EXAMINER(1) User Contributed Perl Documentation EXAMINER(1)

NAME
examiner - An ELF binary executable analyzer

SYNOPSIS
examiner [ -hvVsHRLq ] [ -d directory ] [ -C coroner.conf ] [ -o
outfile ] [ -c 'comment char' ] -x executable

DESCRIPTION
The examiner is a program used to analyze and comment on ELF
executables. It is intended mainly for forensic analysis but can be
used for general reverse engineering. The goal is to take a foreign
executable and analyze it without running it. The examiner relies on
objdump to do its disassembly; it then parses the assembly output and
attempts to add human-readable comments that help facilitate analysis
of the binary.

The commented file will be created with the name of the target binary
plus the extension .commented. By default the Examiner creates the
$HOME/examiner-data directory to store its output. This can be
overridden with the -d option. Also, if The Coroner's Toolkit (TCT) is
installed, the examiner will use the directory specified by TCT. See
below for more information on using the Examiner with TCT. You may
use the -o option to specify a separate file for the commented source.
If you use -o -, the Examiner prints the commented source to STDOUT.

The examiner requires that you use the -x option to specify an
executable to analyze. By default the examiner only reports which
phase of analysis it is currently working on. The examiner analyzes
binaries in four phases.

PHASE 1 - Initial analysis and parsing
PHASE 2 - Passes over the information and collects info
PHASE 3 - Manipulates collected data to draw conclusions
PHASE 4 - Generate the commented output

If the -v option is used then the program will report on each step
within the phase as well. You can also have a brief summary reported
that will give you some information such as the total number of
functions found. If you don't want any output you can use the -q
option.

The examiner will attempt to read ASCII strings from the .rodata
section. It then cross-references this information in its output. It
attempts to print only the printable characters and displays hex or
C-style representations for special characters such as '\n'. In the
commented output the examiner will restrict the length of each string.
This limit can be overridden with the -L option. This is really not
recommended.

You can generate additional reports that may help in analysis. If the
-H option is supplied it will dump each section in the executable. The
files are stored in the working directory. These files will have the
target executable's name with the section as an extension, e.g.
binary.rodata.

You can generate reference files with the -R option. These files are
generated to help in cross-referencing information. Currently it will
create three files: functions, interrupts, and sections. The functions
file contains each guessed function name and its address. The
interrupts file lists any interrupts that are called and what the stack
would look like at the time (sort of). The sections file contains a
list of all sections and their memory ranges.

For a brief summary of all the options you can use the -h option. If
you supply the -V option the examiner prints its version info and then
exits.

The examiner can optionally be run on a system that has The Coroner's
Toolkit (TCT) installed. The Examiner will use some TCT executables
when they are installed. The paths to these may be specified in TCT's
paths.pl file. The Examiner will also read in the coroner.conf file to
locate the section it should use as its working directory. You can
specify a different coroner.conf file with the -C option.

The newer version of the Examiner will read in an optional hash
library. This library is simply the hash references that would
normally be generated by parsing the net.h and unistd.h files. This
file, examiner_hashes.pl, will be parsed if it is in the current
directory or in /usr/share/tct. unistd.h is substituted for syscall.h
on BSD-based systems. Check the os directory for some pre-created
examiner hashes.

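As an added illustration of the interrupts reference file and of the syscall hashes described above (this is example code, not part of the examiner distribution), the following Python walks objdump -d output, tracks the last immediate loaded into %eax, and comments each int $0x80 with the syscall it selects, using a small table of the kind examiner_hashes.pl would hold after parsing unistd.h. The disassembly, the table subset and the comment character are constructed here; the syscall numbers are the standard Linux i386 values.

```python
import re
# Constructed subset of the i386 syscall table that examiner_hashes.pl
# would normally hold after parsing unistd.h (standard Linux i386 numbers).
SYSCALLS = {1: "exit", 3: "read", 4: "write", 5: "open", 6: "close"}
# One objdump -d instruction line: address, raw bytes, mnemonic, operands.
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2}\s)+\s*(\S+)\s*(.*)$")
IMM_EAX_RE = re.compile(r"^\$(0x[0-9a-f]+|[0-9]+),%eax$")

def annotate(disasm, comment_char=";"):
    """Comment each 'int $0x80' with the syscall selected by the last
    immediate loaded into %eax. Returns (commented_lines, interrupts);
    interrupts is a list of (address, number, name) for a reference file."""
    commented, interrupts = [], []
    eax = None                        # %eax value when statically known
    for line in disasm.splitlines():
        m = INSN_RE.match(line)
        if not m:                     # labels, blank lines, byte overflow
            commented.append(line)
            continue
        addr, mnem, ops = m.group(1), m.group(2), m.group(3).strip()
        imm = IMM_EAX_RE.match(ops)
        if mnem == "mov" and imm:
            v = imm.group(1)
            eax = int(v, 16) if v.startswith("0x") else int(v)
            name = SYSCALLS.get(eax, "unknown")
            commented.append(f"{line}\t{comment_char} eax = {eax} ({name})")
        elif mnem == "int" and ops == "$0x80":
            name = SYSCALLS.get(eax, "unknown")
            interrupts.append((addr, eax, name))
            commented.append(f"{line}\t{comment_char} syscall {name}")
        else:
            # Conservative: a call or other write to %eax loses track; xor %eax,%eax zeroes it.
            if mnem == "call" or ops.endswith(",%eax"):
                eax = 0 if mnem == "xor" and ops == "%eax,%eax" else None
            commented.append(line)
    return commented, interrupts

# Constructed objdump -d output of a tiny i386 write()/exit() program.
DISASM = """\
08048060 <_start>:
 8048060:\tb8 04 00 00 00       \tmov    $0x4,%eax
 8048065:\tbb 01 00 00 00       \tmov    $0x1,%ebx
 804806a:\tb9 80 90 04 08       \tmov    $0x8049080,%ecx
 804806f:\tba 0d 00 00 00       \tmov    $0xd,%edx
 8048074:\tcd 80                \tint    $0x80
 8048076:\tb8 01 00 00 00       \tmov    $0x1,%eax
 804807b:\t31 db                \txor    %ebx,%ebx
 804807d:\tcd 80                \tint    $0x80
"""
```

Calling annotate(DISASM) yields the commented listing and [("8048074", 4, "write"), ("804807d", 1, "exit")], the two entries an interrupts reference file would record for this program.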
FILES
coroner.conf - (optional conf file)
examiner_hashes.pl - (optional) If present, header files won't be parsed

COPYRIGHT
The program is copyrighted by Craig Smith under the terms of the GPL

AUTHOR
Craig Smith


perl v5.32.1 2021-01-26 EXAMINER(1)