The Examiner 0.5 review
The Examiner is an application that uses the objdump command to disassemble and comment on foreign executable binaries. It was designed to analyze statically compiled binaries but works acceptably with others. The intended use is forensic research, though it can also serve general reverse engineering.
The program can only handle basic disassembly. If a binary has been modified to resist debugging, the Examiner will probably not be able to analyze its code. The Examiner also does not analyze live, running code. That can be an advantage (nothing from the suspect binary is executed), but if you need to observe code as it runs or deal with complicated disassembly, you should probably use Fenris.
Here are some key features of "The Examiner":
Automates objdump usage
Can generate cross-reference files of functions, interrupts and other useful things
Locates functions within the binary
Understands the stack and comments on its state
Can parse and understand the contents of the .rodata section
Cross-references .rodata references and comments on them
Locates .data pointer references to .rodata
Provides an easy-to-read CALL syntax for comments
Understands and looks up interrupt calls
Uses Linux source headers to determine system call names based on which interrupt is called
Can differentiate all of the socketcall functions
Can comment on some C-like constants for function calls
Separates functions based on ret instructions
Can recognize and attempt to decode UPX-compressed binaries
Works with TCT and the Fenris dress utility
Can detect crippled ELF executables and burneye executables
Recognizes symbols and will cross-reference dynamic libraries
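As an added example, not code from the Examiner itself, the following Python script sketches the annotation pass those features describe: it parses objdump -d output, resolves each int $0x80 to a system call name from the value last loaded into eax (splitting socketcall by the subcall number in ebx), cross-references immediates that point into .rodata, emits a CALL-style comment, and delimits functions at ret. The syscall and socketcall tables are a hand-written subset (the Examiner derives its names from the Linux source headers), and the .rodata map and the objdump listing are constructed for the example.

```python
import re

# Lookup tables constructed for this example: a subset of i386 syscall numbers
# (asm/unistd.h) and of socketcall() subcall numbers (linux/net.h).
SYSCALLS = {1: "exit", 3: "read", 4: "write", 5: "open", 6: "close", 102: "socketcall"}
SOCKETCALLS = {1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept",
               9: "send", 10: "recv", 11: "sendto", 12: "recvfrom"}
ARG_REGS = ("ebx", "ecx", "edx", "esi", "edi")   # i386 syscall argument registers, in order

# Constructed stand-in for the .rodata section: address -> string stored there.
RODATA = {0x80490a0: "Hello, world!\n"}

# Constructed objdump -d output (AT&T syntax) for a tiny static binary that does
# write(1, msg, 14); ret; socketcall(SYS_SOCKET, ...); exit(1).
SAMPLE = "\n".join([
    "08048080 <_start>:",
    " 8048080:\tb8 04 00 00 00       \tmov    $0x4,%eax",
    " 8048085:\tbb 01 00 00 00       \tmov    $0x1,%ebx",
    " 804808a:\tb9 a0 90 04 08       \tmov    $0x80490a0,%ecx",
    " 804808f:\tba 0e 00 00 00       \tmov    $0xe,%edx",
    " 8048094:\tcd 80                \tint    $0x80",
    " 8048096:\tc3                   \tret    ",
    " 8048097:\tb8 66 00 00 00       \tmov    $0x66,%eax",
    " 804809c:\tbb 01 00 00 00       \tmov    $0x1,%ebx",
    " 80480a1:\tcd 80                \tint    $0x80",
    " 80480a3:\tb8 01 00 00 00       \tmov    $0x1,%eax",
    " 80480a8:\tcd 80                \tint    $0x80",
    " 80480aa:\tc3                   \tret    ",
])

# "$0x<imm>,%<reg>" operand form of an immediate-to-register move
IMM_TO_REG = re.compile(r"^\$0x([0-9a-f]+),%(e[a-d]x|e[sd]i|e[bs]p)$")


def parse_insn(line):
    """Split one objdump -d instruction line into (addr, mnemonic, operands); None for other lines."""
    parts = line.split("\t")
    if len(parts) < 3 or not parts[0].strip().endswith(":"):
        return None
    fields = parts[2].split(None, 1)
    if not fields:
        return None
    addr = int(parts[0].strip()[:-1], 16)
    return addr, fields[0], (fields[1].strip() if len(fields) > 1 else "")


def annotate(disasm, comment_char=";"):
    """Comment a disassembly listing: name int 0x80 system calls (and socketcall subcalls),
    cross-reference immediates into .rodata, and delimit functions at ret."""
    regs = {}            # last immediate loaded into each register in the current function
    functions, calls, xrefs, out = [], [], [], []
    start = None
    addr = None
    for line in disasm.splitlines():
        insn = parse_insn(line)
        if insn is None:
            out.append(line)
            continue
        addr, mnem, ops = insn
        if start is None:
            start = addr
        note = ""
        m = IMM_TO_REG.match(ops)
        if mnem == "mov" and m:
            val = int(m.group(1), 16)
            regs[m.group(2)] = val
            if val in RODATA:
                xrefs.append((addr, val, RODATA[val]))
                note = f"{comment_char} -> .rodata {val:#x}: {RODATA[val]!r}"
        elif mnem == "int" and ops == "$0x80":
            num = regs.get("eax")
            name = SYSCALLS.get(num, f"syscall_{num}")
            if name == "socketcall":
                name += "." + SOCKETCALLS.get(regs.get("ebx"), "?")
            args = ", ".join(f"{r}={regs[r]:#x}" for r in ARG_REGS if r in regs)
            calls.append((addr, f"{name}({args})"))
            note = f"{comment_char} CALL {name}({args})"
            regs.pop("eax", None)          # the kernel returns its result in eax
        elif mnem == "ret":
            functions.append((start, addr))
            start, regs = None, {}
            note = f"{comment_char} end of function"
        out.append(f"{line.rstrip()}   {note}" if note else line)
    if start is not None:                  # listing ended without a ret
        functions.append((start, addr))
    return {"listing": "\n".join(out), "functions": functions, "calls": calls, "xrefs": xrefs}


if __name__ == "__main__":
    print(annotate(SAMPLE)["listing"])
```

Register tracking here is deliberately naive (only immediates, reset at every ret), which is exactly the kind of basic disassembly the page says the Examiner is limited to; a binary that builds its syscall numbers arithmetically or through the stack would defeat it, just as anti-debugging tricks defeat the real tool.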
What's New in This Release:
Has rudimentary detection of burneye via the 7350 signature
Can detect crippled ELF headers (and optionally repair them)
Added a TUTORIAL file
Modified default working dir to $HOMEexaminer-data
Can cross-reference .data pointers to .rodata sections
Now records pushl instructions
Fixed '-H' to dump headers instead of -R
Added '-o' to specify an output file or STDOUT with '-'
Added '-c' to specify a comment character
Added a new util 'xhierarchy' to print function call hierarchy