From Collaborative RCE Tool Library

Jump to: navigation, search

Categorized by Target Type


Tool name: Explorer Suite
Rating: 5.0 (1 vote)
Author: Daniel Pistelli                        
Website: http://ntcore.com/exsuite.php
Current version: III
Last updated: March 2, 2008
Direct D/L link: http://ntcore.com/Files/ExplorerSuite.exe
License type: Free
Description: A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

Features:

* Process Viewer
* Windows Viewer
* PE and Memory Dumper
* Full support for PE32/64
* Special fields description and modification (.NET supported)
* PE Utilities
* PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
* View and modification of .NET internal structures
* Resource Editor (full support for Windows Vista icons)
* Support in the Resource Editor for .NET resources (dumpable as well)
* Hex Editor
* Import Adder
* PE integrity checks
* Extension support
* Visual Studio Extensions Wizard
* Powerful scripting language
* Dependency Walker
* Quick Disassembler (x86, x64)
* Name Unmangler
* Extension support
* File Scanner
* Directory Scanner
* Deep Scan method
* Recursive Scan method
* Multiple results
* Report generation
* Signatures Manager
* Signatures Updater
* Signatures Collisions Checker
* Signatures Retriever
Also listed in: .NET Executable Editors, .NET Resource Editors, .NET Signature Removers, .NET Tools, Dependency Analyzer Tools, Exe Analyzers, Executable CRC Calculators, Hex Editors, Import Editors, Memory Dumpers, PE Executable Editors, Process Dumpers, Protection Identifiers, Resource Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: IDA Pro
Rating: 5.0 (3 votes)
Author: Ilfak Guilfanov                        
Website: http://www.hex-rays.com/idapro
Current version: 5.2
Last updated: November 26, 2007
Direct D/L link: N/A
License type: Commercial
Description: The IDA Pro Disassembler and Debugger is an interactive, programmable, extendible, multi-processor disassembler hosted on Windows or on Linux. IDA Pro has become the de-facto standard for the analysis of hostile code, vulnerability research and COTS validation.

There is also a free (crippled) version available (IDA Pro Free). See its own entry in the library for more info.

As of January 7, 2007, the official IDA Pro website moved from the old URL (http://www.datarescue.com/idabase) to the one listed above.
Also listed in: .NET Disassemblers, Disassemblers, Linux Debuggers, Linux Disassemblers, Mobile Platform Debuggers, Mobile Platform Disassemblers, Ring 3 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Rebel.NET
Rating: 5.0 (1 vote)
Author: Daniel Pistelli                        
Website: http://ntcore.com/rebelnet.php
Current version: 1.0.0.1
Last updated: April 25, 2008
Direct D/L link: http://ntcore.com/Files/RebelDotNET.zip
License type: Free
Description: Rebel.NET is a rebuilding tool for .NET assemblies which is capable of adding and replacing methods and streams.

It's possible to replace only a limited number of methods or every method contained in a .NET assembly. The simplicity of Rebel.NET consists in the replacing process: one can choose what to replace. For instance, one may choose to replace only the method code, instead of its signature or method header.

The interface of Rebel.NET is quite a simple one. As input it requires a .NET assembly to be rebuilded and a Rebel.NET rebuilding file. The Rebel.NET file contains the data that has to be replaced in the original assembly.

Rebel.NET can also create a Rebel.NET file from a given assembly. This is a key functionality, since some times the data of the original assembly has to be processed first to produce a Rebel.NET file for the rebuilding of the assembly. This sort of "report" feature can also be used to analyze the methods of an assembly, since reading the original data from a .NET assembly isn't as easy as reading a Rebel.NET file. It's possible to choose what should be contained in the Rebel.NET file.

All the Rebel.NET features can used through command line, which comes very handy when an automated rebuilding process is needed.

Rebel.NET is, mainly, a very solid base to overcome every .NET protection and to re-create a fully decompilable .NET assembly. As such, Rebel.NET has to be considered a research project, not an encouragement to violate licensing terms.
Also listed in: .NET Code Injection Tools, .NET Executable Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: CFF Explorer
  • Currently4.6666666666667/5
  • 1
  • 2
  • 3
  • 4
  • 5
Rating: 4.7 (3 votes)
Author: Daniel Pistelli                        
Website: http://www.ntcore.com/exsuite.php
Current version: VII
Last updated: January 17, 2008
Direct D/L link: http://www.ntcore.com/Files/CFF_Explorer.zip
License type: Freeware
Description: The CFF Explorer was designed to make PE editing as easy as possible, but without losing sight on the portable executable's internal structure. This application includes a series of tools which might help not only reverse engineers but also programmers. It offers a multi-file environment and a switchable interface.

Also, it's the first PE editor with full support for the .NET file format. With this tool you can easily edit metadata's fields and flags. If you're programming something that has to do with .NET metadata, you will need this tool. The resource viewer supports .NET image formats like icons, bitmaps, pngs. You'll be able to analyze .NET files without having to install the .NET framework, this tool has its own functions to access the .NET format.

Also includes a cool new scripting engine!
Also listed in: .NET Executable Editors, PE Executable Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: DeDe
Rating: 4.0 (1 vote)
Author: DaFixer                        
Website: http://dafixer.cjb.net
Current version: 3.50.04 (build 1635)
Last updated: June 25, 2006
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: DeDe is a very fast application that allows you to analyze executables compiled with Delphi 2,3,4,5,6,7, C++ Builder, Kylix and Kol, and gives you the following:

· All .dfm files of the target. You will be able to open and edit them with Delphi.
· All published methods in well commented ASM code with references to strings, imported function calls, classes methods calls, components in the unit, Try-Except and Try-Finally blocks. (By default DeDe retrieves only the published methods sources, but you may also process another procedure in a executable if you know the RVA offset using the Tools|Disassemble Proc menu.)
· A lot of additional information the files.
· You can create a Delphi project folder with all dfm, pas, dpr files. Note: pas files contains the mentioned above well commented ASM code. They can not be recompiled !

You can also:
· View the PE Header of all PE Files and change/edit the sections flags.
· Use the opcode-to-asm tool for translating intel opcode to assembler.
· Use RVA-to-PhysOffset tool for fast converting physical and RVA addresses.
· Use the DCU Dumper (view dcu2int.txt for more details) to retrieve near to pascal code of your DCU files.
· Use BPL(DPL) Dumper to see BPL exports and create symbol files to use with DeDe disassembler.
· Disassemble a target EXE directly from memory in case of a packed exe.

------------
NOTE:
The original site seems to be gone (or at least DeDe seems to be gone from it), and the locally archived copy here in this CRCETL entry is not the version with source code included. If someone has a copy of the version with source included, or a version higher than 3.50.02 build 1619 (which is the one we have locally archived, even though at least 3.50.04 build 1635 exists), please upload it here!
Also listed in: Decompilers, Delphi Decompilers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: .NET Generic Unpacker
Rating: 0.0 (0 votes)
Author: Ntoskrnl                        
Website: http://ntcore.com/netunpack.php
Current version: 1.0.0.1
Last updated:
Direct D/L link: http://ntcore.com/Files/NETUnpack.zip
License type:
Description: This is a program to dump .NET packed applications. Of course no serious .NET protection relies on packing. In fact, this software shows how easily you can unpack a protected assemly. This .NET Generic Unpacker was written in a couple of hours and despite of the fact that it's very simple, it might turn useful having it: otherwise you have to unpack manually, which is also very easy.
Also listed in: .NET Unpackers, Automated Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: .NET Hook Library
Rating: 0.0 (0 votes)
Author: shokshok                        
Website: http://dotnethook.sourceforge.net
Current version: 2.1
Last updated: May 30, 2002
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: .Net Hook Library is a library (with a sample tool) to manipulate functions in a .NET Assembly. It allows for insertion of arbitrary code at the beginning of each function called in a .NET assembly (whether executable or assembly). Also provides code that reads through metadata and dumps information on it.

The download contains detailed documentation about how it works and what it is.

I'm in the process of converting this from an executable to a library. That way, existing applications can use it to modify the .NET binaries (a.k.a assemblies).
Also listed in: .NET Code Injection Tools, Code Injection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: All-Seeing Eye
Rating: 0.0 (0 votes)
Author: Fortego Security                        
Website: http://www.fortego.com/en/ase.html
Current version: 0.7.1
Last updated: 2007
Direct D/L link: http://www.fortego.com/resources/ase071.zip
License type: Free
Description: Tool for automated diff-style checking of many sensitive system areas that malware and other programs often try to modify silently. Like Tripwire on speed.
Also listed in: File System Diff Tools, Install Monitoring Tools, Registry Monitoring Tools, System Diff Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: BCEL
Rating: 0.0 (0 votes)
Author: The Apache Jakarta Project                        
Website: http://jakarta.apache.org/bcel
Current version: 5.2
Last updated: June 6, 2006
Direct D/L link: N/A
License type: Free / Open Source
Description: The Byte Code Engineering Library is intended to give users a convenient possibility to analyze, create, and manipulate (binary) Java class files (those ending with .class). Classes are represented by objects which contain all the symbolic information of the given class: methods, fields and byte code instructions, in particular.

Such objects can be read from an existing file, be transformed by a program (e.g. a class loader at run-time) and dumped to a file again. An even more interesting application is the creation of classes from scratch at run-time. The Byte Code Engineering Library (BCEL) may be also useful if you want to learn about the Java Virtual Machine (JVM) and the format of Java .class files.

BCEL contains a byte code verifier named JustIce, which usually gives you much better information about what's wrong with your code than the standard JVM message.

BCEL is already being used successfully in several projects such as compilers, optimizers, obsfuscators, code generators and analysis tools. Unfortunately there hasn't been much development going on over the past few years.
Also listed in: Java Disassembler Libraries
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Bastard
Rating: 0.0 (0 votes)
Author:                         
Website: http://bastard.sourceforge.net
Current version: 0.16
Last updated: 2002
Direct D/L link: N/A
License type: Free / Open Source
Description: The Bastard is a disassembler -- or, more appropriately, a disassembly environment. The idea is that you have an interpreter, much as you would in Perl or Python, which allows you to load files, disassemble them, dump the disassembly, write/run macros, and various other operations. The x86 instruction disassembler written for this project has been packaged seperately as libdisasm, and is intended to be used in other open source projects.

This interpreter can be used interactively, it can be fed commands via STDIN [just like a scripting interpreter], and it can be communicated with via a pair of FIFOs. Now, on top of this any number of UI front ends can be stacked -- ncurses console front ends, Gtk X front-ends, Tk front ends, etc. It is the reponsibility of the front-ends to display the information obtained by querying the disassembler, supplying syntax highlighting, displaying strings, xrefs, etc; however the disassembler will retain all of this information, do all of the 'brute' processing, and will provide any of the information when requested.

The bastard currently runs on x86 Linux and FreeBSD [CVS version]. It can disassemble x86 ELF, a.out, and PE files as well as flat binary files [.com, .bin].
Also listed in: Disassemblers, Linux Disassemblers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Burndump
Rating: 0.0 (0 votes)
Author: ByteRage                        
Website: http://www.securiteam.com/tools/5BP0H0U7PQ.html
Current version: 1.0
Last updated: July 13, 2002
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Burndump is a LKM that strips off the TESO Burneye protection from encrypted executables. You must be able to run the executable. When the program is unwrapped, you do not need the host-fingerprint or the password anymore and the ELF file can be reverse engineered without the Burneye anti-debugger tricks.
Also listed in: Linux Unpackers, Automated Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Burneye
Rating: 1.0 (1 vote)
Author: TESO                        
Website: https://teso.scene.at/releases.php
Current version: 1.0.1
Last updated: December 24, 2002
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Burneye ELF encryption program, with full source and docs.
Also listed in: Packers, Linux Packers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Burp Suite
Rating: 0.0 (0 votes)
Author: PortSwigger                        
Website: http://www.portswigger.net/suite/
Current version: 1.1
Last updated:
Direct D/L link: http://portswigger.net/suite/download.html
License type: Free / Open Source
Description: Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, authentication, downstream proxies, logging, alerting and extensibility.

Burp Suite allows you to combine manual and automated techniques to enumerate, analyse, attack and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.

Key features unique to Burp Suite include:

* Ability to "passively" spider an application in a non-intrusive manner, with all requests originating from the user's browser.
* One-click transfer of interesting requests between tools, e.g. from the Burp Proxy request history, or the Burp Spider results tree.
* Detailed analysis and rendering of requests and responses.
* Extensibility via the IBurpExtender interface, which allows third-party code to extend the functionality of Burp Suite. Data processed by one tool can be used in arbitrary ways to affect the behaviour and results of other tools.
* Centrally configured settings for downstream proxies, web and proxy authentication, and logging.
* Tools can run in a single tabbed window, or be detached in individual windows.
* All tool and suite configuration is optionally persistent across program loads.
* Runs in both Linux and Windows.

New features in version 1.1 include:

* Improved analysis of HTTP requests and responses wherever they appear, with browser-quality HTML and media rendering.
* Burp Sequencer, a new tool for analysing session token randomness.
* Burp Decoder, a new tool for performing manual and intelligent decoding and encoding of application data.
* Burp Comparer, a new utility for performing a visual diff of any two data items.
* Support for custom client and server SSL certificates.
* Ability to follow 3xx redirects in Burp Intruder and Repeater attacks.
* Improved interception and match-and-replace rules in Burp Proxy.
* A "lean mode", for users who prefer less functionality and a smaller resource footprint.

Burp Suite is a Java application, and runs on any platform for which a Java Runtime Environment is available. It requires version 1.5 or later. The JRE can be obtained for free from java.sun.com.
Also listed in: Web Application Tools, HTTP Proxy Tools, SSL Proxy Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: COMRaider
Rating: 0.0 (0 votes)
Author: David Zimmer                        
Website: http://labs.idefense.com/software/fuzzing.php#more_comraider
Current version:
Last updated: November 8, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: COMRaider is a tool designed to fuzz COM Object Interfaces. It can also extract information about them and their interfaces etc.

Features include:

* Capability to easily enumerate safe for scripting objects
* Ability to scan for COM objects by path, filename, or guid
* Integrated type library viewer
* Integrated debugger to monitor exceptions, close windows,log api
* External vbs script allows you to easily edit fuzzer permutations
* Built in webserver to test exploits on the fly
* Enumerate and view controls with killbit set
* Distributed auditing mode to allow entire teams to work together
* Ability to upload crash files to central server for group analysis
* Automation tools allowing you to easily fuzz multiple libraries, individual classes, or specific functions.
Also listed in: COM Debugging Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: COMView
Rating: 4.0 (1 vote)
Author: japheth                        
Website: http://www.japheth.de/COMView.html
Current version: 2.98
Last updated: July 2007
Direct D/L link: http://www.japheth.de/Download/COMView.zip
License type: Free
Description: COMView is a tool for viewing and handling COM (Component Objects Model) things.
It is intended to be used by programers, although it might also be useful for experienced end users.
The following functions are included:

* Shows COM related entries in the registry
* Build in registry editor to modify these entries
* Consistency check of COM related registry information
* Shows type library information
* Can generate ASM include files from type libraries
* "Dispatch helper" ASM includes may be generated to simplify using IDispatch and events.
* COM objects can be created and interfaces exposed are shown
* OLE container is implemented allowing to view and test OLE/ActiveX controls
* Object properties may be edited and methods be executed.
* Object model exposed by an application/control may be walked.
* May connect to source interfaces and display events

Please note: to get benefits from using COMView it is expected to be familiar with COM basics, there is no tutorial included in COMView.
Also listed in: COM Debugging Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: CoClassSyms
Rating: 0.0 (0 votes)
Author: Matt Pietrek                        
Website: http://www.microsoft.com/msj/0399/comtype/comtype.aspx
Current version: 1.0
Last updated: March 1999
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: "CoClass" in the "CoClassSyms" name refers to the TKIND_COCLASS entries in the typelib from which the symbols are created. CoClassSyms is a command-line program that operates on executable files containing a type library. This can be an .OCX or some other DLL such as MSHTML.DLL (which is a core component of Microsoft Internet Explorer).

The output from CoClassSyms is either a .MAP or .DBG file. The code included with this article only supports .MAP file generation. However, if you drop in the DLL from this month's Under the Hood column, CoClassSyms generates a .DBG file instead. In either case, the output file has the same root file name as the input executable. Thus, running CoClassSyms on MSHTML.DLL creates MSHTML.MAP or MSHTML.DBG.

Regardless of whether you make a .MAP or .DBG file, you'll no doubt want to get the debugger to recognize and load the symbol information. If you generate a .DBG file, make sure it is in the same directory as the associated executable. In my experience, the Visual Studio 6.0 debugger automatically loads the .DBG file as needed. Using WinDBG, I had to explicitly load the .DBG file in the command window. I wasn't able to get Visual Studio 5.0 to load the .DBG file, but I couldn't determine the cause of the problem.

If everything goes well and the debugger loads your generated .DBG file, you should be able to set breakpoints by name on the methods. (Hint: you may want to first generate a .MAP file to get an idea of the available method names.) Of course, since you likely don't have source code for the executable, you'll be in the assembly language view when the breakpoints hit. You should also see method names in the call stack.
Also listed in: COM Debugging Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: D3DLookingGlass
Rating: 0.0 (0 votes)
Author: Admiral                        
Website: http://www.ring3circus.com/gameprogramming/d3dlookingglass-v01
Current version: 0.1
Last updated: May 5, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: The topic of debugging full-screen Direct3D applications came up a little while ago. If you’ve ever tried it on a single-monitor setup (or even multi-monitor if the app wasn’t designed to handle it) then you’ll know how much of a pain it is. Windows just can’t handle focus being stolen from a suspended exclusive-mode program. The solution’s exactly what you’d expect - to intercept the relevant window- and device-creation calls and coax the debuggee into running in a window. This works, but fiddling with the calls manually each time you restart the process quickly gets boring. So here’s my first attempt at a generic solution.

D3DLookingGlass is a DLL which, if injected into a Direct3D process early enough, will make sure that all video devices are created in windowed mode, allowing the hosting process to coexist with a debugger without any bother. If you can inject this DLL into the target process before the first call to CreateWindow, then everything should go smoothly. I think. Any later than this and your mileage may vary.

I’ve also written a ‘loader’ program that installs the DLL as a system-wide CBT hook, so that you don’t need to inject it manually. This kind of worked for my limited set of test-cases, but there seems to be no Windows-hooks method of injecting a DLL globally and beating the call to CreateWindow. Windows installs the DLL containing the hook at the latest possible moment for its function, and I can find no type of hook that needs to be around before a window is created. I’d love for somebody to prove me wrong (or suggest another way to install the DLL system-wide), but by the looks of things, my loader is of limited use.

In particular, I recall a situation where the game (Call Of Duty 4 Demo, I think) creates a non-overlapped window, which works fine for full-screen mode, but causes problems when you try force the device to bind as windowed. This will still be a problem unless the call to CreateWindow can be intercepted (and a well-formed window induced), which means that D3DLookingGlassLoader will struggle. Confirmation would be nice.

Here’s the small-print:

* The DLL hooks CreateWindowExW and ShowWindow in its DLLMain. I think this is kosher in terms of loader-lock, but it’s obviously not too cool with regard to system stability. Especially if it’s being installed in every running process. If d3d9.dll isn’t found in the address-space then the hooks fall straight through, so that shouldn’t be too much of a problem. But if it is found then all attempts to create or show (or hide) a window will be overridden - possibly to the demise of the process if it’s doing anything but the basic behaviour. So in all cases, watch out, and make sure you aren’t running anything important in the background (in particular, I’ve noticed that it doesn’t play nice with Firefox).
* The loader uses a system-wide hook, and you hate system-wide hooks. I trust that anybody who needs this tool has some degree of technical expertise and is aware of the stability concerns inherent in installing somebody else’s barely-tested system-wide hook.
* This was harder to put together than I anticipated, and that’s probably evident from the slightly shabby code. Again, I intend for this only to be used for debugging purposes, so you’ll have to forgive me for the sub-production-quality code.
* Despite my focus on Direct3D, I’m not really a gamer and I don’t actually have any commercial games installed on this machine. So I only got a chance to test this against my own programs. Obviously, there are several ways to skin the metaphorical Direct3D-initialisation cat, so please leave a comment when you find a game that this chokes on.
Also listed in: DirectX Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: DE Decompiler
Rating: 0.0 (0 votes)
Author: GPcH Soft                        
Website: http://www.de-decompiler.com
Current version: 2.0 (updated)
Last updated: March 2, 2008
Direct D/L link: http://www.de-decompiler.com/files/de_decompiler_lite.zip
License type: Commercial (with demo)
Description: DE Decompiler is the unique solution for decompiling the Delphi generated programs (EXE, DLL, OCX). As you know the Delphi programs is the native win32 executable files.

DE Decompiler restores most parts of the compiled code and helps you to recover most parts of the lost sources. It contans the powerful disassembler which supports Pentium Pro commands including MMX and SSE extensions. Also it has a useful smart assembler code emulation engine. The build-in disassembler allows you to disassemble a lots of functions and represents it in semi-decompiled mode. DE Decompiler has a wonderful code analyzer which makes your work easy and fast. In addition to all it can search for all the API function's calls and the string references in the disassembled code and comment them out for analyzed strings.

If you lost your source codes - DE Decompiler save your time and helps you to restore it.

In general, DE Decompiler is the ideal tool for analyzing programs and it is perfect if you lose your source code and need to partially restore the project.
Also listed in: Decompilers, Delphi Decompilers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: DXWnd
Rating: 0.0 (0 votes)
Author: Nightwolve                        
Website: N/A
Current version: 1.20
Last updated:
Direct D/L link: Locally archived copy
License type: Freeware
Description: Quote from readme:

"Want to force a game or application into windowed mode that doesn't support it through its own interface? Now you can, to an extent. Results will vary depending on how your DirectX application was written."

DirectX (D3D) applications are usually written to use full screen mode for their display. This makes debugging and target analysis difficult due to specific DirectX considerations. DXWnd attempts to force a D3D app to use windowed mode, making it much easier for reversers to work with.

This app can't always force a full screen D3D app into windowed mode, however it is quick and easy to try. If this tool fails for you it's still perfectly possible to manually force windowed mode in your target. Search the Woodmann forum for further information.
Also listed in: DirectX Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Damn Vulnerable Linux
Rating: 0.0 (0 votes)
Author: Zero                        
Website: http://www.DamnVulnerableLinux.org
Current version: Strychnine+E605 1.4
Last updated: February 2008
Direct D/L link: http://www.computerdefense.org/dvl/DVL_Strychnine_E605_1_4.iso
License type: Creative Commons Attribution-Noncommercial-Share Alike 3.0 License
Description: This release contains 99% of all available Linux RCE tools!

Damn Vulnerable Linux (DVL) is a Linux-based tool for IT-Security. Damn Vulnerable Linux (DVL) is highly integrated into the community project crackmes.de (http://www.crackmes.de) and is frequently updated with new community provided lessons. Damn Vulnerable Linux (DVL) is your place either to get the latest Damn Vulnerable Linux (DVL) distribution, to get new lessons, or to submit own lessons based on the Damn Vulnerable Linux (DVL) training system.

The constant website for Damn Vulnerable Linux (DVL) is located at http://www.damnvulnerablelinux.org . Damn Vulnerable Linux (DVL) is for educational purposes only!

Actually, it is a perverted Linux distribution made to be as insecure as possible. It is collection of IT-Security tools. Additional it includes a fullscaled lesson based environment for Attack & Defense on/for IT systems for self-study or teaching activities during university lectures. It's a Live Linux Distro, which means it runs from a bootable CD in memory without changing the native operating system of the host computer. As well it can be run within virtual machine environments, such as qemu or vmware. There is no need to install a virtual machine if you use the embedded option. Its sole purpose in life is to put as many security tools at your disposal with as much training options as it can. It contains a huge ammount of lessons including lesson description - and solutions if the level has been solved by a community member at crackmes.de.

Damn Vulnerable Linux (DVL) is meant to be used by both novice and professional security personnel but is not ideal for the Linux uninitiated. Damn Vulnerable Linux (DVL) assumes you know the basics of Linux as most of your work will be done from the command line. If you are completely new to Linux, it's best you stop playing with this system.
Also listed in: Linux Tools, Reverse Engineering Frameworks
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: diPacker
Rating: 0.0 (0 votes)
Author: diProtector Software                        
Website: http://www.diprotector.com
Current version: 1.4
Last updated: March 22, 2006
Direct D/L link: N/A
License type: Shareware
Description: diPacker is an advanced executable file compressor for PDA, capable of reducing the file size of programs by as much as 70%. diPacker makes executable files and libraries smaller, increase free space on memory cards, decrease load times across networks, and download times from the internet; it also protects programs against reverse engineering. Programs compressed with diPacker are self–contained and run exactly as before, with no runtime performance penalties.
Also listed in: Mobile Platform Packers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: diProtector
Rating: 0.0 (0 votes)
Author: diProtector Software                        
Website: http://www.diprotector.com
Current version: 1.3
Last updated: March 22, 2006
Direct D/L link: N/A
License type: Shareware
Description: diProtector is a first software protection tool for PDA developers.

diProtector includes the following features:

* total destruction of the protected code fragments logic, which makes it impossible to analyse by disassembling;
* detection and protection from active debuggers like eVC, eVB debuggers and others;
* protection from code tracing under a debugger;
* protection of application's import table;
* entry point protection;
* protection from code modification;
* protected registry work;
* resource and executable code compression;
* internal short (16 chars) serial number manager with strong encryption (symmetric crypto–algorithm 3DES is used);
* external serial number generator with keygen interface;
* quick addition of trial–features and short serial number support to any applications;
* no more "owner names" needed yet. Unique ID produced by diProtector is a MD5 hash–function of PresetID, PlatformID and random number. Therefor it's unique to each device and protected programs copy.
Also listed in: Mobile Platform Packers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Direct3D Hooking
Rating: 5.0 (1 vote)
Author: Admiral                        
Website: http://www.ring3circus.com/downloads/direct3d-hooking
Current version: 1.1
Last updated: November 27, 2007
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: A sample for hooking a Direct3D 9 program and drawing on its viewport. Translating this to Direct3D 8 should be trivial.

Notes:

* Vista support added with version 1.1
* This is not safe for 64-bit consumption, though that should be obvious.
* While there’s no reason it can’t be made to work with Unicode, I’ve written everything in ASCII, for simplicity.
* By default, the DLL will increase its own reference count to prevent it being unloaded prior to termination of the host process. This is because there is a small risk of the DLL being unloaded by one thread, while a hooked function in another returns to the now dead memory. I figured that it’s best to waste a little bit of everybody’s memory than to crash unnecessarily.
* The d3d9.dll function addresses (and prologues) are hard-coded, or at least their offsets are. While this may look very unprofessional and rather risky, I can assure you that it’s quite safe. The alternative would be to hack up some virtual-function tables and that’s a whole other story for a whole other post.
* You may notice that the compiled DLL is dependent upon D3DX. This isn’t necessary for the hook itself, but I used ID3DXFont in my example for demonstrative purposes. The only reason I mention this is that there is no way to guarantee the existence of any D3DX DLLs on a DirectX 9 machine, and distributing them yourself is in violation of the DirectX Runtime EULA. So if you happen to need to distribute this code, you’ll either need to carry the huge runtime installer around, or avoid using D3DX altogether.
* The soft-hooks used here will cause problems with PunkBuster if applied to any of its monitored functions. If you need to do this then you’ll have to be a bit cleverer.
* The source assumes that the graphics device will never become invalid. If you suspect that this isn’t the case (which will be true for any full-screen game at a minimum) then you’ll need to add the appropriate sanity checks (see IDirect3DDevice9::TestCooperativeLevel) before attempting to render anything, lest you want to crash and burn.
Also listed in: DirectX Tools, Code Injection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: DisasMSIL
Rating: 0.0 (0 votes)
Author: Daniel Pistelli                        
Website: http://ntcore.com/Files/disasmsil.htm
Current version: 1.0
Last updated: April 30, 2008
Direct D/L link: http://ntcore.com/Files/disasmsil/DisasMSIL.zip
License type: Free / Open source
Description: DisasMSIL is a free/open disasm engine for the Microsoft Intermediate Language (MSIL). You can use it any context you wish. There are no license restrictions. The only thing I ask you to do is to send me your bug fixes (if any).

Note: Don't rely on the ECMA specification (Partition III: Common Language Infrastructure), since it's incomplete. Some new opcodes were introduced with the .NET Framework 2.0.
Also listed in: .NET Disassembler Libraries
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Dotnet IL Editor (DILE)
Rating: 0.0 (0 votes)
Author: zsozsop                        
Website: http://sourceforge.net/projects/dile
Current version: 0.2.6
Last updated: September 30, 2007
Direct D/L link: N/A
License type: Free / Open Source
Description: Dotnet IL Editor (DILE) is an editor program which helps modifying .NET assemblies. It is intended to be able to disassemble .NET assemblies, modify the IL code, recompile it and run inside a debugger.
Also listed in: .NET Disassemblers, .NET Executable Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: EDB Linux Debugger
Rating: 5.0 (1 vote)
Author: Evan Teran                        
Website: http://www.codef00.com/projects.php#Debugger
Current version: 0.8.22
Last updated: January 17, 2008
Direct D/L link: http://www.codef00.com/projects/debugger-0.8.22.tgz
License type: Free / Open Source
Description: Features
* Intuitive GUI interface
* The usual debugging operations (step-into/step-over/run/break)
* Conditional breakpoints
* Debugging core is implemented as a plugin so people can have drop in replacements. Of course if a given platform has several debugging APIs available, then you may have a plugin that implements any of them.
* Basic instruction analysis
* View/Dump memory regions
* Effective address inspection
* The data dump view is tabbed, allowing you to have several views of memory open at the same time and quickly switch between them.
* Importing of symbol maps
* Plugins
o Search for binary strings
o Code Bookmarks
o Breakpoint management
o Check for updates
o Environment variable viewer
o Heap block enumeration
o Opcode search engine plugin has basic functionality (similar to msfelfscan/msfpescan)
o Open file enumeration
o Reference finder
o String searching (like strings command in *nix)

One of the main goals of this debugger is isolation of the debugger core from the display you see. The interface is written in QT4 and thus source portable to many platforms. The debugger core is actually a plugin and the platform specific code is isolated to just a few files, porting to a new OS would require porting these few files and implementing a plugin which implements the "DebuggerCoreInterface" interface. Also, because the plugins are based on the QPlugin API, and do their work through the DebuggerCoreInterface object, they are almost always portable with just a simple recompile. So far, the only plugin I have written which would not port with just a recompile is the heap analysis plugin, due to it's highly system specific nature.
Also listed in: Linux Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: ERESI Framework
Rating: 0.0 (0 votes)
Author: The ERESI Project                        
Website: http://www.eresi-project.org
Current version: 0.8a23
Last updated: November 30, 2007
Direct D/L link: N/A
License type: Free / Open Source
Description: The ERESI Reverse Engineering Software Interface is a unified multi-architecture binary analysis framework targeting operating systems based on the Executable & Linking Format (ELF) such as Linux, *BSD, Solaris, HP-UX, IRIX and BeOS.

ERESI is a general purpose hybrid framework : it includes both static analysis and runtime analysis capabilities. These features are accessed by primitives of the ERESI reverse engineering language which makes the framework more adaptable to the precise needs of her users. It brings an environment of choice for program analysis throught instrumentation, debugging, and tracing as it also provides more than ten exclusive major built-in features . ERESI can also be used for security auditing, hooking, integrity checking or logging binary programs. The project prones modularity and reusability of code and allows users to create their own project on top of the ERESI language interpreter in just a few lines. Among other features, the base code can display program graphs on demand using its automated flow analysis primitives. Our tools are enhanced for hardened or raw systems which have no executable data segments and no native debug API or even explicit program information.

The ERESI framework includes:

* The ELF shell (elfsh), an interactive and scriptable ERESI interpreter dedicated to instrumentation of ELF binary files.
* The Embedded ELF debugger (e2dbg), an interactive and scriptable high-performance userland debugger that works without standard debug API (namely without ptrace).
* The Embedded ELF tracer (etrace), an interactive and scriptable userland tracer that works at full frequency of execution without generating traps.
* The Kernel shell (kernsh), an interactive and scriptable userland ERESI interpreter to inject code and data in the OS kernel, but also infer, inspect and modify kernel structures directly in the ERESI language.
* The Evarista static analyzer, a work in progress ERESI interpreter for program transformation and data-flow analysis of binary programs directly implemented in the ERESI language (no web page yet).

Beside those top-level components, the ERESI framework contains various libraries that can be used from one of the previously mentioned tools, or in a standalone third-party program:

* libelfsh : the binary manipulation library on which ELFsh, E2dbg, and Etrace are based.
* libe2dbg : the embedded debugger library which operates from inside the debuggee program.
* libasm : the disassembly engine (x86 and sparc) that gives semantic attributes to instructions and operands.
* libmjollnir : the code fingerprinting and graph manipulation library.
* librevm : the Reverse Engineering Vector Machine, that contains the meta-language interpretor and the standard ERESI library.
* libaspect : the type system and aspect library. It can define complex data-types to be manipulated ad-hoc by ERESI