From Collaborative RCE Tool Library
Anti Anti Test Tools
| Tool name: | xADT eXtensible Anti-Debug Tester |
|---|---|
| Author: | Shub-Nigurrath |
| Website: | http://arteam.accessroot.com |
| Current version: | 1.3 |
| Last updated: | November 5, 2007 |
| Direct D/L link: | http://arteam.accessroot.com/releases.html?fid=33 |
| License type: | Free |

Description: The tool is thought to be a unique extensible platform for integrating all the anti-debugging tricks you might see around, using a unique extensible interface you also might easily extend using plugins. The tool is useful to test the hiding features of the debugging tools and custom loaders as well as the hiding of any other reversing tool: see how well they're hidden or not. The second advantage is to finally have a unique testing program and not to have hundreds of spare tiny programs. The ease of adding new external tests and writing new plugins is also an important feature, which finally frees the author of new anti-debugging tools to concentrate on the logic of the test without having to spend a single second on its user interface. Do you think your Olly is well hidden? Try this tool from Olly and all the possible hiding tools around; up to today there's always one test which detects Olly! Version 1.3 includes several plugins contributed by different authors as well as sources of sample plugins in Delphi, C and ASM.

Also listed in: Anti Debug Test Tools
| Tool name: | Anti Olly Tester |
|---|---|
| Author: | Shub-nigurrath |
| Website: | http://arteam.accessroot.com/releases/ |
| Current version: | 1.0 |
| Last updated: | August 25, 2006 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |

Description: This little program is more a POC than a friendly program. It's based on an idea Gabri3l discussed once, to test the environment in which the program is going to run and adapt itself to the conditions it finds. Well, this program is a set of tests performed on the processes running on the system. They are performed on several tools using blacklists, but special attention is paid to OllyDbg. It detects debugging programs through different methods, all connected to the execution environment:

* Method 1: see if the window name of one of the currently running processes is blacklisted or not
* Method 2: collects the ClassName of each of the active windows and checks if it is blacklisted
* Method 3: tests the processes' paths and sees if any is blacklisted
* Method 4: tests the modules (DLLs) loaded by any active process to see if any is a known plugin or matches a blacklist of processes and words
* Method 5: opens the install folder where the program is running from and sees if any of the files inside that folder has one blacklisted word
* Method 6: tests the export directory of the running processes, if there's something connected with Olly
* Method 7: tests the VERSION_INFO resource of the running processes to check if any matches a blacklist
* Method 8: tests all the other resources (dialogs, menus, bitmaps and so on) of the running processes to check if any contains blacklisted words (either UNICODE or ASCII)

The blacklists are taken from SDProtector and are generic enough to include almost all known RCE tools around. The result is really interesting and the resulting check is very difficult to overcome: it's very difficult to hide Olly from this type of test. The final code is very small, even if written using C. Moreover, consider that each test might be performed by parallel recurrent threads and decrypted/encrypted just before and after execution. An exe protected like this might easily become a nightmare, without having to write a single ASM trick.

Note that this same test is included in xADT 1.2 as the test "Find Complex".

Also listed in: Anti Debug Test Tools
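Method 8 above is the one that is hardest to evade by renaming a window, because it looks for the blacklisted words wherever they happen to be stored, in ANSI or in UTF-16 (what Win32 calls UNICODE). The following C program is an added example written for this page, not code from Anti Olly Tester or SDProtector: it scans an arbitrary byte buffer (think of a dumped resource section or a module image) for a blacklist of words in either encoding, case-insensitively, and reports where and in which form each word was found. The blacklist, the sample blob and all function names are constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not part of Anti Olly Tester): blacklist-word scanning over
   raw bytes, matching both ASCII and UTF-16LE spellings of each word. */

/* Case-insensitive comparison of one byte against an ASCII pattern character. */
static int ci_eq(uint8_t b, char p) {
    return tolower((unsigned char)b) == tolower((unsigned char)p);
}

/* Returns the offset of the first occurrence of `word` in buf (ASCII or
   UTF-16LE, case-insensitive), or -1. *wide is set to 1 for a UTF-16LE hit. */
long find_word(const uint8_t *buf, size_t len, const char *word, int *wide) {
    size_t wl = strlen(word);
    if (wl == 0) return -1;
    for (size_t i = 0; i < len; i++) {
        /* ASCII/ANSI form: one byte per character. */
        if (i + wl <= len) {
            size_t k = 0;
            while (k < wl && ci_eq(buf[i + k], word[k])) k++;
            if (k == wl) { if (wide) *wide = 0; return (long)i; }
        }
        /* UTF-16LE form: each ASCII character followed by a zero high byte. */
        if (i + 2 * wl <= len) {
            size_t k = 0;
            while (k < wl && ci_eq(buf[i + 2 * k], word[k]) && buf[i + 2 * k + 1] == 0) k++;
            if (k == wl) { if (wide) *wide = 1; return (long)i; }
        }
    }
    return -1;
}

/* Convenience: 1 if `word` is present as UTF-16LE, 0 if as ASCII, -1 if absent. */
int word_encoding(const uint8_t *buf, size_t len, const char *word) {
    int wide = 0;
    return find_word(buf, len, word, &wide) < 0 ? -1 : wide;
}

typedef struct { const char *word; long offset; int wide; } blacklist_hit;

/* Scans buf against every word in the blacklist. Returns how many words were
   found; if hits is non-NULL, records where and in which encoding (up to maxhits). */
int scan_blacklist(const uint8_t *buf, size_t len, const char *const *words,
                   size_t nwords, blacklist_hit *hits, size_t maxhits) {
    int n = 0;
    for (size_t w = 0; w < nwords; w++) {
        int wide = 0;
        long off = find_word(buf, len, words[w], &wide);
        if (off < 0) continue;
        if (hits && (size_t)n < maxhits) {
            hits[n].word = words[w]; hits[n].offset = off; hits[n].wide = wide;
        }
        n++;
    }
    return n;
}

/* Constructed sample: a fake resource blob holding a UTF-16LE dialog caption
   followed by an ASCII VERSION_INFO-style string. */
const uint8_t sample_blob[] = {
    0x00, 0x01, 0x02,                                   /* filler            */
    'O',0, 'l',0, 'l',0, 'y',0, 'D',0, 'b',0, 'g',0,    /* UTF-16LE "OllyDbg v1" */
    ' ',0, 'v',0, '1',0,
    0xFF, 0xFE,                                         /* junk between strings */
    'C','o','m','p','a','n','y',':',' ',
    'S','o','f','t','I','C','E',                        /* ASCII "SoftICE"   */
    0x00
};
const size_t sample_blob_len = sizeof sample_blob;

/* Constructed blacklist; the real tool takes its lists from SDProtector. */
const char *const blacklist[] = { "ollydbg", "softice", "idapro", "windbg" };
const size_t blacklist_len = sizeof blacklist / sizeof blacklist[0];

int main(void) {
    blacklist_hit hits[8];
    int n = scan_blacklist(sample_blob, sample_blob_len, blacklist, blacklist_len, hits, 8);
    for (int i = 0; i < n; i++)
        printf("found \"%s\" at offset %ld (%s)\n", hits[i].word, hits[i].offset,
               hits[i].wide ? "UTF-16LE" : "ASCII");
    return n > 0 ? 1 : 0;   /* non-zero exit: a blacklisted tool is present */
}
```

On the constructed blob the scan reports "ollydbg" at offset 3 as UTF-16LE and "softice" at offset 34 as ASCII. Because matching is substring-based, a real deployment needs the same kind of curated word list the description mentions: a word like "olly" alone will hit unrelated resources, while a full product name rarely does.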
| Tool name: | GMER |
|---|---|
| Author: | Przemyslaw Gmerek |
| Website: | http://www.gmer.net |
| Current version: | 1.0.14.14205 |
| Last updated: | March 5, 2008 |
| Direct D/L link: | http://www.gmer.net/gmer.zip |
| License type: | Free |

Description: GMER is an application that detects and removes rootkits. It scans for:

* Hidden processes
* Hidden threads
* Hidden modules
* Hidden services
* Hidden files
* Hidden Alternate Data Streams
* Hidden registry keys
* Drivers hooking SSDT
* Drivers hooking IDT
* Drivers hooking IRP calls
* Inline hooks

GMER also allows monitoring of the following system functions:

* Process creation
* Driver loading
* Library loading
* File functions
* Registry entries
* TCP/IP connections

GMER runs on Windows NT/W2K/XP/Vista.

Also listed in: Kernel Hook Detection Tools
| Tool name: | HookExplorer |
|---|---|
| Author: | David Zimmer |
| Website: | http://labs.idefense.com/software/malcode.php |
| Current version: | |
| Last updated: | March 16, 2006 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |

Description: HookExplorer is a small utility designed to scan a target process and identify any user-land hooks that may be installed by unknown code. Detects IAT and detours-style hooks, and allows the user to define an 'ignore list' to help cut through results.

Also listed in: Anti Hook Test Tools
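A detours-style hook, the kind HookExplorer looks for (and the "Inline hooks" GMER lists), works by overwriting the first bytes of a function with a jump to the hook code. The C program below is an added example written for this page, not HookExplorer's or GMER's code: it classifies the prologue bytes of a function by the trampoline patterns hook engines commonly write, recovers the jump target where the encoding allows it, and shows the pattern-independent fallback of diffing the live bytes against a pristine copy. The sample prologues, the load address and all names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not HookExplorer or GMER code): recognise the trampolines
   an inline hook leaves at the start of a function. */

typedef enum {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,      /* E9 rel32          : classic 5-byte Detours jump       */
    HOOK_JMP_RIP_IND,    /* FF 25 disp32      : jmp [rip+disp] (x64) / jmp [abs]  */
    HOOK_PUSH_RET,       /* 68 imm32 C3       : push target; ret                  */
    HOOK_MOV_RAX_JMP     /* 48 B8 imm64 FF E0 : mov rax, target; jmp rax (x64)    */
} hook_kind;

typedef struct {
    hook_kind kind;
    uint64_t  target;    /* where control goes; for FF 25 the address of the pointer slot */
} hook_result;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) {
    return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32);
}

/* code/len: the function's first bytes as read from the live process.
   func_va: the virtual address they were read from (needed for rel32 math). */
hook_result classify_prologue(const uint8_t *code, size_t len, uint64_t func_va) {
    hook_result r = { HOOK_NONE, 0 };
    if (len >= 5 && code[0] == 0xE9) {
        r.kind = HOOK_JMP_REL32;                     /* target = next instruction + rel32 */
        r.target = func_va + 5 + (uint64_t)(int64_t)(int32_t)rd32(code + 1);
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        r.kind = HOOK_JMP_RIP_IND;                   /* pointer slot = next instruction + disp32 */
        r.target = func_va + 6 + (uint64_t)(int64_t)(int32_t)rd32(code + 2);
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        r.kind = HOOK_PUSH_RET;
        r.target = rd32(code + 1);
    } else if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
               code[10] == 0xFF && code[11] == 0xE0) {
        r.kind = HOOK_MOV_RAX_JMP;
        r.target = rd64(code + 2);
    }
    return r;
}

/* Pattern-independent check: diff the live prologue against a pristine copy
   (e.g. the same bytes from the module file on disk).
   Returns the index of the first differing byte, or -1 if identical. */
int first_diff(const uint8_t *live, const uint8_t *pristine, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (live[i] != pristine[i]) return (int)i;
    return -1;
}

/* Constructed sample: a typical x64 prologue (mov [rsp+8],rbx; push rdi; sub rsp,20h) ... */
const uint8_t clean_prologue[]  = { 0x48,0x89,0x5C,0x24,0x08, 0x57, 0x48,0x83,0xEC,0x20 };
/* ... and the same bytes after a hook engine wrote "jmp +0xFFB" over the first five. */
const uint8_t hooked_prologue[] = { 0xE9,0xFB,0x0F,0x00,0x00, 0x57, 0x48,0x83,0xEC,0x20 };
const uint64_t sample_va = 0x7FF800001000ULL;   /* constructed address of the function */
const size_t sample_len = sizeof clean_prologue;

int main(void) {
    hook_result r = classify_prologue(hooked_prologue, sample_len, sample_va);
    int d = first_diff(hooked_prologue, clean_prologue, sample_len);
    printf("kind=%d target=0x%llx first_diff=%d\n", (int)r.kind,
           (unsigned long long)r.target, d);
    return r.kind != HOOK_NONE;
}
```

For the constructed sample the scanner reports a rel32 jump whose target is 0x7FF800002000 (function address + 5 + 0xFFB) and a first differing byte at offset 0. Some legitimate functions begin with a jump (export forwarders, thunks, hot-patch stubs), which is exactly why HookExplorer offers an ignore list; and when diffing against the on-disk image, absolute addresses inside the prologue differ after relocation, so a real tool must apply the module's relocations before comparing.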
| Tool name: | RAIDE |
|---|---|
| Author: | petersilberman |
| Website: | http://www.rootkit.com/project.php?id=33 |
| Current version: | Beta 1 |
| Last updated: | August 6, 2006 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |

Description: RAIDE stands for Rootkit Analysis Identification Elimination. RAIDE is a rootkit detection/removal tool. RAIDE offers unique features like process dumping, firewall identification, etc.

Also listed in: Kernel Hook Detection Tools
| Tool name: | Rootkit Unhooker |
|---|---|
| Author: | EP_X0FF |
| Website: | http://rku.nm.ru |
| Current version: | 3.7.300.509 |
| Last updated: | November 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |

Description: Rootkit Unhooker LE (RkU) is an advanced rootkit detection/removal utility, designed specially for advanced users and IT professionals. It runs under 32-bit Windows 2000, Windows XP, Windows 2003 Server and Windows Vista. The project was discontinued when it was bought up by Microsoft in November 2007.

Also listed in: Kernel Hook Detection Tools
| Tool name: | SSDT Revealer |
|---|---|
| Author: | ZaiRoN |
| Website: | http://zairon.wordpress.com/2007/03/20/tool-system-service-descriptor-table-revealer/ |
| Current version: | 1.0 |
| Last updated: | March 20, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |

Description: This is a little tool I coded some time ago. The name says it all: it reveals the System Service Dispatch Table, showing possible hooks over one or more functions. It was born as a part of a more complex tool, which is still unfinished. SSDT Revealer is nothing special but could come in handy. The program has been developed under Win-XP. It should run on other OSs but I really don't know. Again, it's a personal program and I didn't spend nights and nights trying to find one or more bugs; when a bug occurs, I fix it. If you find a bug or something else, please don't hesitate to contact me.

Also listed in: Kernel Hook Detection Tools
| Tool name: | SourPill VM Detector |
|---|---|
| Author: | TiGa |
| Website: | N/A |
| Current version: | 1.0 |
| Last updated: | August 17, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |

Description: Here is a little program I made to help with VM detection. It reads the CPU name and checks the average RDTSC timing of the CPUID instruction over 100000 executions. CPUID takes around 350 cycles to execute on a native OS but around 2500-3500 cycles in a VM. It should also notice a timing difference if VMX is enabled and used for Intel CPUs, due to the TLB having to be rewritten in part. The only thing I think could fool it is Blue Chicken in the New Blue Pill. I hope it can be of use to somebody.

Also listed in: VM Detection Test Tools
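The timing check SourPill describes is easy to reproduce. The C program below is an added example written for this page, not SourPill's code: it reads the processor brand string through CPUID leaves 0x80000002-0x80000004, times a single CPUID with RDTSC, averages over a configurable number of runs (the tool uses 100000), and classifies the average using the midpoint between the figures quoted above (350 native, 2500 VM). The threshold, the function names and the extra hypervisor-present-bit check (CPUID.1:ECX bit 31) are this example's additions; on a non-x86 build the measurement functions return 0 and the classifier answers "unknown". It builds with GCC or Clang.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* Added example (not SourPill code): RDTSC-timed CPUID as a VM heuristic.
   Thresholds are the cycle counts quoted in the SourPill description. */
#define NATIVE_CYCLES   350.0
#define VM_CYCLES_LOW  2500.0

typedef enum { ENV_UNKNOWN = 0, ENV_NATIVE, ENV_VM } env_guess;

/* Decide using the midpoint between the two quoted figures (1425 cycles). */
env_guess classify_cpuid_cycles(double avg_cycles) {
    if (avg_cycles <= 0.0) return ENV_UNKNOWN;
    return avg_cycles >= (NATIVE_CYCLES + VM_CYCLES_LOW) / 2.0 ? ENV_VM : ENV_NATIVE;
}

/* One sample: TSC ticks spent in a single CPUID (leaf 0). Returns 0 off x86. */
static uint64_t cpuid_cycles_once(void) {
#if HAVE_X86
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);       /* CPUID serialises and always exits to a VMM */
    uint64_t t1 = __rdtsc();
    return t1 - t0;
#else
    return 0;
#endif
}

/* Average over n executions; SourPill uses n = 100000. */
double avg_cpuid_cycles(unsigned n) {
    if (n == 0) return 0.0;
    uint64_t total = 0;
    for (unsigned i = 0; i < n; i++) total += cpuid_cycles_once();
    return (double)total / (double)n;
}

/* Processor brand string from CPUID leaves 0x80000002..0x80000004 (48 chars). */
int read_cpu_brand(char out[49]) {
    out[0] = '\0';
#if HAVE_X86
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(0x80000000u, &eax, &ebx, &ecx, &edx) || eax < 0x80000004u) return 0;
    for (unsigned i = 0; i < 3; i++) {
        unsigned regs[4];
        __get_cpuid(0x80000002u + i, &regs[0], &regs[1], &regs[2], &regs[3]);
        memcpy(out + 16 * i, regs, 16);
    }
    out[48] = '\0';
    return 1;
#else
    return 0;
#endif
}

/* Extra check not in SourPill: CPUID.1:ECX bit 31 reads 0 on bare metal and
   is set by most hypervisors. Cheap, but trivially hidden by a VMM. */
int hypervisor_bit_set(void) {
#if HAVE_X86
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return 0;
    return (int)((ecx >> 31) & 1u);
#else
    return 0;
#endif
}

int main(void) {
    char brand[49];
    double avg = avg_cpuid_cycles(100000);
    read_cpu_brand(brand);
    printf("cpu: %s\nhypervisor bit: %d\naverage CPUID cost: %.0f cycles -> %s\n",
           brand, hypervisor_bit_set(), avg,
           classify_cpuid_cycles(avg) == ENV_VM ? "VM" : "native");
    return 0;
}
```

Two caveats when using this for real: an arithmetic mean over 100000 runs is pulled upward by every interrupt and context switch that lands inside the loop, so the minimum or median sample is a more stable statistic than the average; and the absolute numbers depend on the CPU generation and on the hypervisor, which can also offset or trap RDTSC itself, so the 350/2500 figures are a starting point to calibrate, not constants to hard-code.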