EXAMINER(1)           User Contributed Perl Documentation          EXAMINER(1)

NAME

       examiner - An ELF binary executable analyzer


SYNOPSIS

       examiner [ -hvVsHRLq ] [ -d directory ] [ -C coroner.conf ] [ -o
       outfile ] [ -c 'comment char' ] -x executable


DESCRIPTION

       The examiner is a program used to analyze and comment on ELF
       executables.  It is intended mainly for forensic analysis but can be
       used for general reverse engineering.  The goal is to take a foreign
       executable and analyze it without running it.  The examiner relies on
       objdump to do its disassembly; it then parses the assembly output and
       attempts to add human-readable comments to facilitate analysis of the
       binary.

       The commented file will be created with the name of the target binary
       and the extension .commented.  By default the Examiner creates the
       $HOME/examiner-data directory to store its output.  This can be
       overridden with the -d option.  Also, if The Coroner's Toolkit (TCT) is
       installed, the examiner will use the directory specified by TCT.  See
       below for more information on using the Examiner with TCT.  You may
       use the -o option to specify a separate file for the commented source.
       If you use -o -, the Examiner will print the commented source to
       STDOUT.

       The examiner requires that you use the -x option to specify an
       executable to analyze.  By default the examiner only reports which
       phase of analysis it is currently working on.  The examiner analyzes
       binaries in four phases.

       PHASE 1 - Initial analysis and parsing
       PHASE 2 - Passes over the information and collects info
       PHASE 3 - Manipulates collected data to draw conclusions
       PHASE 4 - Generate the commented output

       If the -v option is used, the program will also report on each step
       within a phase.  You can also have a brief summary reported that gives
       some information about the total number of functions found, etc.  If
       you don't want any output you can use the -q option.

       The examiner will attempt to read ASCII strings from the .rodata
       section.  It will then cross-reference this information in its
       output.  It attempts to print only the printable characters and to
       display hex or C-style representations for special characters such as
       '\n'.  In the commented output the examiner restricts the length of
       each string.  This limit can be overridden with the -L option.  This
       is really not recommended.

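       The .rodata string pass described above, as an added example and not
       the examiner's own code: it splits a section image on NUL bytes, keeps
       runs that contain a few printable characters, renders control and
       non-ASCII bytes as C-style escapes, and truncates to a default length
       unless the caller disables the limit (the behaviour the -L option
       selects).  The section bytes, base address and length defaults below
       are constructed for the example.

```python
import string
from typing import List, Optional, Tuple

# Visible ASCII plus space; control whitespace is rendered as an escape instead.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")
C_ESCAPES = {0x0A: "\\n", 0x0D: "\\r", 0x09: "\\t", 0x5C: "\\\\", 0x22: '\\"'}


def c_escape(raw: bytes) -> str:
    """Render bytes as the body of a C string literal: printable characters
    verbatim, common control characters as C escapes, everything else \\xNN."""
    out = []
    for b in raw:
        if b in C_ESCAPES:
            out.append(C_ESCAPES[b])
        elif chr(b) in PRINTABLE:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def rodata_strings(section: bytes, base_vaddr: int,
                   min_printable: int = 4, max_len: Optional[int] = 32) -> List[Tuple[int, str]]:
    """Return (virtual address, escaped text) for every NUL-terminated run in
    the section that holds at least min_printable printable bytes.  max_len
    truncates the rendered text (examiner's default); 0 or None disables the
    limit, which is what -L does.  The address lets the text be
    cross-referenced against disassembly that loads that literal."""
    results = []
    start = 0
    for i, b in enumerate(section + b"\x00"):
        if b != 0:
            continue
        run = section[start:i]
        if sum(0x20 <= c < 0x7F for c in run) >= min_printable:
            text = c_escape(run)
            if max_len and len(text) > max_len:
                text = text[:max_len] + "..."
            results.append((base_vaddr + start, text))
        start = i + 1
    return results


# Constructed section image: a format string, two junk bytes, a protocol
# string with CRLF, and an over-long run that triggers truncation.
RODATA = (b"Usage: %s [-v] file\n\x00" b"\x01\x02\x00"
          b"GET /index.html HTTP/1.0\r\n\x00" + b"A" * 40 + b"\x00")

if __name__ == "__main__":
    for vaddr, text in rodata_strings(RODATA, 0x08048500):
        print(f"{vaddr:#010x}  \"{text}\"")
```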
       You can generate additional reports that may help in analysis.  If the
       -H option is supplied it will dump each section in the executable.  The
       files are stored in the working directory.  These files will have the
       target executable's name with the section as an extension, e.g.
       binary.rodata.

       You can generate reference files with the -R option.  These files are
       generated to help in cross-referencing information.  Currently it will
       create three files: functions, interrupts, and sections.  The functions
       file contains each guessed function name and its address.  The
       interrupts file lists any interrupts that are called and what the stack
       would look like at the time (sort of).  The sections file contains a
       list of all sections and their memory ranges.

       For a brief summary of all the options you can use the -h option.  If
       you supply the -V option, examiner will print its version info and then
       exit.


USING EXAMINER WITH TCT

       The examiner can optionally be run on a system that has The Coroner's
       Toolkit (TCT) installed.  The Examiner will use some of TCT's
       executables when they are installed.  The paths to these may be
       specified in TCT's paths.pl file.  The Examiner will also read the
       coroner.conf file to locate the directory it should use as its working
       directory.  You can specify a different coroner.conf file with the -C
       option.

       Newer versions of the Examiner will read an optional hash library.
       This library is simply a set of hash references that would normally be
       generated by parsing the net.h and unistd.h header files.  The file
       examiner_hashes.pl will be parsed if it is in the current directory or
       in /usr/share/tct.  On BSD-based systems syscall.h is used in place of
       unistd.h.  Check the os directory for some pre-created examiner hashes.


FILES

       coroner.conf - (optional conf file)
       examiner_hashes.pl - (optional) If present, header files won't be parsed


LICENSE

       The program is copyrighted by Craig Smith under the terms of the GPL.


AUTHOR(s)

       Craig Smith



perl v5.28.1                      2002-07-29                       EXAMINER(1)