From Collaborative RCE Tool Library

Jump to: navigation, search

.NET Tools

Tool name:

Explorer Suite

Currently5/5
1
2
3
4
5

Rating: 5.0 (1 vote)

Author:

Daniel Pistelli

Website:

http://ntcore.com/exsuite.php

Current version:

III

Last updated:

March 2, 2008

Direct D/L link:

http://ntcore.com/Files/ExplorerSuite.exe

License type:

Free

Description:

A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

Features:

* Process Viewer
* Windows Viewer
* PE and Memory Dumper
* Full support for PE32/64
* Special fields description and modification (.NET supported)
* PE Utilities
* PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
* View and modification of .NET internal structures
* Resource Editor (full support for Windows Vista icons)
* Support in the Resource Editor for .NET resources (dumpable as well)
* Hex Editor
* Import Adder
* PE integrity checks
* Extension support
* Visual Studio Extensions Wizard
* Powerful scripting language
* Dependency Walker
* Quick Disassembler (x86, x64)
* Name Unmangler
* Extension support
* File Scanner
* Directory Scanner
* Deep Scan method
* Recursive Scan method
* Multiple results
* Report generation
* Signatures Manager
* Signatures Updater
* Signatures Collisions Checker
* Signatures Retriever

Also listed in:

.NET Executable Editors, .NET Resource Editors, .NET Signature Removers, Dependency Analyzer Tools, Exe Analyzers, Executable CRC Calculators, Hex Editors, Import Editors, Memory Dumpers, PE Executable Editors, Process Dumpers, Protection Identifiers, Resource Editors

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

IDA Pro

Currently5/5
1
2
3
4
5

Rating: 5.0 (3 votes)

Author:

Ilfak Guilfanov

Website:

http://www.hex-rays.com/idapro

Current version:

5.2

Last updated:

November 26, 2007

Direct D/L link:

N/A

License type:

Commercial

Description:

The IDA Pro Disassembler and Debugger is an interactive, programmable, extendible, multi-processor disassembler hosted on Windows or on Linux. IDA Pro has become the de-facto standard for the analysis of hostile code, vulnerability research and COTS validation.

There is also a free (crippled) version available (IDA Pro Free). See its own entry in the library for more info.

As of January 7, 2007, the official IDA Pro website moved from the old URL (http://www.datarescue.com/idabase) to the one listed above.

Also listed in:

.NET Disassemblers, Disassemblers, Linux Debuggers, Linux Disassemblers, Mobile Platform Debuggers, Mobile Platform Disassemblers, Ring 3 Debuggers

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

Rebel.NET

Currently5/5
1
2
3
4
5

Rating: 5.0 (1 vote)

Author:

Daniel Pistelli

Website:

http://ntcore.com/rebelnet.php

Current version:

1.0.0.1

Last updated:

April 25, 2008

Direct D/L link:

http://ntcore.com/Files/RebelDotNET.zip

License type:

Free

Description:

Rebel.NET is a rebuilding tool for .NET assemblies which is capable of adding and replacing methods and streams.

It's possible to replace only a limited number of methods or every method contained in a .NET assembly. The simplicity of Rebel.NET consists in the replacing process: one can choose what to replace. For instance, one may choose to replace only the method code, instead of its signature or method header.

The interface of Rebel.NET is quite a simple one. As input it requires a .NET assembly to be rebuilded and a Rebel.NET rebuilding file. The Rebel.NET file contains the data that has to be replaced in the original assembly.

Rebel.NET can also create a Rebel.NET file from a given assembly. This is a key functionality, since some times the data of the original assembly has to be processed first to produce a Rebel.NET file for the rebuilding of the assembly. This sort of "report" feature can also be used to analyze the methods of an assembly, since reading the original data from a .NET assembly isn't as easy as reading a Rebel.NET file. It's possible to choose what should be contained in the Rebel.NET file.

All the Rebel.NET features can used through command line, which comes very handy when an automated rebuilding process is needed.

Rebel.NET is, mainly, a very solid base to overcome every .NET protection and to re-create a fully decompilable .NET assembly. As such, Rebel.NET has to be considered a research project, not an encouragement to violate licensing terms.

Also listed in:

.NET Code Injection Tools, .NET Executable Editors

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

CFF Explorer

Currently4.6666666666667/5
1
2
3
4
5

Rating: 4.7 (3 votes)

Author:

Daniel Pistelli

Website:

http://www.ntcore.com/exsuite.php

Current version:

VII

Last updated:

January 17, 2008

Direct D/L link:

http://www.ntcore.com/Files/CFF_Explorer.zip

License type:

Freeware

Description:

The CFF Explorer was designed to make PE editing as easy as possible, but without losing sight on the portable executable's internal structure. This application includes a series of tools which might help not only reverse engineers but also programmers. It offers a multi-file environment and a switchable interface.

Also, it's the first PE editor with full support for the .NET file format. With this tool you can easily edit metadata's fields and flags. If you're programming something that has to do with .NET metadata, you will need this tool. The resource viewer supports .NET image formats like icons, bitmaps, pngs. You'll be able to analyze .NET files without having to install the .NET framework, this tool has its own functions to access the .NET format.

Also includes a cool new scripting engine!

Also listed in:

.NET Executable Editors, PE Executable Editors

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

.NET Generic Unpacker

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

Ntoskrnl

Website:

http://ntcore.com/netunpack.php

Current version:

1.0.0.1

Last updated:

Direct D/L link:

http://ntcore.com/Files/NETUnpack.zip

License type:

Description:

This is a program to dump .NET packed applications. Of course no serious .NET protection relies on packing. In fact, this software shows how easily you can unpack a protected assemly. This .NET Generic Unpacker was written in a couple of hours and despite of the fact that it's very simple, it might turn useful having it: otherwise you have to unpack manually, which is also very easy.

Also listed in:

.NET Unpackers, Automated Unpackers

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

.NET Hook Library

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

shokshok

Website:

http://dotnethook.sourceforge.net

Current version:

2.1

Last updated:

May 30, 2002

Direct D/L link:

Locally archived copy

License type:

Free / Open Source

Description:

.Net Hook Library is a library (with a sample tool) to manipulate functions in a .NET Assembly. It allows for insertion of arbitrary code at the beginning of each function called in a .NET assembly (whether executable or assembly). Also provides code that reads through metadata and dumps information on it.

The download contains detailed documentation about how it works and what it is.

I'm in the process of converting this from an executable to a library. That way, existing applications can use it to modify the .NET binaries (a.k.a assemblies).

Also listed in:

.NET Code Injection Tools, Code Injection Tools

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

DisasMSIL

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

Daniel Pistelli

Website:

http://ntcore.com/Files/disasmsil.htm

Current version:

1.0

Last updated:

April 30, 2008

Direct D/L link:

http://ntcore.com/Files/disasmsil/DisasMSIL.zip

License type:

Free / Open source

Description:

DisasMSIL is a free/open disasm engine for the Microsoft Intermediate Language (MSIL). You can use it any context you wish. There are no license restrictions. The only thing I ask you to do is to send me your bug fixes (if any).

Note: Don't rely on the ECMA specification (Partition III: Common Language Infrastructure), since it's incomplete. Some new opcodes were introduced with the .NET Framework 2.0.

Also listed in:

.NET Disassembler Libraries

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

Dotnet IL Editor (DILE)

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

zsozsop

Website:

http://sourceforge.net/projects/dile

Current version:

0.2.6

Last updated:

September 30, 2007

Direct D/L link:

N/A

License type:

Free / Open Source

Description:

Dotnet IL Editor (DILE) is an editor program which helps modifying .NET assemblies. It is intended to be able to disassemble .NET assemblies, modify the IL code, recompile it and run inside a debugger.

Also listed in:

.NET Disassemblers, .NET Executable Editors

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

MetaPuck

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

y0da

Website:

http://y0da.cjb.net

Current version:

1.0

Last updated:

2005

Direct D/L link:

Locally archived copy

License type:

Free / Open Source

Description:

MetaPuck is a tool to spy the information, being hidden in the MetaData block inside the CLR (Common Language Runtime) Portable Executeable images of the .NET framework, and displays it in a well overlookable TreeView. It also parses .NET "typelibs". Included full source code.

Also listed in:

COM Debugging Tools, .NET Executable Editors

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

PEBrowse Professional

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

SmidgeonSoft

Website:

http://www.smidgeonsoft.prohosting.com/pebrowse-pro-file-viewer.html

Current version:

9.2.5

Last updated:

28 December, 2007

Direct D/L link:

http://www.smidgeonsoft.com/download/PEBrowse.zip

License type:

Free

Description:

PEBrowse Professional is a static-analysis tool and disassembler for Win32/Win64 executables and Microsoft .NET assemblies produced according to the Portable Executable specifications published by Microsoft. For Microsoft Windows Vista, Windows XP, Windows 2000, and others. (We have received reports that the software also works on other OSes, including Wine (!) and Windows CE.)

With the PEBrowse disassembler, one can open and examine any executable without the need to have it loaded as part of an active process with a debugger. Applications, system DLLs, device-drivers and Microsoft .NET assemblies are all candidates for offline analysis using PEBrowse. The information is organized in a convenient treeview index with the major divisions of the PE file displayed as nodes. In most cases selecting nodes will enable context-sensitive multiple view menu options, including binary dump, section detail, disassembly and structure options as well as displaying sub-items, such as optional header directory entries or exported functions, that can be found as part of a PE file unit. Several table displays, hex/ASCII equivalents, window messages and error codes, as well as a calculator and scratchpads are accessible from the main menu.

While the binary dump display offers various display options, e.g., BYTE, WORD, or DWORD alignment, the greatest value of PEBrowse comes when one disassembles an entry-point. An entry-point in PEBrowse is defined as:

* Module entry-point
* Exports (if any)
* Debug-symbols (if a valid PDB, i.e., program database file, is present)
* Imported API references
* Relocation addresses
* Internal functions/subroutines
* Any valid address inside of the module

Selecting and disassembling any number of these entry-points produces a versatile display rich in detail including upper/lowercase display, C/Pascal/Assembler suffix/prefixing, object code, color-coded statements, register usage highlighting, and jump/call target preview popups. Additional information, such as variable and function names, will also be present if one has access to a valid PDB file. Disassembly comes in two flavors: linear sweep (sequential disassembly from a starting address) and recursive traversal, aka, analysis mode (disassembly of all statements reachable by non-call statements - extended analysis disassembles all internal call statements as well). The latter mode also presents local variables with cross-referencing, highlighting, and renaming options. If one adds/changes variable name or adds comments to specific lines, these can be displayed in a session file which will record and save all currently opened displays.

PEBrowse Professional will decompile type library information either embedded inside of the binary as the resource "TYPELIB" or inside of individual type libraries, i.e., .TLB or .OLB files.

PEBrowse Professional also displays all metadata for .NET assemblies and displays IL (Intermediate Language) for .NET methods. It seamlessly handles mixed assemblies, i.e., those that contain both native and managed code.

Finally, PEBrowse can be employed as a file browse utility for any type of file with the restriction that the file must be small enough that it can be memory-mapped.

Also listed in:

Disassemblers, .NET Disassemblers, COM Tools, Delphi Tools, Exe Analyzers, Memory Dumpers

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

RE-Sign

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

LibX

Website:

http://www.reteam.org/tools.html

Current version:

0.1

Last updated:

March 20, 2007

Direct D/L link:

Locally archived copy

License type:

Free

Description:

RE-Sign is a tool to help u re-sign .NET assemblys with your own StrongName key,
and no need todo any manual patching anymore and no need to have sn.exe installed
If u don't have a StrongName keypair file u do need sn.exe to generate one,
but i will include a keypair file generator in the next version.

Also listed in:

.NET Signature Changers

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

REZiriz

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

LibX

Website:

http://www.reteam.org/tools.html

Current version:

2.0

Last updated:

August 28, 2007

Direct D/L link:

http://www.reteam.org/tools/tf33.zip

License type:

Free

Description:

REZiriz is a unpacker for Eziriz .NET Reactor > v3.1.x.x

Also added support to remove NecroBits protection that prevents
the decompilation of unpacked assemblys
And support to unpack v3.3.1.1 of Eziriz .NET Reactor

Unpacker features:
---------------------------
[*] Unpacking Eziriz .NET Reactor v3.3.1.1
[*] Unpacking Eziriz .NET Reactor v3.3.0.1
[*] Unpacking Eziriz .NET Reactor v3.2.4.6
[*] Unpacking Eziriz .NET Reactor v3.2.0.6
[*] Unpacking Eziriz .NET Reactor v3.2.0.0
[*] Unpacking Eziriz .NET Reactor v3.1.0.0

[*] Versions < v3.1.0.0 are not supported

[*] Added NecroBit Protection Remover

Also listed in:

Automated Unpackers, .NET Unpackers

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

Reflector for .NET

Currently5/5
1
2
3
4
5

Rating: 5.0 (1 vote)

Author:

Lutz Roeder

Website:

http://www.aisto.com/roeder/dotnet

Current version:

5.0.50.0 (with autoupdate feature)

Last updated:

Frequently

Direct D/L link:

http://www.aisto.com/roeder/dotnet/Download.aspx?File=Reflector

License type:

Free

Description:

From website:

"Reflector is a very powerful class browser, explorer, analyzer and documentation viewer for .NET. Reflector allows to easily view, navigate, search, decompile and analyze .NET assemblies in C#, Visual Basic and IL."

This is one of the most powerful .NET decompilers that you can't buy - just download :)
Many of the popular commercial tools achieving the same goal "suddenly" got a boost when this masterpiece of work saw a daylights (and besides that those are commercial, still have hard time with obfuscators).

Just give it a try, it will last literally five minutes - load some well known assembly of yours, choose target .NET language (!) and let'em work. Then compare it with the original.

You'll surely not forget this one.

Also listed in:

.NET Disassemblers, Decompilers, .NET Decompilers

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

Resourcer for .NET

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

Lutz Roeder

Website:

http://www.aisto.com/roeder/dotnet/

Current version:

1.0

Last updated:

Direct D/L link:

N/A

License type:

Free

Description:

Resourcer is an editor for .resources binaries and .resX XML file formats used with the .NET platform. Resourcer allows editing of name/string pairs, import of bitmaps/icons and and merging of resources from different sources.

Also listed in:

.NET Resource Editors

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

SNSRemover