash/./hello
Breakpoint 1, main () at hello.c:4
4    printf("Hello world!");
(gdb) bt
#0  main () at hello.c:4
(gdb) continue
Continuing.
Hello world!
(gdb) quit

Conclusion

When developing on Linux, mastering these ten commands—file, ldd, ltrace, strace, hexdump, strings, readelf, objdump, nm, and gdb—greatly simplifies binary inspection, dependency troubleshooting, and debugging, making them indispensable tools for any programmer or security analyst.
