Introduction to Examiner ====================================== The Examiner is used to analyze basic executables without running any part of the file to be examined. Examiner utilizes a disassembler (currently objdump is the default) It then comments the assembler output to something that is *hopefully* more readable. It is not meant to do everything for you but basically to help prepare a good working template to begin your personal analysis. This tutorial is on how to use these tools to help in your analysis. These should not be the only tools used in your investigation. Nor is this tutorial geared to explaining how to analyze or read assembly. It is just a demonstration on how to use this Suite of utilities. The Examiner's strong points are finding function calls and determining what is being passed to them. To quickly do a dump of a binary simply run this: ./examiner -x hackedelf This will create a file called hackedelf.dump.commented. This file will either be located in your home directory under examiner-data directory or in you TCT directory if you have that installed. This can be changed with the -o option: ./examiner -x hackedelf -o hackedelf.scrap This puts the commented assembly code in hackedelf.scrap. You can also change the entire working directory with -d: ./examiner -x hackedelf -d /tmp You can see details by using the -v option as well as provide a summary with the -s option: ./examiner -x hackedelf -o hackedelf.scrap -vs The summary will look something like this: ___..oooOOO[ Summary ]OOOooo..___ 587 lines of code were processed. 44 functions were located. Of those, 35 were successfully identified. Function Ratio: 79% Commented code can be found here: hackedelf.scrap The function Ratio is the percentage that it believes to have identified successfully. In general the following chart is what you can expect when analyzing a binary: ~20% stripped & statically linked ~75% stripped & dynamically linked ~100% not stripped & dynamically linked You can generate additional reference files to help in your analysis. Use the -R option to dump some handy reference files. You can also use the -H option to dump each section of the ELF in hex. ./examiner -HRvx hackedelf These options will create files like hackedelf.dump.functions, hackedelf.dump.interrupts, hackedelf.dump.sections. You can use these in conjunction with the hexdump of the sections. Using examiner in conjunction with xhierarchy ============================================== The Examiner comes with a utility called xhierarchy. This tool is used to display the a function tree as to who calls who. You can read a commented file with xhierarchy like so: ./xhierarchy.pl -f hackedelf.dump.commented It will produce output like so: ## ## Hierarchy of hackedelf.dump.commented ## .TEXT_FUNCT + __LIBC_START_MAIN_FUNCT + _START_MAIN_FUNCT |+ FUNCTION40 ||+ FOPEN_FUNCT ||+ TIME_FUNCT ||+ SRAND_FUNCT ... ||+ FCLOSE_FUNCT Here you can see that the MAIN function calls an unknown function call (FUNCTION40) Within this function We see several known calls. Now in this hypothetical situation we could infer this function opens and closes a file but if we want to see more info on this file we can use the -v option like so: ./xhierarchy -vf hackedelf.dump.commented ## ## Hierarchy of hackedelf.dump.commented ## .TEXT_FUNCT + __LIBC_START_MAIN_FUNCT(80489e0,SI,CX,80486e4,8048dcc,DX,SP,AX) + _START_MAIN_FUNCT() |+ FUNCTION40("/lib/security/. ...","[login]","ping",BX,SI,BP,BP) ||+ FOPEN_FUNCT(8,"r") ||+ TIME_FUNCT(0) ||+ SRAND_FUNCT(DX) Now the very first function called from main() tends to have extra values pushed to the stack so we can check further into the code to see how many arguments get passed later in the code. After looking we fined a line like so: |+FUNCTION40("/lib/security/. ...","[login]","su_pass") It would be safe to assume that FUNCTION40 takes 3 arguments. The first argument is abbreviated here do to size limitations. In the main commented code it should expanded a bit more. This feature can be disabled when running examiner with the -L option. After further analysis we conclude that this function is used to lookup a rootkit's configuration file that is in an INI file format. So now we can updated our commented source. Simply pull up you file in VI or whatever editor you choose. vi hackedelf.dump.commented :%s/FUNCTION40(/GET_INI_VALUE_FUNCT(/g You can use xhierarchy to help with an overview of what is going on so you can comment and rename some of the unknown functions with a more logical name. Be careful not to simply substitute FUNCTION40 because in large files this will match FUNCTION401,FUNCTION402,etc. Use the '(' as a end character. You can actually stream the results of Examiner directly into xhierarchy if you wish: ./examiner -x hackedelf -o - | ./xhierarchy -f - Using a singe '-' as you file it will use STDIO instead.