From Collaborative RCE Tool Library
Categorized by Tool Type
| Tool name: | Explorer Suite |
|---|---|
| Author: | Daniel Pistelli |
| Website: | http://ntcore.com/exsuite.php |
| Current version: | III |
| Last updated: | March 2, 2008 |
| Direct D/L link: | http://ntcore.com/Files/ExplorerSuite.exe |
| License type: | Free |
| Also listed in: | .NET Executable Editors, .NET Resource Editors, .NET Signature Removers, .NET Tools, Dependency Analyzer Tools, Exe Analyzers, Executable CRC Calculators, Hex Editors, Import Editors, Memory Dumpers, PE Executable Editors, Process Dumpers, Protection Identifiers, Resource Editors |

Description: A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64: special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. It is the first PE editor with support for .NET internal structures, and its Resource Editor (Windows Vista icons supported) is capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

Features:
* Process Viewer
* Windows Viewer
* PE and Memory Dumper
* Full support for PE32/64
* Special fields description and modification (.NET supported)
* PE Utilities
* PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
* View and modification of .NET internal structures
* Resource Editor (full support for Windows Vista icons)
* Support in the Resource Editor for .NET resources (dumpable as well)
* Hex Editor
* Import Adder
* PE integrity checks
* Extension support
* Visual Studio Extensions Wizard
* Powerful scripting language
* Dependency Walker
* Quick Disassembler (x86, x64)
* Name Unmangler
* File Scanner
* Directory Scanner
* Deep Scan method
* Recursive Scan method
* Multiple results
* Report generation
* Signatures Manager
* Signatures Updater
* Signatures Collisions Checker
* Signatures Retriever
| Tool name: | xADT eXtensible Anti-Debug Tester |
|---|---|
| Author: | Shub-Nigurrath |
| Website: | http://arteam.accessroot.com |
| Current version: | 1.3 |
| Last updated: | November 5, 2007 |
| Direct D/L link: | http://arteam.accessroot.com/releases.html?fid=33 |
| License type: | Free |
| Also listed in: | Anti Debug Test Tools |

Description: The tool is thought of as a unique extensible platform for integrating all the anti-debugging tricks you might see around, using a unique extensible interface you also might easily extend using plugins. The tool is useful to test the hiding features of debugging tools and custom loaders, as well as the hiding of any other reversing tool: see how well they're hidden or not. The second advantage is to finally have a single testing program and not hundreds of spare tiny programs. The ease of adding new external tests and writing new plugins is also one important feature, which finally frees the author of new anti-debugging tools to concentrate on the logic of the test without having to spend a single second on its user interface. Do you think your Olly is well hidden? Try this tool from Olly and all the possible hiding tools around; up to today there's always one test which detects Olly! Version 1.3 includes several plugins contributed by different authors as well as sources of sample plugins in Delphi, C and ASM.
| Tool name: | CFF Explorer |
|---|---|
| Author: | Daniel Pistelli |
| Website: | http://www.ntcore.com/exsuite.php |
| Current version: | VII |
| Last updated: | January 17, 2008 |
| Direct D/L link: | http://www.ntcore.com/Files/CFF_Explorer.zip |
| License type: | Freeware |
| Also listed in: | .NET Executable Editors, PE Executable Editors |

Description: The CFF Explorer was designed to make PE editing as easy as possible, but without losing sight of the portable executable's internal structure. This application includes a series of tools which might help not only reverse engineers but also programmers. It offers a multi-file environment and a switchable interface. Also, it's the first PE editor with full support for the .NET file format. With this tool you can easily edit metadata fields and flags. If you're programming something that has to do with .NET metadata, you will need this tool. The resource viewer supports .NET image formats like icons, bitmaps and PNGs. You'll be able to analyze .NET files without having to install the .NET Framework, since this tool has its own functions to access the .NET format. It also includes a cool new scripting engine!
| Tool name: | DeDe |
|---|---|
| Author: | DaFixer |
| Website: | http://dafixer.cjb.net |
| Current version: | 3.50.04 (build 1635) |
| Last updated: | June 25, 2006 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Also listed in: | Decompilers, Delphi Decompilers |

Description: DeDe is a very fast application that allows you to analyze executables compiled with Delphi 2, 3, 4, 5, 6, 7, C++ Builder, Kylix and KOL, and gives you the following:
· All .dfm files of the target. You will be able to open and edit them with Delphi.
· All published methods in well-commented ASM code with references to strings, imported function calls, class method calls, components in the unit, Try-Except and Try-Finally blocks. (By default DeDe retrieves only the published methods' sources, but you may also process another procedure in an executable if you know its RVA offset, using the Tools|Disassemble Proc menu.)
· A lot of additional information about the files.
· You can create a Delphi project folder with all dfm, pas and dpr files. Note: the pas files contain the well-commented ASM code mentioned above. They cannot be recompiled!

You can also:
· View the PE header of all PE files and change/edit the section flags.
· Use the opcode-to-asm tool for translating Intel opcodes to assembler.
· Use the RVA-to-PhysOffset tool for fast conversion between physical and RVA addresses.
· Use the DCU Dumper (view dcu2int.txt for more details) to retrieve near-to-Pascal code from your DCU files.
· Use the BPL (DPL) Dumper to see BPL exports and create symbol files to use with the DeDe disassembler.
· Disassemble a target EXE directly from memory in case of a packed EXE.

NOTE: The original site seems to be gone (or at least DeDe seems to be gone from it), and the locally archived copy here in this CRCETL entry is not the version with source code included. If someone has a copy of the version with source included, or a version higher than 3.50.02 build 1619 (which is the one we have locally archived, even though at least 3.50.04 build 1635 exists), please upload it here!
| Tool name: | Ultimate Hooking Engine |
|---|---|
| Author: | deroko of ARTeam |
| Website: | http://deroko.phearless.org |
| Current version: | |
| Last updated: | August 10, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Also listed in: | Code Injection Tools |

Description: The engine allows anyone to hook APIs very easily using their own hooking DLL. Each hooking DLL might have 3 types of exports:

1. prefixed HOOK
2. prefixed Detoured
3. hookmain (optional)

1. Whenever you want to hook some API you will put this kind of export:

```
HOOK_kernel32_GetModuleHandleA
HOOK_user32_MessageBoxA
```

Also note that the inline hook will point to this procedure, so this procedure will have all of your code responsible for a certain API.

2. To be able to call the original API from your hook you should also export this variable (in C/C++ it will be a function pointer). Note how the variables are prefixed with "Detoured_":

```
Detoured_GetModuleHandleA
Detoured_MessageBoxA
```

Here is one example from C/C++ code:

```cpp
// Function pointer that the engine fills in with the address of the original (detoured) API
extern "C" __declspec(dllexport) HMODULE (__stdcall *Detoured_GetModuleHandleA)(LPCTSTR modulename) = NULL;

// The inline hook placed on kernel32!GetModuleHandleA lands here; call through to the original
extern "C" __declspec(dllexport) HMODULE __stdcall HOOK_kernel32_GetModuleHandleA(LPCTSTR modulename)
{
    return Detoured_GetModuleHandleA(modulename);
}
```

Note also that this is optional: if you don't need to call the original proc, then you don't need this export. Note that when working with MSVC2005 it will always screw up the export name for procedures, while function pointers are properly exported, so add these lines to your .def file:

```
HOOK_kernel32_GetModuleHandleA = _HOOK_kernel32_GetModuleHandleA@4
Detoured_GetModuleHandleA
```

3. hookmain is an export which has this prototype:

```cpp
void __stdcall hookmain();
```

This procedure will be called before the program jumps to the entrypoint of the target; here you may add some extra code. It isn't very useful, and all initialization you may perform in DllEntry, but I leave this here just in case you want to start your own tracer before code jumps to the entrypoint. At least that's why I'm using it.
| Tool name: | .NET Hook Library |
|---|---|
| Author: | shokshok |
| Website: | http://dotnethook.sourceforge.net |
| Current version: | 2.1 |
| Last updated: | May 30, 2002 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Also listed in: | .NET Code Injection Tools, Code Injection Tools |

Description: .NET Hook Library is a library (with a sample tool) to manipulate functions in a .NET assembly. It allows for insertion of arbitrary code at the beginning of each function called in a .NET assembly (whether executable or assembly). It also provides code that reads through the metadata and dumps information on it. The download contains detailed documentation about how it works and what it is. I'm in the process of converting this from an executable to a library. That way, existing applications can use it to modify .NET binaries (a.k.a. assemblies).
| Tool name: | AQtime |
|---|---|
| Author: | AutomatedQA, Corp. |
| Website: | http://automatedqa.com/products/aqtime/index.asp |
| Current version: | 5.40 |
| Last updated: | January 11, 2008 |
| Direct D/L link: | N/A |
| License type: | Commercial (with demo) |
| Also listed in: | Code Coverage Tools, Profiler Tools |

Description: This tool reportedly does not work at all without having the source code for the analyzed program, which sadly makes it relatively useless for reversing purposes. See the following for more info: http://www.woodmann.com/forum/showthread.php?t=11306

-----------------------------

AQtime is AutomatedQA's award-winning performance profiling and memory and resource debugging toolset for Microsoft, Borland, Intel, Compaq and GNU compilers. The latest version of AQtime, AQtime 5, includes dozens of productivity tools that help you easily isolate and eliminate all performance issues and memory/resource leaks within your code by generating comprehensive and detailed reports for your .NET and Windows applications. AQtime supports .NET 1.0, 1.1, 2.0 and 3.0 applications and Windows 32- and 64-bit applications. AQtime is built with one key objective: to help you completely understand how your programs perform during execution. Using its integrated set of performance and debugging profilers, AQtime collects crucial performance and memory/resource allocation information at runtime and delivers it to you both in summarized and detailed forms, with all of the tools you need to begin the optimization process. This is all done without modifying the application's source code!
| Tool name: | Anti Olly Tester |
|---|---|
| Author: | Shub-nigurrath |
| Website: | http://arteam.accessroot.com/releases/ |
| Current version: | 1.0 |
| Last updated: | August 25, 2006 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Also listed in: | Anti Debug Test Tools |

Description: This little program is more a POC than a friendly program. It's based on an idea Gabri3l discussed once: to test the environment in which the program is going to run and adapt itself to the conditions it finds. This program is a set of tests performed on the processes running on the system. They are performed on several tools using blacklists, but special attention is paid to OllyDbg. It detects debugging programs through different methods, all connected to the execution environment:

* Method 1: see if one of the currently running processes' window names is blacklisted or not
* Method 2: collect the class name of each of the active windows and check if it is blacklisted
* Method 3: test the process paths and see if any is blacklisted
* Method 4: test the modules (DLLs) loaded by any active process to see if any is a known plugin or matches a blacklist of processes and words
* Method 5: open the install folder the program is running from and see if any of the files inside that folder has a blacklisted word
* Method 6: test the export directory of the running processes for anything connected with Olly
* Method 7: test the VERSION_INFO resource of the running processes to check if any matches a blacklist
* Method 8: test all the other resources (dialogs, menus, bitmaps and so on) of the running processes to check if any contains blacklisted words (either UNICODE or ASCII)

The blacklists are taken from SDProtector and are generic enough to include almost all known RCE tools around. The result is really interesting and the resulting check is very difficult to overcome: it's very difficult to hide Olly from this type of test. The final code is very small, even if written in C. Moreover, consider that each test might be performed by parallel recurrent threads and decrypted/encrypted just before and after execution. An exe protected like this might easily become a nightmare, without having to write a single ASM trick.

Note that this same test is inside the 1.2 distribution of xADT, in the test "Find Complex".
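As an added example, not Shub-Nigurrath's code (which is C) and not part of the original entry, the following Python reproduces the logic of methods 1 to 6 over a constructed snapshot of a system. The blacklist, the process data, the window class and the export names are assumptions made up here (the real tool takes its lists from SDProtector). It shows the point the description makes: renaming OllyDbg.exe and patching its title bar is not enough, because the window class, the loaded plugins, the install folder and the export directory still give it away. Methods 7 and 8 (VERSION_INFO and the other resources) need a PE resource parser and are left out.

```python
"""Blacklist-based debugger-environment checks in the style of Anti Olly Tester (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed blacklist, much shorter than the SDProtector-derived lists the tool uses;
# matched case-insensitively as a substring, which is how such lists are normally applied.
BLACKLIST = ("ollydbg", "olly", "ida", "softice", "windbg", "immunity",
             "hidedebugger", "phant0m", "cmdbar", "plugingetvalue")


@dataclass
class ProcessSnapshot:
    """What the tool gathers per running process (methods 1 to 6 of the description)."""
    name: str
    path: str
    window_titles: List[str] = field(default_factory=list)
    window_classes: List[str] = field(default_factory=list)
    modules: List[str] = field(default_factory=list)            # loaded DLLs: plugins show up here
    install_dir_files: List[str] = field(default_factory=list)  # files next to the EXE
    exports: List[str] = field(default_factory=list)            # names in the EXE's export directory


def blacklisted(items, blacklist=BLACKLIST) -> List[str]:
    """Return the items that contain any blacklisted word (case-insensitive substring match)."""
    return sorted({s for s in items if any(word in s.lower() for word in blacklist)})


def scan_process(p: ProcessSnapshot) -> Dict[str, List[str]]:
    """Apply methods 1 to 6; returns {method: evidence} so you can see which facet leaked."""
    checks = {
        "1 window title": p.window_titles,
        "2 window class": p.window_classes,
        "3 process path": [p.path, p.name],
        "4 loaded module": p.modules,
        "5 install folder": p.install_dir_files,
        "6 export directory": p.exports,
    }
    return {method: hits for method, items in checks.items() if (hits := blacklisted(items))}


def debugger_detected(snapshots: List[ProcessSnapshot]) -> Dict[str, Dict[str, List[str]]]:
    """System-wide verdict: every process with at least one firing method, with its evidence."""
    return {p.name: findings for p in snapshots if (findings := scan_process(p))}


# Constructed snapshot: OllyDbg renamed to a harmless name, title bar patched, nothing else changed.
RENAMED_OLLY = ProcessSnapshot(
    name="np2.exe",
    path=r"C:\tools\np2\np2.exe",
    window_titles=["CPU - main thread, module target"],   # no blacklisted word: method 1 passes
    window_classes=["OLLYDBG"],                            # the main window class is unchanged
    modules=[r"C:\tools\np2\np2.exe",
             r"C:\tools\np2\PLUGIN\HideDebugger.dll",      # the hiding plugin itself is evidence
             r"C:\tools\np2\PLUGIN\CmdBar.dll"],
    install_dir_files=["np2.exe", "ollydbg.ini", "PLUGIN"],
    exports=["_Plugingetvalue", "_Addtolist", "_Registerpluginclass"],  # plugin API exports
)

# Constructed snapshot of an innocent process for comparison.
CLEAN = ProcessSnapshot(
    name="explorer.exe", path=r"C:\Windows\explorer.exe",
    window_titles=["Program Manager"], window_classes=["Progman"],
    modules=[r"C:\Windows\explorer.exe", r"C:\Windows\System32\shell32.dll"],
    install_dir_files=["explorer.exe"], exports=[],
)

if __name__ == "__main__":
    for name, findings in debugger_detected([CLEAN, RENAMED_OLLY]).items():
        print(name)
        for method, evidence in findings.items():
            print(f"  {method}: {evidence}")
```

Methods 1 and 3 stay silent for the renamed debugger, while 2, 4, 5 and 6 each fire on their own; a hider has to scrub every facet at once, which is why the description calls the combined check hard to beat.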
| Tool name: | Boomerang |
|---|---|
| Author: | The Boomerang Decompiler Project |
| Website: | http://boomerang.sourceforge.net/ |
| Current version: | 0.3.1 |
| Last updated: | 2006 |
| Direct D/L link: | N/A |
| License type: | Free / Open Source |
| Also listed in: | Decompilers |

Description: A general, open source, retargetable decompiler of machine code programs. This project is an attempt to develop a real decompiler for machine code programs through the open source community. A decompiler takes as input an executable file, and attempts to create a high level, compilable, possibly even maintainable source file that does the same thing. It is therefore the opposite of a compiler, which takes a source file and makes an executable. However, a general decompiler does not attempt to reverse every action of the compiler; rather it transforms the input program repeatedly until the result is high level source code. It therefore won't recreate the original source file, probably nothing like it. It does not matter if the executable file has symbols or not, or was compiled from any particular language. (However, declarative languages like ML are not considered.) The intent is to create a retargetable decompiler (i.e. one that can decompile different types of machine code files with modest effort, e.g. x86-Windows, SPARC-Solaris, etc.). It was also intended to be highly modular, so that different parts of the decompiler can be replaced with experimental modules. It was intended to eventually become interactive, a la IDA Pro, because some things (not just variable names and comments, though these are obviously very important) require expert intervention. Whether the interactivity belongs in the decompiler or in a separate tool remains unclear. By transforming the semantics of individual instructions, and using powerful techniques such as Static Single Assignment dataflow analysis, Boomerang should be (largely) independent of the exact behaviour of the compiler that happened to be used. Optimisation should not affect the results. Hence, the goal is a general decompiler.
| Tool name: | CFSearch |
|---|---|
| Author: | Sirmabus |
| Website: | http://www.woodmann.com/forum/showthread.php?t=11306&page=2 |
| Current version: | 1.0A |
| Last updated: | February 15, 2008 |
| Direct D/L link: | N/A |
| License type: | Free |
| Also listed in: | Tracers, Code Coverage Tools, Profiler Tools |

Description: Extremely cool tracer tool that makes use of the "single step on branch" and LBR ("last branch recording") features of current processors. Not released yet, but we're awaiting it with great anticipation!
| Tool name: | CRC Calculator |
|---|---|
| Author: | Shub-Nigurrath |
| Website: | http://arteam.accessroot.com |
| Current version: | 1.1 |
| Last updated: | January 6, 2005 |
| Direct D/L link: | http://arteam.accessroot.com/releases.html?fid=14 |
| License type: | Free |
| Also listed in: | Executable CRC Calculators |

Description: Just drag & drop files onto it or use the button to calculate the CRC, then select and paste. Adapted from existing sources, small and easy.

History:
* 1.0: initial version
* 1.1: added command-line support, ideal for integration into Total Commander
| Tool name: | CheckSum Fixer |
|---|---|
| Author: | Shub-Nigurrath |
| Website: | http://arteam.accessroot.com |
| Current version: | 1.0 |
| Last updated: | January 5, 2006 |
| Direct D/L link: | http://arteam.accessroot.com/releases.html?fid=12 |
| License type: | Free |
| Also listed in: | Executable CRC Calculators |

Description: The PE file headers include a CheckSum field, which is located at IMAGE_NT_HEADERS->IMAGE_OPTIONAL_HEADER->CheckSum. This value is an overall checksum of the whole file, often not set and left at 0x0000 by most compilers, so it doesn't often happen that you have to worry about it, but sometimes this value is used to check whether there have been alterations to the executable file. There is for example an API, MapFileAndCheckSum(), which calculates the real checksum of a PE file and also reports the value stored in the PE header. It is then simple for simple protectors to detect alterations of a PE file, even of a single byte. It's a simple technique that advanced protectors don't use too often, and you can of course intercept this API and modify it online or skip its call, but for example with PocketPC smartphones or system drivers this check is done by the operating system, so you simply have no way to intercept this check and the only option is to fix the value stored in the PE file header. This program simply does this conveniently. Other tools already have this functionality (LordPE for example), but I just wanted a fast program able to fix this checksum in a click (e.g. with LordPE you have to do at least 5 or 6 clicks). It is very handy with ring0 drivers which test this checksum value!
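Both DeDe's RVA-to-PhysOffset tool (above) and this CheckSum Fixer entry rest on the same PE header arithmetic, so one added example covers both. The Python below is not code from either tool: it recomputes the documented PE checksum (a 16-bit ones'-complement sum over every word of the file except the CheckSum field itself, plus the file length, which is what MapFileAndCheckSum() reports as the real checksum), writes it into the header the way CheckSum Fixer does, shows that a single-byte patch is then detected by the comparison a driver loader or protector performs, and converts RVAs to file offsets through the section table. The image it works on is a constructed 1.5 KB PE32 skeleton with one .text section, not a real executable; its field values are assumptions chosen so the expected checksum can be worked out by hand.

```python
"""PE CheckSum and RVA <-> file-offset helpers (added example; not CRCETL, DeDe or CheckSum Fixer code)."""
import struct

PE_SIGNATURE = b"PE\0\0"


def nt_headers_offset(img: bytes) -> int:
    """Offset of IMAGE_NT_HEADERS (e_lfanew), after validating the MZ and PE signatures."""
    if img[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    return e_lfanew


def checksum_offset(img: bytes) -> int:
    """Offset of IMAGE_OPTIONAL_HEADER.CheckSum: signature (4) + file header (20) + 0x40 (PE32 and PE32+)."""
    return nt_headers_offset(img) + 4 + 20 + 0x40


def pe_checksum(img: bytes) -> int:
    """The file's real checksum: 16-bit ones'-complement sum of all words but CheckSum, plus the length."""
    skip = checksum_offset(img)
    total = 0
    for off in range(0, len(img) - 1, 2):
        if off in (skip, skip + 2):          # the 4-byte CheckSum field is excluded from its own sum
            continue
        total += img[off] | (img[off + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    if len(img) & 1:                          # an odd trailing byte counts as a word with high byte 0
        total += img[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(img)) & 0xFFFFFFFF


def stored_checksum(img: bytes) -> int:
    return struct.unpack_from("<I", img, checksum_offset(img))[0]


def fix_checksum(img: bytes) -> bytes:
    """Copy of the image with the header CheckSum set to the real value (what CheckSum Fixer does)."""
    out = bytearray(img)
    struct.pack_into("<I", out, checksum_offset(out), pe_checksum(out))
    return bytes(out)


def checksum_matches(img: bytes) -> bool:
    """The comparison a loader or protector makes between the header value and the recomputed one."""
    return stored_checksum(img) == pe_checksum(img)


def sections(img: bytes):
    """Yield (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) per section header."""
    nt = nt_headers_offset(img)
    nsec, = struct.unpack_from("<H", img, nt + 6)         # IMAGE_FILE_HEADER.NumberOfSections
    opt_size, = struct.unpack_from("<H", img, nt + 20)    # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = nt + 4 + 20 + opt_size                         # section table follows the optional header
    for i in range(nsec):
        hdr = table + 40 * i
        name = img[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", img, hdr + 8)
        yield name, va, vsize, rawptr, rawsize


def rva_to_offset(img: bytes, rva: int):
    """RVA -> physical file offset (DeDe's RVA-to-PhysOffset); None if no file data backs the RVA."""
    secs = list(sections(img))
    if secs and rva < secs[0][1]:            # the headers are mapped 1:1 below the first section
        return rva
    for _, va, vsize, rawptr, rawsize in secs:
        if va <= rva < va + max(vsize, rawsize):
            delta = rva - va
            return rawptr + delta if delta < rawsize else None   # past raw data = uninitialised
    return None


def offset_to_rva(img: bytes, off: int):
    """Physical file offset -> RVA; None if the offset is outside every section's raw data."""
    for _, va, _vsize, rawptr, rawsize in sections(img):
        if rawptr <= off < rawptr + rawsize:
            return va + (off - rawptr)
    return None


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 skeleton (not a real program): MZ stub, PE header, one .text section."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    img[0x40:0x44] = PE_SIGNATURE
    struct.pack_into("<HH", img, 0x44, 0x014C, 1)             # Machine = i386, NumberOfSections = 1
    struct.pack_into("<HH", img, 0x54, 0xE0, 0x0102)          # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<H", img, 0x58, 0x010B)                 # PE32 magic; CheckSum at 0x98 left 0
    sec = 0x58 + 0xE0                                         # first IMAGE_SECTION_HEADER
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x1000, 0x1000, 0x200, 0x400)  # VSize, VA, RawSize, RawPtr
    struct.pack_into("<I", img, sec + 36, 0x60000020)         # code | execute | read
    return bytes(img)


if __name__ == "__main__":
    pe = build_sample_pe()
    print(f"stored 0x{stored_checksum(pe):08X}, real 0x{pe_checksum(pe):08X}, ok={checksum_matches(pe)}")
    fixed = fix_checksum(pe)
    print(f"after fix: stored 0x{stored_checksum(fixed):08X}, ok={checksum_matches(fixed)}")
    patched = bytearray(fixed)
    patched[0x410] ^= 0x90                                    # a one-byte patch inside .text
    print("one-byte patch detected:", not checksum_matches(bytes(patched)))
    print("RVA 0x1010 -> file offset", hex(rva_to_offset(fixed, 0x1010)))
```

Because the header field is excluded from its own sum, writing the computed value back does not change what the next computation yields, so fixing and re-verifying converges in one step; a patched file can always be re-fixed the same way, which is exactly why the entry notes this check is only a bar for files the OS verifies for you, such as ring0 drivers.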
| Tool name: | CodeAnalyst Performance Analyzer |
|---|---|
| Author: | AMD |
| Website: | http://developer.amd.com/tools/codeanalystwindows/Pages/default.aspx |
| Current version: | 2.76 |
| Last updated: | November 19, 2007 |
| Direct D/L link: | N/A |
| License type: | Free |
| Also listed in: | Profiler Tools |

Description: This tool works without having any source code or debug information for the analyzed program, which makes it very good for reversing purposes. See the following for more info: http://www.woodmann.com/forum/showthread.php?t=11306

-----------------------------

The AMD CodeAnalyst Performance Analyzer is a suite of powerful tools that analyzes software performance on AMD microprocessors. These tools are designed to support Microsoft® Windows XP®, Windows 2003 and Vista® on x86 and AMD64 architectures. Although most users will choose the graphical user interface, the profiler is also offered as a command line utility to facilitate its use in batch files.

* System-Wide Profiling: CodeAnalyst is designed to profile the performance of binary modules, including user mode application modules and kernel mode driver modules. Timer-Based Profiling and Event-Based Profiling collect data from multiple processors in a multi-processor system.
* Timer-Based Profiling (TBP):
  o The application to be optimized is run at full speed on the system that is running CodeAnalyst. EIP samples are collected at predetermined intervals and can be used to identify possible bottlenecks, execution penalties, or optimization opportunities.
  o On APIC-enabled systems the finest time resolution is 0.1 ms, and 1.0 ms on non-APIC-enabled systems.
* Event-Based Profiling (EBP): CodeAnalyst EBP is designed to profile the hardware performance events on AMD Athlon™, AMD Athlon™ XP, AMD Opteron™, AMD Athlon™ 64 and AMD "Barcelona" (AMD Family 10h). With its event multiplexing technique, CodeAnalyst EBP is able to profile more than 4 events simultaneously.
* Instruction-Based Sampling (IBS): Instruction-Based Sampling is a new performance measurement technique supported by AMD Barcelona (Family 10h) processors. IBS has these advantages:
  o IBS precisely associates hardware event information with the instructions that cause the events. A data cache miss, for example, is associated with the AMD64 instruction performing the memory read or write operation that caused the miss.
  o IBS collects a wide range of hardware event information in a single measurement run.
  o IBS collects new information such as retire delay and data cache miss latency.
* Call Stack Sampling (CSS): Combined with TBP or EBP, Call Stack Sampling is able to collect data on the caller-callee relationship at the hotspots.
* Pipeline Simulation: Used during the second stage of an optimization effort to find the causes of bottlenecks. During simulation, application execution is first traced, and then simulated on a selected target processor. The detailed data on the execution of each instruction takes into account the previous instructions executed and the state of the processor caches. Simulation only supports single processor execution. Pipeline Simulation supports the simulation of 32-bit code on:
  o AMD Athlon™ XP processor
  o AMD Opteron™ processor
  o AMD Athlon™ 64 processor
  Pipeline Simulation also supports the simulation of 64-bit code on:
  o AMD Opteron™ processor
  o AMD Athlon™ 64 processor
* Thread Profile: CodeAnalyst thread profiling views show the thread chart and non-local memory access.
* Post Process: CodeAnalyst shows the sample distribution without module debug information.
  o Interpret performance measurements rather than display raw performance data
  o Flexible view configuration and management

---------------

This tool reportedly only works for AMD processors, while its Intel counterpart is the VTune Performance Analyzer.
| Tool name: | Codename ASLAN (4514N) |
|---|---|
| Author: | Piotr Bania |
| Website: | http://www.piotrbania.com/all/4514N/ |
| Current version: | (not yet released) |
| Last updated: | |
| Direct D/L link: | N/A |
| License type: | Free |
| Also listed in: | Code Injection Tools |

Description: I'm currently working on my masterpiece project (school project), the first GUI-oriented and the most advanced integrating-metamorphic engine so far. The integration engine allows the user to integrate any code into any PE binary file (x86 processors), including device drivers etc. etc. The 4514N engine can rebuild all the PE structure, internal offsets (jumps, references), any type of PE sections (relocs, imports, exports, resources...); moreover it even can keep the alignment of variables. Integration means that first the target file is disassembled into pieces (it creates a chain which connects the body of the target file), then we move that chain, we do everything we want (I call this step InverseKinematics, just because I'm a 3D graphics hobbyist) and then we compile the chain again. Such a horribly modified application runs perfectly; moreover it is almost impossible to disinfect the modified target. So tell me, do you want to compile a rootkit inside of your ndis.sys? :) I don't want to speak much about the metamorphic engine since it is not 100% ready yet. But the main thing you should know is that it is mostly based on the emulation process (and as far as I know it is the first metamorphic engine which does so), and many of the mutation states are based on Automaton Theory (which inspired me a lot). Let's consider the rest of the features a future surprise :)
| Tool name: | Conditional Branch Logger |
|---|---|
| Author: | Blabberer / dELTA / Kayaker |
| Website: | N/A |
| Current version: | 1.0 |
| Last updated: | June 13, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Also listed in: | Code Coverage Tools, OllyDbg Extensions, Profiler Tools, Tracers |

Description: Conditional Branch Logger is an OllyDbg plugin which gives control and logging capabilities for conditional branch instructions over the full user address space of a process. Useful for execution path analysis and for finding differences in code flow as a result of changing inputs or conditions. It is also possible to log conditional jumps in system DLLs before the entry point of the target is reached. Numerous options are available for fine-tuning the logging ranges and manipulating breakpoints.
| Tool name: | DE Decompiler |
|---|---|
| Author: | GPcH Soft |
| Website: | http://www.de-decompiler.com |
| Current version: | 2.0 (updated) |
| Last updated: | March 2, 2008 |
| Direct D/L link: | http://www.de-decompiler.com/files/de_decompiler_lite.zip |
| License type: | Commercial (with demo) |
| Also listed in: | Decompilers, Delphi Decompilers |

Description: DE Decompiler is a unique solution for decompiling Delphi-generated programs (EXE, DLL, OCX). As you know, Delphi programs are native Win32 executable files. DE Decompiler restores most parts of the compiled code and helps you recover most of the lost sources. It contains a powerful disassembler which supports Pentium Pro instructions, including the MMX and SSE extensions. It also has a useful smart assembler code emulation engine. The built-in disassembler allows you to disassemble a lot of functions and represents them in semi-decompiled mode. DE Decompiler has a wonderful code analyzer which makes your work easy and fast. In addition, it can search for all API function calls and string references in the disassembled code and comment them. If you lost your source code, DE Decompiler saves your time and helps you restore it. In general, DE Decompiler is an ideal tool for analyzing programs, and it is perfect if you lose your source code and need to partially restore the project.
| Tool name: | DLL Injection Framework |
|---|---|
| Author: | Admiral |
| Website: | http://www.ring3circus.com/downloads/dll-injection-framework |
| Current version: | 1.0 |
| Last updated: | December 20, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Also listed in: | Code Injection Tools |

Description: The process of remote function hooking via a DLL is notoriously messy, so I've tried to encapsulate as much of the mess as possible into a C++ class. Here's an example of some client code that injects a DLL into Windows Calculator, then installs two hooks (one by name and another by address):

```cpp
// Create the injection object
DLLInjection injection("E:/Temp/HookDLL.dll");

// Find Calc.exe by its window
DWORD process_id = injection.GetProcessIDFromWindow("SciCalc", "Calculator");

// Inject the DLL
HMODULE remote_module = injection.InjectDLL(process_id);

// Hook a DLL function (User32!SetWindowTextW)
HDLLHOOK swtw_hook = injection.InstallDLLHook("C:/Windows/System32/User32.dll",
                                              "SetWindowTextW", "SetWindowTextHookW");

// Hook a function manually (Calc!0100F3CF)
// (the cast's template argument was lost in the page's HTML; void* is assumed here)
HDLLHOOK manual_hook = injection.InstallCodeHook(reinterpret_cast<void*>(0x0100F3CF), "SomeOtherHook");

// Remove the hooks
injection.RemoveHook(swtw_hook);
injection.RemoveHook(manual_hook);
```

Testing has been limited, so don't be surprised to find bugs. If you do find any, please report them.
| Tool name: | Desquirr - Decompiler Plugin for IDA Pro |
|---|---|
| Author: | David Eriksson |
| Website: | http://desquirr.sourceforge.net/desquirr/ |
| Current version: | 20070130 (desquirr-20070130-bin-ida_v5_0.zip) |
| Last updated: | November 13, 2003 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Also listed in: | IDA Extensions, Decompilers |

Description: Desquirr is a decompiler plugin for IDA Pro. Desquirr currently consists of a little more than 5000 lines of C++ code, not counting empty lines or lines beginning with comments. Read the Master's Thesis at http://desquirr.sourceforge.net/desquirr/desquirr_master_thesis.pdf
| Tool name: | DetourXS |
| ||
|---|---|---|---|---|
| Author: | Sinner | |||
| Website: | http://forum.gamedeception.net/showthread.php?t=10649 | |||
| Current version: | 1.0 | |||
| Last updated: | June 16, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | DetourXS is a library for function detouring. Example usage code: --------------------------------------------------------- #include <detourxs.h> typedef DWORD (WINAPI* tGetTickCount)(void); tGetTickCount oGetTickCount; DWORD WINAPI hGetTickCount(void) { printf("GetTickCount hooked!"); return oGetTickCount(); } /* To create the detour */ oGetTickCount = (tGetTickCount) DetourCreate("kernel32.dll", "GetTickCount", hGetTickCount, DETOUR_TYPE_JMP); /* ...Or an address */ oGetTickCount = (tGetTickCount) DetourCreate(0x00000000, hGetTickCount, DETOUR_TYPE_JMP); /* ...You can also specify the detour len */ oGetTickCount = (tGetTickCount) DetourCreate(0x00000000, hGetTickCount, DETOUR_TYPE_JMP, 5); /* To remove the detour */ DetourRemove(oGetTickCount); --------------------------------------------------------- | |||
| Also listed in: | Code Injection Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Detours |
| ||
|---|---|---|---|---|
| Author: | Microsoft | |||
| Website: | http://research.microsoft.com/sn/detours | |||
| Current version: | 2.1 | |||
| Last updated: | 2007 | |||
| Direct D/L link: | N/A | |||
| License type: | Free | |||
| Description: | Innovative systems research hinges on the ability to easily instrument and extend existing operating system and application functionality. With access to appropriate source code, it is often trivial to insert new instrumentation or extensions by rebuilding the OS or application. However, in today's world systems researchers seldom have access to all relevant source code. Detours is a library for instrumenting arbitrary Win32 functions on x86, x64, and IA64 machines. Detours intercepts Win32 functions by re-writing the in-memory code for target functions. The Detours package also contains utilities to attach arbitrary DLLs and data segments (called payloads) to any Win32 binary. Detours preserves the un-instrumented target function (callable through a trampoline) as a subroutine for use by the instrumentation. Our trampoline design enables a large class of innovative extensions to existing binary software. We have used Detours to create an automatic distributed partitioning system, to instrument and analyze the DCOM protocol stack, and to create a thunking layer for a COM-based OS API. Detours is used widely within Microsoft and within the industry. Detours 2.1 is now available. Detours 2.1 includes the following new features: * Complete documentation of the Detours API. * Transactional model for attaching and detaching detours. * Support for updating peer threads when attaching or detaching detours. * Unification of dynamic and static detours into a single API. * Support for detection of detoured processes. * Significant robustness improvements in APIs that start a process with a DLL containing detour functions. * New APIs to copy payloads into target processes. * Support for 64-bit code on x64 and IA64 processors (available in Professional edition only). * Supports building detours with Visual Studio 2005, Visual Studio .NET 2003, Visual Studio .NET (VC8), and Visual Studio (VC7). | |||
| Also listed in: | API Monitoring Tools, Code Injection Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | DevPartner Studio |
| ||
|---|---|---|---|---|
| Author: | Compuware | |||
| Website: | http://www.compuware.com/products/devpartner/studio.htm | |||
| Current version: | 8.2 | |||
| Last updated: | ||||
| Direct D/L link: | N/A | |||
| License type: | Commercial (with trial) | |||
| Description: | This tool reportedly does not work at all without the source code of the analyzed program, which sadly makes it relatively useless for reversing purposes. See the following for more info: http://www.woodmann.com/forum/showthread.php?t=11306 ----------------------------- Performance Analysis: --------------------- DevPartner Studio performance analysis takes you where few profiling tools can go, to the individual line of source code to identify and analyze slow code and performance bottlenecks line by line. Using DevPartner Studio performance profiling, you can: * profile Visual C++, Visual Basic, .NET, C#, VBScript and JScript code from top to bottom * trace running applications and differentiate between application and operating system calls, all through an intuitive user interface * isolate performance bottlenecks in single and multi-tiered applications at machine, process, component or source line levels * receive recommendations and corrective actions from one key source—DevPartner Studio. Code Coverage Analysis: ----------------------- No more relying on relatively subjective reports to test code. DevPartner Studio Professional Edition code coverage analysis tells you how much code was tested, how well it was tested and what was never tested at all. You get the answers you need to focus testing where it's needed most, whether it's code check-in, unit testing, integration testing or final release. To zero in on untested code for you, DevPartner Studio: * captures and combines testing sessions for applications, components and web pages * traces both .NET and native code across users, languages and application tiers * pinpoints the portions of an application left unexecuted during one or more tests * merges sessions to present a clear picture of testing progress over time. | |||
| Also listed in: | Profiler Tools, Code Coverage Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Direct3D Hooking |
| ||
|---|---|---|---|---|
| Author: | Admiral | |||
| Website: | http://www.ring3circus.com/downloads/direct3d-hooking | |||
| Current version: | 1.1 | |||
| Last updated: | November 27, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | A sample for hooking a Direct3D 9 program and drawing on its viewport. Translating this to Direct3D 8 should be trivial. Notes: * Vista support added with version 1.1 * This is not safe for 64-bit consumption, though that should be obvious. * While there’s no reason it can’t be made to work with Unicode, I’ve written everything in ASCII, for simplicity. * By default, the DLL will increase its own reference count to prevent it being unloaded prior to termination of the host process. This is because there is a small risk of the DLL being unloaded by one thread, while a hooked function in another returns to the now dead memory. I figured that it’s better to waste a little bit of everybody’s memory than to crash unnecessarily. * The d3d9.dll function addresses (and prologues) are hard-coded, or at least their offsets are. While this may look very unprofessional and rather risky, I can assure you that it’s quite safe. The alternative would be to hack up some virtual-function tables and that’s a whole other story for a whole other post. * You may notice that the compiled DLL is dependent upon D3DX. This isn’t necessary for the hook itself, but I used ID3DXFont in my example for demonstrative purposes. The only reason I mention this is that there is no way to guarantee the existence of any D3DX DLLs on a DirectX 9 machine, and distributing them yourself is in violation of the DirectX Runtime EULA. So if you happen to need to distribute this code, you’ll either need to carry the huge runtime installer around, or avoid using D3DX altogether. * The soft-hooks used here will cause problems with PunkBuster if applied to any of its monitored functions. If you need to do this then you’ll have to be a bit cleverer. * The source assumes that the graphics device will never become invalid. If you suspect that this isn’t the case (which will be true for any full-screen game at a minimum) then you’ll need to add the appropriate sanity checks (see IDirect3DDevice9::TestCooperativeLevel) before attempting to render anything, lest you want to crash and burn. | |||
| Also listed in: | DirectX Tools, Code Injection Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | DynamoRIO |
| ||
|---|---|---|---|---|
| Author: | Hewlett-Packard Laboratories & MIT | |||
| Website: | http://www.cag.lcs.mit.edu/dynamorio/ | |||
| Current version: | 0.9.4 (beta) | |||
| Last updated: | February 26, 2005 | |||
| Direct D/L link: | N/A | |||
| License type: | Free | |||
| Description: | The DynamoRIO Collaboration - Dynamo from Hewlett-Packard Laboratories + RIO (Runtime Introspection and Optimization) from MIT's Laboratory for Computer Science. The DynamoRIO dynamic code modification system, joint work between Hewlett-Packard and MIT, is being released as a binary package with an interface for both dynamic instrumentation and optimization. The system is based on Dynamo from Hewlett-Packard Laboratories. It operates on unmodified native binaries and requires no special hardware or operating system support. It is implemented for both IA-32 Windows and Linux, and is capable of running large desktop applications. The system's release was announced at a PLDI tutorial on June 16, 2002, titled "On the Run - Building Dynamic Program Modifiers for Optimization, Introspection and Security." Here is the tutorial abstract: In the new world of software, which heavily utilizes dynamic class loading, DLLs and interconnected components, the power and reach of static analysis is diminishing. An exciting new paradigm of dynamic program optimization, improving the performance of a program while it is being executed, is emerging. In this tutorial, we will describe intricacies of building a dynamic optimizer, explore novel application areas such as program introspection and security, and provide details of building your own dynamic code modifier using DynamoRIO. DynamoRIO, a joint development between HP Labs and MIT, is a powerful dynamic code modification infrastructure capable of running existing binaries such as Microsoft Office Suite. It runs on both Windows and Linux environments. We are offering a free release of DynamoRIO for non-commercial use. A copy of the DynamoRIO release, which includes the binary and a powerful API, will be provided to the attendees. | |||
| Also listed in: | Code Injection Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | ERESI Framework |
| ||
|---|---|---|---|---|
| Author: | The ERESI Project | |||
| Website: | http://www.eresi-project.org | |||
| Current version: | 0.8a23 | |||
| Last updated: | November 30, 2007 | |||
| Direct D/L link: | N/A | |||
| License type: | Free / Open Source | |||
| Description: | The ERESI Reverse Engineering Software Interface is a unified multi-architecture binary analysis framework targeting operating systems based on the Executable & Linking Format (ELF) such as Linux, *BSD, Solaris, HP-UX, IRIX and BeOS. ERESI is a general purpose hybrid framework: it includes both static analysis and runtime analysis capabilities. These features are accessed through primitives of the ERESI reverse engineering language, which makes the framework more adaptable to the precise needs of its users. It provides an environment of choice for program analysis through instrumentation, debugging, and tracing, and it also offers more than ten exclusive major built-in features. ERESI can also be used for security auditing, hooking, integrity checking or logging of binary programs. The project advocates modularity and reusability of code and allows users to create their own project on top of the ERESI language interpreter in just a few lines. Among other features, the base code can display program graphs on demand using its automated flow analysis primitives. Our tools are enhanced for hardened or raw systems which have no executable data segments and no native debug API or even explicit program information. The ERESI framework includes: * The ELF shell (elfsh), an interactive and scriptable ERESI interpreter dedicated to instrumentation of ELF binary files. * The Embedded ELF debugger (e2dbg), an interactive and scriptable high-performance userland debugger that works without a standard debug API (namely without ptrace). * The Embedded ELF tracer (etrace), an interactive and scriptable userland tracer that works at full execution speed without generating traps. * The Kernel shell (kernsh), an interactive and scriptable userland ERESI interpreter to inject code and data into the OS kernel, but also to infer, inspect and modify kernel structures directly in the ERESI language. * The Evarista static analyzer, a work-in-progress ERESI interpreter for program transformation and data-flow analysis of binary programs, directly implemented in the ERESI language (no web page yet). Besides those top-level components, the ERESI framework contains various libraries that can be used from one of the previously mentioned tools, or in a standalone third-party program: * libelfsh: the binary manipulation library on which ELFsh, E2dbg, and Etrace are based. * libe2dbg: the embedded debugger library which operates from inside the debuggee program. * libasm: the disassembly engine (x86 and sparc) that gives semantic attributes to instructions and operands. * libmjollnir: the code fingerprinting and graph manipulation library. * librevm: the Reverse Engineering Vector Machine, which contains the meta-language interpreter and the standard ERESI library. * libaspect: the type system and aspect library. It can define complex data types to be manipulated ad hoc by ERESI programs. * libedfmt: the ERESI debug format library which can convert DWARF and STABS debug formats to the ERESI debug format by automatically generating new ERESI types. | |||
| Also listed in: | Reverse Engineering Frameworks, Linux Debuggers, Linux Disassemblers, Tracers, Code Injection Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | eXeScope |
| ||
|---|---|---|---|---|
| Author: | Toshifumi Yamamoto | |||
| Website: | http://hp.vector.co.jp/authors/VA003525/Eindex.htm | |||
| Current version: | 6.50 | |||
| Last updated: | March 23, 2004 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Shareware | |||
| Description: | Do you want to customize an application? For example, * to change a font, * to change a menu, * to change the arrangement of a dialog, * etc. But you think that it is impossible because you do not have the source files? eXeScope can analyze, display various information about, and rewrite the resources of executable files (EXE, DLL, OCX, etc.) without source files. | |||
| Also listed in: | Resource Editors | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Easy Code |
| ||
|---|---|---|---|---|
| Author: | ||||
| Website: | http://www.easycode.cat/English/index.htm | |||
| Current version: | 1.01.0.0007 | |||
| Last updated: | November 28, 2007 | |||
| Direct D/L link: | N/A | |||
| License type: | Free | |||
| Description: | Easy Code is a visual assembly programming environment made to build 32-bit Windows applications. The Easy Code interface, which looks like Visual Basic, lets you write a Windows assembler application with an ease that was never possible before. Download and test this application, which is distributed with a setup program and includes the source code of a nice CD player, a complete and fast text editor in a dll file (so that you can program your own editor), a complete and excellent text editor ready to use, a file shredder, a MIDI pla | |||