The provenance of dynamically linked ELF binaries can be detected by creating fingerprints from information in the dynamic symbol table and comparing them to fingerprints created from the symbols of reference binaries, or from symbols extracted from source code. Fingerprints can be stored in a database or turned into rules for the YARA pattern matching tool.
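The comparison and rule-generation steps described above, as an added example that is not code from the disclosure itself. It assumes the symbol names have already been extracted from `.dynsym`; the library names, symbol sets, SHA-256 digest, Jaccard score and rule layout are all choices made for this illustration.

```python
import hashlib
import re

# Constructed sample data: symbol names as they might be listed from .dynsym
# (for example with `readelf --dyn-syms`). Library names are hypothetical.
REFERENCE = {
    "libexample-1.0": {"ex_init", "ex_open", "ex_read", "ex_close"},
    "libexample-2.0": {"ex_init", "ex_open", "ex_read", "ex_close",
                       "ex_open_ex", "ex_set_option"},
}
UNKNOWN = {"ex_init", "ex_open", "ex_read", "ex_close", "ex_open_ex"}


def fingerprint(symbols):
    """Order-independent SHA-256 over the symbol names (exact-match key)."""
    return hashlib.sha256("\n".join(sorted(symbols)).encode()).hexdigest()


def jaccard(a, b):
    """Set overlap in [0, 1]; tolerates added or stripped symbols."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def best_match(symbols, reference):
    """Return (reference name, score); a digest hit short-circuits to 1.0."""
    digests = {fingerprint(ref): name for name, ref in reference.items()}
    if fingerprint(symbols) in digests:
        return digests[fingerprint(symbols)], 1.0
    score, name = max((jaccard(symbols, ref), name)
                      for name, ref in reference.items())
    return name, score


def yara_rule(name, reference, min_hits=2):
    """Build a YARA rule from symbols that only `name` has among the references.
    Returns None when the reference has no distinguishing symbol."""
    others = set().union(*(s for n, s in reference.items() if n != name))
    unique = sorted(reference[name] - others)
    if not unique:
        return None
    strings = "\n".join(f'        $s{i} = "{s}" fullword ascii'
                        for i, s in enumerate(unique))
    ident = "elf_" + re.sub(r"\W", "_", name)
    # uint32(0) == 0x464c457f checks the ELF magic (\x7fELF, little-endian read).
    return (f"rule {ident}\n{{\n    strings:\n{strings}\n    condition:\n"
            f"        uint32(0) == 0x464c457f and "
            f"{min(min_hits, len(unique))} of them\n}}\n")


if __name__ == "__main__":
    print(best_match(UNKNOWN, REFERENCE))
    print(yara_rule("libexample-2.0", REFERENCE))
```

A reference whose symbols are a subset of another version's yields no rule here, which is why the set-overlap score is kept alongside the YARA output.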
This work is licensed under a Creative Commons Attribution 4.0 License.
Hemel, Armijn, "Using ELF symbols extracted from dynamically linked ELF binaries for fingerprinting", Technical Disclosure Commons, (July 11, 2021)