Current Version: 0.5
Intro
The Examiner is an application that uses the objdump command
to disassemble and comment foreign executable binaries. It was
designed to analyze statically compiled binaries but works acceptably
with others. It is intended for forensic analysis but can also be used
for general reverse engineering.
This program can only handle basic disassembly. If the binary has been
modified to resist debugging, the Examiner will probably not be able
to analyze the code. The Examiner also does not analyze live, running code.
This can be a good thing, since nothing from the suspect binary is ever
executed, but if you need to look at code as it runs or deal with
complicated disassembly you should probably use
Fenris.
I would still like to support many other options and platforms. This
app is in its early stages, so bear with me. My ultimate
goal is output similar to strace's, obtained without executing
the binary in question, and at the same time a template file that
can be read and further edited. Suggestions are
always welcome.
Craig Smith
Sample
Here is a section of output:
#CALL CHDIR_FUNCT("/")
8048211: e8 1e ef 00 00 call 0x8057134
8048216: 6a 00 push $0x0
#CALL CLOSE_FUNCT(STDIN)
8048218: e8 43 ef 00 00 call 0x8057160
804821d: 6a 01 push $0x1
#CALL CLOSE_FUNCT(STDOUT)
804821f: e8 3c ef 00 00 call 0x8057160
8048224: 6a 02 push $0x2
#CALL CLOSE_FUNCT(STDERR)
8048226: e8 35 ef 00 00 call 0x8057160
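The #CALL comments above come from tracking what is pushed before each call: on i386 cdecl the last push is the first argument, a pushed address that lands in .rodata is printed as the string found there, and a small immediate passed to a known function is printed as its C constant (close(0) becomes STDIN). As an added example (Python, not the Examiner's own Perl code), here is that stack model run over a constructed objdump-style listing. The function names, argument counts, .rodata strings and constant names are hypothetical lookup tables standing in for what the Examiner recovers from the binary itself.

```python
import re

# Constructed objdump -d style listing standing in for a static ELF i386 binary.
# Addresses, bytes and targets are made up, but the rel32 displacements of the
# call instructions do match their targets, so the listing is self-consistent.
DUMP = """\
 8048210: 68 e0 84 04 08       push   $0x80484e0
 8048215: e8 1a ef 00 00       call   0x8057134
 804821a: 6a 00                push   $0x0
 804821c: e8 3f ef 00 00       call   0x8057160
 8048221: 6a 01                push   $0x1
 8048223: e8 38 ef 00 00       call   0x8057160
 8048228: 68 e2 84 04 08       push   $0x80484e2
 804822d: 68 e4 84 04 08       push   $0x80484e4
 8048232: e8 c9 ee 00 00       call   0x8057100
 8048237: 83 c4 08             add    $0x8,%esp
 804823a: c3                   ret
"""

# Hypothetical lookup tables.  The Examiner derives this information from the
# binary itself (located functions, the .rodata section); here it is hard-coded.
FUNCS = {                      # call target -> (comment name, number of arguments)
    0x8057134: ("CHDIR_FUNCT", 1),
    0x8057160: ("CLOSE_FUNCT", 1),
    0x8057100: ("FOPEN_FUNCT", 2),
}
RODATA = {                     # .rodata address -> NUL-terminated string found there
    0x80484e0: "/",
    0x80484e2: "r",
    0x80484e4: "/etc/passwd",
}
CONSTS = {                     # (function, argument index) -> C-like constant names
    ("CLOSE_FUNCT", 0): {0: "STDIN", 1: "STDOUT", 2: "STDERR"},
}

INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s+)+)(\S+)\s*(.*?)\s*$")


def parse_operand(op):
    """An immediate ($0x..) becomes an int; a register (%reg) becomes its name."""
    if op.startswith("$"):
        return int(op[1:], 16)
    if op.startswith("%"):
        return op[1:].upper()
    return op


def render_arg(func, index, value):
    """Text for one argument: .rodata string, named constant, hex, or register."""
    if isinstance(value, int):
        if value in RODATA:
            return '"%s"' % RODATA[value]
        return CONSTS.get((func, index), {}).get(value, "0x%x" % value)
    return value               # register: the value is not known statically


def annotate(dump):
    """Insert a #CALL comment before every call, as in the sample output."""
    out, stack = [], []        # stack: one entry per push, most recent last
    for line in dump.splitlines():
        m = INSN_RE.match(line)
        if not m:
            out.append(line)   # labels, blank lines: pass through untouched
            continue
        mnemonic, operands = m.group(3), m.group(4)
        if mnemonic == "push":
            stack.append(parse_operand(operands))
        elif mnemonic == "pop" and stack:
            stack.pop()
        elif mnemonic == "add" and operands.endswith(",%esp"):
            # caller cleanup after a cdecl call: drop N/4 dwords from the model
            n = int(operands.split(",")[0][1:], 16) // 4
            del stack[max(0, len(stack) - n):]
        elif mnemonic == "call":
            target = operands.split()[0]
            if target.startswith("*"):
                out.append("#CALL %s()" % target)     # indirect call: target unknown
            else:
                addr = int(target, 16)                # "0x8057134" or "8057134 <sym>"
                name, nargs = FUNCS.get(addr, ("FUNCTION_%x" % addr, 0))
                # cdecl pushes right to left, so the top of the stack is argument 0
                args = [render_arg(name, i, stack[-1 - i])
                        for i in range(min(nargs, len(stack)))]
                out.append("#CALL %s(%s)" % (name, ",".join(args)))
        elif mnemonic == "ret":
            stack = []         # ret ends the function: start a fresh stack model
        out.append(line)
    return out


def call_comments(dump):
    """Only the generated #CALL lines, in program order."""
    return [l for l in annotate(dump) if l.startswith("#CALL")]


if __name__ == "__main__":
    print("\n".join(annotate(DUMP)))
```

Running it prints the listing with the four comments CHDIR_FUNCT("/"), CLOSE_FUNCT(STDIN), CLOSE_FUNCT(STDOUT) and FOPEN_FUNCT("/etc/passwd","r") inserted above their calls. The model is deliberately simple: a register argument is reported by name rather than resolved, an indirect call gets no argument list, and the stack is reset at every ret, which is the same function boundary rule the Examiner uses.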
Here is an example of what a UPXinfo file looks like:
UPX information for ping.rootkit
====================================
Compressed with UPX v1.11
Version: 11
Format: LINUX i386
--- [ Info from the tailend ] ---
Version: 11 (Should be same as above)
Format: LINUX i386 (Should be same as above)
Method Used: NRV2B_LE32
Level of Compresion: 10
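A UPX-packed file carries two copies of this information: a small l_info header near the front (magic, loader size, version, format) and a 32-byte PackHeader at the tail (version, format, method, level, adler checksums, sizes, filter bytes and a one-byte header checksum). As an added example (Python, not the Examiner's code), here is a parser that produces a report in the same shape, does the "should be same as above" comparison for you, and verifies the header checksum, which is the check you want when a header has been hand-edited. The field layout, the format and method numbering and the checksum rule are from my memory of the UPX source (conf.h and packhdr.cpp) and should be verified against it; the sample file is constructed, not a real packed binary.

```python
import re
import struct

MAGIC = b"UPX!"
# Numbering from UPX's conf.h as I remember it: treat these tables as an
# assumption and check them against the UPX source before relying on them.
METHODS = {2: "NRV2B_LE32", 5: "NRV2D_LE32", 8: "NRV2E_LE32", 14: "LZMA"}
FORMATS = {10: "LINUX i386", 12: "LINUX ELF i386", 14: "LINUX SH i386"}
PH_KEYS = ("version", "format", "method", "level", "u_adler", "c_adler",
           "u_len", "c_len", "u_file_size", "filter", "filter_cto", "n_mru", "checksum")


def pack_header_checksum(hdr):
    """UPX's header checksum as I remember it: bytes 4..30 summed, mod 251."""
    return sum(hdr[4:31]) % 251


def parse_front(data):
    """l_info at the first magic: [l_checksum:4]['UPX!':4][lsize:2][version:1][format:1]."""
    i = data.find(MAGIC)
    if i < 0 or i + 8 > len(data):
        raise ValueError("no UPX l_info header found")
    lsize, version, fmt = struct.unpack_from("<HBB", data, i + 4)
    return {"lsize": lsize, "version": version, "format": fmt}


def parse_tail(data):
    """32-byte PackHeader at the last magic (normally the very end of the file):
    ['UPX!'][ver][fmt][method][level][u_adler][c_adler][u_len][c_len][u_file_size]
    [filter][filter_cto][n_mru][checksum]."""
    i = data.rfind(MAGIC)
    if i < 0 or i + 32 > len(data):
        raise ValueError("no UPX PackHeader found")
    hdr = data[i:i + 32]
    info = dict(zip(PH_KEYS, struct.unpack_from("<BBBBIIIIIBBBB", hdr, 4)))
    info["checksum_ok"] = info["checksum"] == pack_header_checksum(hdr)
    return info


def upx_info(name, data):
    """Report in the shape of the Examiner's UPXinfo file, plus a list of the
    inconsistencies a tampered or mislabelled header shows up as."""
    front, tail = parse_front(data), parse_tail(data)
    problems = []
    if tail["version"] != front["version"]:
        problems.append("version differs: front %d, tail %d" % (front["version"], tail["version"]))
    if tail["format"] != front["format"]:
        problems.append("format differs: front %d, tail %d" % (front["format"], tail["format"]))
    if not tail["checksum_ok"]:
        problems.append("PackHeader checksum does not verify (edited header, or not UPX at all)")

    def fmt_name(f):
        return FORMATS.get(f, "unknown (%d)" % f)
    m = re.search(rb"UPX (\d+\.\d+)", data)      # packer's $Id: banner, if present
    lines = ["UPX information for %s" % name, "=" * 36]
    if m:
        lines.append("Compressed with UPX v%s" % m.group(1).decode())
    lines += [
        "Version: %d" % front["version"],
        "Format: %s" % fmt_name(front["format"]),
        "--- [ Info from the tail end ] ---",
        "Version: %d" % tail["version"],
        "Format: %s" % fmt_name(tail["format"]),
        "Method Used: %s" % METHODS.get(tail["method"], "unknown (%d)" % tail["method"]),
        "Level of Compression: %d" % tail["level"],
        "Sizes: %d packed -> %d unpacked, original file %d" % (tail["c_len"], tail["u_len"], tail["u_file_size"]),
    ]
    lines += ["PROBLEM: " + p for p in problems]
    return lines, problems


def build_sample(front_version=11, tail_version=11, fmt=10, method=2, level=10, corrupt=False):
    """Constructed stand-in for a UPX-packed binary; not a real packed file."""
    l_info = b"\0\0\0\0" + MAGIC + struct.pack("<HBB", 0x1000, front_version, fmt)
    body = b"\x7fELF" + b"\0" * 60 + l_info + b"$Id: UPX 1.11 $" + b"\xaa" * 200
    ph = MAGIC + struct.pack("<BBBBIIIIIBBB", tail_version, fmt, method, level,
                             0x11111111, 0x22222222, 40000, 16000, 40000, 0x46, 0, 0)
    chk = pack_header_checksum(ph + b"\0")
    ph += bytes([(chk + 1) % 256 if corrupt else chk])
    return body + ph


if __name__ == "__main__":
    print("\n".join(upx_info("ping.rootkit", build_sample())[0]))
```

On a real file, read it in binary mode and pass the bytes to upx_info(). A version or format that differs between the two headers, or a checksum that does not verify, means someone has been at the headers (or the file only looks like UPX), which is exactly the situation a forensic examiner should not try to unpack blindly.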
Here is an example of xhierarchy output:
##
## Hierarchy of hackedelf.dump.commented
##
.TEXT_FUNCT
+ __LIBC_START_MAIN_FUNCT(80489e0,SI,CX,80486e4,8048dcc,DX,SP,AX)
+ _START_MAIN_FUNCT()
|+ FUNCTION40("/lib/security/. ...","[login]","ping",BX,SI,BP,BP)
||+ FOPEN_FUNCT(8,"r")
||+ TIME_FUNCT(0)
||+ SRAND_FUNCT(DX)
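The hierarchy is a walk over the #CALL comments grouped by function: a call to a function that exists in the binary is expanded one level deeper (one more bar), while a call to a library routine is a leaf printed with its arguments. As an added example (Python, not the Examiner's code), here is that walk run over a constructed commented listing, using objdump's function labels to mark where each function starts. The one thing worth adding over a naive recursion is a guard for recursive functions, which would otherwise expand forever; the "(recursive)" marker is my own, not Examiner output.

```python
import re

# Constructed commented listing in the style the Examiner writes: objdump's
# function labels plus the #CALL comments inserted above each call.  Names,
# strings and addresses are made up.
COMMENTED = """\
08048100 <_START_MAIN_FUNCT>:
#CALL FUNCTION40("/var/log/wtmp","[login]","ping",BX,SI,BP,BP)
 8048110: e8 eb 00 00 00       call   0x8048200
#CALL EXIT_FUNCT(0)
 8048115: e8 46 7f 00 00       call   0x8050060
08048200 <FUNCTION40>:
#CALL FOPEN_FUNCT(8,"r")
 8048210: e8 0b 7f 00 00       call   0x8050120
#CALL TIME_FUNCT(0)
 8048215: e8 16 7f 00 00       call   0x8050130
#CALL FUNCTION40(BX,SI,BP)
 804821a: e8 e1 ff ff ff       call   0x8048200
 804821f: c3                   ret
"""

LABEL_RE = re.compile(r"^([0-9a-f]+) <(\S+)>:$")
CALL_RE = re.compile(r"^#CALL (\w+)\((.*)\)$")


def parse_calls(listing):
    """Map each function in the listing to the calls it makes, in order."""
    funcs, current = {}, None
    for line in listing.splitlines():
        m = LABEL_RE.match(line)
        if m:
            current = m.group(2)
            funcs.setdefault(current, [])
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            funcs[current].append((m.group(1), m.group(2)))
    return funcs


def hierarchy(listing, root, title="listing"):
    """Render the tree: depth d is drawn as d bars followed by '+ '."""
    funcs = parse_calls(listing)
    out = ["##", "## Hierarchy of %s" % title, "##", ".TEXT_FUNCT", "+ %s()" % root]

    def walk(name, depth, path):
        for callee, args in funcs.get(name, []):
            line = "%s+ %s(%s)" % ("|" * depth, callee, args)
            if callee in path:                  # recursion: draw it, do not descend
                out.append(line + "  (recursive)")
            else:
                out.append(line)
                if callee in funcs:             # defined in the binary: descend
                    walk(callee, depth + 1, path + (callee,))
    walk(root, 1, (root,))
    return out


if __name__ == "__main__":
    print("\n".join(hierarchy(COMMENTED, "_START_MAIN_FUNCT", "hackedelf.dump.commented")))
```

A function that is called from two places is expanded under both, which is what you want when reading the tree top-down; if the listing is large, caching the expansion of each function is the obvious next step.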
Summary of features
- Automates objdump usage
- Can generate cross-reference files of functions, interrupts
and other useful things
- Locates functions within the binary
- Understands the stack and comments on its state
- Can parse and understand the contents of the .rodata section
- Cross references .rodata calls and comments on them
- Locates .data pointer references to .rodata
- Provides an easy to read CALL syntax for comments
- Understands and looks up interrupt calls
- Uses the Linux source headers to determine the system call name
from the number passed to the interrupt
- Can differentiate all of the socketcall functions
- Can comment on some C-like constants for function calls
- Separates functions based on ret instructions
- Can recognize and attempt to decode UPX compressed binaries
- Works with TCT and the Fenris dress utility
- Can detect crippled ELF executables and burneye executables
- Recognizes symbols and will cross-reference dynamic libraries
Supported Platforms
The app is written in Perl but currently only disassembles the
following binaries:
Linux ELF i386 - (Actually it will do any ELF but this is the testing platform)
FreeBSD i386 - (Not fully tested but seems to be working)
OpenBSD/NetBSD - Will run but still does a poor job of commenting
The app will also take advantage of the Linux source and include files when
running on a Linux-based system.
Download
Examiner v0.5
CHANGELOG
Tutorial on Examiner
Man Page