From Collaborative RCE Tool Library

Jump to: navigation, search

Categorized by Target Type


Tool name: .netshrink
Rating: 5.0 (1 vote)
Author: Bartosz Wójcik                        
Website: http://www.pelock.com
Current version: 2.3
Last updated: March 29, 2012
Direct D/L link: http://pelock.com/download.php?f=netshrink.exe
License type: Shareware
Description: .netshrink is an executable compressor and DLL binder for .NET applications. It uses LZMA compression library and can decrease your file size by 50%. It can also protect your files with a password.

With .netshrink you can also bind multiple DLL libraries to the output file so you can redistribute your application as a standalone file

.netshrink uses LZMA compression library to achieve maximum compression ratios. Password protection uses verification based on SHA256 hash function and 256 bit AES / Rijndael encryption.

Version history

v2.3
* project files support added
* list of locally stored passwords added
* fixed bugs with handling x64 applications

v2.2
* original assembly CPU architecture preservation
* running compressed assemblies from the UNC paths fixed

v2.1
* virtual DLL libraries binding to the output executable file
* detection of cracking and unpacking tools
* backup file creation
* original assembly name, copyright and company information preservation

v2.01
* detection of already compressed applications
* minor bugs fixed

v2.0
* resources preservation (all resources, including icons, manifests etc.)
* compression of command line executables
* support added for .NET Framework 3.0, 3.5 and 4.0
* .NET Framework auto detection
* updated password query dialogs
* enter password from the command line for protected files
* minor bugs fixed
* help file updated to .chm format

v1.0
* first public release
Also listed in: .NET Packers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: AdmiralDebilitate
Rating: 5.0 (1 vote)
Author: Admiral                        
Website: http://www.ring3circus.com/downloads/admiraldebilitate
Current version: 0.2
Last updated: June 16, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: AdmiralDebilitate is a tool for removing .NET strong name signing, particularly suited for large projects consisting of multiple nested dependencies. The interface is fairly simple: open up all relevant executables simultaneously (or all PEs if late-binding is in use) and ‘mark’ those that are to be modified. AdmiralDebilitate will determine the minimal area of the dependency tree that requires fixing and execute things appropriately. Any mismatching references will be listed in the ‘Problem Areas’ pane. Please report any bugs, after reading the following list of notes and caveats:

* All dependencies on mscorlib and System.* are ignored. I don’t see why this should be a problem, but bear it in mind if something isn’t working.
* Only exe and dll files are supported.
* The tool searches only the current folder for DLLs referenced by the seeding assemblies. If the system is relying on environment variables being set or suchlike, then AdmiralDebilitate will probably fail to load all the assemblies. A workaround is to temporarily place all the files in the same directory.

Updates:

* 17/06/08 - A silly little fencepost error was causing problems with assemblies having AssemblyRef as their last table. That’s fixed in version 0.2.


Thanks go out to Dan Pistelli, without whose .NET specification this wouldn’t have happened.
Also listed in: .NET Signature Changers, .NET Signature Removers, Dependency Analyzer Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: COM VfTable Dumper
Rating: 5.0 (1 vote)
Author: Ronnie Johndas                        
Website: N/A
Current version: 1.0
Last updated: February 2, 2010
Direct D/L link: Locally archived copy
License type: GPL
Description: This parses the TLB info and gets method addresses in the registered interfaces of the COM component.
Also listed in: COM Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Class Informer
Rating: 5.0 (1 vote)
Author: Sirmabus                        
Website: http://www.macromonkey.com/bb/viewforum.php?f=65
Current version: 1.02
Last updated: March 28, 2011
Direct D/L link: Locally archived copy
License type: Free
Description: Scans an MSVC 32bit target IDB for vftables with C++ RTTI, and MFC RTCI type data.
Places structure defs, names, labels, and comments to make more sense of class vftables ("Virtual Function Table") and make them read
easier as an aid to reverse engineering.
Creates a list window with found vftables for browsing.

RTTI ("Run-Time Type Identification"):
http://en.wikipedia.org/wiki/RTTI

RTCI ("Run Time Class Information") the MFC forerunner to "RTTI":
http://msdn.microsoft.com/en-us/library/fych0hw6(VS.80).aspx
------------------------------------------------------------

See also screenshot example of vftable info set by plug-in below.
Also listed in: COM Tools, IDA Extensions
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: ExeInfo PE
Rating: 5.0 (1 vote)
Author: A.S.L.                        
Website: http://www.exeinfo.xn.pl
Current version: 0.0.4.1 with 902+35 signatures
Last updated: December 15, 2015
Direct D/L link: Locally archived copy
License type: Free
Description: Good detector for packers, compressors , compiler + unpack info + internal exe tools.
Internal Ripper for zip,rar,Flash swf,GFX-bmp/jpg/png/gif,cab,msi,bzip, ...
Colored Disassembler,Delphi Form viewer , .Zlib unpacker v1.2.8 , .NET exe info
Internal detector for non executable files.
Also listed in: .NET Tools, .NET Unpackers, Compiler Identifiers, Crypto Tools, Deobfuscation Tools, Linux Unpackers, PE EXE Signature Tools, Packer Identifiers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Fenris
Rating: 5.0 (1 vote)
Author: lcamtuf                        
Website: http://lcamtuf.coredump.cx/fenris
Current version: 0.07-m2 build 3245
Last updated: July 11, 2004
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Fenris is a suite of tools suitable for code analysis, debugging, protocol analysis, reverse engineering, forensics, diagnostics, security audits, vulnerability research and many other purposes. The main logical components are:

* Fenris: high-level tracer, a tool that detects the logic used in C programs to find and classify functions, logic program structure, calls, buffers, interaction with system and libraries, I/O and many other structures. Fenris is mostly a "what's inside" tracer, as opposed to ltrace or strace, tracers intended to inspect external "symptoms" of the internal program structure. Fenris does not depend on libbfd for accessing ELF structures, and thus is much more robust when dealing with "anti-debugging" code.

* libfnprints and dress: fingerprinting code that can be used to detect library functions embedded inside a static application, even without symbols, to make code analysis simplier; this functionality is both embedded in other components and available as a standalone tool that adds symtab to ELF binaries and can be used with any debugger or disassembler.

* Aegir: an interactive gdb-alike debugger with modular capabilities, instruction by instruction and breakpoint to breakpoint execution, and real-time access to all the goods offered by Fenris, such as high-level information about memory objects or logical code structure.

* nc-aegir: a SoftICE-alike GUI for Aegir, with automatic register, memory and code views, integrated Fenris output, and automatic Fenris control (now under development).

* Ragnarok: a visualisation tool for Fenris that delivers browsable information about many different aspects of program execution - code flow, function calls, memory object life, I/O, etc (to be redesigned using OpenDX or a similar data exploration interface).

* ...and some other companion utilities.
Also listed in: Reverse Engineering Frameworks, Linux Disassemblers, Linux Debuggers, Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: IDA Pro
Rating: 5.0 (6 votes)
Author: Ilfak Guilfanov                        
Website: http://www.hex-rays.com/idapro
Current version: 6.1
Last updated: April 8, 2011
Direct D/L link: http://95.211.133.202/files/idademo_windows60.exe
License type: Commercial
Description: The IDA Pro Disassembler and Debugger is an interactive, programmable, extendible, multi-processor disassembler hosted on Windows or on Linux. IDA Pro has become the de-facto standard for the analysis of hostile code, vulnerability research and COTS validation.

There is also a free (crippled) version available (IDA Pro Free). See its own entry in the library for more info.

As of January 7, 2007, the official IDA Pro website moved from the old URL (http://www.datarescue.com/idabase) to the one listed above.
Also listed in: .NET Disassemblers, Disassemblers, IPhone Tools, Linux Debuggers, Linux Disassemblers, Mobile Platform Debuggers, Mobile Platform Disassemblers, Ring 3 Debuggers, Symbian Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: radare
Rating: 5.0 (2 votes)
Author: pancake                        
Website: http://www.radare.org
Current version: 0.9.7
Last updated: March 3, 2014
Direct D/L link: http://www.radare.org/get/radare2-0.9.7.tar.xz
License type: LGPL
Description: The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with 6502, 8051, arc, arm64, avr, brainfuck, whitespace, malbolge, cr16, dcpu16, ebc, gameboy, h8300, tms320, nios2, x86, x86_64, mips, arm, snes, sparc, csr, m68k, powerpc, dalvik and java.

The main program is 'r2' a commandline hexadecimal editor with support for debugging, disassembling, analyzing structures, searching data, analyzing code and support for scripting with bindings for Python, NodeJS, Perl, Ruby, Go, PHP, Vala, Java, Lua, OCaml.

Radare comes with the unix phylosophy in mind. Each module, plugin, tool performs a specific task and each command can be piped to another to extend its functionality. Also, it treats everything as a file: processes, sockets, files, debugger sessions, libraries, etc.. Everything is mapped on a virtual address space that can be configured to map multiple files on it and segment it.

If you are interested or feel attracted by the project join us in the #radare channel at irc.freenode.net.

See website for more details.
Also listed in: .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Rebel.NET
Rating: 5.0 (1 vote)
Author: Daniel Pistelli                        
Website: http://ntcore.com/rebelnet.php
Current version: 1.6.0.1
Last updated: September 3, 2010
Direct D/L link: http://ntcore.com/files/RebelDotNET.zip
License type: Free
Description: Rebel.NET is a rebuilding tool for .NET assemblies which is capable of adding and replacing methods and streams.

It's possible to replace only a limited number of methods or every method contained in a .NET assembly. The simplicity of Rebel.NET consists in the replacing process: one can choose what to replace. For instance, one may choose to replace only the method code, instead of its signature or method header.

The interface of Rebel.NET is quite a simple one. As input it requires a .NET assembly to be rebuilded and a Rebel.NET rebuilding file. The Rebel.NET file contains the data that has to be replaced in the original assembly.

Rebel.NET can also create a Rebel.NET file from a given assembly. This is a key functionality, since some times the data of the original assembly has to be processed first to produce a Rebel.NET file for the rebuilding of the assembly. This sort of "report" feature can also be used to analyze the methods of an assembly, since reading the original data from a .NET assembly isn't as easy as reading a Rebel.NET file. It's possible to choose what should be contained in the Rebel.NET file.

All the Rebel.NET features can used through command line, which comes very handy when an automated rebuilding process is needed.

Rebel.NET is, mainly, a very solid base to overcome every .NET protection and to re-create a fully decompilable .NET assembly. As such, Rebel.NET has to be considered a research project, not an encouragement to violate licensing terms.
Also listed in: .NET Code Injection Tools, .NET Executable Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Reflector for .NET
Rating: 5.0 (1 vote)
Author: Lutz Roeder (current owner Red Gate Software)                        
Website: http://www.reflector.net/
Current version: 7.7
Last updated: July 18, 2009
Direct D/L link: http://shop.reflector.net/download
License type: Free until 6.8.2.5
Description: From website:

"Reflector is a very powerful class browser, explorer, analyzer and documentation viewer for .NET. Reflector allows to easily view, navigate, search, decompile and analyze .NET assemblies in C#, Visual Basic and IL."

This is one of the most powerful .NET decompilers that you can't buy - just download :)
Many of the popular commercial tools achieving the same goal "suddenly" got a boost when this masterpiece of work saw a daylights (and besides that those are commercial, still have hard time with obfuscators).

Just give it a try, it will last literally five minutes - load some well known assembly of yours, choose target .NET language (!) and let'em work. Then compare it with the original.

You'll surely not forget this one.
Also listed in: .NET Decompilers, .NET Disassemblers, Decompilers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Reflexil
Rating: 5.0 (1 vote)
Author: Sebastien Lebreton                        
Website: http://reflexil.net
Current version: 1.2
Last updated: March 7, 2011
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Reflexil is an assembly editor and runs as a plug-in for Red Gate's Reflector, a great tool for .NET developers. Reflexil is using Mono.Cecil, written by Jb Evain and is able to manipulate IL code and save the modified assemblies to disk. Reflexil also supports C#/VB.NET code injection.
Also listed in: .NET Disassemblers, .NET Executable Editors, .NET MSIL Dumpers, .NET Signature Changers, .NET Signature Removers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Rohitab API Monitor
Rating: 5.0 (1 vote)
Author: Rohitab Batra                        
Website: http://www.rohitab.com/apimonitor
Current version: v2 (Alpha-r13)
Last updated: March 14, 2013
Direct D/L link: http://www.rohitab.com/downloads
License type: Freeware
Description: API Monitor is a free software that lets you monitor and control API calls made by applications and services. Its a powerful tool for seeing how applications and services work or for tracking down problems that you have in your own applications.

* Supports monitoring of 32-bit and 64-bit applications and services
* API Definitions for over 15,000 API’s from 200 DLL’s and over 17,000 methods from 1,800+ COM Interfaces (Shell, Web Browser, DirectShow, DirectSound, DirectX, Direct2D, DirectWrite, Windows Imaging Component, Debugger Engine, MAPI etc)
* Decode and display 2000 different structures and unions, 1000+ Enumerated data types, 800+ flags. Buffers and arrays within structures can also be viewed
* Display input and output buffers
* Call Tree display which shows the hierarchy of API calls
* Decode Parameters and Return Values
* Control the target application by setting breakpoints on API calls
* Instant monitoring of any API from any DLL without requiring any definitions
* Memory Editor that lets you view, edit and allocate memory in any process
* Dynamic Call Filtering capabilities which allows you to hide or show API calls based on a certain criteria
* Supports monitoring of COM Interfaces
* Decode error codes and display friendly messages by calling an appropriate error function to retrieve additional information about the error
* Capture and view the call stack for each API call
* Custom DLL Monitoring - Supports creating definitions for any DLL or COM Interface
* Support for filtering calls by threads
* Displays the duration for each API call
* Process detection and notification
Also listed in: API Monitoring Tools, COM Monitoring Tools, File Monitoring Tools, Memory Dumpers, Memory Patchers, Monitoring Tools, Network Monitoring Tools, Registry Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: whoknows NET patcher
Rating: 5.0 (1 vote)
Author: whoknows                        
Website: http://portal.b-at-s.info/download.php?view.448
Current version: 0.7
Last updated: January 2, 2010
Direct D/L link: Locally archived copy
License type: Free
Description: The purpose of this utility is to make something like dUP for NET assemblies.
also patches the target and resign it to user machine.
Also you can save and load Projects.
Also listed in: .NET Patcher Generators
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: WinApiOverride
Rating: 5.0 (3 votes)
Author: Jacquelin POTIER                        
Website: http://jacquelin.potier.free.fr/winapioverride32/
Current version: 6.4.1
Last updated: April 14, 2014
Direct D/L link: http://jacquelin.potier.free.fr/exe/winapioverride32_bin.zip
License type: Free / Open Source (GPL v2)
Description: WinAPIOverride is an advanced api monitoring software for 32 and 64 bits processes.
You can monitor and/or override any function of a process.
This can be done for API functions or executable internal functions.

It tries to fill the gap between classical API monitoring softwares and debuggers.
It can break targeted application before or after a function call, allowing memory or registers changes; and it can directly call functions of the targeted application.
Main differences between other API monitoring softwares :
- You can define filters on parameters or function result
- You can define filters on dll to discard calls from windows system dll
- You can hook functions inside the target process not only API
- You can hook asm functions with parameters passed through registers
- You can hook hardware and software exceptions
- Double and float results are logged
- You can easily override any API or any process internal function
- You can break process before or/and after function call to change memory or registers
- You can call functions which are inside the remote processes
- Can hook COM OLE and ActiveX interfaces
- User types (enum, struct and union) and user defines are supported
- All is is done like modules : you can log or override independently for any function
- A library is provided for developers who intend to build their one hooking software
Also listed in: .NET Tracers, API Monitoring Tools, COM Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: CFF Explorer
Rating: 4.8 (4 votes)
Author: Daniel Pistelli                        
Website: http://www.ntcore.com/exsuite.php
Current version: 7.9
Last updated: August 2, 2010
Direct D/L link: http://www.ntcore.com/Files/CFF_Explorer.zip
License type: Freeware
Description: The CFF Explorer was designed to make PE editing as easy as possible, but without losing sight on the portable executable's internal structure. This application includes a series of tools which might help not only reverse engineers but also programmers. It offers a multi-file environment and a switchable interface.

Also, it's the first PE editor with full support for the .NET file format. With this tool you can easily edit metadata's fields and flags. If you're programming something that has to do with .NET metadata, you will need this tool. The resource viewer supports .NET image formats like icons, bitmaps, pngs. You'll be able to analyze .NET files without having to install the .NET framework, this tool has its own functions to access the .NET format.

Also includes a cool new scripting engine!
Also listed in: .NET Executable Editors, PE Executable Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Explorer Suite
Rating: 4.4 (5 votes)
Author: Daniel Pistelli                        
Website: http://www.ntcore.com/exsuite.php
Current version: III (DC20121111)
Last updated: November 11, 2012
Direct D/L link: http://www.ntcore.com/files/ExplorerSuite.exe
License type: Free
Description: A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

Features:

* Process Viewer
* Windows Viewer
* PE and Memory Dumper
* Full support for PE32/64
* Special fields description and modification (.NET supported)
* PE Utilities
* PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
* View and modification of .NET internal structures
* Resource Editor (full support for Windows Vista icons)
* Support in the Resource Editor for .NET resources (dumpable as well)
* Hex Editor
* Import Adder
* PE integrity checks
* Extension support
* Visual Studio Extensions Wizard
* Powerful scripting language
* Dependency Walker
* Quick Disassembler (x86, x64)
* Name Unmangler
* Extension support
* File Scanner
* Directory Scanner
* Deep Scan method
* Recursive Scan method
* Multiple results
* Report generation
* Signatures Manager
* Signatures Updater
* Signatures Collisions Checker
* Signatures Retriever
Also listed in: .NET Executable Editors, .NET Resource Editors, .NET Signature Removers, .NET Tools, Dependency Analyzer Tools, Exe Analyzers, Executable CRC Calculators, Hex Editors, Import Editors, Memory Dumpers, PE Executable Editors, Process Dumpers, Protection Identifiers, Resource Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: COMView
Rating: 4.0 (1 vote)
Author: japheth                        
Website: http://www.japheth.de/COMView.html
Current version: 2.9.12
Last updated: February 25, 2011
Direct D/L link: http://www.japheth.de/Download/COMView.zip
License type: Free
Description: COMView is a tool for viewing and handling Windows COM (Component Objects Model) things.
It is intended to be used by programers, although it might also be useful for experienced end users.
The following functions are included:

shows COM related entries in the registry
build in registry editor to modify these entries
consistency check of COM related registry information
shows type library information
can generate assembly include files (Masm style) from type libraries
"dispatch helper" assembly includes (Masm) may be generated to simplify using IDispatch and events.
COM objects can be created and interfaces exposed are shown
OLE container is implemented allowing to view and test OLE/activeX controls
object properties may be edited and methods be executed.
object model exposed by an application/control may be walked.
may connect to source interfaces and display events

Please note: to get benefits from using COMView it is expected to be familiar with COM basics, there is no tutorial included in COMView.
Also listed in: COM Debugging Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: EDB Linux Debugger
Rating: 4.0 (2 votes)
Author: Evan Teran                        
Website: http://codef00.com/projects#debugger
Current version: 0.9.20
Last updated: January 15, 2014
Direct D/L link: http://codef00.com/projects/debugger-0.9.20.tgz
License type: GPL
Description: Features
* Intuitive GUI interface
* The usual debugging operations (step-into/step-over/run/break)
* Conditional breakpoints
* Debugging core is implemented as a plugin so people can have drop in replacements. Of course if a given platform has several debugging APIs available, then you may have a plugin that implements any of them.
* Basic instruction analysis
* View/Dump memory regions
* Effective address inspection
* The data dump view is tabbed, allowing you to have several views of memory open at the same time and quickly switch between them.
* Importing of symbol maps
* Plugins
o Search for binary strings
o Code Bookmarks
o Breakpoint management
o Check for updates
o Environment variable viewer
o Heap block enumeration
o Opcode search engine plugin has basic functionality (similar to msfelfscan/msfpescan)
o Open file enumeration
o Reference finder
o String searching (like strings command in *nix)

One of the main goals of this debugger is isolation of the debugger core from the display you see. The interface is written in QT4 and thus source portable to many platforms. The debugger core is actually a plugin and the platform specific code is isolated to just a few files, porting to a new OS would require porting these few files and implementing a plugin which implements the "DebuggerCoreInterface" interface. Also, because the plugins are based on the QPlugin API, and do their work through the DebuggerCoreInterface object, they are almost always portable with just a simple recompile. So far, the only plugin I have written which would not port with just a recompile is the heap analysis plugin, due to it's highly system specific nature.
Also listed in: Debuggers, Linux Debuggers, Ring 3 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: PIX with callstack patch
Rating: 4.0 (1 vote)
Author: arc_                        
Website: http://www.woodmann.com/forum/showthread.php?t=12696
Current version:
Last updated: May 1, 2012
Direct D/L link: Locally archived copy
License type: Free
Description: MSDN describes the DirectX tool "PIX" as follows (at http://msdn.microsoft.com/en-us/library/bb173085(VS.85).aspx):
"PIX is a debugging and analysis tool that captures detailed information from a Direct3D application as it executes. PIX can be configured to gather data, such as the list of Direct3D APIs called, timing information, mesh vertices before and after transformations, screenshots, and select statistics. PIX can also be used for debugging vertex and pixel shaders, including setting breakpoints and stepping through shader code."

Thus, a highly useful tool right from the MS DirectX SDK for e.g. finding the cause of a rendering problem: for any captured frame, you can click through the executed DX API functions and see how the frame is being built up, eventually finding out what part is to blame.

But what about reversing a closed source application's renderer? PIX does not store a call stack; it merely logs *what* DX functions are called, but not from *where*. Therefore it is not very useful for reversing by default.

I didn't want to let such a great tool go to waste. After some reversing work I ended up patching PIX to log and show (part of) the call stack for each DirectX call that the target program makes. Each call stack entry has both the virtual address and the module name.

Example usage of the resulting modified tool is finding out about and messing with a game's renderer, or more simply locating the HUD rendering code and quickly finding the data that it represents (e.g. health, money) rather than having to resort to memory scanning.
Also listed in: API Monitoring Tools, DirectX Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: .NET DeObfuscator
Rating: 0.0 (0 votes)
Author: Kurapica                        
Website: http://www.woodmann.com/forum/showthread.php?t=11810
Current version: 0.5
Last updated: June 11, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: This is a tool to deobfuscate names only in Assemblies, It doesn't deobfuscate control-flow.

This tool is supposed to make our life easier when exploring in Reflector, so the deobfuscated assembly in most cases won't run and it's meant to be used in Reflector for analysis only.

What this tool does is that it renames Classes and other member of assembly like Procedures and Fucntion into more understandable names for easier analysis, for example it renames a Class of type Form to "Class10_Form" instead of "xhfkd9oekfpklgpf" as we see in assemblies obfuscated with xenocode or any other obfuscator, I didn't want it to release it at first, but when I added type detection to renaming process it became more useful.
Also listed in: .NET Deobfuscation Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: .NET Generic Unpacker
Rating: 0.0 (0 votes)
Author: Ntoskrnl                        
Website: http://ntcore.com/netunpack.php
Current version: 1.0.0.1
Last updated:
Direct D/L link: http://ntcore.com/Files/NETUnpack.zip
License type:
Description: This is a program to dump .NET packed applications. Of course no serious .NET protection relies on packing. In fact, this software shows how easily you can unpack a protected assemly. This .NET Generic Unpacker was written in a couple of hours and despite of the fact that it's very simple, it might turn useful having it: otherwise you have to unpack manually, which is also very easy.
Also listed in: .NET Unpackers, Automated Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: .NET Hook Library
Rating: 0.0 (0 votes)
Author: shokshok                        
Website: http://dotnethook.sourceforge.net
Current version: 2.1
Last updated: May 30, 2002
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: .Net Hook Library is a library (with a sample tool) to manipulate functions in a .NET Assembly. It allows for insertion of arbitrary code at the beginning of each function called in a .NET assembly (whether executable or assembly). Also provides code that reads through metadata and dumps information on it.

The download contains detailed documentation about how it works and what it is.

I'm in the process of converting this from an executable to a library. That way, existing applications can use it to modify the .NET binaries (a.k.a assemblies).
Also listed in: .NET Code Injection Tools, Code Injection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: .NET Methods Parser
Rating: 0.0 (0 votes)
Author: Kurapica                        
Website: http://portal.b-at-s.info/download.php?view.463
Current version: 0.2
Last updated: July 19, 2010
Direct D/L link: Locally archived copy
License type: Free
Description: A simple tool to analyze the "Methods" metadata table.
It has a good error and invalid data handling code so it will open most weird files.
Also listed in: .NET Deobfuscation Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: .NET PE Alignments resizer
Rating: 0.0 (0 votes)
Author: yaroved                        
Website: http://emicrox.net
Current version: *
Last updated: January 14, 2011
Direct D/L link: http://emicrox.net/source/uper.zip
License type: Free
Description: .NET PE Alignments resize`r

change FileAlignment/SectionAlignment, resize image data

and recalculate the appropriate references

For

x86:

http://emicrox.net/source/uper.zip

x64:

    / Will be added on January, 18th /

http://emicrox.net/utils.asp
Also listed in: .NET Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Bad Net Opcodes Finder
Rating: 0.0 (0 votes)
Author: whoknows                        
Website: http://portal.b-at-s.info/download.php?view.439
Current version: 0.6 beta
Last updated: December 18, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: A tool used to fix a nasty anti-decompiler trick, the trick is based on using invalid opcodes to make the decompilation process impossible with tools like Reflector.
So you can use this tool to kill these nasty invalid opcodes and see the code again in Reflector, You will find a small video which explains how to use this tool.
Also listed in: .NET Deobfuscation Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Bastard
Rating: 0.0 (0 votes)
Author:                         
Website: http://bastard.sourceforge.net
Current version: 0.16
Last updated: 2002
Direct D/L link: N/A
License type: Free / Open Source
Description: The Bastard is a disassembler -- or, more appropriately, a disassembly environment. The idea is that you have an interpreter, much as you would in Perl or Python, which allows you to load files, disassemble them, dump the disassembly, write/run macros, and various other operations. The x86 instruction disassembler written for this project has been packaged seperately as libdisasm, and is intended to be used in other open source projects.

This interpreter can be used interactively, it can be fed commands via STDIN [just like a scripting interpreter], and it can be communicated with via a pair of FIFOs. Now, on top of this any number of UI front ends can be stacked -- ncurses console front ends, Gtk X front-ends, Tk front ends, etc. It is the reponsibility of the front-ends to display the information obtained by querying the disassembler, supplying syntax highlighting, displaying strings, xrefs, etc; however the disassembler will retain all of this information, do all of the 'brute' processing, and will provide any of the information when requested.

The bastard currently runs on x86 Linux and FreeBSD [CVS version]. It can disassemble x86 ELF, a.out, and PE files as well as flat binary files [.com, .bin].
Also listed in: Disassemblers, Linux Disassemblers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Burndump
Rating: 0.0 (0 votes)
Author: ByteRage                        
Website: http://www.securiteam.com/tools/5BP0H0U7PQ.html
Current version: 1.0
Last updated: July 13, 2002
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Burndump is a LKM that strips off the TESO Burneye protection from encrypted executables. You must be able to run the executable. When the program is unwrapped, you do not need the host-fingerprint or the password anymore and the ELF file can be reverse engineered without the Burneye anti-debugger tricks.
Also listed in: Linux Unpackers, Automated Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Burneye
Rating: 1.0 (1 vote)
Author: TESO                        
Website: https://teso.scene.at/releases.php
Current version: 1.0.1
Last updated: December 24, 2002
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Burneye ELF encryption program, with full source and docs.
Also listed in: Packers, Linux Packers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: COMRaider
Rating: 0.0 (0 votes)
Author: David Zimmer                        
Website: http://sandsprite.com/blogs/index.php?uid=7&pid=185
Current version:
Last updated: November 8, 2006
Direct D/L link: https://github.com/dzzie/COMRaider/raw/master/COMRaider_Setup.exe
License type: Free
Description: Update: This tool is no longer available through the iDefense website. The author has made a copy available through github.

COMRaider is a tool designed to fuzz COM Object Interfaces. It can also extract information about them and their interfaces etc.

Features include:

* Capability to easily enumerate safe for scripting objects
* Ability to scan for COM objects by path, filename, or guid
* Integrated type library viewer
* Integrated debugger to monitor exceptions, close windows,log api
* External vbs script allows you to easily edit fuzzer permutations
* Built in webserver to test exploits on the fly
* Enumerate and view controls with killbit set
* Distributed auditing mode to allow entire teams to work together
* Ability to upload crash files to central server for group analysis
* Automation tools allowing you to easily fuzz multiple libraries, individual classes, or specific functions.
Also listed in: COM Debugging Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: CSharpFuscator
Rating: 0.0 (0 votes)
Author: papanyquiL                        
Website: http://portal.b-at-s.info/news.php
Current version: 1.0
Last updated: June 24, 2009
Direct D/L link: http://portal.b-at-s.info/request.php?275
License type: Free
Description: The CSharpFuscator tool scrambles .NET source code to make it very difficult to understand or reverse-engineer. This provides significant protection for source code intellectual property, and even provides protection against the all-too-disassembly of .NET object code.
Also listed in: .NET Packers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: CoClassSyms
Rating: 0.0 (0 votes)
Author: Matt Pietrek                        
Website: http://www.microsoft.com/msj/0399/comtype/comtype.aspx
Current version: 1.0
Last updated: March 1999
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: "CoClass" in the "CoClassSyms" name refers to the TKIND_COCLASS entries in the typelib from which the symbols are created. CoClassSyms is a command-line program that operates on executable files containing a type library. This can be an .OCX or some other DLL such as MSHTML.DLL (which is a core component of Microsoft Internet Explorer).

The output from CoClassSyms is either a .MAP or .DBG file. The code included with this article only supports .MAP file generation. However, if you drop in the DLL from this month's Under the Hood column, CoClassSyms generates a .DBG file instead. In either case, the output file has the same root file name as the input executable. Thus, running CoClassSyms on MSHTML.DLL creates MSHTML.MAP or MSHTML.DBG.

Regardless of whether you make a .MAP or .DBG file, you'll no doubt want to get the debugger to recognize and load the symbol information. If you generate a .DBG file, make sure it is in the same directory as the associated executable. In my experience, the Visual Studio 6.0 debugger automatically loads the .DBG file as needed. Using WinDBG, I had to explicitly load the .DBG file in the command window. I wasn't able to get Visual Studio 5.0 to load the .DBG file, but I couldn't determine the cause of the problem.

If everything goes well and the debugger loads your generated .DBG file, you should be able to set breakpoints by name on the methods. (Hint: you may want to first generate a .MAP file to get an idea of the available method names.) Of course, since you likely don't have source code for the executable, you'll be in the assembly language view when the breakpoints hit. You should also see method names in the call stack.
Also listed in: COM Debugging Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Damn Vulnerable Linux
Rating: 0.0 (0 votes)
Author: Zero                        
Website: http://www.DamnVulnerableLinux.org
Current version: Damn Vulnerable Linux 1.5 (Infectious Disease)
Last updated: January 26, 2009
Direct D/L link: http://www.computerdefense.org/dvl/DVL_1.5_Infectious_Disease.iso
License type: Creative Commons Attribution-Noncommercial-Share Alike 3.0 License
Description: Release date: 01/26/2009. Fixed many bugs (e.g. wrong postgres path), added several tools.

This release contains 99% of all available Linux RCE tools!

Damn Vulnerable Linux (DVL) is a Linux-based tool for IT-Security. Damn Vulnerable Linux (DVL) is highly integrated into the community project crackmes.de (http://www.crackmes.de) and is frequently updated with new community provided lessons. Damn Vulnerable Linux (DVL) is your place either to get the latest Damn Vulnerable Linux (DVL) distribution, to get new lessons, or to submit own lessons based on the Damn Vulnerable Linux (DVL) training system.

The constant website for Damn Vulnerable Linux (DVL) is located at http://www.damnvulnerablelinux.org . Damn Vulnerable Linux (DVL) is for educational purposes only!

Actually, it is a perverted Linux distribution made to be as insecure as possible. It is collection of IT-Security tools. Additional it includes a fullscaled lesson based environment for Attack & Defense on/for IT systems for self-study or teaching activities during university lectures. It's a Live Linux Distro, which means it runs from a bootable CD in memory without changing the native operating system of the host computer. As well it can be run within virtual machine environments, such as qemu or vmware. There is no need to install a virtual machine if you use the embedded option. Its sole purpose in life is to put as many security tools at your disposal with as much training options as it can. It contains a huge ammount of lessons including lesson description - and solutions if the level has been solved by a community member at crackmes.de.

Damn Vulnerable Linux (DVL) is meant to be used by both novice and professional security personnel but is not ideal for the Linux uninitiated. Damn Vulnerable Linux (DVL) assumes you know the basics of Linux as most of your work will be done from the command line. If you are completely new to Linux, it's best you stop playing with this system.
Also listed in: Linux Tools, Reverse Engineering Frameworks
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: de4dot
Rating: 0.0 (0 votes)
Author: 0xd4d                        
Website: https://bitbucket.org/0xd4d/de4dot/
Current version: 2.0.3
Last updated: January 12, 2013
Direct D/L link: https://bitbucket.org/0xd4d/de4dot/downloads
License type: GPLv3
Description: de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. Most of the obfuscation can be completely restored (eg. string encryption), but symbol renaming is impossible to restore since the original names aren't (usually) part of the obfuscated assembly.

Features:
-Inline methods. Some obfuscators move small parts of a method to another static method and calls it.
-Decrypt strings statically or dynamically
-Decrypt other constants. Some obfuscators can also encrypt other constants, such as all integers, all doubles, etc.
-Decrypt methods statically or dynamically
-Remove proxy methods. Many obfuscators replace most/all call instructions with a call to a delegate. This delegate in turn calls the real method.
-Rename symbols. Even though most symbols can't be restored, it will rename them to human readable strings. Sometimes, some of the original names can be restored, though.
-Devirtualize virtualized code
-Decrypt resources. Many obfuscators have an option to encrypt .NET resources.
-Decrypt embedded files. Many obfuscators have an option to embed and possibly encrypt/compress other assemblies.
-Remove tamper detection code
-Remove anti-debug code
-Control flow deobfuscation. Many obfuscators modify the IL code so it looks like spaghetti code making it very difficult to understand the code.
-Restore class fields. Some obfuscators can move fields from one class to some other obfuscator created class.
-Convert a PE exe to a .NET exe. Some obfuscators wrap a .NET assembly inside a Win32 PE so a .NET decompiler can't read the file.
-Removes most/all junk classes added by the obfuscator.
-Fixes some peverify errors. Many of the obfuscators are buggy and create unverifiable code by mistake.
-Restore the types of method parameters and fields

Supported obfuscators/packers:
Agile.NET (aka CliSecure)
Babel.NET
CodeFort
CodeVeil
CodeWall
CryptoObfuscator
DeepSea Obfuscator
Dotfuscator
.NET Reactor
Eazfuscator.NET
Goliath.NET
ILProtector
MaxtoCode
MPRESS
Rummage
Skater.NET
SmartAssembly
Spices.Net
Xenocode
Also listed in: .NET Deobfuscation Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Deblector
Rating: 0.0 (0 votes)
Author: Felice Pollano, Matthew Yee                        
Website: http://www.codeplex.com/deblector
Current version: 1.1
Last updated: March 1, 2010
Direct D/L link: http://www.codeplex.com/Project/Download/FileDownload.aspx?ProjectName=deblector&DownloadId=18153
License type: Free / Open Source
Description: Plug-in for .NET Reflector that allows you to debug .NET processes from within .NET Reflector.
Also listed in: .NET Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Detect It Easy
Rating: 0.0 (0 votes)
Author: Hors                        
Website: http://ntinfo.biz
Current version: 1.01
Last updated: March 23, 2016
Direct D/L link: https://www.dropbox.com/s/h3sjlmhgcx7qfx2/DIE_1.01_win.zip?dl=1
License type: Free (both for commercial and non-commercial usage) and open source
Description: Detect it Easy

Detect It Easy, or abbreviated “DIE” is a program for determining types of files.

“DIE” is a cross-platform application, apart from Windows version there are also available versions for Linux and Mac OS.

Many programs of the kind (PEID, PE tools) allow to use third-party signatures. Unfortunately, those signatures scan only bytes by the pre-set mask, and it is not possible to specify additional parameters. As the result, false triggering often occur. More complicated algorithms are usually strictly set in the program itself. Hence, to add a new complex detect one needs to recompile the entire project. No one, except the authors themselves, can change the algorithm of a detect. As time passes, such programs lose relevance without the constant support.

Detect It Easy has totally open architecture of signatures. You can easily add your own algorithms of detects or modify those that already exist. This is achieved by using scripts. The script language is very similar to JavaScript and any person, who understands the basics of programming, will understand easily how it works. Possibly, someone may decide the scripts are working very slow. Indeed, scripts run slower than compiled code, but, thanks to the good optimization of Script Engine, this doesn\'t cause any special inconvenience. The possibilities of open architecture compensate these limitations.

DIE exists in three versions. Basic version (“DIE”), Lite version (“DIEL”) and console version (“DIEC”). All the three use the same signatures, which are located in the folder “db”. If you open this folder, nested sub-folders will be found (“Binary”, “PE” and others). The names of sub-folders correspond to the types of files. First, DIE determines the type of file, and then sequentially loads all the signatures, which lie in the corresponding folder. Currently the program defines the following types:

• MSDOS executable files MS-DOS

• PE executable files Windows

• ELF executable files Linux

• MACH executable files Mac OS

• Text files

• Binary all other files
Also listed in: .NET Packers, Compiler Identifiers, Entropy Analyzers, Exe Analyzers, Linux Tools, Mac OS Tools, PE EXE Signature Tools, PE Executable Editors, Packer Identifiers, Tool Signatures
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: DisasMSIL
Rating: 0.0 (0 votes)
Author: Daniel Pistelli                        
Website: http://ntcore.com/Files/disasmsil.htm
Current version: 1.0
Last updated: April 30, 2008
Direct D/L link: http://ntcore.com/Files/disasmsil/DisasMSIL.zip
License type: Free / Open source
Description: DisasMSIL is a free/open disasm engine for the Microsoft Intermediate Language (MSIL). You can use it any context you wish. There are no license restrictions. The only thing I ask you to do is to send me your bug fixes (if any).

Note: Don't rely on the ECMA specification (Partition III: Common Language Infrastructure), since it's incomplete. Some new opcodes were introduced with the .NET Framework 2.0.
Also listed in: .NET Disassembler Libraries
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Dot Net String Decoder
Rating: 0.0 (0 votes)
Author: DARKER                        
Website: http://progress-tools.x10.mx/dnsd.html
Current version: 1.10
Last updated: April 17, 2013
Direct D/L link: http://progress-tools.x10.mx/dnsd.zip
License type: Freeware
Description: Description:
Program can list or decrypt strings used in .NET executable based on user decryption plugins and rebuild new assembly with decoded strings. Method names, control flow etc. are unchanged in assembly!

Features:
- List all strings that are used in .NET executable
- Generic search for decoding function like: DecodeFunction(Byval Coded_String as String) As String
- Decrypt strings based on your own plugin
- Very simple plugin interface (C#, VB.NET)
- Preview of string decryption (checking results)
- Rebuild application with decoded strings (removing decoding function)
- Explorer with all methods for fast navigation
- Export method tree to text file
- Fast string extraction
- Very good and easy searching
- Export strings to text file for further processing
- DisAssemble selected method
- Instruction coloring for fast navigation (Strings, Numbers, Calls, Jumps)
- See real file offset and opcode bytes
- Jump from opcode to file with hexeditor (patching)
Also listed in: .NET Disassemblers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: DotFuckScator v1.3
Rating: 0.0 (0 votes)
Author: LibX                        
Website: http://www.reteam.org/tools.html
Current version: v1.3
Last updated: May 9, 2009
Direct D/L link: http://reteam.org/tools/tf35.zip
License type: Free
Description: DotFuckScator.V1.3

DotFuckScator is a reversing engineering tool used to remove string encryption
from dotfuscator protected files

If the original file was strong name signed DotFuckScator will create a new keypair
and re-sign the file with this pair, be carefull since file depending on this file will
need to be edited manualy to support the new strong name signature.
You can use RE-Sign for this and the editor of your choice

Also if you like the file re-signed with a specific key place your key in the same
folder as the file you are about to process and rename it to DotFuckScator.snk
now DotFuckScator will use this key for the re-sign process.

Hope this tool is of any use

Changes:
* v1.1 has a minor bugfix that prevented some strings from proper decrypting
* v1.2 small bugfix in re-signing, added indicator to show the amount of
strings decrypted so far
* v1.3 Fixed royal fuck-up in string decryption code replacement function
meaning the output will now run after string decryption removal ;x
Also listed in: .NET Disassemblers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: DotNET Tracer
Rating: 0.0 (0 votes)
Author: Kurapica                        
Website: http://www.woodmann.com/forum/showthread.php?t=11859
Current version: 1.1
Last updated: February 15, 2011
Direct D/L link: Locally archived copy
License type: Free
Description: This is a simple tool that has a similar functionality to RegMon or FileMon but it's designed to trace events in .NET assemblies in runtime, many events can be reported so you can understand what's going on in the background.

1- Select the assembly you want to analyze
2- Set the Events Mask, i.e Events you want to catch
3- Click "Start"

This version can handle all .net assemblies from 2.0 up to 4.0.

I hope it's useful and as always bug reports are welcome.
Also listed in: .NET Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: dotNet Protector Win32
Rating: 0.0 (0 votes)
Author: PV Logiciels                        
Website: http://dotnetprotector.pvlog.com/Fonctions.aspx
Current version: 5.5.3972
Last updated: November 8, 2008
Direct D/L link: http://dotnetprotector.pvlog.com/downloads/dotnetprotector5/dotNetProtectorX86.msi
License type: Commercial (with full featured trial)
Description: dotNet Protector is a powerful .NET code protection system that prevents your assemblies from being decompiled. With dotNet Protector, your application is not simply obfuscated, but method bodies are encrypted. EXE DLL, ASPNET and SQL assemblies can be protected. You can protect a whole application (main exe, referenced dlls) in a single executable. Your .NET code will run entirely from memory, without temporary disk storage.

Protection can be done interactively with an intuitive graphical interface, or automated, using the command-line functionalities of dotNet Protector.

dotNet Protector includes a powerful hardware sensitive anti-piracy system and extensions to help you develop your own software activation system. dotNet Protector is self-protected and uses its internal software activation system.
Also listed in: .NET Packers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: dotNet Sniffer Win32
Rating: 0.0 (0 votes)
Author: PV Logiciels                        
Website: http://dotnetprotector.pvlog.com/Tools.aspx
Current version: 2.0
Last updated: November 8, 2008
Direct D/L link: http://dotnetprotector.pvlog.com/downloads/dotNetSnifferWin32.msi
License type: Free
Description: dotNet Sniffer 2 uses the .NET profiler API to save assemblies loaded from memory. Once a module is handled by the .NET Framework, dotNet Sniffer saves it to disc if it was loaded from memory. Some tools are changing the module (decrypt methods ...) after loading; dotNet Sniffer allows you to save the module again during the execution of the first method (JIT). The profiler will be active only for the process to start; installing dotNet Sniffer will not affect the performance of other .NET programs. dotNet Sniffer 2 is available for 32-bit and 64-bit processors. 64-bit versions also install the 32-bit profiler and can save indifferently 32-bit and 64-bit processes. If you use 64-bit Windows, install only the 64-bit version suitable for your processor.
Also listed in: .NET Tools, .NET Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: dotNetTools Win32
Rating: 0.0 (0 votes)
Author: PV Logiciels                        
Website: http://dotnetprotector.pvlog.com/Tools.aspx
Current version: 1.0
Last updated: November 8. 2008
Direct D/L link: http://dotnetprotector.pvlog.com/downloads/dotNetToolsWin32.msi
License type: Free
Description: dotNet Tools is a freeware suite that includes dotNet Sniffer, PvLog DeObfuscator and PvLog LicenseManagerKiller. dotNet Sniffer uses the .NET profiler API to save assemblies loaded from memory. PvLog Deobfuscator is a MSIL code optimizer that makes more readable obfuscated code. LicenseManagerKiller is a tool that removes LicenseProvider attributes in the assembly.
Also listed in: .NET Deobfuscation Tools, .NET Tools, .NET Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: DotNetasploit
Rating: 0.0 (0 votes)
Author: Jon McCoy                        
Website: http://digitalbodyguard.com/DotNetasploit.html
Current version: 2.5
Last updated: August 2010
Direct D/L link: Locally archived copy
License type: Free
Description: DotNetasploit is a very capable code injector, making it possible to inject and edit code and GUI controls into .NET applications in an interactive fashion.
Also listed in: .NET Code Injection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: dotPeek
Rating: 0.0 (0 votes)
Author: Jetbrains                        
Website: http://www.jetbrains.com/decompiler/
Current version: 1.4
Last updated: April 8, 2015
Direct D/L link: http://download.jetbrains.com/resharper/dotPeek32_1.4.exe
License type: Free
Description: A free replacement of Reflector

- Decompiling .NET 1.0-4.5 assemblies to C#
- Support for .dll, .exe, .zip, .vsix, .nupkg, and .winmd files
- Quick jump to a type, assembly, symbol, or type member
- Effortless navigation to symbol declarations, implementations, derived and base symbols, and more
- Accurate search for symbol usages with advanced presentation of search results
- Overview of inheritance chains
- Support for downloading code from source servers
- Syntax highlighting
- Complete keyboard support
Also listed in: .NET Decompilers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Dotnet IL Editor (DILE)
Rating: 0.0 (0 votes)
Author: zsozsop                        
Website: http://sourceforge.net/projects/dile
Current version: 0.2.6
Last updated: September 30, 2007
Direct D/L link: N/A
License type: Free / Open Source
Description: Dotnet IL Editor (DILE) is an editor program which helps modifying .NET assemblies. It is intended to be able to disassemble .NET assemblies, modify the IL code, recompile it and run inside a debugger.
Also listed in: .NET Debuggers, .NET Disassemblers, .NET Executable Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Dumbassembly
Rating: 0.0 (0 votes)
Author: arc_                        
Website: http://www.woodmann.com/forum/showthread.php?13739-smartassembly-protection-analysis-unpacker-(with-source)
Current version: 0.5.8
Last updated: January 14, 2012
Direct D/L link: http://www.mediafire.com/?lunow30hx22wao1
License type: Open source
Description: DumbAssembly is an automatic unpacker for the RedGate SmartAssembly .NET protector. It supports versions of SmartAssembly up to 6.5.1 and removes the following protections:
* Code flow obfuscation
* Import obfuscation
* String encryption
* Resource encryption
* Assembly embedding and encryption
* Tamper detection

If the input assembly was signed, the unpacked assembly is automatically re-signed with a randomly generated (or manually specified) strong name key pair.

All occurrences of the original public key or public key token in the binary are replaced by the new ones.

The archive contains binaries and the complete source code.
Also listed in: .NET Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: ERESI Framework
Rating: 0.0 (0 votes)
Author: The ERESI Project                        
Website: http://www.eresi-project.org
Current version: 0.82b2
Last updated: September 13, 2009
Direct D/L link: N/A
License type: Free / Open Source
Description: The ERESI Reverse Engineering Software Interface is a unified multi-architecture binary analysis framework targeting operating systems based on the Executable & Linking Format (ELF) such as Linux, *BSD, Solaris, HP-UX, IRIX and BeOS.

ERESI is a general purpose hybrid framework : it includes both static analysis and runtime analysis capabilities. These features are accessed by primitives of the ERESI reverse engineering language which makes the framework more adaptable to the precise needs of her users. It brings an environment of choice for program analysis throught instrumentation, debugging, and tracing as it also provides more than ten exclusive major built-in features . ERESI can also be used for security auditing, hooking, integrity checking or logging binary programs. The project prones modularity and reusability of code and allows users to create their own project on top of the ERESI language interpreter in just a few lines. Among other features, the base code can display program graphs on demand using its automated flow analysis primitives. Our tools are enhanced for hardened or raw systems which have no executable data segments and no native debug API or even explicit program information.

The ERESI framework includes:

* The ELF shell (elfsh), an interactive and scriptable ERESI interpreter dedicated to instrumentation of ELF binary files.
* The Embedded ELF debugger (e2dbg), an interactive and scriptable high-performance userland debugger that works without standard debug API (namely without ptrace).
* The Embedded ELF tracer (etrace), an interactive and scriptable userland tracer that works at full frequency of execution without generating traps.
* The Kernel shell (kernsh), an interactive and scriptable userland ERESI interpreter to inject code and data in the OS kernel, but also infer, inspect and modify kernel structures directly in the ERESI language.
* The Evarista static analyzer, a work in progress ERESI interpreter for program transformation and data-flow analysis of binary programs directly implemented in the ERESI language (no web page yet).

Beside those top-level components, the ERESI framework contains various libraries that can be used from one of the previously mentioned tools, or in a standalone third-party program:

* libelfsh : the binary manipulation library on which ELFsh, E2dbg, and Etrace are based.
* libe2dbg : the embedded debugger library which operates from inside the debuggee program.
* libasm : the disassembly engine (x86 and sparc) that gives semantic attributes to instructions and operands.
* libmjollnir : the code fingerprinting and graph manipulation library.
* librevm : the Reverse Engineering Vector Machine, that contains the meta-language interpretor and the standard ERESI library.
* libaspect : the type system and aspect library. It can define complex data-types to be manipulated ad-hoc by ERESI programs.
* libedfmt : the ERESI debug format library which can convert dwarf and stabs debug formats to the ERESI debug format by automatically generating new ERESI types.
Also listed in: Code Injection Tools, Linux Debuggers, Linux Disassemblers, Reverse Engineering Frameworks, Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: GUID-Finder
Rating: 0.0 (0 votes)
Author: Sirmabus                        
Website: http://www.openrce.org/repositories/users/Sirmabus
Current version: 1.0b
Last updated: January 17, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: A GUID/UUID finding/fixing IDA plug-in.

The COM side of RE'ing (at least with "dead listing") can be pretty elusive.
With this you can at least partially glean what interfaces and classes a target is
using.

This plug-in scans the IDB for class and interfaces GUIDs and creates the matching
structure with label. IDA can find these on it's own, but it often misses them, so
this can fill in the gap.
Plus this plug-in allows you to easily add custom declarations, and is handy to do
a general audit for such GUIDs.

This is based Frank Boldewin's IDA Python script that you can find here:
http://www.openrce.org/downloads/details/250/ClassAndInterfaceToNames
or off his home page:
http://www.reconstructer.org/code/ClassAndInterfaceToNames.zip

It's a great utility, I found me self using it regularly. But I wanted one that
wasn't dependant on IDA Python, and one that might be a bit faster.
I've made some enhancements too (see below).

Some interesting reading:
http://en.wikipedia.org/wiki/Globally_Unique_Identifier
http://en.wikipedia.org/wiki/UUID

[How to run it]
Just invoke it using your selected IDA hot-key, or from "Edit->Plugins".
Normally you will want to keep the ""Skip code segments for speed"" check box checked,
because it can make a big difference in the run time. With unchecked, code segments are
also scanned. You'll want to scan the code to if the target is a Delphi, or others where
data tends to be code/.text segment, or if you just want to be more thorough.

It might take some time to scan everything depending on the size of the IDB your computer,
etc..

When it's done, you should see a list of interfaces and classes in the IDA log window.
If you want to go look at a particular entry to RE (to look at xrefs, etc.) just click on
the line and IDA will jump to it.


[How it works]
1. Loads in GUID/UUID defs for the two text files "Interfaces.txt" and "Classes.txt".
A little enhancement here over Frank's format, you can have blank lines and have
comments prefixed with '#' (first char, whole line only. Not a very forgiving parser).

In the source is "DumpLib", a utility I created to parse LIB files (like "uuid.lib")
to gather more GUIDs. As of this build, it's a collection of Frank's original UUIDs
plus all the ones to be found in VS2005 libraries along with DirectX 9.1,.

There could be more explicitly created in header (.h/.hpp) files but have yet to make
a utility to parse them.

If you want to add custom GUID defines (from 3rd party software, etc.), just edit
these text files manually.

2. After it loads in the defs, the plug-in iterates through all segments in your currently
open IDB. By default it will skip code/".text" segments, and import/export segments for
speed. Usually you find GUIDs in the ".rdata", and ".data" segments.

I originally intended to sort all the GUIDs by similarity and search with partial wild
cards for speed. If you take a look at the GUID defs you will see that many GUIDs share
common numbers that often differ only be the least significant digits ("Data4").
At least in theory, searching for groups wild cards should make searching faster.
Maybe next version..


[Known problems/issues/limitations]
1. If a given GUID 16byte def just so happens to match something that is not really a GUID,
the plug-in will try to convert it to one regardless (another reason not to run it
over code sections). So far I have not found this to be much of issue, although it could
be. Could add a confirm dialog for each to let the user decide.

2. Some GUID set operations will fail. This is usually because something is bad/wrong at the
particular address; like a partial code def, or incorrect xref.
The plug-in will display most of these errors in the IDA log window for manual correction.

3. TODO: Other GUID times like "DIID", "LIBID", "CATID", usefull?
Also listed in: COM Debugging Tools, IDA Extensions
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Guid Scanner
Rating: 0.0 (0 votes)
Author: ajron                        
Website: http://ajron.vtools.pl/en/guidscanner.html
Current version: build 101114
Last updated: November 14, 2010
Direct D/L link: http://vtools.pl/pliki/scan4g.rar
License type: Free
Description: This tool scans PE files (exe, dll, etc.) for Globally Unique IDentifiers (Classes and Interfaces) in 16-bytes binary form. The results can be copied to the clipboard or saved as a script for the IDA disassembler and applied in the IDA database.

Usage:
scan4g.exe [path]
Also listed in: COM Debugging Tools, IDA Extensions
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: HT Editor
Rating: 0.0 (0 votes)
Author: Stefan Weyergraf (steveman), Sebastian Biallas (seppel)                        
Website: http://hte.sourceforge.net/
Current version: 2.0.21
Last updated: November 20, 2012
Direct D/L link: http://hte.sourceforge.net/downloads.html
License type: GPL2
Description: General features

Supported file formats
common object file format (COFF/XCOFF32)
- header
- image with code/data analyser (x86)

executable and linkable format (ELF)
- header
- section headers
- program headers
- symbol tables
- image with code/data analyser (x86, AMD64, IA-64, Alpha, PowerPC, ARM) and relocations

linear executables (LE)
- header
- VxD descriptor
- object table
- page table
- image with code/data analyser (x86)
- auto-relocation layer (only internal refs for now)

standard dos executables (MZ)
- header
- relocations
- image (disassembly only)

new executables (NE)
- header
- segments
- names
- entrypoints
- image with code/data analyser (x86)
- auto-relocation layer (pretty complete)

portable executables (PE32, PE64)
- header
- import section
- delay-import section
- export section
- resources
- image with code/data analyser (x86, AMD64, PowerPC, IA-64, Alpha, ARM)
- preliminary support for .net executables

java class files (CLASS)
- header
- image with code/data analyser (java bytecode disassembler)

Mach exe/link format (MachO)
- header
- image with code/data analyser (x86, AMD64, PowerPC, ARM)

X-Box executable (XBE)
- header
- imports
- image with code/data analyser (x86)

Flat (FLT)
- header
- image with data analyser (no disassembler yet)

PowerPC executable format (PEF)
- header
- imports - image with code/data analyser (PowerPC)

Still some to be implemented (M$-OBJ, ARCH, LX)

Code & Data Analyser
- finds branch sources and destinations recursively
- finds procedure entries
- creates labels based on this information
- creates xref information
- allows to interactively analyse unexplored code (press 'c')
- allows to create/rename/delete labels (press 'n')
- allows to create/edit comments (press '#')

Target systems
- DJGPP
- GNU/Linux
- FreeBSD
- Win32
Also listed in: Disassemblers, Linux Disassemblers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: ILSpy
Rating: 0.0 (0 votes)
Author: David Srbecky                        
Website: http://wiki.sharpdevelop.net/ILSpy.ashx
Current version: 1.0.0.729
Last updated: April 12, 2011
Direct D/L link: http://build.sharpdevelop.net/BuildArtefacts/#ILSpy
License type: Open-source
Description: ILSpy is the open-source .NET assembly browser and decompiler.

Development started after Red Gate announced that the free version of .NET Reflector would cease to exist by end of February 2011.

ILSpy Features:

Assembly browsing
IL Disassembly
Decompilation to C#
Supports lambdas and 'yield return'
Saving of resources
Search for types/methods/properties (substring)
Hyperlink-based type/method/property navigation
Base/Derived types navigation
Navigation history
BAML to XAML decompiler
Save Assembly as C# Project
Find usage of field/method
Extensibile via plugins (MEF)
Also listed in: .NET Decompilers, .NET Disassemblers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: lida
Rating: 0.0 (0 votes)
Author: Mario Schallner                        
Website: http://lida.sourceforge.net
Current version: 00.03.00
Last updated: December 5, 2004
Direct D/L link: N/A
License type: Free / Open Source
Description: lida is basically a disassembler and code analysis tool. It uses the bastards libdisasm for single opcode decoding (see http://bastard.sourceforge.net/libdisasm.html). It allows interactive control over the generated deadlisting via commands and builtin tools.


Short Overview of (planned) features:

* ELF, RAW file disassembly (generating stringtable, symboltable, crossreferences, ... )
* trace execution flow of binary
* work with symbolic names: interactive naming of functions, labels, commenting of code
* scan for known anti-debugging, anti-disassembling techniques
* scan for user defined code sequences
* integrated patcher
* integrated cryptoanalyzer
* handy ("intelligent") browsing
* openssl support (customizeable "init values", apply to programs datablocks)


Why lida?

The project lida was initiated because of the lack of handy reverse engineering software for linux. Therefore it is designed to (and should) fit several needs of some typical reverse-engineering sessions.
lida addresses people who like to work on deadlistings, and should be especially useful for people with previous experience in windows reverse engineering. lida should be a good "entry point" for examining the "new targets".
A typical use is to run it while debugging your program and comment the deadlisting / name functions with the information gathered.

So basically it is a disassembler. Why another one? :)

Many disassemblers out there use the output of objdump - lida tries a more serious approach. The several limitations of objdump (see 3.1) are broken by using libdisasm (thx to HCUNIX!), and by tracing the execution flow of the program.
Further, by having the control over the disassembly - more features can be included. Everybody who has already worked on some deadlisting will immediate feel a need to work interactive with the code - and be able to change it.
Therefore lida will have an integrated patcher, resolves symbolic names, provides the ability to comment the code, serves efficient browsing methods, ...
The more exotic features of lida should be on the analysis side. The code can be scanned for custom sequences, known antidebugging techniques, known encryption algorithms, ... also you will be able to directly work with the programs data and for example pass it to several customizable en-/decryption routines.
This of course only makes limited sense as it is not a debugger. Tough often I really missed this functionality.
Also listed in: Disassemblers, Linux Disassemblers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Linice
Rating: 0.0 (0 votes)
Author: Goran Devic                        
Website: http://www.linice.com
Current version: 2.6
Last updated: July 28, 2005
Direct D/L link: Locally archived copy
License type: GPL
Description: What is Linice?

Linice is an Intel x86-based, Linux source-level kernel debugger with the look and feel of SoftIce for MS Windows.

Linice is designed to be used by the people who have SoftIce experience. Linice provides a major subset of SoftIce commands, and adds a few new ones. For that reason the documentation describing individual commands is not provided. There are a number of good resources on the Web that describe all SoftIce commands (Google "SoftIce" keyword.)

What can I use it for?

You can use Linice to debug a kernel module or a user application. You can also debug a Linux kernel. Kernel does not need to be recompiled or patched in any way. The debugger proper loads as a module into the running kernel and supports debugging using the following devices:
local VGA frame buffer
X-Window
remote serial terminal
monochrome monitor

You can break into a running kernel at any time by a hotkey. Place breakpoints, single step, watch variables etc. Multiple international keyboard layouts are supported.
Also listed in: Linux Debuggers, Ring 0 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: MSIL Dumper
Rating: 0.0 (0 votes)
Author: Kurapica                        
Website: http://www.woodmann.com/forum/showthread.php?t=11809
Current version: 0.4
Last updated: December 12, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: The idea of this tool is to achieve two objects:

1 - It will dump the body of every Method (Function, Procedure) called by the executable assembly you select, The dumping occurs whenever compiler enters that method, for example if you Click some button and this button calls method "CheckLicense" then you will find a file named "CheckLicense.txt" in the "\Dump" folder.

2 - It will show you in details the methods being called and also the modules that your application loads so it could be used as a simple tracing utility for .net assemblies.

I wrote this tool to help me rebuild assemblies protected with JIT hooking technique, those assemblies can't be explored in Reflector because their methods' body is encrypted and only decrypted in runtime when the method is called so you will see no code in reflector, I assumed that I will have access to the encrypted MSIL code of the methods using Profiling APIs, there was a 50% chance of success but it turned out to be only useful against certain protections like the one that LibX coded which depends on System.Reflection.Emit.DynamicMethod to excute protected methods.

you can find more on LibX protection here
hxxp://www.reteam.org/board/showthread.php?t=799
Also listed in: .NET MSIL Dumpers, .NET Tracers, Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: MetaPuck
Rating: 0.0 (0 votes)
Author: y0da                        
Website: http://y0da.cjb.net
Current version: 1.0
Last updated: 2005
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: MetaPuck is a tool to spy the information, being hidden in the MetaData block inside the CLR (Common Language Runtime) Portable Executeable images of the .NET framework, and displays it in a well overlookable TreeView. It also parses .NET "typelibs". Included full source code.
Also listed in: COM Debugging Tools, .NET Executable Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: NetAsm
Rating: 0.0 (0 votes)
Author: Alexandre Mutel                        
Website: http://www.codeplex.com/netasm
Current version: 1.0
Last updated: July 25, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: NetAsm provides a hook to the .NET JIT compiler and enables to inject your own native code in replacement of the default CLR JIT compilation. With this library, it is possible, at runtime, to inject x86 assembler code in CLR methods with the speed of a pure CLR method call and without the cost of Interop/PInvoke calls.

NetAsm can be used to integrate optimized native code using CPU extended instructions (SSE,MMX) into your managed code. The NetAsmDemo sample provides two benchmarks that unveil the power of using native code injection with NetAsm.

For more information about NetAsm, code injection techniques and recommendations, please consult the NetAsm-UserGuide.
Also listed in: .NET Code Injection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: OLE RE Tools
Rating: 0.0 (0 votes)
Author: Joe Stewart                        
Website: http://www.openrce.org/articles/full_view/17
Current version: 1.0
Last updated: September 12, 2005
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Some utils to assist in reverse-engineering OLE applications.
Use on Win32 may require addition of BINMODE.

guidextract.pl - find and label OLE GUIDs in an executable
guids.txt - list of GUIDs and interface names from my registry
reg2guidlist.pl - make your own guids.list from a registry export file
listmethods.pl - list interface methods and offsets in Vtbl
Also listed in: COM Debugging Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: OLE/COM Object Viewer (OLEview)
Rating: 0.0 (0 votes)
Author: Microsoft                        
Website: http://www.microsoft.com/downloads/details.aspx?familyid=5233b70d-d9b2-4cb5-aeb6-45664be858b6
Current version: 1.00.0.1
Last updated: October 18, 2000
Direct D/L link: N/A
License type: Free
Description: Browses, configures, and tests Microsoft Component Object Model classes installed on a computer.
Also listed in: COM Debugging Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: oStudio - Live Tuning
Rating: 0.0 (0 votes)
Author: Objectis                        
Website: http://www.objectis-software.com/product/ostudio-live-tuning-live-debugging-functional-tests/
Current version: 1.3
Last updated: January 17, 2014
Direct D/L link: http://www.objectis-software.com/download-ostudio-2013/
License type: Free
Description: Accelerates the integration, testing and development phase by a factor of 2 to 10, in one easy-to-use application.
oStudio - Live Tuning brings a new development and real time debugging method. It's easy to connect embedded systems, automation and .NET applications to oStudio - Live Tuning, and to interact with them LIVE!

Traditional step by step debugging techniques are now history. A system doesn’t need to be halted to verify and validate its behavior anymore! This method, called live debugging, consists of observing and interacting with a real-time system while it’s still running. oStudio – Live Tuning is a new generation of debugger. It regroups new debugging tools for embedded systems and the machine industry with automated testing.
Also listed in: .NET Debuggers, .NET Tools, .NET Tracers, API Monitoring Tools, COM Debugging Tools, COM Monitoring Tools, Debug Output Monitoring Tools, Debuggers, FPGA Tools, Microcontroller Tools, Non-Intrusive Debuggers, Visual Basic Debuggers, Visual Basic Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: PEBrowse Professional
Rating: 0.0 (0 votes)
Author: SmidgeonSoft                        
Website: http://www.smidgeonsoft.prohosting.com/pebrowse-pro-file-viewer.html
Current version: 10.1.5
Last updated: April 14, 2011
Direct D/L link: http://www.smidgeonsoft.com/download/PEBrowseV10_1_5.zip
License type: Free
Description: PEBrowse Professional is a static-analysis tool and disassembler for Win32/Win64 executables and Microsoft .NET assemblies produced according to the Portable Executable specifications published by Microsoft. For Microsoft Windows Vista, Windows XP, Windows 2000, and others. (We have received reports that the software also works on other OSes, including Wine (!) and Windows CE.)

With the PEBrowse disassembler, one can open and examine any executable without the need to have it loaded as part of an active process with a debugger. Applications, system DLLs, device-drivers and Microsoft .NET assemblies are all candidates for offline analysis using PEBrowse. The information is organized in a convenient treeview index with the major divisions of the PE file displayed as nodes. In most cases selecting nodes will enable context-sensitive multiple view menu options, including binary dump, section detail, disassembly and structure options as well as displaying sub-items, such as optional header directory entries or exported functions, that can be found as part of a PE file unit. Several table displays, hex/ASCII equivalents, window messages and error codes, as well as a calculator and scratchpads are accessible from the main menu.

While the binary dump display offers various display options, e.g., BYTE, WORD, or DWORD alignment, the greatest value of PEBrowse comes when one disassembles an entry-point. An entry-point in PEBrowse is defined as:

* Module entry-point
* Exports (if any)
* Debug-symbols (if a valid PDB, i.e., program database file, is present)
* Imported API references
* Relocation addresses
* Internal functions/subroutines
* Any valid address inside of the module

Selecting and disassembling any number of these entry-points produces a versatile display rich in detail including upper/lowercase display, C/Pascal/Assembler suffix/prefixing, object code, color-coded statements, register usage highlighting, and jump/call target preview popups. Additional information, such as variable and function names, will also be present if one has access to a valid PDB file. Disassembly comes in two flavors: linear sweep (sequential disassembly from a starting address) and recursive traversal, aka, analysis mode (disassembly of all statements reachable by non-call statements - extended analysis disassembles all internal call statements as well). The latter mode also presents local variables with cross-referencing, highlighting, and renaming options. If one adds/changes variable name or adds comments to specific lines, these can be displayed in a session file which will record and save all currently opened displays.

PEBrowse Professional will decompile type library information either embedded inside of the binary as the resource "TYPELIB" or inside of individual type libraries, i.e., .TLB or .OLB files.

PEBrowse Professional also displays all metadata for .NET assemblies and displays IL (Intermediate Language) for .NET methods. It seamlessly handles mixed assemblies, i.e., those that contain both native and managed code.

Finally, PEBrowse can be employed as a file browse utility for any type of file with the restriction that the file must be small enough that it can be memory-mapped.
Also listed in: .NET Disassemblers, .NET Tools, COM Tools, Delphi Tools, Disassemblers, Exe Analyzers, Memory Dumpers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: PPEE (puppy)
Rating: 0.0 (0 votes)
Author: Zaderostam                        
Website: https://www.mzrst.com/
Current version: 1.05
Last updated: April 22, 2016
Direct D/L link: Locally archived copy
License type: Free
Description: This is a professional PE file explorer that lets you dig into all data directories available in the PE/PE64 file and edit them.
Export, Import, Resource, Exception, Certificate(Relies on Windows API), Base Relocation, Debug, TLS, Load Config, Bound Import, IAT, Delay Import and CLR are supported.
A companion plugin is also provided to take one-click technical information about the file such as its size, entropy, attributes, hashes, version info and so on.

Puppy is robust against malformed and crafted PE files which makes it handy for reversers, malware researchers and those who want to inspect PE files in more details.

Puppy is free and tries to be small, fast, nimble and friendly as your puppy!

In new version:
- .Net assembly VtableFixup support
- Control Flow Guard support
- New highlighting scheme
- Treeview icon added
- Neater Listview
- Major bug fixes


Feel free to use it ;)
Also listed in: .NET Executable Editors, Dependency Analyzer Tools, Entropy Analyzers, Exe Analyzers, Executable CRC Calculators, Executable File Editors & Patchers, Export Editors, Hex Editors, Import Editors, Malware Analysis Tools, PE Executable Editors, Relocation Tools, String Finders
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: PgcEdit
Rating: 0.0 (0 votes)
Author: r0lZ                        
Website: http://download.videohelp.com/r0lZ/pgcedit/index.html
Current version: 9.3
Last updated: March 22, 2010
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: PgcEdit is a DVD IFO and Menu editor designed to allow the modification of the navigation commands and parameters of an already authored DVD structure.
PgcEdit is also an excellent tool to learn how a DVD works, with its powerful Trace function.

PgcEdit v9 has a new function to automatically simplify the DVD, remove useless PGCs and commands, convert useless menus to dummies, etc... The resulting DVD is usually simpler to analyse and understand.

The possibilities of PgcEdit are so numerous that it is simply impossible to list them all. Just try it, and see!

PgcEdit is free. However, to boost the donations, a nag screen is displayed during some seconds at its startup. The donors will receive a code to disable it.
As a consequence, the source code of PgcEdit is no longer available. It will be released later, but only a previous version will be available. If you want to run the latest update, you must donate. Sorry.

PgcEdit runs under all versions of Windows (including Vista), and with some limitations under Linux.
----------------------------------------------------------------------------------------------------
PgcEdit is a DVD IFO and Menu editor designed to allow the modification of the navigation commands and parameters of an already authored DVD structure.
PgcEdit is also an excellent tool to learn how a DVD works, with his powerful Trace function.

Since v0.6.0, PgcEdit is also the first program able to burn a Double Layer DVD-Video on DL DVD+R or DL DVD-R, with an interactive interface (including a preview), to select the position of the layer break.

See e.g. this for a little introduction:

http://www.woodmann.com/forum/showthread.php?t=11188

Many more third-party guides are linked from the homepage though.
Also listed in: DVD Movie Logic Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Phoenix Protector
Rating: 0.0 (0 votes)
Author: Daniel Pistelli                        
Website: http://ntcore.com/phoenix.php
Current version: 1.8.0.1
Last updated: June 2, 2008
Direct D/L link: http://ntcore.com/Files/Phoenix_Protector.msi
License type: Free
Description: The Phoenix Protector was created to protect .NET assemblies and it's the ideal solution for every .NET developer, due to its support of every kind of project and compatibility with every version of the .NET framework. It has all common obfuscation features to secure your code. It provides obfuscation features like Name, String and Control Flow Obfuscation. The last feature is particularly important since it prevents the .NET assembly from being decompiled into an understandable language. The Name Obfuscation is provided with an exclusion list.

I first wrote the core of the Phoenix Protector for a company when I was 19. That project didn't work out for internal reasons not related to the quality of the product itself. I then wrote the Phoenix Protector, which was basically a new GUI for the now improved core. However, during the years (one has to consider that I was quite young when I developed the .NET obfuscator) I became ever more conscious that I didn't want to spend my life writing protections and also that I was not convinced by protections for the .NET technology in the first place. That's partly why I wrote Rebel.NET. By combining Rebel.NET with the DisasMSIL engine it is very easy to write a code obfuscator for .NET assemblies. The only thing which would be missing is name obfuscation and string encryption, which are even easier as protections. That's why I'm releasing the Phoenix Protector for free: nowadays, writing a commercial obfuscator doesn't make much sense to me. The code obfuscation provided by the Phoenix Protector is quite good when compared to other commercial obfuscators. I noticed that most obfuscators provide a very easy to reverse code obfuscation scheme. I'm not saying that the Phoenix Protector's code obfuscation can't be reversed. Every .NET code obfuscation scheme can be reversed somehow and the rebuilding task becomes very easy through Rebel.NET.
Also listed in: .NET Packers, Packers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: PvLog DeObfuscator Win32
Rating: 0.0 (0 votes)
Author: PV Logiciels                        
Website: http://dotnetprotector.pvlog.com/Tools.aspx
Current version: 1.0
Last updated: November 8, 2008
Direct D/L link: http://dotnetprotector.pvlog.com/downloads/DeObfuscatorWin32.zip
License type: Free
Description: PvLog Deobfuscator is a MSIL code optimizer. One side effect of the optimizer is that it can make more readable obfuscated code. PvLog DeObfuscator can also rename the types and names of members to further improve readability. This tool does not require installation: you just need to run the executable. DeObfuscator is also available in 32 and 64 bit, but we recommend you use the version that corresponds to the architecture of the assembly to optimize. The assembly generated by Deobfusctator may not always run because of protective measures implemented in the assembly (protection against code modification), but should be able to load in reflector. NOTE: the attribute that prevents ILDASM is not removed by DeObfuscator... but it could !
Also listed in: .NET Deobfuscation Tools, .NET Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: PvLog LicenseManagerKiller Win32
Rating: 0.0 (0 votes)
Author: PV Logiciels                        
Website: http://dotnetprotector.pvlog.com/Tools.aspx
Current version: 1.0
Last updated: November 8, 2008
Direct D/L link: http://dotnetprotector.pvlog.com/downloads/LicenseManagerKillerWin32.zip
License type: Free
Description: The purpose of PvLog LicenseManagerKiller is to warn against the inefficiency of managing licenses in 100% managed code. LicenseManagerKiller is a tool that removes LicenseProvider attributes in the assembly. This tool is rudimentary and releases only most naive protections, but you can imagine that PvLog DeObfuscator and Reflector would allow a determined attacker to remove more sophisticated license controls.
Also listed in: .NET Tools, .NET Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: RE-Sign
Rating: 0.0 (0 votes)
Author: LibX                        
Website: http://www.reteam.org/tools.html
Current version: 0.1
Last updated: March 20, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: RE-Sign is a tool to help u re-sign .NET assemblys with your own StrongName key,
and no need todo any manual patching anymore and no need to have sn.exe installed
If u don't have a StrongName keypair file u do need sn.exe to generate one,
but i will include a keypair file generator in the next version.
Also listed in: .NET Signature Changers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: REZiriz
Rating: 0.0 (0 votes)
Author: LibX                        
Website: http://www.reteam.org/tools.html
Current version: 2.0
Last updated: August 28, 2007
Direct D/L link: http://www.reteam.org/tools/tf33.zip
License type: Free
Description: REZiriz is a unpacker for Eziriz .NET Reactor > v3.1.x.x

Also added support to remove NecroBits protection that prevents
the decompilation of unpacked assemblys
And support to unpack v3.3.1.1 of Eziriz .NET Reactor

Unpacker features:
---------------------------
[*] Unpacking Eziriz .NET Reactor v3.3.1.1
[*] Unpacking Eziriz .NET Reactor v3.3.0.1
[*] Unpacking Eziriz .NET Reactor v3.2.4.6
[*] Unpacking Eziriz .NET Reactor v3.2.0.6
[*] Unpacking Eziriz .NET Reactor v3.2.0.0
[*] Unpacking Eziriz .NET Reactor v3.1.0.0

[*] Versions < v3.1.0.0 are not supported

[*] Added NecroBit Protection Remover
Also listed in: Automated Unpackers, .NET Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Resourcer for .NET
Rating: 0.0 (0 votes)
Author: Lutz Roeder                        
Website: http://www.aisto.com/roeder/dotnet/
Current version: 1.0
Last updated:
Direct D/L link: N/A
License type: Free
Description: Resourcer is an editor for .resources binaries and .resX XML file formats used with the .NET platform. Resourcer allows editing of name/string pairs, import of bitmaps/icons and and merging of resources from different sources.
Also listed in: .NET Resource Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: SNSRemover
Rating: 0.0 (0 votes)
Author: Ntoskrnl                        
Website: http://www.ntcore.com/utilities.php
Current version: 1.0
Last updated: November 29, 2005
Direct D/L link: http://www.ntcore.com/Files/SNSRemover.zip
License type: Free
Description: This tool removes the Strong Name Signature from .NET Assemblies.
Also listed in: .NET Signature Removers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Skpd
Rating: 0.0 (0 votes)
Author: Albert Sellarès                        
Website: https://www.wekk.net
Current version: 1.3
Last updated: 13/07/2009
Direct D/L link: https://www.wekk.net/code/attachments/download/1/skpd.tar.gz
License type: none yet
Description: <nowiki>Skpd is a process dumper for x86 and x64 ELF binaries

Features:

static binaries.
dynamic binaries.
compressed files (at least upx)
elfuck encrypted.
32 and 64 bits support.
Generates an ELF file from a running process.
If the original file was encrypted, the new one will not.
i386, x86_64, MIPSEL platforms

Usage:

./skpd {-p pid
Also listed in: Linux Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Strong Name Helper
Rating: 0.0 (0 votes)
Author: whoknows                        
Website: N/A
Current version: 0.9 beta
Last updated: November 02, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: Purpose of util is to help you with the boring EXE/DLL strong name validation tied....
Also listed in: .NET Signature Removers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Strong Name Remove
Rating: 0.0 (0 votes)
Author: Andrea Bertolotto                        
Website: http://www.codeproject.com/KB/security/StrongNameRemove20.aspx
Current version: 2.1.0.0
Last updated: July 19, 2007
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Good application for removing strong name signatures in .NET executables.
Also listed in: .NET Signature Removers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Telerik JustDecompile
Rating: 0.0 (0 votes)
Author: Telerik                        
Website: http://www.telerik.com/
Current version: 2014.1.225.0
Last updated:
Direct D/L link: http://www.telerik.com/downloads/productfiles/bgkht/JustDecompile_2014.1.225.0.msi
License type: Developer Licence is Free
Description: An alternative to Reflector and IlSpy.
JustDecompile is .NET assembly browser and decompiler.

- Fast code navigation
- Create Visual Studio projects
- Extract resources from assemblies
- Easy assembly management
- Zip file distribution
- Visual Studio Extension - decompile referenced assemblies
- Visual Studio inline decompilation (through JustCode)
- Command line support
- Integrate with Windows Explorer Context Menu
- SL XAP decompilation from URL
- Open API (extensible)
- Edit assemblies with Reflexil
- Deobfuscate with de4dot
- C#5 (WinRT) support
- APPX and WinMD support
Also listed in: .NET Decompilers, .NET Disassemblers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: TypeLib Browser
Rating: 0.0 (0 votes)
Author: José Roca                        
Website: http://www.com.it-berater.org/typelib_browser.htm
Current version: 2.05
Last updated: July 18, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: The TypeLib Browser is a tool designed to let you to examine the contents of COM servers and ActiveX controls and to provide alternate ways to use them or to give workarounds to features still not available in the Power Basic compilers, such events sink.

Besides letting you to inspect all the information available in the typelibs, it generates wrapper functions that use direct VTable calls.
Also listed in: COM Debugging Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Valgrind
Rating: 0.0 (0 votes)
Author:                         
Website: http://valgrind.org
Current version: 3.2.3
Last updated: January 29, 2007
Direct D/L link: N/A
License type: Free / Open Source
Description: Valgrind is an award-winning suite of tools for debugging and profiling Linux programs. With the tools that come with Valgrind, you can automatically detect many memory management and threading bugs, avoiding hours of frustrating bug-hunting, making your programs more stable. You can also perform detailed profiling, to speed up and reduce memory use of your programs.

The Valgrind distribution currently includes four tools: a memory error detector, a cache (time) profiler, a call-graph profiler, and a heap (space) profiler. It runs on the following platforms: X86/Linux, AMD64/Linux, PPC32/Linux, PPC64/Linux.
Also listed in: Code Injection Tools, Linux Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Wintruder
Rating: 0.0 (0 votes)
Author: FutureVision                        
Website: http://mitglied.lycos.de/wintruder/wintruder.zip
Current version: 1.0.0.1
Last updated: October 17, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: Wintruder is an extendable debugger for Windows 9x and Windows XP.
By default, it includes debug interfaces for:
- Win32 Debug API
- Intel x86
- Microsoft VisualBasic p-code
- Virtual Dos Machine (XP only)
- Win32 Stealth (XP only)
- Intel x86
- Microsoft VisualBasic p-code
- Virtual Dos Machine
- Microsoft .Net (.Net 1.0 and up)
- .Net CIL

You can use Wintruder for free. For more information read license.txt. If this file does not exist, type wintruder.exe -l


This version of Wintruder is a development snapshot and far from being a final release.

Most important limitations:
- You may encounter several bugs and deficiencies.
- The use of debug information is limited to bare function definitions.
- The native .Net debugger is missing.
- The script engine is not really working.
- Much, much more…

By the way:
- The DiaDbg plug-in requires the Microsoft Debug Interface Access library. (msdia80.dll, msdia71.dll or msdia20.dll)
- To be more precise: None of the libraries Wintruder is bound to is included in this distribution.
Also listed in: .NET Debuggers, Ring 3 Debuggers, Visual Basic Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)


...

There were too many (recursive) child objects of this category to display them all, please use the sub categories below to increase the detail of your search criteria!


RSS feed Feed containing all updates and additions for this category.

RSS feed Feed containing all updates and additions for this category, including sub-categories.


Subcategories

There are 18 subcategories to this category.




No items can be added directly to this category, please rather select one of its sub-categories above to submit an item!

Views