
examiner-0.5-7.fc15.noarch.rpm

Examiner v0.5
=============

*> Intro

The Examiner is a tool that uses objdump to generate a disassembled
assembly file.  It then parses through the file and comments on
the disassembled source.  This can be a really useful head start when
analyzing a foreign binary.  This tool was originally created to
assist in analyzing foreign binary executables placed on machines.  It
could have some additional purposes besides forensics, such as simply
reverse engineering a file when you don't have its source.

*> Features

	[]  Automates objdump usage
	[]  Can generate cross-reference files of functions, interrupts
	    and other useful things
	[]  Locates functions within the binary
	[]  Understands the stack and comments on its state
	[]  Can parse and understand the contents of the .rodata section
	[]  Cross references .rodata calls and comments on them
	[]  Locates .data pointer references to .rodata
	[]  Provides an easy to read CALL syntax for comments
	[]  Understands and looks up interrupt calls
	[]  Utilizes Linux source headers to determine function names
	    based on what interrupt is called
	[]  Can differentiate all of the socketcall functions
	[]  Can comment on some C like constants for function calls
	[]  Separates functions based on ret calls
	[]  Can recognize and attempt to decode UPX compressed binaries
	[]  Can detect crippled ELF executables and burneye executables
	[]  Recognizes symbols and will cross-reference dynamic libraries
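The intro and the interrupt-related features above describe the core of what Examiner does: parse an objdump listing, track what was loaded into eax/ebx, and comment each int $0x80 with the syscall (and socketcall subfunction) it invokes.  The following is an added illustration of that technique in Python, not Examiner's own code; the syscall tables are a constructed subset (Examiner reads them from the Linux source headers) and the listing is a constructed objdump -d style sample.

```python
import re

# Constructed subset of the i386 Linux syscall table (number in eax -> name).
SYSCALLS = {1: "exit", 3: "read", 4: "write", 5: "open", 6: "close", 102: "socketcall"}
# socketcall (102) multiplexes the socket API through the subcall number in ebx.
SOCKETCALLS = {1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept", 9: "send", 10: "recv"}
IMM_MOV = re.compile(r"^\$0x([0-9a-f]+),%(eax|ebx)$")

# Constructed objdump -d style listing (AT&T syntax, tab-separated fields).
SAMPLE = (
    "08048080 <_start>:\n"
    " 8048080:\tb8 66 00 00 00       \tmov    $0x66,%eax\n"
    " 8048085:\tbb 03 00 00 00       \tmov    $0x3,%ebx\n"
    " 804808a:\t89 e1                \tmov    %esp,%ecx\n"
    " 804808c:\tcd 80                \tint    $0x80\n"
    " 804808e:\tb8 04 00 00 00       \tmov    $0x4,%eax\n"
    " 8048093:\tbb 01 00 00 00       \tmov    $0x1,%ebx\n"
    " 8048098:\tcd 80                \tint    $0x80\n"
    " 804809a:\tb8 01 00 00 00       \tmov    $0x1,%eax\n"
    " 804809f:\tcd 80                \tint    $0x80\n"
    " 80480a1:\tc3                   \tret\n"
)

def parse_line(line):
    """Split an objdump line into (address, mnemonic, operands); None for labels and byte-only continuation lines."""
    fields = line.split("\t")
    if len(fields) < 3 or not fields[0].strip().endswith(":"):
        return None
    mnemonic, _, operands = fields[2].strip().partition(" ")
    return fields[0].strip()[:-1], mnemonic, operands.strip()

def describe_syscall(eax, ebx):
    """Name the syscall selected by eax, resolving socketcall's subfunction from ebx."""
    if eax is None:
        return "syscall(<unknown eax>)"
    name = SYSCALLS.get(eax, f"syscall_{eax}")
    if name != "socketcall":
        return name
    sub = SOCKETCALLS.get(ebx, f"subcall_{ebx}") if ebx is not None else "<unknown ebx>"
    return f"socketcall -> {sub}"

def annotate(listing):
    """Return the listing's lines with a '# CALL <name>' comment appended to every int $0x80."""
    regs = {"eax": None, "ebx": None}  # last known immediate in each register, None if unknown
    out = []
    for line in listing.splitlines():
        parsed = parse_line(line)
        if parsed:
            _addr, mnemonic, operands = parsed
            dest = operands.rsplit(",", 1)[-1]
            if mnemonic == "int" and operands == "$0x80":
                line += "\t# CALL " + describe_syscall(regs["eax"], regs["ebx"])
                regs["eax"] = None                 # the kernel returns its result in eax
            elif mnemonic == "mov" and IMM_MOV.match(operands):
                imm, reg = IMM_MOV.match(operands).groups()
                regs[reg] = int(imm, 16)
            elif mnemonic == "xor" and operands in ("%eax,%eax", "%ebx,%ebx"):
                regs[operands[1:4]] = 0            # common zeroing idiom
            elif dest in ("%eax", "%ebx"):
                regs[dest[1:]] = None              # conservatively treat any other write as unknown
        out.append(line)
    return out

def find_syscalls(listing):
    """(address, call description) for every int $0x80 in the listing."""
    return [(parse_line(l)[0], l.split("# CALL ", 1)[1]) for l in annotate(listing) if "# CALL " in l]
```

Running `annotate(SAMPLE)` on the sample marks the first interrupt as `socketcall -> connect`, the second as `write` and the third as `exit`, which is the kind of CALL comment Examiner adds to the disassembly.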

*> Supported Platforms

Linux ELF binary executables.  i386 platform - Fully tested
FreeBSD i386 - Seems to work fine but the testing isn't as extensive
OpenBSD i386 - Runs but doesn't do much <yet>

*> HOW TO USE

For more information on how to use Examiner please read the man page
or the TUTORIAL.

*> Special Thanks

I would sincerely like to thank the HoneyNet project
<http://projects.honeynet.org> for inspiring the creation of this utility.
Mike Hunter-Linville for testing
And the Academic Underground for hosting some cool research
<http://AcademicUnderground.org>

*> Contact Info

Craig Smith <csmith@cardinalsolutions.com>
Project Site: <http://AcademicUnderground.org/examiner>