Academic Underground: The Examiner

Current Version: 0.5

Intro
The Examiner is an application that utilizes the objdump command to disassemble and comment foreign executable binaries. This app was designed to analyze static compiled binaries but works ok with others. The intention is for forensic research but could also be used in general reverse engineering.

This program can only handle basic dissassembly. If the binary has been modified to resist debugging then the Examinier probably will not be able to analyze the code. Also the Examiner will not analyze live running code. This can be a good thing but if you need to look at code when it runs or deal with complicated disassembly you should probably use Fenris.

I would like to support many other options and platforms still. This app is still in it's early stages so bare with me. My ultimate goal is to be able to get output similar to strace without executing the binary in question. At the same time create a template file that can be read and further edited. Suggestions are always welcome.

Craig Smith

Sample
Here is a section of output:

#CALL CHDIR_FUNCT("/")
 8048211:       e8 1e ef 00 00          call   0x8057134
 8048216:       6a 00                   push   $0x0
 #CALL CLOSE_FUNCT(STDIN)
 8048218:       e8 43 ef 00 00          call   0x8057160
 804821d:       6a 01                   push   $0x1
 #CALL CLOSE_FUNCT(STDOUT)
 804821f:       e8 3c ef 00 00          call   0x8057160
 8048224:       6a 02                   push   $0x2
 #CALL CLOSE_FUNCT(STDERR)
 8048226:       e8 35 ef 00 00          call   0x8057160

Here is an example of what a UPXinfo file looks like:

UPX information for ping.rootkit
====================================
Compressed with UPX v1.11
Version: 11
Format: LINUX i386
--- [ Info from the tailend ] ---
Version: 11 (Should be same as above)
Format: LINUX i386 (Should be same as above)
Method Used: NRV2B_LE32
Level of Compresion: 10

Here is an example of xhierarchy

##
## Hierarchy of hackedelf.dump.commented
##
.TEXT_FUNCT
+ __LIBC_START_MAIN_FUNCT(80489e0,SI,CX,80486e4,8048dcc,DX,SP,AX)
+ _START_MAIN_FUNCT()
|+ FUNCTION40("/lib/security/. ...","[login]","ping",BX,SI,BP,BP)
||+ FOPEN_FUNCT(8,"r")
||+ TIME_FUNCT(0)
||+ SRAND_FUNCT(DX)

Summary of features

Automates objdump usage
Can generate cross-reference files of functions, interrupts and other useful things
Locates functions within the binary
Understands the stack and comments on its state
Can parse and understand the contents of the .rodata section
Cross references .rodata calls and comments on them
Locates .data pointer references to .rodata
Provides an easy to read CALL syntax for comments
Understands and looks up interrupts calls
Utilizes Linux source headers to determine function names based on what interrupt is called
Can differentiate all of the socketcall functions
Can comment on some C like constants for function calls
Separates functions based on ret calls
Can recognize and attempts to decode UPX compressed binaries
Works with TCT and Fenris dress utility
Can detect crippled ELF executables and burneye executables
Recognizes symbols and will cross-reference dynamic libraries

Supported Platforms
The app is written in perl but it currently only disassembles the following binaries:

Linux ELF i386 - (Actually it will do any ELF but this is the testing platform)
FreeBSD i386 - (Not fully tested but seems to be working)
OpenBSD/NetBSD - Will run but still does a poor job of commenting

The app will also take advantage of the Linux source and include files if running from a Linux based system

Download
Examiner v0.5
CHANGELOG
Tutorial on Examiner
Man Page