Introduction to Examiner
======================================

The Examiner is used to analyze basic executables without running
any part of the file to be examined.  Examiner utilizes a disassembler
(currently objdump is the default)  It then comments the assembler output
to something that is *hopefully* more readable.  It is not meant to do
everything for you but basically to help prepare a good working template
to begin your personal analysis.

This tutorial is on how to use these tools to help in your analysis.  These
should not be the only tools used in your investigation.  Nor is this
tutorial geared to explaining how to analyze or read assembly.  It is
just a demonstration on how to use this Suite of utilities.

The Examiner's strong points are finding function calls and determining
what is being passed to them.  To quickly do a dump of a binary simply
run this:

./examiner -x hackedelf

This will create a file called hackedelf.dump.commented.  This file will either
be located in your home directory under examiner-data directory or in
you TCT directory if you have that installed.

This can be changed with the -o option:

./examiner -x hackedelf -o hackedelf.scrap

This puts the commented assembly code in hackedelf.scrap.  You can also
change the entire working directory with -d:

./examiner -x hackedelf -d /tmp

You can see details by using the -v option as well as provide a summary with
the -s option:

./examiner -x hackedelf -o hackedelf.scrap -vs

The summary will look something like this:

   ___..oooOOO[ Summary ]OOOooo..___
   587 lines of code were processed.
   44 functions were located.
   Of those, 35 were successfully identified.
   Function Ratio: 79%
Commented code can be found here: hackedelf.scrap

The function Ratio is the percentage that it believes to have identified
successfully.  In general the following chart is what you can expect when
analyzing a binary:

   ~20% stripped & statically linked
   ~75% stripped & dynamically linked
   ~100% not stripped & dynamically linked

You can generate additional reference files to help in your analysis.
Use the -R option to dump some handy reference files.  You can also use
the -H option to dump each section of the ELF in hex.

./examiner -HRvx hackedelf

These options will create files like hackedelf.dump.functions,
hackedelf.dump.interrupts, hackedelf.dump.sections.  You can
use these in conjunction with the hexdump of the sections.

Using examiner in conjunction with xhierarchy
==============================================

The Examiner comes with a utility called xhierarchy.  This tool is
used to display the a function tree as to who calls who.  You can
read a commented file with xhierarchy like so:

./xhierarchy.pl -f hackedelf.dump.commented

It will produce output like so:

##
## Hierarchy of hackedelf.dump.commented
##
.TEXT_FUNCT
+ __LIBC_START_MAIN_FUNCT
+ _START_MAIN_FUNCT
|+ FUNCTION40
||+ FOPEN_FUNCT
||+ TIME_FUNCT
||+ SRAND_FUNCT
...
||+ FCLOSE_FUNCT

Here you can see that the MAIN function calls an unknown function call
(FUNCTION40) Within this function We see several known calls. Now in
this hypothetical situation we could infer this function opens and
closes a file but if we want to see more info on this file we
can use the -v option like so:

./xhierarchy -vf hackedelf.dump.commented

##
## Hierarchy of hackedelf.dump.commented
##
.TEXT_FUNCT
+ __LIBC_START_MAIN_FUNCT(80489e0,SI,CX,80486e4,8048dcc,DX,SP,AX)
+ _START_MAIN_FUNCT()
|+ FUNCTION40("/lib/security/. ...","[login]","ping",BX,SI,BP,BP)
||+ FOPEN_FUNCT(8,"r")
||+ TIME_FUNCT(0)
||+ SRAND_FUNCT(DX)

Now the very first function called from main() tends to have extra
values pushed to the stack so we can check further into the code
to see how many arguments get passed later in the code.  After looking
we fined a line like so:

|+FUNCTION40("/lib/security/. ...","[login]","su_pass")

It would be safe to assume that FUNCTION40 takes 3 arguments.  The first
argument is abbreviated here do to size limitations.  In the main commented
code it should expanded a bit more.  This feature can be disabled when
running examiner with the -L option.  After further analysis we conclude
that this function is used to lookup a rootkit's configuration file
that is in an INI file format.  So now we can updated our commented source.

Simply pull up you file in VI or whatever editor you choose.

vi hackedelf.dump.commented
:%s/FUNCTION40(/GET_INI_VALUE_FUNCT(/g

You can use xhierarchy to help with an overview of what is going on so
you can comment and rename some of the unknown functions with a more
logical name.  Be careful not to simply substitute FUNCTION40 because
in large files this will match FUNCTION401,FUNCTION402,etc.  Use the '('
as a end character.

You can actually stream the results of Examiner directly into xhierarchy
if you wish:

./examiner -x hackedelf -o - | ./xhierarchy -f -

Using a singe '-' as you file it will use STDIO instead.