Examiner v0.5
=============

*> Intro

The Examiner is a tool that uses objdump to generate a disassembled assembly
file. It then parses through that file and comments on the disassembled
source. This can be a really useful head start when analyzing a foreign
binary.

This tool was originally created to assist in analyzing foreign binary
executables placed on machines. It could have some additional purposes besides
forensics, such as simply reverse engineering a file when you don't have its
source.

*> Features

[] Automates objdump usage
[] Can generate cross-reference files of functions, interrupts and other useful things
[] Locates functions within the binary
[] Understands the stack and comments on its state
[] Can parse and understand the contents of the .rodata section
[] Cross-references instructions that use .rodata and comments on them
[] Locates .data pointer references to .rodata
[] Provides an easy-to-read CALL syntax for comments
[] Understands and looks up interrupt calls
[] Uses the Linux source headers to determine function names based on which interrupt is called
[] Can differentiate all of the socketcall functions
[] Can comment on some C-like constants for function calls
[] Separates functions based on ret instructions
[] Can recognize and attempt to decode UPX-compressed binaries
[] Can detect crippled ELF executables and burneye executables
[] Recognizes symbols and will cross-reference dynamic libraries

*> Supported Platforms

Linux ELF binary executables.

i386 platform - Fully tested
FreeBSD i386  - Seems to work fine but the testing isn't as extensive
OpenBSD i386  - Runs but doesn't do much <yet>

*> HOW TO USE

For more information on how to use Examiner please read the man page or the
TUTORIAL.

*> Special Thanks

I would sincerely like to thank the HoneyNet project
<http://projects.honeynet.org> for inspiring the creation of this utility.

Mike Hunter-Linville for testing.

And the Academic Underground for hosting some cool research
<http://AcademicUnderground.org>

*> Contact Info

Craig Smith <csmith@cardinalsolutions.com>
Project Site: <http://AcademicUnderground.org/examiner>
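*> Worked Example

The following is an added example, written for this page and not taken from
Examiner's own code, showing the kind of annotation pass the Intro and the
Features list describe: parse `objdump -d` output, split functions at labels
and ret instructions, track immediates loaded into registers, name the system
call behind each `int $0x80` (and the socketcall sub-function via ebx), and
mark immediates that point into .rodata. Everything it consumes is
constructed here: the sample listing, the .rodata table (which a real pass
would build from `objdump -s -j .rodata`), and the small i386 syscall and
socketcall tables (Examiner pulls those names from the Linux source headers
instead). The register tracking is deliberately linear and per-function, which
is the same caveat that applies to any comment-generating pass: it is a head
start for a human, not a sound analysis.

```python
import re

# Constructed subset of i386 Linux syscall numbers and socketcall subcodes
# (linux/net.h). Examiner derives these from the kernel headers instead.
SYSCALLS = {1: "exit", 3: "read", 4: "write", 5: "open", 11: "execve", 102: "socketcall"}
SOCKETCALLS = {1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept"}

# Constructed stand-in for what `objdump -s -j .rodata` would yield.
RODATA = {0x80490a0: "Hello, world!\n"}

# Constructed `objdump -d` listing of a tiny static i386 binary (AT&T syntax).
SAMPLE = (
    "08048080 <_start>:\n"
    " 8048080:\tb8 04 00 00 00       \tmov    $0x4,%eax\n"
    " 8048085:\tbb 01 00 00 00       \tmov    $0x1,%ebx\n"
    " 804808a:\tb9 a0 90 04 08       \tmov    $0x80490a0,%ecx\n"
    " 804808f:\tba 0e 00 00 00       \tmov    $0xe,%edx\n"
    " 8048094:\tcd 80                \tint    $0x80\n"
    " 8048096:\te8 0a 00 00 00       \tcall   80480a5 <do_socket>\n"
    " 804809b:\tb8 01 00 00 00       \tmov    $0x1,%eax\n"
    " 80480a0:\t31 db                \txor    %ebx,%ebx\n"
    " 80480a2:\tcd 80                \tint    $0x80\n"
    " 80480a4:\tc3                   \tret\n"
    "\n"
    "080480a5 <do_socket>:\n"
    " 80480a5:\tb8 66 00 00 00       \tmov    $0x66,%eax\n"
    " 80480aa:\tbb 01 00 00 00       \tmov    $0x1,%ebx\n"
    " 80480af:\t8d 4c 24 04          \tlea    0x4(%esp),%ecx\n"
    " 80480b3:\tcd 80                \tint    $0x80\n"
    " 80480b5:\tc3                   \tret\n"
)

LABEL_RE = re.compile(r"^([0-9a-f]+) <([^>]+)>:\s*$")
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2}\s)+\s*(\S+)(?:\s+(.*?))?\s*$")
IMM_RE = re.compile(r"^\$0x([0-9a-f]+),%(e[abcd]x|e[sd]i|e[bs]p)$")
CALL_RE = re.compile(r"^[0-9a-f]+ <([^>]+)>$")


def describe_syscall(regs):
    """Name the syscall selected by eax; for socketcall, also name the subcall in ebx."""
    num = regs.get("eax")
    if num is None:
        return "syscall ? (eax not known here)"
    name = SYSCALLS.get(num, "sys_%d" % num)
    if num == 102:
        name += "(%s)" % SOCKETCALLS.get(regs.get("ebx"), "?")
    args = ", ".join("%s=0x%x" % (r, regs[r]) for r in ("ebx", "ecx", "edx") if r in regs)
    return "syscall %d = %s%s" % (num, name, " [%s]" % args if args else "")


def annotate(text, rodata=RODATA):
    """Return ([(addr, mnemonic, operands, comment)], {function: (start, end)}).

    Register state is tracked linearly inside one function only: it is reset
    at every label, and the caller-saved eax/ecx/edx are forgotten after a call.
    """
    insns, funcs, regs, cur = [], {}, {}, None
    for raw in text.splitlines():
        m = LABEL_RE.match(raw)
        if m:                                    # function start: new symbol
            cur = m.group(2)
            funcs[cur] = [int(m.group(1), 16), None]
            regs = {}
            continue
        m = INSN_RE.match(raw)
        if not m:
            continue
        addr, mnem, ops = int(m.group(1), 16), m.group(2), m.group(3) or ""
        comment = ""
        imm = IMM_RE.match(ops) if mnem == "mov" else None
        if imm:                                  # mov $imm,%reg: remember the value
            value, reg = int(imm.group(1), 16), imm.group(2)
            regs[reg] = value
            if value in rodata:                  # immediate points into .rodata
                comment = "-> .rodata %r" % rodata[value]
        elif mnem == "xor":                      # xor %r,%r is the zeroing idiom
            a, _, b = ops.partition(",")
            if a == b and a.startswith("%"):
                regs[a[1:]] = 0
        elif mnem == "call":
            c = CALL_RE.match(ops)
            comment = "CALL %s" % (c.group(1) if c else ops)
            for r in ("eax", "ecx", "edx"):      # caller-saved: value unknown after return
                regs.pop(r, None)
        elif mnem == "int" and ops == "$0x80":
            comment = describe_syscall(regs)
        elif mnem == "ret" and cur and funcs[cur][1] is None:
            funcs[cur][1] = addr                 # first ret closes the function
            comment = "end of %s" % cur
        insns.append((addr, mnem, ops, comment))
    return insns, {k: tuple(v) for k, v in funcs.items()}


def render(insns, funcs):
    """Produce the commented listing as a list of text lines."""
    starts = {s: n for n, (s, _) in funcs.items()}
    out = []
    for addr, mnem, ops, comment in insns:
        if addr in starts:
            out.append("%08x <%s>:" % (addr, starts[addr]))
        out.append("  %08x:  %-6s %s" % (addr, mnem, ops) + ("   # " + comment if comment else ""))
    return out


if __name__ == "__main__":
    import subprocess, sys
    # With a path argument, disassemble a real file; otherwise use the constructed sample.
    text = SAMPLE if len(sys.argv) < 2 else subprocess.run(
        ["objdump", "-d", sys.argv[1]], capture_output=True, text=True, check=True).stdout
    for line in render(*annotate(text)):
        print(line)
```

Run it with no arguments to see the sample annotated, or pass an i386 ELF
path to have it run objdump for you. Note the difference between the two
`int $0x80` lines in `_start`: the first is annotated as write with all three
argument registers known, the second as exit with only ebx known, because the
intervening call wiped the caller-saved registers from the tracker.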