Information: The I Module
The Information (i) Module displays information about the binary. We extensively use this module when performing static analysis.
We will collect the following information using this module:
- Binary Compilation Information
- Imports and Exports
- Security Protections
- Symbols and Strings
These pieces are instrumental to understanding the binary, the underlying source code, and the protections in place.
Outside Radare2
The Information Module has identical functionality to the rabin2 library. More information on rabin2 can be found here.
The Help Page
[0x00000000]> i? Usage: i Get info from opened file (see rabin2's manpage) Output mode: | '*' output in radare commands | 'j' output in json | 'q' simple quiet output Actions: | i|ij show info of current file (in JSON) | iA list archs | ia show all info (imports, exports, sections..) | ib reload the current buffer for setting of the bin (use once only) | ic List classes, methods and fields (icj for json) | ic. show class and method name in current seek | ic-[klass.method] delete given klass or klass.name | ic+[klass.method] add new symbol in current seek for a given klass and method name | icc List classes, methods and fields in Header Format | icg [str] List classes as agn/age commands to create class hierarchy graphs (matches str if provided) | icq List classes, in quiet mode (just the classname) | icqq List classes, in quieter mode (only show non-system classnames) | icl Show addresses of class and it methods, without names | ics Show class symbols in an easy to parse format | iC[j] show signature info (entitlements, ...) | id[?] show DWARF source lines information | iD lang sym demangle symbolname for given language | ie entrypoint | iee show Entry and Exit (preinit, init and fini) | iE exports (global symbols) | iE,[table-query] exported symbols using the table query | iE. current export | ih headers (alias for iH) | iHH verbose Headers in raw text | ii[?][cj*,] imports | iI binary info | ik [query] key-value database from RBinObject | il libraries | iL [plugin] list all RBin plugins loaded or plugin details | im show info about predefined memory allocation | iM show main address | io [file] load info from file (or last opened) use bin.baddr | iO[?] perform binary operation (dump, resize, change sections, ...) | ir list the Relocations | iR list the Resources | is list the Symbols | is,[table-query] list symbols in table using given expression | is. current symbol | iS [entropy,sha1] sections (choose which hash algorithm to use) | iS. current section | iS,[table-query] list sections in table using given expression | iS= show ascii-art color bars with the section ranges | iSS list memory segments (maps with om) | it file hashes | iT file signature | iV display file version info | iw show try/catch blocks | iX display source files used (via dwarf) | iz[?][j] strings in data sections (in JSON/Base64) | iz* print flags and comments r2 commands for all the strings | izz search for Strings in the whole binary | izz* same as iz* but exposing the strings of the whole binary | izzz dump Strings from whole binary to r2 shell (for huge files) | iz- [addr] purge string via bin.str.purge | iZ guess size of binary program
Imports and Exports
Imports and exports are useful for understanding the function calls, external libraries imported, and the overall functionality of the binary.
Imports
Imports and exports are important for understanding the libraries imported into the binary and the externally visible and usable functions.
Function imports are essential for understanding the library functions used in the binary. This provides a massive hint into the functionality of the binary. Use ii to list the imports.
[0x00000000]> ii [Imports] nth vaddr bind type lib name ――――――――――――――――――――――――――――――――――――― 1 0x08049040 GLOBAL FUNC __libc_start_main 2 0x08049050 GLOBAL FUNC fflush 3 0x08049060 GLOBAL FUNC gets 4 0x08049070 GLOBAL FUNC puts 5 0x08049080 GLOBAL FUNC system 6 ---------- WEAK NOTYPE __gmon_start__ 7 ---------- GLOBAL OBJ stdout
Exports
Use iE to list the exports. This is useful for understanding the functions that are externally visible and usable. This is especially useful for understanding the functions that are called from other binaries.
[0x00000000]> iE [Exports] nth paddr vaddr bind type size lib name demangled ―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――― 8 0x00002004 0x0804a004 GLOBAL OBJ 4 _IO_stdin_used 19 0x000010e0 0x080490e0 GLOBAL FUNC 4 __x86.get_pc_thunk.bx 23 ---------- 0x0804c028 GLOBAL NOTYPE 0 _edata 24 0x00001258 0x08049258 GLOBAL FUNC 0 _fini 25 0x00003020 0x0804c020 GLOBAL NOTYPE 0 __data_start 29 0x00003024 0x0804c024 GLOBAL OBJ 0 __dso_handle 30 0x00002004 0x0804a004 GLOBAL OBJ 4 _IO_stdin_used 31 0x000011a6 0x080491a6 GLOBAL FUNC 73 win 32 ---------- 0x0804c02c GLOBAL NOTYPE 0 _end 33 0x000010d0 0x080490d0 GLOBAL FUNC 5 _dl_relocate_static_pie 34 0x00001090 0x08049090 GLOBAL FUNC 49 _start 35 0x00002000 0x0804a000 GLOBAL OBJ 4 _fp_hw 37 ---------- 0x0804c028 GLOBAL NOTYPE 0 __bss_start 38 0x0000123c 0x0804923c GLOBAL FUNC 24 main 39 0x00001254 0x08049254 GLOBAL FUNC 0 __x86.get_pc_thunk.ax 40 0x000011ef 0x080491ef GLOBAL FUNC 77 read_in 41 ---------- 0x0804c028 GLOBAL OBJ 0 __TMC_END__ 42 0x00001000 0x08049000 GLOBAL FUNC 0 _init
Checking Security
You can use iI to get the summary information about the binary, which includes the security features.
---tab iI ```nasm [0xf7f3c8a0]> iI arch x86 baddr 0x8048000 binsz 13864 bintype elf bits 32 canary false injprot false class ELF32 compiler GCC: (Ubuntu 11.3.0-1ubuntu1~22.04.1) 11.3.0 crypto false endian little havecode true intrp /lib/ld-linux.so.2 laddr 0x0 lang c linenum true lsyms true machine Intel 80386 nx false os linux pic false relocs true relro partial rpath NONE sanitize false static false stripped false subsys linux va true ``` ---tab rabin2 ```nasm $ rabin2 -I args arch x86 baddr 0x8048000 binsz 13864 bintype elf bits 32 canary false injprot false class ELF32 compiler GCC: (Ubuntu 11.3.0-1ubuntu1~22.04.1) 11.3.0 crypto false endian little havecode true intrp /lib/ld-linux.so.2 laddr 0x0 lang c linenum true lsyms true machine Intel 80386 nx false os linux pic false relocs true relro partial rpath NONE sanitize false static false stripped false subsys linux va true ```
The most important security features listed here are:
canarypic(andbaddrif PIE is enabled)nxrelrolang,endian,arch,bits, andos
Radare2 supports using pipes. Therefore, you can pipe the output to grep to summarize the output.
$ rabin2 -I args | grep -E "canary|pic|nx|relro" canary false nx false pic false relro partial
Symbols and Strings
Symbols and strings are vital information. Strings tell the story of the binary's functionality, and symbols are useful for understanding the variables and functions.
Strings
The iz submodule is responsible for finding strings. Based on the help pages for this submodule, we have the following options:
[0x0804923c]> iz? | iz[?][j] strings in data sections (in JSON/Base64) | iz* print flags and comments r2 commands for all the strings | izz search for Strings in the whole binary | izz* same as iz* but exposing the strings of the whole binary | izzz dump Strings from whole binary to r2 shell (for huge files) | iz- [addr] purge string via bin.str.purge
The most important two commands here are iz and izz. The other commands perform similar functions, but these two format strings in the most readable way.
---tab iz ```nasm [0x08049050]> iz [Strings] nth paddr vaddr len size section type string ――――――――――――――――――――――――――――――――――――――――――――――――――――――― 0 0x00002008 0x0804a008 9 10 .rodata ascii You lose! 1 0x00002012 0x0804a012 12 13 .rodata ascii cat flag.txt 2 0x0000201f 0x0804a01f 23 24 .rodata ascii Good luck winning here! ``` ---tab izz ```nasm [0x08049050]> izz [Strings] nth paddr vaddr len size section type string ――――――――――――――――――――――――――――――――――――――――――――――――――――――――――― 0 0x00000028 0x00000028 4 10 utf16le 4 \v( 1 0x00000136 0x00000136 4 5 ascii td8 2 0x00000176 0x00000176 4 5 ascii td\b/ 3 0x00000194 0x08048194 18 19 .interp ascii /lib/ld-linux.so.2 4 0x0000029d 0x0804829d 14 15 .dynstr ascii _IO_stdin_used 5 0x000002ac 0x080482ac 4 5 .dynstr ascii gets 6 0x000002b1 0x080482b1 6 7 .dynstr ascii stdout 7 0x000002b8 0x080482b8 17 18 .dynstr ascii __libc_start_main 8 0x000002ca 0x080482ca 4 5 .dynstr ascii puts 9 0x000002cf 0x080482cf 6 7 .dynstr ascii system 10 0x000002d6 0x080482d6 6 7 .dynstr ascii fflush 11 0x000002dd 0x080482dd 9 10 .dynstr ascii libc.so.6 12 0x000002e7 0x080482e7 9 10 .dynstr ascii GLIBC_2.0 13 0x000002f1 0x080482f1 10 11 .dynstr ascii GLIBC_2.34 14 0x000002fc 0x080482fc 14 15 .dynstr ascii __gmon_start__ 15 0x00002008 0x0804a008 9 10 .rodata ascii You lose! 16 0x00002012 0x0804a012 12 13 .rodata ascii cat flag.txt 17 0x0000201f 0x0804a01f 23 24 .rodata ascii Good luck winning here! 18 0x000020db 0x0804a0db 6 7 .eh_frame ascii ;*2$" 19 0x00003028 0x00000000 44 45 .comment ascii GCC: (Ubuntu 11.3.0-1ubuntu1~22.04.1) 11.3.0 20 0x00003309 0x00000001 6 7 .strtab ascii crt1.o 21 0x00003310 0x00000008 9 10 .strtab ascii __abi_tag 22 0x0000331a 0x00000012 10 11 .strtab ascii crtstuff.c 23 0x00003325 0x0000001d 20 21 .strtab ascii deregister_tm_clones 24 0x0000333a 0x00000032 21 22 .strtab ascii __do_global_dtors_aux 25 0x00003350 0x00000048 11 12 .strtab ascii completed.0 26 0x0000335c 0x00000054 38 39 .strtab ascii __do_global_dtors_aux_fini_array_entry 27 0x00003383 0x0000007b 11 12 .strtab ascii frame_dummy 28 0x0000338f 0x00000087 30 31 .strtab ascii __frame_dummy_init_array_entry 29 0x000033ae 0x000000a6 6 7 .strtab ascii args.c 30 0x000033b5 0x000000ad 13 14 .strtab ascii __FRAME_END__ 31 0x000033c3 0x000000bb 8 9 .strtab ascii _DYNAMIC 32 0x000033cc 0x000000c4 18 19 .strtab ascii __GNU_EH_FRAME_HDR 33 0x000033df 0x000000d7 21 22 .strtab ascii _GLOBAL_OFFSET_TABLE_ 34 0x000033f5 0x000000ed 28 29 .strtab ascii __libc_start_main@GLIBC_2.34 35 0x00003412 0x0000010a 21 22 .strtab ascii __x86.get_pc_thunk.bx 36 0x00003428 0x00000120 16 17 .strtab ascii fflush@GLIBC_2.0 37 0x00003439 0x00000131 14 15 .strtab ascii gets@GLIBC_2.0 38 0x00003448 0x00000140 6 7 .strtab ascii _edata 39 0x0000344f 0x00000147 5 6 .strtab ascii _fini 40 0x00003455 0x0000014d 12 13 .strtab ascii __data_start 41 0x00003462 0x0000015a 14 15 .strtab ascii puts@GLIBC_2.0 42 0x00003471 0x00000169 16 17 .strtab ascii system@GLIBC_2.0 43 0x00003482 0x0000017a 14 15 .strtab ascii __gmon_start__ 44 0x00003491 0x00000189 12 13 .strtab ascii __dso_handle 45 0x0000349e 0x00000196 14 15 .strtab ascii _IO_stdin_used 46 0x000034b1 0x000001a9 4 5 .strtab ascii _end 47 0x000034b6 0x000001ae 23 24 .strtab ascii _dl_relocate_static_pie 48 0x000034ce 0x000001c6 6 7 .strtab ascii _fp_hw 49 0x000034d5 0x000001cd 16 17 .strtab ascii stdout@GLIBC_2.0 50 0x000034e6 0x000001de 11 12 .strtab ascii __bss_start 51 0x000034f2 0x000001ea 4 5 .strtab ascii main 52 0x000034f7 0x000001ef 21 22 .strtab ascii __x86.get_pc_thunk.ax 53 0x0000350d 0x00000205 7 8 .strtab ascii read_in 54 0x00003515 0x0000020d 11 12 .strtab ascii __TMC_END__ 55 0x00003521 0x00000219 5 6 .strtab ascii _init 56 0x00003528 0x00000001 7 8 .shstrtab ascii .symtab 57 0x00003530 0x00000009 7 8 .shstrtab ascii .strtab 58 0x00003538 0x00000011 9 10 .shstrtab ascii .shstrtab 59 0x00003542 0x0000001b 7 8 .shstrtab ascii .interp 60 0x0000354a 0x00000023 18 19 .shstrtab ascii .note.gnu.build-id 61 0x0000355d 0x00000036 13 14 .shstrtab ascii .note.ABI-tag 62 0x0000356b 0x00000044 9 10 .shstrtab ascii .gnu.hash 63 0x00003575 0x0000004e 7 8 .shstrtab ascii .dynsym 64 0x0000357d 0x00000056 7 8 .shstrtab ascii .dynstr 65 0x00003585 0x0000005e 12 13 .shstrtab ascii .gnu.version 66 0x00003592 0x0000006b 14 15 .shstrtab ascii .gnu.version_r 67 0x000035a1 0x0000007a 8 9 .shstrtab ascii .rel.dyn 68 0x000035aa 0x00000083 8 9 .shstrtab ascii .rel.plt 69 0x000035b3 0x0000008c 5 6 .shstrtab ascii .init 70 0x000035b9 0x00000092 5 6 .shstrtab ascii .text 71 0x000035bf 0x00000098 5 6 .shstrtab ascii .fini 72 0x000035c5 0x0000009e 7 8 .shstrtab ascii .rodata 73 0x000035cd 0x000000a6 13 14 .shstrtab ascii .eh_frame_hdr 74 0x000035db 0x000000b4 9 10 .shstrtab ascii .eh_frame 75 0x000035e5 0x000000be 11 12 .shstrtab ascii .init_array 76 0x000035f1 0x000000ca 11 12 .shstrtab ascii .fini_array 77 0x000035fd 0x000000d6 8 9 .shstrtab ascii .dynamic 78 0x00003606 0x000000df 4 5 .shstrtab ascii .got 79 0x0000360b 0x000000e4 8 9 .shstrtab ascii .got.plt 80 0x00003614 0x000000ed 5 6 .shstrtab ascii .data 81 0x0000361a 0x000000f3 4 5 .shstrtab ascii .bss 82 0x0000361f 0x000000f8 8 9 .shstrtab ascii .comment ```
Symbols and Variables
Use the is command to list the available symbols.
[0x0804923c]> is [Symbols] nth paddr vaddr bind type size lib name demangled ――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――― 8 0x00002004 0x0804a004 GLOBAL OBJ 4 _IO_stdin_used 1 ---------- 0x00000000 LOCAL FILE 0 crt1.o 2 0x000001cc 0x080481cc LOCAL OBJ 32 __abi_tag 3 ---------- 0x00000000 LOCAL FILE 0 crtstuff.c 4 0x000010f0 0x080490f0 LOCAL FUNC 0 deregister_tm_clones 5 0x00001130 0x08049130 LOCAL FUNC 0 register_tm_clones 6 0x00001170 0x08049170 LOCAL FUNC 0 __do_global_dtors_aux 7 ---------- 0x0804c028 LOCAL OBJ 1 completed.0 8 0x00002f0c 0x0804bf0c LOCAL OBJ 0 __do_global_dtors_aux_fini_array_entry 9 0x000011a0 0x080491a0 LOCAL FUNC 0 frame_dummy 10 0x00002f08 0x0804bf08 LOCAL OBJ 0 __frame_dummy_init_array_entry 11 ---------- 0x00000000 LOCAL FILE 0 args.c 12 ---------- 0x00000000 LOCAL FILE 0 crtstuff.c 13 0x0000215c 0x0804a15c LOCAL OBJ 0 __FRAME_END__ 14 ---------- 0x00000000 LOCAL FILE 0 15 0x00002f10 0x0804bf10 LOCAL OBJ 0 _DYNAMIC 16 0x00002038 0x0804a038 LOCAL NOTYPE 0 __GNU_EH_FRAME_HDR 17 0x00003000 0x0804c000 LOCAL OBJ 0 _GLOBAL_OFFSET_TABLE_ 19 0x000010e0 0x080490e0 GLOBAL FUNC 4 __x86.get_pc_thunk.bx 20 0x00003020 0x0804c020 WEAK NOTYPE 0 data_start 23 ---------- 0x0804c028 GLOBAL NOTYPE 0 _edata 24 0x00001258 0x08049258 GLOBAL FUNC 0 _fini 25 0x00003020 0x0804c020 GLOBAL NOTYPE 0 __data_start 29 0x00003024 0x0804c024 GLOBAL OBJ 0 __dso_handle 30 0x00002004 0x0804a004 GLOBAL OBJ 4 _IO_stdin_used 31 0x000011a6 0x080491a6 GLOBAL FUNC 73 win 32 ---------- 0x0804c02c GLOBAL NOTYPE 0 _end 33 0x000010d0 0x080490d0 GLOBAL FUNC 5 _dl_relocate_static_pie 34 0x00001090 0x08049090 GLOBAL FUNC 49 _start 35 0x00002000 0x0804a000 GLOBAL OBJ 4 _fp_hw 37 ---------- 0x0804c028 GLOBAL NOTYPE 0 __bss_start 38 0x0000123c 0x0804923c GLOBAL FUNC 24 main 39 0x00001254 0x08049254 GLOBAL FUNC 0 __x86.get_pc_thunk.ax 40 0x000011ef 0x080491ef GLOBAL FUNC 77 read_in 41 ---------- 0x0804c028 GLOBAL OBJ 0 __TMC_END__ 42 0x00001000 0x08049000 GLOBAL FUNC 0 _init 1 0x00001040 0x08049040 GLOBAL FUNC 16 imp.__libc_start_main 2 0x00001050 0x08049050 GLOBAL FUNC 16 imp.fflush 3 0x00001060 0x08049060 GLOBAL FUNC 16 imp.gets 4 0x00001070 0x08049070 GLOBAL FUNC 16 imp.puts 5 0x00001080 0x08049080 GLOBAL FUNC 16 imp.system 6 ---------- ---------- WEAK NOTYPE 16 imp.__gmon_start__ 7 ---------- ---------- GLOBAL OBJ 16 imp.stdout
To get the list of variables, we need to filter for the objects in this list. We can do this using the ~ operator (the grep operator).
[0x0804923c]> is~OBJ 8 0x00002004 0x0804a004 GLOBAL OBJ 4 _IO_stdin_used 2 0x000001cc 0x080481cc LOCAL OBJ 32 __abi_tag 7 ---------- 0x0804c028 LOCAL OBJ 1 completed.0 8 0x00002f0c 0x0804bf0c LOCAL OBJ 0 __do_global_dtors_aux_fini_array_entry 10 0x00002f08 0x0804bf08 LOCAL OBJ 0 __frame_dummy_init_array_entry 13 0x0000215c 0x0804a15c LOCAL OBJ 0 __FRAME_END__ 15 0x00002f10 0x0804bf10 LOCAL OBJ 0 _DYNAMIC 17 0x00003000 0x0804c000 LOCAL OBJ 0 _GLOBAL_OFFSET_TABLE_ 29 0x00003024 0x0804c024 GLOBAL OBJ 0 __dso_handle 30 0x00002004 0x0804a004 GLOBAL OBJ 4 _IO_stdin_used 35 0x00002000 0x0804a000 GLOBAL OBJ 4 _fp_hw 41 ---------- 0x0804c028 GLOBAL OBJ 0 __TMC_END__ 7 ---------- ---------- GLOBAL OBJ 16 imp.stdout