From Collaborative RCE Tool Library


Data Search and Extraction Tools


Tool name: Codetective Analysis Tool
Rating: 5.0 (1 vote)
Author: Francisco Gama Tabanez Ribeiro
Website: https://github.com/blackthorne/Codetective
Current version: 0.8.2
Last updated: September 20, 2014
Direct D/L link: N/A
License type: GPL
Description: Sometimes we run into hashes and other artefacts and cannot tell where they came from or how they were generated. This tool recognises the output format of many different algorithms in many possible encodings for analysis purposes. It also infers a level of certainty for each finding from traces left in the artefact's representation (for instance its length, alphabet and prefix).

This may be useful, for example, when you are testing systems from a security perspective and manage to grab a password file with hashed contents, perhaps from an exposed backup file or by dumping memory. It can also serve as part of a fingerprinting process, or simply to verify that an implementation of a given algorithm produces correctly formed output. You may also try running it against network traffic captures or large source code repositories to look for interesting artefacts.

You can use it either as a standalone script or as a plugin for the Volatility framework; usage is similar in both cases.
Currently supports:
web-cookie
mssql2000
md5
URL
md4
phone number
credit cards
mssql2005
lm hash
ntlm hash
MySQL4+
MySQL323
base64
SAM(*:ntlm)
SAM(lm:*)
SAM(lm:ntlm)
RipeMD320
sha1
sha224
sha256
sha384
sha512
whirpool
CRC
des-salt-unix
sha256-salt-django
sha256-django
sha384-salt-django
sha384-django
sha256-salt-unix
sha512-salt-unix
apr1-salt-unix
md5-salt-unix
md5-wordpress
md5-phpBB3
md5-joomla2
md5-salt-joomla2
md5-joomla1
md5-salt-joomla1
blowfish-salt-unix
uuid
Also listed in: Crypto Libraries, Data Extraction Tools, Dongle Analysis Tools, Dongle Crypto Solver Tools, Memory Data Tracing Tools, Memory Search Tools, String Finders
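To show the kind of inference the description refers to, here is an added Python example, written for this page and not Codetective's own code, that classifies a token from traces of its representation: scheme prefixes such as $1$ or $6$, fixed hex digest lengths, and sentinel values such as the LM hash of an empty password. The pattern table, the confidence figures and the sample inputs are this example's own assumptions; Codetective's real rules and scoring differ.

```python
"""Toy artefact classifier in the spirit of Codetective: guess what produced a
token from traces of its representation and attach a confidence to each guess.
Patterns and scores are assumptions made for this example, not Codetective's."""
import re

# Prefixed or structured formats: the representation names the scheme, so these
# get high confidence.  des-salt-unix is bare 13-char crypt output, hence low.
STRUCTURED = [
    ("md5-salt-unix",      r"\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}",                    0.95),
    ("apr1-salt-unix",     r"\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}",                 0.95),
    ("sha256-salt-unix",   r"\$5\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43}",   0.95),
    ("sha512-salt-unix",   r"\$6\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}",   0.95),
    ("blowfish-salt-unix", r"\$2[abxy]?\$\d{2}\$[./0-9A-Za-z]{53}",                           0.95),
    ("md5-wordpress",      r"\$P\$[./0-9A-Za-z]{31}",                                         0.90),
    ("md5-phpBB3",         r"\$H\$[./0-9A-Za-z]{31}",                                         0.90),
    ("sha256-salt-django", r"sha256\$[^$]+\$[0-9a-f]{64}",                                    0.90),
    ("mssql2000",          r"0x0100[0-9A-Fa-f]{88}",                                          0.90),
    ("mssql2005",          r"0x0100[0-9A-Fa-f]{48}",                                          0.90),
    ("MySQL4+",            r"\*[0-9A-F]{40}",                                                 0.90),
    ("SAM(lm:ntlm)",       r"[^:]+:\d+:[0-9a-fA-F]{32}:[0-9a-fA-F]{32}:::",                   0.90),
    ("uuid",               r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}", 0.85),
    ("des-salt-unix",      r"[./0-9A-Za-z]{13}",                                              0.40),
]

# Bare hex digests: only the length is a clue, so candidates share one score.
HEX_LENGTHS = {
    8: ["CRC"], 16: ["MySQL323"], 32: ["md5", "md4", "ntlm hash", "lm hash"],
    40: ["sha1"], 56: ["sha224"], 64: ["sha256"], 80: ["RipeMD320"],
    96: ["sha384"], 128: ["sha512", "whirpool"],
}

# Sentinel values that betray the scheme: LM half and NT hash of an empty password.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

B64_RE = re.compile(r"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")


def identify(token):
    """Return [(scheme, confidence), ...] sorted from most to least likely."""
    token = token.strip()
    found = {}
    for name, pattern, conf in STRUCTURED:
        if re.fullmatch(pattern, token):
            found[name] = max(found.get(name, 0), conf)
    low = token.lower()
    if re.fullmatch(r"[0-9a-f]+", low):
        names = HEX_LENGTHS.get(len(low), [])
        for name in names:
            found[name] = 0.6 / len(names)
        if len(low) == 32:
            if EMPTY_LM_HALF in (low[:16], low[16:]):
                found["lm hash"] = 0.95       # empty or <=7 char password half
            elif low == EMPTY_NT:
                found["ntlm hash"] = 0.95
    elif len(token) >= 4 and len(token) % 4 == 0 and B64_RE.fullmatch(token):
        # pure hex was treated as hex above; '=' padding is a stronger base64 trace
        found["base64"] = 0.8 if token.endswith("=") else 0.5
    return sorted(found.items(), key=lambda kv: (-kv[1], kv[0]))


SAMPLES = [  # constructed or well-known illustrative inputs, not from any real system
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "aad3b435b51404eeaad3b435b51404ee",
    "$1$saltsalt$qjXMvbEw8oaL.CzflDtaK1",
    "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy",
    "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19",
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "550e8400-e29b-41d4-a716-446655440000",
    "aGVsbG8gd29ybGQ=",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[:40].ljust(42), identify(s)[:3])
```

The ambiguity of a bare 32-hex token (MD5, MD4, NTLM or LM) is deliberate: without a prefix or a sentinel value there is nothing in the representation to separate them, which is exactly why a tool like this reports a certainty level instead of a single answer.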



Tool name: OfficeMalScanner
Rating: 0.0 (0 votes)
Author: Frank Boldewin
Website: http://www.reconstructer.org
Current version: v0.51
Last updated: February 5, 2010
Direct D/L link: Locally archived copy
License type: Free
Description: OfficeMalScanner v0.51 is an MS Office forensic tool that scans documents for malicious traces such as shellcode heuristics, PE files or embedded OLE streams. Found files are extracted to disk. It supports disassembly and hex view as well as a simple brute-force mode to detect encrypted files. In addition, an Office file is scanned for VB macro code, which is extracted for further analysis if found. The "inflate" feature extracts MS Office 2007 documents into a directory and marks potentially malicious files. Also included in this package is a tool called MalHost-Setup, a kind of MS Office runtime emulation environment for debugging the shellcode in malicious documents in real time.
Also listed in: Code Ripping Tools



Tool name: PDF Stream Dumper
Rating: 0.0 (0 votes)
Author: dzzie
Website: http://sandsprite.com/blogs/index.php?uid=7
Current version: 0.9.170
Last updated: July 21, 2010
Direct D/L link: http://sandsprite.com/CodeStuff/PDFStreamDumper_Setup.exe
License type: unknown
Description: Full feature list
supported filters: FlateDecode, RunLengthDecode, ASCIIHEXDecode, ASCII85Decode, LZWDecode
Integrated shellcode tools:
sclog gui (Shellcode Analysis tool I wrote at iDefense)
scTest gui libemu based Shellcode analysis tool
Shellcode_2_Exe functionality
Export unescaped bytes to file
supports filter chaining (i.e. multiple filters applied to the same stream)
supports unescaping encoded pdf headers
scriptable interface to process multiple files and generate reports
view all pdf objects
view deflated streams
view stream details such as file offsets, header, etc
save raw and deflated data
search streams for strings
scan for functions which contain pdf exploits (dumb scan)
format javascript using js beautifier (see credits in readme)
view streams as hex dumps
zlib compress/decompress arbitrary files
replace/update pdf streams with your own data
basic javascript interface so you can run parts of embedded scripts
PdfDecryptor w/source - uses iTextSharp and requires .Net Framework 2.0
Basic JavaScript de-obfuscator
can hide: header only streams, duplicate streams, selected streams
js ui also has access to a toolbox class to
simplify fragmented strings
read/write files
do hexdumps
do unicode safe unescapes
disassembler engine
replicate some common Adobe API (new)
Current Automation scripts include:
csv_stats.vbs - Builds csv file with results from lower status bar for all files in a directory
pdfbox_extract.vbs - use pdfbox to extract all images and text from current file
string_scan.vbs - scan all decompressed streams in all files in a directory for a string you enter
unsupported_filters.vbs - scan a directory and build list of all pdfs which have unsupported filters
filter_chains.vbs - recursively scans parent dir for pdfs that use multiple encoding filters on a stream.
obsfuscated_headers.vbs - recursively scans parent dir for pdfs that have obfuscated object headers
pdfbox_extract_text_page_by_page.vbs - uses pdfbox to extract page data into individual files

Current Plugins include:
Build_DB.dll - Search and sort data inside multiple samples, move and organize files
obj_browser.dll - view layout and data inside pdf in text form
Also listed in: Malware Analysis Tools
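As an added illustration of the filter chaining mentioned in the feature list (example code written for this page, not PDF Stream Dumper's own source), the Python below locates stream objects in a constructed PDF, reads the /Filter entry and applies FlateDecode, ASCIIHexDecode, ASCII85Decode and RunLengthDecode in the order the array gives them. LZWDecode is left unimplemented, the object-dictionary parsing is deliberately minimal (no nested dictionaries, no /Length or /DecodeParms handling), and the sample document and its JavaScript payload are constructed inline.

```python
"""Minimal PDF stream dumper: find stream objects, read the /Filter chain and
apply the decoders in order.  Written for this page as an illustration of
filter chaining; it is not PDF Stream Dumper's code."""
import base64
import binascii
import re
import zlib


def flate_decode(data):
    # decompressobj tolerates trailing junk better than zlib.decompress
    return zlib.decompressobj().decompress(data)


def ascii_hex_decode(data):
    hexstr = re.sub(rb"\s+", b"", data.split(b">", 1)[0])   # '>' is EOD
    if len(hexstr) % 2:      # odd final digit is treated as if followed by 0
        hexstr += b"0"
    return binascii.unhexlify(hexstr)


def ascii85_decode(data):
    data = re.sub(rb"\s+", b"", data)
    data = data[2:] if data.startswith(b"<~") else data
    data = data[:-2] if data.endswith(b"~>") else data    # '~>' is EOD
    return base64.a85decode(data)


def run_length_decode(data):
    out, i = bytearray(), 0
    while i < len(data):
        length, i = data[i], i + 1
        if length == 128:                        # EOD marker
            break
        if length < 128:                         # literal run of length+1 bytes
            out += data[i:i + length + 1]
            i += length + 1
        else:                                    # next byte repeated 257-length times
            out += bytes([data[i]]) * (257 - length)
            i += 1
    return bytes(out)


DECODERS = {   # long names and the abbreviated inline-image forms
    b"FlateDecode": flate_decode, b"Fl": flate_decode,
    b"ASCIIHexDecode": ascii_hex_decode, b"AHx": ascii_hex_decode,
    b"ASCII85Decode": ascii85_decode, b"A85": ascii85_decode,
    b"RunLengthDecode": run_length_decode, b"RL": run_length_decode,
}

# "N G obj << dict >> stream ... endstream"; the dict match stops at the first
# '>>', so nested dictionaries are not handled (good enough for this sample).
STREAM_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*(<<(?:(?!>>).)*>>)\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def filter_chain(obj_dict):
    """Return the filter names from '/Filter /Name' or '/Filter [/A /B]'."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/\w+)", obj_dict)
    return re.findall(rb"/(\w+)", m.group(1)) if m else []


def dump_streams(pdf):
    """Return [(object number, filter chain, decoded bytes or None), ...]."""
    results = []
    for m in STREAM_RE.finditer(pdf):
        num, obj_dict, data = int(m.group(1)), m.group(3), m.group(4)
        chain = filter_chain(obj_dict)
        for name in chain:                 # filters are applied in array order
            if name not in DECODERS:       # e.g. LZWDecode, DCTDecode: unsupported
                data = None
                break
            data = DECODERS[name](data)
        results.append((num, chain, data))
    return results


def build_sample_pdf():
    """Constructed two-stream PDF: hex-wrapped deflate, and ASCII85-wrapped RunLength."""
    js = b"app.alert('constructed sample');"
    hex_flate = binascii.hexlify(zlib.compress(js)) + b">"
    rl = b"\xfc" + b"A" + b"\x04" + b"hello" + b"\x80"     # 5 x 'A', literal 'hello', EOD
    a85_rl = base64.a85encode(rl) + b"~>"
    parts = [b"%PDF-1.4\n",
             b"1 0 obj\n<< /Type /Action /S /JavaScript /JS 2 0 R >>\nendobj\n",
             b"2 0 obj\n<< /Length " + str(len(hex_flate)).encode()
             + b" /Filter [/ASCIIHexDecode /FlateDecode] >>\nstream\n",
             hex_flate, b"\nendstream\nendobj\n",
             b"3 0 obj\n<< /Length " + str(len(a85_rl)).encode()
             + b" /Filter [/ASCII85Decode /RunLengthDecode] >>\nstream\n",
             a85_rl, b"\nendstream\nendobj\n%%EOF\n"]
    return b"".join(parts)


if __name__ == "__main__":
    for num, chain, data in dump_streams(build_sample_pdf()):
        print(num, b" -> ".join(chain).decode(), data)
```

A malicious document typically wraps its JavaScript exactly like object 2 above, so a scanner that only inflates FlateDecode streams and ignores the outer ASCIIHexDecode or ASCII85Decode layer never sees the script; walking the whole chain is the point of the feature.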



Tool name: PowerGREP
Rating: 0.0 (0 votes)
Author: Just Great Software Co.
Website: http://www.powergrep.com
Current version: 3.5.2
Last updated: March 11, 2009
Direct D/L link: N/A
License type: Shareware
Description: PowerGREP is a powerful Windows grep tool. It quickly searches through large numbers of files on your PC or network, including text and binary files, compressed archives, MS Word documents, Excel spreadsheets, PDF files and more. Find the information you want with text patterns (regular expressions) that specify the form of what you are looking for instead of literal text. Search and replace with one or many regular expressions to maintain web sites, source code, reports and so on. Extract statistics and knowledge from log files and large data sets.
Also listed in: Regular Expression Tools, Source Code Search Tools, String Finders



Tool name: Strings2
Rating: 0.0 (0 votes)
Author: Geoff McDonald
Website: http://www.split-code.com/
Current version: v1.2
Last updated: April 21, 2013
Direct D/L link: http://split-code.com/files/strings2_x86_v1-2.zip
License type: Freeware
Description: Strings2 is a Windows command-line tool for extracting ASCII and Unicode strings from binary data. On top of the classic Sysinternals strings approach, this improved version can also dump strings from process address spaces, and it reconstructs hidden ASCII/Unicode strings that are assembled in assembly through local variable assignments.

The Windows 64 bit binary is available here:
http://split-code.com/files/strings2_x64_v1-2.zip

and the Windows 32 bit binary is available here:
http://split-code.com/files/strings2_x86_v1-2.zip


Example Usage:
strings2 malware.exe
strings2 *.exe > strings.txt
strings2 *.exe -nh -f -t -asm > strings.txt
strings2 -pid 419 > process_strings.txt
strings2 -pid 0x1a3 > process_strings.txt
strings2 -system > all_process_strings.txt
cat abcd.exe | strings2 > out.txt
Also listed in: String Finders
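An added Python example, written for this page rather than taken from Strings2, of the three kinds of extraction the description names: ASCII runs, UTF-16LE runs, and strings that are assembled on the stack by consecutive `mov dword ptr [ebp+disp8], imm32` instructions (opcode bytes C7 45). The stack-string heuristic is this example's own simplification of the idea and an assumption about the technique, not Strings2's actual algorithm; the sample blob is constructed inline.

```python
"""ASCII, UTF-16LE and stack-string extraction from a byte blob.  Example code
for this page; the stack-string heuristic is an assumption, not Strings2's."""
import re

MIN_LEN = 4


def ascii_strings(data, min_len=MIN_LEN):
    """Runs of printable 7-bit ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def unicode_strings(data, min_len=MIN_LEN):
    """Runs of UTF-16LE where every code unit is printable ASCII (char, NUL)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def stack_strings(data, min_len=MIN_LEN):
    """Strings built dword-by-dword with 'mov dword ptr [ebp+disp8], imm32'.

    Encoding assumed: C7 45 <disp8> <imm32 little-endian>, 7 bytes per move.
    Consecutive moves are concatenated in instruction order; the immediates
    are kept as raw bytes, so little-endian storage gives the text directly.
    """
    out = []
    for m in re.finditer(rb"(?:\xc7\x45[\x00-\xff]{5})+", data, re.S):
        run = m.group()
        immediates = b"".join(run[i + 3:i + 7] for i in range(0, len(run), 7))
        text = immediates.split(b"\x00", 1)[0]       # stop at the terminator
        if len(text) >= min_len and re.fullmatch(rb"[\x20-\x7e]+", text):
            out.append(text.decode("ascii"))
    return out


# Constructed sample: a fake DOS stub, a UTF-16LE import name, and two moves
# that write "Hell" to [ebp-0x10] and "o!\0\0" to [ebp-0x0c].
SAMPLE = (b"MZ\x90\x00\x03\x00\x00\x00"
          b"This program cannot be run in DOS mode.\r\n$\x00\x00"
          + "kernel32.dll".encode("utf-16-le") + b"\x00\x00"
          + b"\xc7\x45\xf0Hell" + b"\xc7\x45\xf4o!\x00\x00"
          + b"\xff\xfe\x02\x01")

if __name__ == "__main__":
    print("ascii:  ", ascii_strings(SAMPLE))
    print("unicode:", unicode_strings(SAMPLE))
    print("stack:  ", stack_strings(SAMPLE))
```

Note that the plain ASCII scan also reports the fragment "Hell" from the first immediate: a classic strings run sees only the 4-byte pieces, which is why the reassembly pass is worth having when malware hides its strings this way.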

