From Collaborative RCE Tool Library
API Monitoring Tools
| Tool name: | APIScan |
|---|---|
| Author: | Sirmabus |
| Website: | http://www.openrce.org/forums/posts/456 |
| Current version: | 2.2 |
| Last updated: | April 28, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Also listed in: | Dependency Analyzer Tools |

Description:

APIScan is a simple tool to gather a list of the APIs that a target process uses. You can use this list in an initial analysis to help determine a target's general operating nature. It can also be used to help determine patch/update changes by running WinDiff on a "before" and "after" dump. There are similar tools, often more robust (like "Dependency Walker"), but most of these only parse the target's IAT ("Import Address Table"). APIScan catches dynamically/delay-loaded modules too, and dumps them as a simple list.

Example dump for a module:

```
Library        Flags   Function
====================================
-- COMCTL32.DLL
               [I...]  ImageList_Add
               [I...]  ImageList_Create
               [I...]  ImageList_Destroy
               [I.O.]  InitCommonControls
               [.D..]  InitCommonControlsEx
               [.D.F]  ImNotHere
...
...
```

Explanation: APIScan saw that "COMCTL32.DLL" is loaded as an import via the IAT, and it also caught it being loaded dynamically for "InitCommonControlsEx"; that's the 'D' flag in "[.D..] InitCommonControlsEx". The 'F' in "[.D.F] ImNotHere" means that the application failed in one or more attempts to dynamically load (from the 'D') "ImNotHere", since this export doesn't exist in "COMCTL32.DLL". In "[I.O.] InitCommonControls", the 'I' tells us this API is in the IAT, and the 'O' tells us it was imported by "ordinal". Note that an API can carry both the 'I' and 'D' flags (as well as 'O', and 'F' if there is a 'D'), since an application can have it in its IAT and also load it dynamically (with "GetProcAddress()").

Changes:

2.2: Got rid of the index numbers around the DLL and API dumps, which made WinDiff'ing a mess.

TODO:

1. Add intra-module support. APIScan could parse the IATs of modules/DLLs and optionally filter out GetProcAddress() calls made within modules for better focus.
2. Optional real-time output to DBGVIEW.

| Tool name: | Auto Debug |
|---|---|
| Author: | |
| Website: | http://www.autodebug.com |
| Current version: | 4.3 |
| Last updated: | 2007 |
| Direct D/L link: | N/A |
| License type: | Shareware |
| Also listed in: | (Not listed in any other category) |

Description:

Auto Debug is an API monitor tool which can automatically trace all APIs and ActiveX interfaces, with their input and output parameters. After setting the APIs you want to monitor, the application automatically traces the target program and monitors the input and output of each call. It analyses PDB files automatically while monitoring any DLL or ActiveX interface. Unlike other API spy or API monitor tools, Auto Debug doesn't need the user to develop any DLL or hook DLL. It's easy to use: just set the APIs you want to monitor to ON; once the target application is running and calling these APIs, it will monitor their input and output parameters automatically! There is no need to develop any DLL; once the software is installed, you can start monitoring APIs right away. If you have the API prototype (often from the .h file), you can easily build the PDB file without the original source. For example, a sample for generating a comdlg32.dll PDB file can be found at $InstallPath\PDBsample (requires the Professional Version, which also generates PDB files for over 30 Windows system DLLs).

News: Auto Debug for Windows x64 version is available.

Features: it does not need the source code to be rebuilt while automatically monitoring the input parameters and output results of the traced APIs in the target program; it only monitors the input and output of the APIs.

* Source code level monitor (new in Professional V4.1).
* Automatic analysis of parameter types with PDB files (new in V4.0). Support for Visual Studio 2005, Visual Studio .NET 2003 and Visual C++ 6.0.
* Very easy to generate PDB files without source code if you know the API prototype (new in Professional V4.0).
* Tracing your application with the release version.
* The best API monitor tool.
* Tracing the release version with a map file.
* Supports debug and release versions, no source code needed.
* Supports tracing COM interfaces.
* Supports multithreading.
* No need to know the prototypes of the functions.
* Traces not only exported APIs but also undocumented APIs.

| Tool name: | BoundsChecker |
|---|---|
| Author: | Compuware |
| Website: | http://www.compuware.com/products/devpartner/visualc.htm |
| Current version: | |
| Last updated: | |
| Direct D/L link: | N/A |
| License type: | Commercial |
| Also listed in: | (Not listed in any other category) |

Description:

Among many things, BoundsChecker is actually a pretty decent API monitor/logger.

| Tool name: | Detours |
|---|---|
| Author: | Microsoft |
| Website: | http://research.microsoft.com/sn/detours |
| Current version: | 2.1 |
| Last updated: | 2007 |
| Direct D/L link: | N/A |
| License type: | Free |
| Also listed in: | Code Injection Tools |

Description:

Innovative systems research hinges on the ability to easily instrument and extend existing operating system and application functionality. With access to the appropriate source code, it is often trivial to insert new instrumentation or extensions by rebuilding the OS or application. However, in today's world systems researchers seldom have access to all relevant source code.

Detours is a library for instrumenting arbitrary Win32 functions on x86, x64, and IA64 machines. Detours intercepts Win32 functions by rewriting the in-memory code of target functions. The Detours package also contains utilities to attach arbitrary DLLs and data segments (called payloads) to any Win32 binary. Detours preserves the un-instrumented target function (callable through a trampoline) as a subroutine for use by the instrumentation. Our trampoline design enables a large class of innovative extensions to existing binary software. We have used Detours to create an automatic distributed partitioning system, to instrument and analyze the DCOM protocol stack, and to create a thunking layer for a COM-based OS API. Detours is used widely within Microsoft and within the industry.

Detours 2.1 is now available. Detours 2.1 includes the following new features:

* Complete documentation of the Detours API.
* Transactional model for attaching and detaching detours.
* Support for updating peer threads when attaching or detaching detours.
* Unification of dynamic and static detours into a single API.
* Support for detection of detoured processes.
* Significant robustness improvements in APIs that start a process with a DLL containing detour functions.
* New APIs to copy payloads into target processes.
* Support for 64-bit code on x64 and IA64 processors (available in Professional edition only).
* Supports building detours with Visual Studio 2005, Visual Studio .NET 2003, Visual Studio .NET (VC8), and Visual Studio (VC7).

| Tool name: | DynLogger |
|---|---|
| Author: | Daniel Pistelli |
| Website: | http://ntcore.com/dynlogger.php |
| Current version: | 1.1.0.1 |
| Last updated: | April 14, 2008 |
| Direct D/L link: | http://ntcore.com/Files/DynLogger_x86.zip |
| License type: | Free |
| Also listed in: | (Not listed in any other category) |

Description:

DynLogger logs all dynamically retrieved functions by reporting the module name and the requested function. It can come in very handy when one wants to know a "hidden" function used by an application. It also logs the loaded modules. Download the x64 version of DynLogger only if the process is not an x86 process. In all other cases download the x86 version.

I recycled the code of a bigger project to write this little application. It's a very small utility, but it might be of use after all. It was tested on XP and Vista, both x86 and x64. It works for .NET applications as well. Just start the logging process; the log will be saved after you quit the monitored application.

| Tool name: | KaKeeware Application Monitor (KAM) |
|---|---|
| Author: | KaKeeware |
| Website: | http://www.kakeeware.com/i_kam.php |
| Current version: | 1.32 |
| Last updated: | May 24, 2007 |
| Direct D/L link: | http://www.kakeeware.com/download.php?f=kam.exe |
| License type: | Freeware |
| Also listed in: | (Not listed in any other category) |

Description:

KaKeeware Application Monitor is a very small API monitor that allows the user to monitor the APIs called by a given application. KAM supports 5577 different APIs as of now. KAM works as an API spy that may help developers and localization engineers find bugs in release versions of software. It can also be used by malware analysts to check which APIs are used by the sample they analyse. The executable file is packed with Upack.

Since v1.04, KAM can retrieve object names (filenames, registry keys) and shows them in the UI instead of handles, making the listing more readable.

* 1.10 shows more information about monitored APIs.
* 1.20 added groups to the APIs window and added command line support for the monitored program.
* 1.21 hopefully fixes the problem with some XP versions.
* 1.30 introduces a lot of new APIs (now it's over 5000!).
* 1.31 finally conquers Vista.
* 1.32 adds some APIs (as per request :).

Please be aware that some AV programs may flag kam.exe as malicious. This is a problem known as an FP (False Positive). kam.exe is not malicious and it doesn't contain any malicious code.

| Tool name: | Malcode Analysis Pack |
|---|---|
| Author: | David Zimmer (iDefense Labs) |
| Website: | http://labs.idefense.com/files/labs/releases/previews/map/ |
| Current version: | |
| Last updated: | November 13, 2006 |
| Direct D/L link: | http://labs.idefense.com/software/download/?downloadID=8 |
| License type: | GPL2 |
| Also listed in: | Malware Analysis Tools, Network Tools, Process Monitoring Tools, TCP Proxy Tools, Network Sniffers, Import Editors, Reverse Engineering Frameworks |

Description:

The Malcode Analyst Pack contains a series of utilities that were found to be necessary tools while doing rapid malcode analysis. Included in this package are:

* ShellExt - 4 Explorer shell extensions
* socketTool - manual TCP client for probing functionality
* MailPot - mail server capture pot
* fakeDNS - spoofs DNS responses to controlled IPs
* sniff_hit - HTTP, IRC, and DNS sniffer
* sclog - shellcode research and analysis application
* IDCDumpFix - aids in quick RE of packed applications
* Shellcode2Exe - embeds multiple shellcode formats in an exe husk
* GdiProcs - detects hidden processes

| Tool name: | Rohitab API Monitor |
|---|---|
| Author: | Rohitab |
| Website: | http://www.rohitab.com/apimonitor/index.html |
| Current version: | 1.5 |
| Last updated: | January 7, 2001 |
| Direct D/L link: | http://www.rohitab.com/apimonitor/apimonitor.msi |
| License type: | Freeware |
| Also listed in: | (Not listed in any other category) |

Description:

API Monitor is software that monitors and displays API calls made by applications. It's a powerful tool for seeing how Windows and other applications work, or for tracking down problems that you have in your own applications.

| Tool name: | SysAnalyzer |
|---|---|
| Author: | David Zimmer (iDefense Labs) |
| Website: | http://labs.idefense.com/files/labs/releases/previews/SysAnalyzer/ |
| Current version: | |
| Last updated: | January 19, 2007 |
| Direct D/L link: | http://labs.idefense.com/software/download/?downloadID=15 |
| License type: | GPL2 |
| Also listed in: | Disk Monitoring Tools, Registry Monitoring Tools, Network Monitoring Tools, Install Monitoring Tools, File Monitoring Tools, Memory Dumpers |

Description:

SysAnalyzer is an automated malcode run-time analysis application that monitors various aspects of system and process state. SysAnalyzer was designed to enable analysts to quickly build a comprehensive report of the actions a binary takes on a system. SysAnalyzer can automatically monitor and compare:

* Running processes
* Open ports
* Loaded drivers
* Injected libraries
* Key registry changes
* APIs called by a target process
* File modifications
* HTTP, IRC, and DNS traffic

SysAnalyzer also comes with a ProcessAnalyzer tool which can perform the following tasks:

* Create a memory dump of the target process
* Parse the memory dump for strings
* Parse the strings output for exe, reg, and URL references
* Scan the memory dump for known exploit signatures

Full GPL source for SysAnalyzer is included in the installation package.

| Tool name: | Win32 API Monitor |
|---|---|
| Author: | N/A |
| Website: | http://www.apimonitor.com |
| Current version: | 1.2.1 |
| Last updated: | December 3, 2007 |
| Direct D/L link: | http://www.apimonitor.com/download/APIMonitorTrial.exe |
| License type: | Shareware |
| Also listed in: | (Not listed in any other category) |

Description:

API Monitor is software that allows you to spy on and display Win32 API calls made by applications. It can trace any exported API and display a wide range of information, including function name, call sequence, input and output parameters, function return value and more. A useful developer tool for seeing how Win32 applications work and learning their tricks.

Main features:

* Trace any exported API, including Win32 APIs and other 3rd-party APIs; there is no need to know the prototype of the functions.
* Display a wide range of information, including function name, call sequence, input and output parameters, function return value, GetLastError code and more.
* Predefined prototypes for 82 DLLs and nearly 4000 APIs.
* Filter Profiles are a powerful way of storing your favorite monitor settings for use in other sessions. API Monitor presets 27 API Filter Profiles, including Handles and Objects, Dynamic-Link Libraries, Event Log, Pipes and Mailslots, Debugging, Windows Classes, COMM, Application Related, Shell, Dialog Boxes, File System, Services Related, Remote Access Service, Memory Management, Print Related, Windows, Registry, Processes and Threads, File IO, WinInet, Windows Sockets, Multimedia API, Windows GUI, Network Management, WinNT Security, Access Control Functions.
* Allows content to be viewed and exported: log content can be viewed within API Monitor, exported to another application or saved to a file.
* Supports debug and release versions with no modifications to the target application.
* Supports Unicode and ANSI APIs.
* Monitor a running process: spy on APIs in a background or console process that is already running.
* Supports multithreading.
* Displays API calls originating from ActiveX controls and COM objects instantiated by an application.
* MS Excel® style data filtering; customize filter criteria against any data item.
* Automatic click-sorting on an unlimited number of columns, descending or ascending.
* Automatic data grouping: an extremely powerful data viewing and manipulation metaphor.
* Automatic runtime column selection: easily customize the columns visible on-screen with intuitive drag and drop.
* Instant online MSDN help: this feature allows you to view online MSDN context-sensitive help for the currently selected API.
