The Examiner is a forensic tool to disassemble binary executables.
Version:The Examiner is an application that utilizes the objdump command to disassemble and comment foreign executable binaries. This app was designed to analyze static compiled binaries but works ok with others. The intention is for forensic research but could also be used in general reverse engineering.
Operating System: Linux
This program can only handle basic dissassembly. If the binary has been modified to resist debugging then the Examinier probably will not be able to analyze the code. Also the Examiner will not analyze live running code. This can be a good thing but if you need to look at code when it runs or deal with complicated disassembly you should probably use Fenris.
Here are some key features of "The Examiner":
· Automates objdump usage
· Can generate cross-reference files of functions, interrupts and other useful things
· Locates functions within the binary
· Understands the stack and comments on its state
· Can parse and understand the contents of the .rodata section
· Cross references .rodata calls and comments on them
· Locates .data pointer references to .rodata
· Provides an easy to read CALL syntax for comments
· Understands and looks up interrupts calls
· Utilizes Linux source headers to determine function names based on what interrupt is called
· Can differentiate all of the socketcall functions
· Can comment on some C like constants for function calls
· Separates functions based on ret calls
· Can recognize and attempts to decode UPX compressed binaries
· Works with TCT and Fenris dress utility
· Can detect crippled ELF executables and burneye executables
· Recognizes symbols and will cross-reference dynamic libraries
What's New in This Release:
· Has rudementary detection of burneye via 7350 sig.
· Can detect crippled ELF header files (optionally uncripple)
· Added a TUTORIAL file
· Modified default working dir to $HOMEexaminer-data
· Can cross-reference .data pointers to .rodata sections
· Now records pushl calls
· Fixed '-H' to dump headers instead of -R
· Added '-o' to specify an output file or STDOUT with '-'
· Added '-c' to specify a comment character
· Added a new util 'xhierarchy' to print function call hierarchy