Master Linux Binary Analysis: Essential Tools for Debugging and Profiling

This guide presents a comprehensive overview of Linux binary analysis and debugging tools—including nm, strings, strip, readelf, objdump, addr2line, gdb, ldd, strace, ltrace, time, gprof, valgrind, mtrace, oprofile, the proc filesystem and common system logs—explaining their purposes, key options, and typical usage patterns for both compilation and runtime phases.

Open Source Linux

01 Overview

Compilation Phase

nm – retrieve symbol information from binaries

strings – extract string constants from binaries

strip – remove symbols from binaries

readelf – display detailed ELF file information

objdump – disassemble binaries as much as possible

addr2line – map addresses to source code lines

Runtime Phase

gdb – powerful debugger

ldd – show required and actual shared libraries

strace – trace system calls

ltrace – trace library function calls

time – measure execution, user and kernel time

gprof – profile user‑mode function execution time

valgrind – detect memory errors

mtrace – lightweight memory leak detection

oprofile – CPU usage profiling

02 Compilation Details

nm

Symbols: functions, variables. Options: -C, -A, -a, -l, -n, -u.

strings

Purpose: extract string constants from a binary, which is useful for detecting leaked keys. For example, to list strings that are exactly 16 characters long:

strings <your_proc> | grep -E '^.{16}$'

Options: -a (scan whole file), -f (show filename), -n min‑len (minimum string length, default 4).

# strings /lib/tls/libc.so.6 | grep GLIBC
GLIBC_2.0
GLIBC_2.1
GLIBC_2.1.1
…
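
An added example, not from the original article: a shell function that extends the strings | grep check above by printing each candidate's file offset and keeping only strings built from hex or base64 characters. The function names, the constructed sample file and the use of the -t x option are assumptions that do not appear in the article.

```shell
#!/bin/sh
# Added example (not from the original article).
# key_candidates FILE [LEN]
#   Prints "<hex offset> <string>" for every printable run in FILE that is
#   exactly LEN characters long (default 16) and uses only characters found
#   in hex, base64 or base64url encodings, the usual shapes of embedded keys.
key_candidates() {
    file=$1
    len=${2:-16}
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }

    # -a     scan the whole file, not only the loadable data sections
    # -n LEN drop runs shorter than LEN before awk ever sees them
    # -t x   prefix each string with its hex file offset (a strings option
    #        that the article does not list)
    strings -a -n "$len" -t x "$file" |
    awk -v n="$len" '
        {
            off = $1                      # first field is the file offset
            sub(/^ *[0-9a-f]+ /, "")      # drop the offset, keep the string
            if (length($0) == n && $0 ~ "^[A-Za-z0-9+/=_-]+$")
                print off, $0
        }'
}

# Constructed sample file: binary padding, ordinary text, one 16-character
# key-like constant, and one longer string that must not be reported.
make_sample() {
    {
        printf '\001\002\003\004'
        printf 'usage: demo [options]'
        printf '\000'
        printf 'A1b2C3d4E5f6G7h8'
        printf '\000\001\002'
        printf 'A1b2C3d4E5f6G7h8A1b2C3d4'
        printf '\000'
    } > "$1"
}

# Usage: make_sample /tmp/sample.bin && key_candidates /tmp/sample.bin
# prints: 1a A1b2C3d4E5f6G7h8
```

A hit is only a candidate: confirm it against the source or build configuration before treating it as a leaked secret.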

strip

Purpose: reduce executable size after testing; also hinders reverse engineering.

readelf

GNU tool to display ELF file information. Common options: -a (all info), -h (header), -l (program headers), -S (section details), -s (symbol table), -n (notes), -r (relocations), -u (unwind info), -d (dynamic section).

objdump

objdump -S <exe>

Shows source code intermixed with the disassembly when the binary was compiled with -g.

addr2line

Maps crash addresses to source lines when binaries contain debug symbols.

addr2line -e <exe> <addr>

Options: -a (show address), -b (binary format), -C (demangle C++), -e (executable), -f (function name), -s (basename), -i (inlines), -j (relative offsets), -p (one line per address).

03 Runtime Details

Typical debugging steps: determine time spent in user vs kernel mode, use gprof for user‑mode profiling, use strace for kernel‑mode tracing, etc.

ldd

# ldd /bin/ls
linux-gate.so.1 => (0xbfffe000)
librt.so.1 => /lib/librt.so.1 (0xb7f0a000)
libacl.so.1 => /lib/libacl.so.1 (0xb7f04000)
libc.so.6 => /lib/libc.so.6 (0xb7dc3000)
libpthread.so.0 => /lib/libpthread.so.0 (0xb7dab000)
/lib/ld-linux.so.2 (0xb7f1d000)
libattr.so.1 => /lib/libattr.so.1 (0xb7da6000)

Shows required library, actual library used, and load address.

strace

Default output to stderr. Common options: -p <pid> (attach), -c (summary), -T (timing), -t/-tt/-ttt (time format), -f/-F (follow forks), -o <file> (output file), -e expr (filter).

ltrace

Similar options to strace for tracing library calls.

time

# time ps aux | grep 'hi'
real 0m0.009s
user 0m0.000s
sys 0m0.004s

Only traces the parent process; does not follow forks.

gprof

Compile with the -pg flag; running the program then generates gmon.out, which is analyzed with gprof:

gcc -pg -o exec exec.c
./exec   # generates gmon.out
gprof exec gmon.out > profile.txt

Program must exit normally for accurate results.

valgrind

Detect heap memory errors; usage example:

valgrind --tool=memcheck --leak-check=full ./test

Only checks heap memory; may slow execution significantly.

mtrace

Uses glibc tracing of malloc/free to find leaks.

# mtrace test1 memleak.log

Shows allocations without corresponding free.

04 Other

proc filesystem

Pseudo‑filesystem exposing kernel and process information (e.g., /proc/cpuinfo, /proc/meminfo, /proc/<pid>/status, /proc/<pid>/fd, etc.).

System logs

Typical log files under /var/log: messages, auth.log, boot.log, daemon.log, lastlog, user.log, cron, wtmp, faillog.

Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.