The Examiner is a binary forensic tool that disassembles executable files.
It's important to note that The Examiner is only equipped to handle basic disassembly. If the binary has been altered to resist debugging, then The Examiner may not be able to analyze the code. Additionally, The Examiner is not capable of analyzing live running code. In such cases, it's best to use Fenris instead.
The following are some of the fantastic features of The Examiner that make it an exceptional application:
- Automates objdump usage
- Can generate cross-reference files of functions, interrupts, and other useful details
- Identifies functions within the binary
- Understands the stack and comments on its state
- Can parse and understand the contents of the .rodata section
- Cross-references .rodata calls and comments on them
- Locates .data pointer references to .rodata
- Provides an easy-to-read CALL syntax for comments
- Understands and looks up interrupt calls
- Utilizes Linux source headers to determine the function name for each interrupt that is called
- Can differentiate all of the socketcall functions
- Can comment on some C-like constants for function calls
- Separates functions based on RET instructions
- Can recognize and attempt to decode UPX compressed binaries
- Works with TCT and the Fenris dress utility
- Can detect crippled ELF executables and burneye executables
- Recognizes symbols and will cross-reference dynamic libraries
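To illustrate the interrupt lookup, socketcall differentiation and RET-based function splitting listed above, here is a small Python script written for this page (it is not code from The Examiner). It walks a constructed objdump -d listing, resolves each int $0x80 from the last immediate loaded into %eax (and %ebx for socketcall), and splits functions at every ret; the syscall and socketcall tables are hand-picked subsets, not the full headers.

```python
import re
# Constructed subsets of the i386 syscall numbers (asm/unistd_32.h) and the
# socketcall multiplexer's sub-call numbers (linux/net.h); extend as needed.
SYSCALLS = {1: "exit", 3: "read", 4: "write", 5: "open", 6: "close",
            11: "execve", 102: "socketcall"}
SOCKETCALLS = {1: "socket", 2: "bind", 3: "connect", 4: "listen",
               5: "accept", 9: "send", 10: "recv"}
INSN = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2} )+\s*(.*)$")
MOV_IMM = re.compile(r"^mov \$0x([0-9a-f]+),%(eax|ebx)\b")

def annotate(listing):
    """Return (lines, functions): the objdump -d listing with '; CALL name' on
    every int $0x80, and (start, end) address pairs split at each ret."""
    regs, lines, functions, start = {}, [], [], None
    for raw in listing.splitlines():
        m = INSN.match(raw)
        if not m:                       # symbol headers pass through untouched
            lines.append(raw)
            continue
        addr, insn = int(m.group(1), 16), " ".join(m.group(2).split())
        start = addr if start is None else start
        mv = MOV_IMM.match(insn)
        if mv:                          # remember the last immediate per register
            regs[mv.group(2)] = int(mv.group(1), 16)
        if insn == "int $0x80":
            nr = regs.get("eax")
            name = SYSCALLS.get(nr, "sys_%s" % nr)
            if nr == 102:               # socketcall: sub-call selected by %ebx
                name += "(%s)" % SOCKETCALLS.get(regs.get("ebx"), "?")
            insn += "   ; CALL " + name
        lines.append("%x: %s" % (addr, insn))
        if insn == "ret":               # a ret closes the current function
            functions.append((start, addr))
            start, regs = None, {}      # register state does not cross a ret
    return lines, functions

# Constructed listing: write(1, ...), then connect() via socketcall and exit().
SAMPLE = """\
08048080 <_start>:
 8048080:\tb8 04 00 00 00       \tmov    $0x4,%eax
 8048085:\tbb 01 00 00 00       \tmov    $0x1,%ebx
 804808a:\tcd 80                \tint    $0x80
 804808c:\tc3                   \tret
 804808d:\tb8 66 00 00 00       \tmov    $0x66,%eax
 8048092:\tbb 03 00 00 00       \tmov    $0x3,%ebx
 8048097:\tcd 80                \tint    $0x80
 8048099:\tb8 01 00 00 00       \tmov    $0x1,%eax
 804809e:\tcd 80                \tint    $0x80
 80480a0:\tc3                   \tret
"""
```

Running `annotate(SAMPLE)` yields two functions (0x8048080-0x804808c and 0x804808d-0x80480a0) and comments the three interrupts as write, socketcall(connect) and exit.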
In the latest release, which comes with amazing new features, The Examiner can now detect burneye via its 7350 signature. It can identify crippled ELF headers and optionally uncripple them as well. The program now comes with a TUTORIAL file, and the default working directory has been changed. The release also enables The Examiner to cross-reference .data pointers to .rodata sections and to record pushl calls. Additionally, the "-H" option has been fixed so that it dumps headers instead of "-R", and the new "-o" option allows an output file to be specified, or "-" for STDOUT. Lastly, a new utility dubbed 'xhierarchy' has been added to print the function call hierarchy.
In conclusion, The Examiner is an incredible software application, perfect for those looking to perform static analysis of compiled binaries effectively. With its robust features, it is a program that every forensic researcher dealing with reverse engineering must have.