Info

rabin2 extracts general information about a binary, such as its compile timestamp and whether it has an overlay or canary protection; inside r2 the same information is printed by the iI command. The complete list of values exposed under r2.info is:

  • havecode (integer)
  • pic (integer)
  • canary (integer)
  • nx (integer)
  • crypto (integer)
  • va (integer)
  • intrp (string)
  • bintype (string)
  • class (string)
  • lang (string)
  • arch (string)
  • bits (integer)
  • machine (integer)
  • os (string)
  • minopsz (integer)
  • maxopsz (integer)
  • pcalign (integer)
  • subsys (string)
  • endian (string)
  • stripped (integer)
  • static (integer)
  • linenum (integer)
  • lsyms (integer)
  • relocs (integer)
  • binsz (integer)
  • rpath (string)
  • compiled (string)
  • dbg_file (string)
  • guid (string)

Almost all the parameters are self-descriptive, so an example is enough to understand them:

import "r2"

rule rule_info
{
condition:
    r2.info.havecode == 1 and
    r2.info.pic == 0 and
    r2.info.canary == 1 and
    r2.info.nx == 1 and
    r2.info.crypto == 0 and
    r2.info.va == 1 and
    r2.info.intrp contains "linux-x86" and
    r2.info.bintype == "elf" and
    r2.info.class contains "ELF64" and
    r2.info.lang == "c" and
    r2.info.arch == "x86" and
    r2.info.bits == 64 and
    r2.info.machine == "AMD x86-64 architecture" and
    r2.info.os == "linux" and
    r2.info.minopsz == 1 and
    r2.info.maxopsz == 16 and
    r2.info.pcalign == 0 and
    r2.info.subsys == "linux" and
    r2.info.endian == "little" and
    r2.info.stripped == 1 and
    r2.info.static == 0 and
    r2.info.linenum == 0 and
    r2.info.lsyms == 0 and
    r2.info.relocs == 0 and
    r2.info.binsz > 100000 and
    r2.info.rpath == "NONE" and
    r2.info.compiled != "Sat Sep 9 11:32:42 2006" and
    // YARA has no infix "not contains"; negate the contains expression instead
    not (r2.info.dbg_file contains "test") and
    r2.info.guid == ""
}
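To dry-run conditions like the ones above against rabin2 output without a YARA build that carries the r2 module, here is an added Python helper (not part of this page or of the r2 module) that normalises `rabin2 -Ij` JSON into the integer/string values r2.info exposes and reports which conditions of a rule fail. The JSON sample is constructed, and the assumption that rabin2's keys match the r2.info names and that flag fields are JSON booleans is mine.

```python
import json
import operator

# Constructed sample modelled on `rabin2 -Ij` output for a stripped PIE
# x86-64 ELF (assumption: keys match the r2.info names, flags are booleans).
# Not captured from a real binary.
SAMPLE_RABIN2_JSON = """{
  "arch": "x86", "binsz": 123456, "bintype": "elf", "bits": 64,
  "canary": true, "class": "ELF64", "compiled": "", "crypto": false,
  "dbg_file": "", "endian": "little", "guid": "", "havecode": true,
  "intrp": "/lib64/ld-linux-x86-64.so.2", "lang": "c", "linenum": false,
  "lsyms": false, "machine": "AMD x86-64 architecture", "maxopsz": 16,
  "minopsz": 1, "nx": true, "os": "linux", "pcalign": 0, "pic": true,
  "relocs": false, "rpath": "NONE", "static": false, "stripped": true,
  "subsys": "linux", "va": true
}"""

# A subset of rule_info's conditions as (field, operator, expected) triples.
RULE_INFO = [
    ("havecode", "==", 1), ("pic", "==", 0), ("canary", "==", 1),
    ("nx", "==", 1), ("crypto", "==", 0), ("va", "==", 1),
    ("intrp", "contains", "linux-x86"), ("bintype", "==", "elf"),
    ("class", "contains", "ELF64"), ("arch", "==", "x86"),
    ("bits", "==", 64), ("endian", "==", "little"),
    ("stripped", "==", 1), ("static", "==", 0),
    ("binsz", ">", 100000), ("rpath", "==", "NONE"),
    ("compiled", "!=", "Sat Sep 9 11:32:42 2006"),
    ("dbg_file", "not contains", "test"), ("guid", "==", ""),
]

OPS = {
    "==": operator.eq, "!=": operator.ne, ">": operator.gt,
    "contains": lambda a, b: b in a,
    "not contains": lambda a, b: b not in a,
}

def load_info(raw_json):
    """Parse rabin2 -Ij output. r2.info exposes flags as integers, so JSON
    booleans are normalised to 0/1 before any comparison."""
    return {k: (int(v) if isinstance(v, bool) else v)
            for k, v in json.loads(raw_json).items()}

def failing_conditions(info, conditions=RULE_INFO):
    """Return (field, op, expected, actual) for every condition that does
    not hold; useful when a rule unexpectedly fails to match a sample."""
    return [(f, op, exp, info[f])
            for f, op, exp in conditions if not OPS[op](info[f], exp)]

if __name__ == "__main__":
    for f, op, exp, actual in failing_conditions(load_info(SAMPLE_RABIN2_JSON)):
        print(f"{f} {op} {exp!r} fails: actual value {actual!r}")
```

On the constructed sample only the pic condition fails, because the sample is a PIE binary while the rule requires pic == 0.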