From Collaborative RCE Tool Library

Jump to: navigation, search

Debuggers


Tool name: Firebug
Rating: 5.0 (1 vote)
Author: Joe Hewitt                        
Website: http://getfirebug.com
Current version: 1.11.2
Last updated: February 23, 2013
Direct D/L link: http://addons.mozilla.org/firefox/downloads/latest/1843
License type: BSD / Open Source (JavaScript)
Description: Firebug integrates with Firefox, to put a wealth of web development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.

Probably the most advanced web/javascript debugger in existence.
Also listed in: Firefox Extensions, Javascript Debuggers, Web Application Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: IDA Pro
Rating: 5.0 (6 votes)
Author: Ilfak Guilfanov                        
Website: http://www.hex-rays.com/idapro
Current version: 6.1
Last updated: April 8, 2011
Direct D/L link: http://95.211.133.202/files/idademo_windows60.exe
License type: Commercial
Description: The IDA Pro Disassembler and Debugger is an interactive, programmable, extendible, multi-processor disassembler hosted on Windows or on Linux. IDA Pro has become the de-facto standard for the analysis of hostile code, vulnerability research and COTS validation.

There is also a free (crippled) version available (IDA Pro Free). See its own entry in the library for more info.

As of January 7, 2007, the official IDA Pro website moved from the old URL (http://www.datarescue.com/idabase) to the one listed above.
Also listed in: .NET Disassemblers, Disassemblers, IPhone Tools, Linux Debuggers, Linux Disassemblers, Mobile Platform Debuggers, Mobile Platform Disassemblers, Ring 3 Debuggers, Symbian Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: OllyDbg
Rating: 5.0 (4 votes)
Author: Oleh Yuschuk                        
Website: http://www.ollydbg.de
Current version: 1.10 (and 2.01)
Last updated: September 27, 2013
Direct D/L link: http://www.ollydbg.de/odbg110.zip
License type: Free (disassembler under GPL v3)
Description: The world's most famous ring 3 debugger.

The first public (pre-alpha) version of OllyDbg 2.0 was released on December 25, 2007, so you can now test it yourself if you want!
OllyDbg v2 : http://www.ollydbg.de/version2.html
Also listed in: Ring 3 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: radare
Rating: 5.0 (2 votes)
Author: pancake                        
Website: http://www.radare.org
Current version: 0.9.7
Last updated: March 3, 2014
Direct D/L link: http://www.radare.org/get/radare2-0.9.7.tar.xz
License type: LGPL
Description: The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with 6502, 8051, arc, arm64, avr, brainfuck, whitespace, malbolge, cr16, dcpu16, ebc, gameboy, h8300, tms320, nios2, x86, x86_64, mips, arm, snes, sparc, csr, m68k, powerpc, dalvik and java.

The main program is 'r2' a commandline hexadecimal editor with support for debugging, disassembling, analyzing structures, searching data, analyzing code and support for scripting with bindings for Python, NodeJS, Perl, Ruby, Go, PHP, Vala, Java, Lua, OCaml.

Radare comes with the unix phylosophy in mind. Each module, plugin, tool performs a specific task and each command can be piped to another to extend its functionality. Also, it treats everything as a file: processes, sockets, files, debugger sessions, libraries, etc.. Everything is mapped on a virtual address space that can be configured to map multiple files on it and segment it.

If you are interested or feel attracted by the project join us in the #radare channel at irc.freenode.net.

See website for more details.
Also listed in: .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: RosAsm
Rating: 5.0 (1 vote)
Author: Betov/Rene, Beyond2K, others                        
Website: http://rosasm.tk
Current version: 2.053g
Last updated: September 13, 2013
Direct D/L link: http://rosasm.freeforums.org/download/file.php?id=125
License type: Free / Open Source / GPLed
Description: Previously known as SpAsm.

The easy way for writing full 32 Bits Applications in Assembly

IDE with full integration of all components. RosAsm is auto-compilable and the Sources are hosted inside the PEs. No installation overhead (the silent auto-install coming with RosAsmFull.zip makes RosAsm the only actual Click&Go Assembler environment).

Real Sources Editor with tons of unique features, specificaly devoted to secure editions and to huge mono-files assembly sources: Tree-view, instant jump to any type of declaration by simple right-click, division of the mono-files into TITLEs, advanced IncIncluder pre-parser, and so on...

The fastest of the actual assemblers, (1.5 Mega/second on a Celeron 1.3 Ghz...) directly outputting PE files on a simple click, with a powerful macros system (a macros unfolder is available by a double-click, through a float menu). Simplified Intel syntax. Does not need any include, prototype or header companion file. Nothing but a single simple source. Complete implementation of the mnemonics set, up to SSE3. RosAsm Bottom-Up Assembler is a true low level Assembler, enabling HLL writing styles by user defined macros and/or by HLL pre-parsers selections.

Selectable Pre-Parsers performing various tasks, like HLL expressions parsing, alternate syntaxes, Includes Managements, ...

Source level Debugger with a state-of-the-art memory inspector and very advanced features, like the dynamic break-points, that can be set/removed by simple clicks, as well as at write-time and/or at run-time, like with the most advanced HLLs. To run the Debugger, You simply click on Run and your application is running through the debugger. Any error (or break-point, enabling advanced stepping modes) is pointed out directly in your source code. Accurate messages are delivered on errors cases.

Disassembler. To date, RosAsm is the one and only two-clicks-disassembler-reassembler ever seen. It is, actually, fully effective on most small files and on many middle size applications: The dream tool for study and/or for porting your works to assembly.

Original Resources Editors, with control of matching styles, outputting as well resources, files, and memory templates.

Integrated Help system, with a complete 32 bits Assembly Tutorials, Opcode help, and RosAsm Manual (2 megas of documentation, more than 600 organised rtf files).

Clip file system, for templates reuse.

Integrated OS Equates, and Structures files, saving from any boring include.

... and much more...

Take care that, as opposed to most RAD/IDEs, RosAsm does not attempt to impress you with multiple windows jumping all over the screen and with insistant features. Instead, RosAsm features implementations have always been made as discreet and as silent as possible, and the overall look-and-feel has always been made as naked and as simple as possible. Many implementations are optional, through the configuration tab.

Though RosAsm is the most accurate tool for learning the marvelous simplicity of Assembly - particulary since the inclusion of the Interactive Visual Tutorials - and though it is the easiest way to jump right into the true thing, it has been thought and designed, first, as a professional tool for real life applications programming in full assembly. Its final purpose is to compete with the current most commonly used HLLs, for serious applications writing. This goal will be achieved, in the near future, with the upcoming implementations of the Visual Components Designers (Wizards) and with the implementations of some Applications builders.
Also listed in: Assembler IDE Tools, Assemblers, Disassemblers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Malzilla
Rating: 4.5 (2 votes)
Author: Boban bobby Spasic                        
Website: http://malzilla.sourceforge.net
Current version: 1.2.0
Last updated: November 2, 2008
Direct D/L link: http://malzilla.sourceforge.net/downloads.html
License type: Free / Open Source
Description: Malware hunting tool. Web pages that contain exploits often use a series of redirects and obfuscated code to make it more difficult for somebody to follow. MalZilla is a useful program for use in exploring malicious pages. It allows you to choose your own user agent and referrer, and has the ability to use proxies. It shows you the full source of webpages and all the HTTP headers. It gives you various decoders to try and deobfuscate javascript aswell.
Also listed in: Javascript Debuggers, Javascript Deobfuscators, Javascript Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: EDB Linux Debugger
Rating: 4.0 (2 votes)
Author: Evan Teran                        
Website: http://codef00.com/projects#debugger
Current version: 0.9.20
Last updated: January 15, 2014
Direct D/L link: http://codef00.com/projects/debugger-0.9.20.tgz
License type: GPL
Description: Features
* Intuitive GUI interface
* The usual debugging operations (step-into/step-over/run/break)
* Conditional breakpoints
* Debugging core is implemented as a plugin so people can have drop in replacements. Of course if a given platform has several debugging APIs available, then you may have a plugin that implements any of them.
* Basic instruction analysis
* View/Dump memory regions
* Effective address inspection
* The data dump view is tabbed, allowing you to have several views of memory open at the same time and quickly switch between them.
* Importing of symbol maps
* Plugins
o Search for binary strings
o Code Bookmarks
o Breakpoint management
o Check for updates
o Environment variable viewer
o Heap block enumeration
o Opcode search engine plugin has basic functionality (similar to msfelfscan/msfpescan)
o Open file enumeration
o Reference finder
o String searching (like strings command in *nix)

One of the main goals of this debugger is isolation of the debugger core from the display you see. The interface is written in QT4 and thus source portable to many platforms. The debugger core is actually a plugin and the platform specific code is isolated to just a few files, porting to a new OS would require porting these few files and implementing a plugin which implements the "DebuggerCoreInterface" interface. Also, because the plugins are based on the QPlugin API, and do their work through the DebuggerCoreInterface object, they are almost always portable with just a simple recompile. So far, the only plugin I have written which would not port with just a recompile is the heap analysis plugin, due to it's highly system specific nature.
Also listed in: Linux Debuggers, Ring 3 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Symbol Type Viewer
Rating: 4.0 (1 vote)
Author: Lionel d'Hauenens                        
Website: http://www.laboskopia.com/
Current version: 32Bit/64Bit Version 1.0.0.6 (beta)
Last updated: May 19, 2008
Direct D/L link: http://www.laboskopia.com/download/SymbolTypeViewer_v1.0_beta.zip
License type: Free
Description: Symbol Type Viewer 32Bit/64Bit Version 1.0.0.6 beta

Symbol Type Viewer is a tool which makes it possible to easily visualize the types which can be defined in the symbols of the modules of the systems Microsoft Windows 32/64bit. Moreover, it makes it possible to convert these informations for the C language (.h) and the disassembler IDA of DataRescue (.idc).

Symbol Type Viewer allows to :
- download the symbols (pdb) very simply.
- sail and visualize in a detailed way the types and their members in the form of tree structure
easily find the unused areas in the structures (padding). These areas are theoretically usable to put personal data there
- translate the structures for the C Language (.h) and for IDA script (.idc) of DataRescue (http://www.datarescue.com/idabase/)
- personalize the formatting: addition of suffix in the names of types, freeze the sizes of structures and members (the pointers become ULONG32 for a 32bit system and UINT64 for a 64bit system)
- apply searchs of texts or regular expressions
- do a batch processing by treating all modules met in a directory and its under-directories. For example: C:\Windows;)

CHRONOLOGY

[+] May 18th, 2008 : Version 1.0.0.6 beta (32Bit / 64Bit)
- [bug] Correction of a problem with “_unnamed” structures included in a member of struct array. Those are not defined during a complete translation to the C format. This problem doesn't appear during a translation to IDA script like with Viewer. (Thank to Damien AUMAITRE)

[+] May 10th, 2008 : Version 1.0.0.5 beta (32Bit / 64Bit)
- [bug] Correction of a problem of identification of bitfield structure inside “union” (Thank to mxatone)
- [bug] Correction of a problem with IDA and the too small member names. IDA does not accept the names lower than 3 characters. To solve that, "__” is automatically added at the end of the names with one or two characters. This is applied only for IDA formatting script.

[+] March 20th, 2008 : Version 1.0.0.4 beta (32Bit / 64Bit)
- Addition of a filter allows to limit the translation scan (Thank to Orkblutt and buri)
- [bug] Correction of a problem of inappropriate error message when the symbols don't contain Types (Thank to Orkblutt and memo5)

[+] February 27th, 2008 : Version 1.0.0.3 beta (32Bit / 64Bit)
- Addition of a function of research starting from a text or a regular expression
- Addition of buttons of navigation keeping in memory the 100 last selections
- Possibility of fixing the size of the pointers in the structures for the C language. This option can be very useful when one wishes to make a work with 32bits processes in an 64bits environment.
- Possibility of personalizing a suffix at the end of all the names of the unions, structures, enumerations and functions. This makes it possible to use the entities formatted in projects while avoiding the conflicts of declaration which can appear.
- All the entities deduced or without name (unnamed) met in the members from the structures have a single name then. In order to give a maximum of information making it possible to identify the role of these entities, it is added to the single name the names of all the members dependant on this entity. Each name of added member is separated by a character “_”
- Addition of Exit menu (Thank to ouadji (most crazy of my friends) -> "An application without Exit menu is not a application. It's like the Camenbert… There doesn't exist Alsatian Camembert cheese..." )
- [bug] Correction of a problem of size of pointers in 64bit structures formatted for IDA script
- [bug] Correction of a problem of principal window refresh under Vista.
- [bug] Correction of a problem when one makes “Brut copy” with the “Format view” panel wich is empty. (Thank to ouadji )

[+] January 15th, 2008 : Version 1.0.0.2 beta (32Bit / 64Bit)
- Symbol Type Viewer is now compatible with the versions 32bits and 64bits of Windows.
- The functions met in the structures are now accessible directly since the tree view.
- Preparing of the tree with icons significant.
- In the format C structures, the unused zones appear now clearly in red. These zones are theoretically available to store personal data.
- [bug] Correction of bad size estimate with certain local structures.

[+] December 29th, 2007 : Version 1.0.0.1 beta (32Bit)
- [bug] Correction of a problem giving (with certain parameters of system appearance) a nonwhite background in the formatted structures view. This can be disturbing. Especially when the background appears in black. (Thank to DarKPhoeniX).
- [bug] Correction of a bad management of the variable system _NT_SYMBOLS_PATH when this one isn't completly in lower case (Thank to Neitsa)

[+] December 28th, 2007 : Version 1.0.0.0 beta (32Bit)
- Initial version

Bugs report : stv(at)laboskopia.com

www.laboskopia.com
Also listed in: Symbol Retrievers, Symbol Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Syser
Rating: 4.0 (2 votes)
Author: Syser Software                        
Website: http://www.sysersoft.com
Current version: 1.99.1900.1220
Last updated: July 21, 2011
Direct D/L link: http://www.sysersoft.com/download/SyserSetupTrial.zip
License type: Commercial (with trial)
Description: A new promising ring 0 debugger for Windows,
aiming to take the place of the once almighty SoftICE.

is designed for Windows NT Family based on X86 platform.
It is a kernel debugger with full-graphical interfaces and supports assembly debugging and source code debugging.

Very capable SoftICE alternative, this tool has become truly powerful!
Also listed in: Ring 0 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: WinAppDbg (Python module)
Rating: 4.0 (1 vote)
Author: Mario Vilas                        
Website: http://winappdbg.sourceforge.net
Current version: 1.4
Last updated: August 24, 2010
Direct D/L link: http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/
License type: Free / Open Source (BSD)
Description: The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment.

It uses ctypes to wrap many Win32 API calls related to debugging, and provides an object-oriented abstraction layer to manipulate threads, libraries and processes, attach your script as a debugger, trace execution, hook API calls, handle events in your debugee and set breakpoints of different kinds (code, hardware and memory). Additionally it has no native code at all, making it easier to maintain or modify than other debuggers on Windows.

The intended audience are QA engineers and software security auditors wishing to test / fuzz Windows applications with quickly coded Python scripts. Several ready to use utilities are shipped and can be used for this purposes.

Current features also include disassembling x86 native code (using the open source diStorm project, see http://ragestorm.net/distorm/), debugging multiple processes simultaneously and produce a detailed log of application crashes, useful for fuzzing and automated testing.
Also listed in: Debugger Libraries, Ring 3 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: WinDbg
  • Currently3.6666666666667/5
  • 1
  • 2
  • 3
  • 4
  • 5
Rating: 3.7 (3 votes)
Author: Microsoft                        
Website: http://msdn.microsoft.com/en-us/windows/hardware/gg463009.aspx
Current version: 6.2.9200.16384
Last updated: December 28, 2012
Direct D/L link: N/A
License type: Free
Description: Note: version 6.2 came with Windows 8 and is actually newer than the latest version 6.12.0002.633 for Windows 7.

Microsoft's own ring 0 debugger. Quite unfriendly to use, but one of the remaining stable options since the discontinuation of SoftICE.

You will find some extensions that make it at least somewhat easier to use, in the WinDbg extensions category.
Also listed in: Ring 0 Debuggers, Ring 3 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: IDA Pro Free
Rating: 3.5 (4 votes)
Author: DataRescue                        
Website: https://www.hex-rays.com/products/ida/support/download_freeware.shtml
Current version: 5.0
Last updated: November 2, 2007
Direct D/L link: http://out7.hex-rays.com/files/idafree50.exe
License type: Free
Description: This is the (crippled) freeware edition of the IDA Pro debugger (see its own entry in the library for more info).

Differences from the commercial version is, among others:

* No remote debugging
* No Linux debugging (disassembling only)
* No other OS support at all (Mac OSX, WinCE)
* Only PE, COFF, OMF, ELF and Dos is supported (not NE)
* No console version (idaw.exe)
* Only x86 family processor module included (metapc)
* No x64 support at all
* Some FLIRT signatures are out-dated
* Fewer included plugins
* Difficulty identifying parameters in some cases (no PIT)
* Buggy WINE support
* Incompatible with plugins for commercial versions (plugins can be patched with another tool available in this library to work with the free version though!)
Also listed in: Disassemblers, Ring 3 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Immunity Debugger
Rating: 3.0 (1 vote)
Author: Immunity Inc / Oleh Yuschuk                        
Website: http://debugger.immunityinc.com
Current version: 1.6
Last updated: March 27, 2008
Direct D/L link: N/A
License type: Free
Description: Immunity Debugger is based on OllyDbg.

Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility.

* A debugger with functionality designed specifically for the security industry
* Cuts exploit development time by 50%
* Simple, understandable interfaces
* Robust and powerful scripting language for automating intelligent debugging
* Lightweight and fast debugging to prevent corruption during complex analysis
* Connectivity to fuzzers and exploit development tools
Also listed in: OllyDbg Custom Versions, Ring 3 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: W32DASM
Rating: 2.0 (2 votes)
Author: URsoftware                        
Website: N/A
Current version: 8.94
Last updated: March 11, 2003
Direct D/L link: Locally archived copy
License type: Commercial (abandonware)
Description: Before IDA Pro, W32DASM was the king of Windows 32 bit executable disassemblers.

It also has a ring 3 debugger built-in.
Also listed in: Disassemblers, Ring 3 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Compuware DriverStudio Version 3.2 patch
Rating: 0.0 (0 votes)
Author: Compuware / Numega                        
Website: http://www.compuware.com/
Current version:
Last updated: Jan, 2006
Direct D/L link: Locally archived copy
License type: Commercial (Discontinued)
Description: This is the official and final patch released for Compuware DriverStudio Version 3.2.

It was originally located, but is no longer offered, at:
ftp://ftp.compuware.com/pub/driverstudio/outgoing/patch/DS3.2.1.zip

The purpose of this patch is to update DriverStudio – DriverSuite to fix several bugs that have been found. It also has the operating system update patch.
Also listed in: Ring 0 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Deblector
Rating: 0.0 (0 votes)
Author: Felice Pollano, Matthew Yee                        
Website: http://www.codeplex.com/deblector
Current version: 1.1
Last updated: March 1, 2010
Direct D/L link: http://www.codeplex.com/Project/Download/FileDownload.aspx?ProjectName=deblector&DownloadId=18153
License type: Free / Open Source
Description: Plug-in for .NET Reflector that allows you to debug .NET processes from within .NET Reflector.
Also listed in: .NET Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Dotnet IL Editor (DILE)
Rating: 0.0 (0 votes)
Author: zsozsop                        
Website: http://sourceforge.net/projects/dile
Current version: 0.2.6
Last updated: September 30, 2007
Direct D/L link: N/A
License type: Free / Open Source
Description: Dotnet IL Editor (DILE) is an editor program which helps modifying .NET assemblies. It is intended to be able to disassemble .NET assemblies, modify the IL code, recompile it and run inside a debugger.
Also listed in: .NET Debuggers, .NET Disassemblers, .NET Executable Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: DynamoRIO
Rating: 0.0 (0 votes)
Author: Hewlett-Packard Laboratories & MIT & Derek Bruening                        
Website: http://dynamorio.org
Current version: 6.0.0.6
Last updated: October 6, 2015
Direct D/L link: https://github.com/DynamoRIO/dynamorio/releases/download/release_6_0_0/DynamoRIO-Windows-6.0.0-6.zip
License type: Free and open source (BSD-type license)
Description: DynamoRIO is a runtime code manipulation system that supports code transformations on any part of a program, while it executes. DynamoRIO exports an interface for building dynamic tools for a wide variety of uses: program analysis and understanding, profiling, instrumentation, optimization, translation, etc. Unlike many dynamic tool systems, DynamoRIO is not limited to insertion of callouts/trampolines and allows arbitrary modifications to application instructions via a powerful IA-32/AMD64 instruction manipulation library. DynamoRIO provides efficient, transparent, and comprehensive manipulation of unmodified applications running on stock operating systems (Windows or Linux) and commodity IA-32 and AMD64 hardware.
DynamoRIO's powerful API abstracts away the details of the underlying infrastructure and allows the tool builder to concentrate on analyzing or modifying the application's runtime code stream. API documentation is included in the release package and can also be browsed online.

Previous description:

The DynamoRIO Collaboration - Dynamo from Hewlett-Packard Laboratories + RIO (Runtime Introspection and Optimization) from MIT's Laboratory for Computer Science.

The DynamoRIO dynamic code modification system, joint work between Hewlett-Packard and MIT, is being released as a binary package with an interface for both dynamic instrumentation and optimization. The system is based on Dynamo from Hewlett-Packard Laboratories. It operates on unmodified native binaries and requires no special hardware or operating system support. It is implemented for both IA-32 Windows and Linux, and is capable of running large desktop applications.

The system's release was announced at a PLDI tutorial on June 16, 2002, titled "On the Run - Building Dynamic Program Modifiers for Optimization, Introspection and Security." Here is the tutorial abstract:

In the new world of software, which heavily utilizes dynamic class loading, DLLs and interconnected components, the power and reach of static analysis is diminishing. An exciting new paradigm of dynamic program optimization, improving the performance of a program while it is being executed, is emerging. In this tutorial, we will describe intricacies of building a dynamic optimizer, explore novel application areas such as program introspection and security, and provide details of building your own dynamic code modifier using DynamoRIO. DynamoRIO, a joint development between HP Labs and MIT, is a powerful dynamic code modification infrastructure capable of running existing binaries such as Microsoft Office Suite. It runs on both Windows and Linux environments. We are offering a free release of DynamoRIO for non-commercial use. A copy of the DynamoRIO release, which includes the binary and a powerful API, will be provided to the attendees.
Also listed in: Code Coverage Tools, Code Injection Tools, Debugger Libraries, Disassembler Libraries, Profiler Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: HyperDbg
Rating: 0.0 (0 votes)
Author: Aristide Fattori, Roberto Paleari and Lorenzo Martignoni                        
Website: http://security.dico.unimi.it/hyperdbg/
Current version: 20100325
Last updated: March 25, 2010
Direct D/L link: http://security.dico.unimi.it/hyperdbg/releases/hyperdbg_20100325.zip
License type: GPLv3
Description: HyperDbg is a kernel debugger that leverages hardware-assisted virtualization. More precisely, HyperDbg is based on a minimalistic hypervisor that is installed while the system runs. Compared to traditional kernel debuggers (e.g., WinDbg, SoftIce, Rasta R0 Debugger) HyperDbg is completely transparent to the kernel and can be used to debug kernel code without the need of serial (or USB) cables. For example, HyperDbg allows to single step the execution of the kernel, even when the kernel is executing exception and interrupt handlers. Compared to traditional virtual machine based debuggers (e.g., the VMware builtin debugger), HyperDbg does not require the kernel to be run as a guest of a virtual machine, although it is as powerful.
Also listed in: Ring 0 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Jeremy Gordon's Go Tools for Win32 and Win64
Rating: 0.0 (0 votes)
Author: Jeremy Gordon                        
Website: http://www.godevtool.com/
Current version:
Last updated:
Direct D/L link: http://www.godevtool.com/
License type: free
Description: This collection of free tools contains:

* A free assembler (GoAsm.exe), which produces COFF object files ready to be given to a linker to create the final executable. The author's aim has been to make an assembler with clean and obvious syntax, which is very quick, and which always tries to produce the smallest code. GoAsm also has some useful extensions to make programming for Windows easier. It has enhanced support for making Unicode programs and can produce programs for both Win32 and Win64(x64) platforms.

* A free resource compiler (GoRC.exe), which produces RES files from RC files, or OBJ files from RC or RES files, together with documentation.

* A free linker (GoLink.exe), which takes COFF object files and a Res file and creates EXE or DLL executables able to run under Windows Win32 or Win64(x64). This is a full featured but "reduced baggage" linker which keeps files to a minimum. You do not need Lib files to identify what functions reside in the DLLs. Instead GoLink looks inside the DLLs themselves. Used with GoAsm, this linker can report on redundant data and code in your programs. It also allows use of Unicode filenames and labels (exports and imports).

* "GoBug" - A free Win32 symbolic debugger for assembler programmers, together with "Testbug", its accompanying test program and Win32+assembler demo program. It is itself written entirely in assembler, using GoAsm and GoLink.
Also listed in: Assemblers, Ring 3 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Linice
Rating: 0.0 (0 votes)
Author: Goran Devic                        
Website: http://www.linice.com
Current version: 2.6
Last updated: July 28, 2005
Direct D/L link: Locally archived copy
License type: GPL
Description: What is Linice?

Linice is an Intel x86-based, Linux source-level kernel debugger with the look and feel of SoftIce for MS Windows.

Linice is designed to be used by the people who have SoftIce experience. Linice provides a major subset of SoftIce commands, and adds a few new ones. For that reason the documentation describing individual commands is not provided. There are a number of good resources on the Web that describe all SoftIce commands (Google "SoftIce" keyword.)

What can I use it for?

You can use Linice to debug a kernel module or a user application. You can also debug a Linux kernel. Kernel does not need to be recompiled or patched in any way. The debugger proper loads as a module into the running kernel and supports debugging using the following devices:
local VGA frame buffer
X-Window
remote serial terminal
monochrome monitor

You can break into a running kernel at any time by a hotkey. Place breakpoints, single step, watch variables etc. Multiple international keyboard layouts are supported.
Also listed in: Linux Debuggers, Ring 0 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: mmBBQ
Rating: 0.0 (0 votes)
Author: Michael Willigens, Rene Laemmert                        
Website: http://web.archive.org/web/20150507114635/http://duschkumpane.org/index.php/mmbbq
Current version: 3.1.0RC1
Last updated: October 16, 2014
Direct D/L link: http://hellgateaus.info/files/mmbbq_3.1.0_RC1.zip
License type: public domain, closed source
Description: mmBBQ injects an interactive codecaving Lua API into a win32 process. It is easy to use, there are no dependencies and only little knowledge is required. It was initially built to create APIs for MMORPGs. However it is fully generic and can attach to any kind of program. It can also inject into many protected processes, as it's meant to bypass some protective mechanisms. It offers debugging functionality, but not being a debugger itself makes it harder to detect.

It's easy to place any form of generic codecaves by using plain Lua code (LuaJIT C-Types). For Example:
codecave.inject(nil, getProcAddress("user32", "GetMessageA"), function(context) print("Hellow World Codecave") end)

It can also call arbitrary functions of the host process:
asmcall.cdecl(getProcAddress("user32", "MessageBoxA"), 0, "Hello World!", "Title", 0)

Aside that it includes a debugging and disassembly module, that can be used to script breakpoints. This can be useful when making packed .exe extractors etc.


64 bit support is underway. And further future maybe also a Linux and Mac version.
Also listed in: Code Injection Tools, Disassemblers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: oStudio - Live Tuning
Rating: 0.0 (0 votes)
Author: Objectis                        
Website: http://www.objectis-software.com/product/ostudio-live-tuning-live-debugging-functional-tests/
Current version: 1.3
Last updated: January 17, 2014
Direct D/L link: http://www.objectis-software.com/download-ostudio-2013/
License type: Free
Description: Accelerates the integration, testing and development phase by a factor of 2 to 10, in one easy-to-use application.
oStudio - Live Tuning brings a new development and real time debugging method. It's easy to connect embedded systems, automation and .NET applications to oStudio - Live Tuning, and to interact with them LIVE!

Traditional step by step debugging techniques are now history. A system doesn’t need to be halted to verify and validate its behavior anymore! This method, called live debugging, consists of observing and interacting with a real-time system while it’s still running. oStudio – Live Tuning is a new generation of debugger. It regroups new debugging tools for embedded systems and the machine industry with automated testing.
Also listed in: .NET Debuggers, .NET Tools, .NET Tracers, API Monitoring Tools, COM Debugging Tools, COM Monitoring Tools, Debug Output Monitoring Tools, FPGA Tools, Microcontroller Tools, Non-Intrusive Debuggers, Visual Basic Debuggers, Visual Basic Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Obsidian
Rating: 0.0 (0 votes)
Author: deneke                        
Website: http://www.deneke.biz/obsidian
Current version:
Last updated: January 16, 2010
Direct D/L link: http://www.deneke.biz/obsidian/Obsidian_source.zip
License type: Free / Open Source
Description: Obsidian is a non-intrusive debugger, which means that it doesn't change the targets process as a normal debugger would. Being in beta state there can be some minor issues but it should be mostly stable.

The main advantage would be that you don't have to care anymore about those anti-debugger-tricks like:

* IsDebuggerPresent() which boils down to checking the debugger-flag in the PEB
* self-debugging: creating another thread or process which attaches itself to the target in order to keep other debuggers from doing so and probably doing some code 'corrections' during runtime.
* timing checks to recognize delays due to an attached debugger.


* Windows API

The debugging functions are implemented by using standard Win32-API calls like:

* CreateProcess
* SuspendThread / ResumeThread
* ReadProcessMemory / WriteProcessMemory
* GetThreadContext / SetThreadContext


* Breakpoints

To implement breakpoints I used a trick I learned from a very interesting paper in Codebreakers Journal. Its name is "Guide on How to Play with Processes Memory, Write Loaders and Oraculumns" and was written by Shub Nigurrath. Shub Nigurrath references the trick itself to yates and his paper "Creating Loaders & Dumpers - Crackers Guide to Program Flow Control", so kudos to him too. The trick is to place the opcode EB FE at the address you want to stop. This code stands for "jmp -2" which is the shortest way to code a while(1); loop I know of.


* Dis-/Assembling

To dis-/assemble the opcodes, I used the awesome code of the disasm zip-file Oleh Yuschuk, creator of OllyDbg, has put on his site. OllyDbg has rightfully gained a reputation for being intuitive and a real alternative to SoftICE when it comes to ring 3 applications.


* File-information

To extract some information about code and data segments and other stuff about the process I used the information gained from the paper "Portable Executable File Format – A Reverse Engineer View" written by Goppit. This paper can also be found at Codebreakers Journal.


* Singlestep and stepping into calls

Since I couldn't use debug-events, I chose the simple way out and "just" set a breakpoint on the instruction which would be executed next. This involved checking for jumps, calls and returns to make sure to get the right instruction. Checking for conditional jumps was easy since the disasm files (mentioned above) could already do this for me with the Checkcondition function. The same applies for calls. With the exception of calls that got their destination from a register. After searching for a while I found that the lower nibble of the call-opcode gave away the register that should be used. Last time I wrote about StackWalk-function and I have to admit that I was wrong about using it for returns since intel-documentation states that ret in any case uses the first element form the stack. So there's nothing to be done except reading the DWORD pointed to by the ESP.


* Thread Local Storage (TLS)

The first piece of code that will be executed when a new process is started isn't at the address pointed to by AddressOfEntryPoint. Actually DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS] in the optional header points to a IMAGE_TLS_DIRECTORY32 structure which contains a pointer to a list of functions executed before going to the AddressOfEntryPoint.


* Process dumping

When I started writing the code, I was wondering why there didn't seem to be any tutorial about dumping a running process with your own program. Most tutorials I found used existing tools for it. There are some really good papers about rebuilding the IAT by the way. Which I will keep in mind for one of the next releases. As I began to reread the PE documentation it occurred to me that this is about all you need to dump an unprotected process. You can get the headers directly from the imagebase of the module and from them you can gather all the other parts. So the job is reassembling the parts scattered through process space by the loader and writing them into a file. Just keep boundaries and offsets in mind.


* Symbols

Working with symbols is much easier than I first thought. Most work is done by the Sym*-functions provided by the imagehlp library (for example use SymGetSymFromAddr to get a symbols name by its address). So the only part which requires a bit of work, is to determine the levels of indirection so calls via a jumptable could be resolved correctly. The same goes for applying the IDA map file. Once it is parsed, it's back to analysing references again. By the way, IDA is a very impressive disassembler by Ilfak Guilfanov (DataRescue). It provides a deeper analysis and another view to an executable than most debuggers do. Plus, as the name implies, you don't need to actually execute the target, which is pretty cool, especially for malware analysis.


* Basic block analysis

After the construction of the (more or less) needed basics I decided to take a shot at improving the code analysis. A short research yielded the magical words 'basic block', which is a term that originated from optimization concepts of compilers. But perhaps it's better to first explain what basic blocks are. A basic block is, generally spoken, a sequence of commands that doesn't contain any jumps and isn't jumped into. Where jump doesn't mean the jmp instruction but generally everything that explicitly moves the eip anywhere. The commands I used the determine the end of a basic block are:

* all jumps, conditional and unconditional (e.g. jmp, je...)
* call
* ret

How are blocks and addresses handled? The Analyser contains two lists, where one holds all addresses not analysed yet and the other contains the generated blocks. By doing this there is a clean separation between unknown and known blocks. To avoid an infinite loop e.g. when dealing with backward jumps the analyser only processes addresses that do not lie on the beginning of an already processed code-block. Also no processing of addresses out of the modules scope will be performed. This is done to keep the processing-time at an acceptable level. The analysis of the code starts at the entrypoint and moves onward from there on. Calls and conditional jumps both yield at best two addresses where the analysis of a new block could be started. The 'at best' results from the fact that at the time of analysis indirect addressing with register can't be resolved, so this is a path that can't analysed. When an address points into a known block this means that the block needs to be split, since an address can only come from a jump to this location which means the former block ends there and a new one begins. At the moment the analyser doesn't make any assumptions about what could be meant but only cares for definate information. Thus there are blocks of code which haven't been recognized and therefore are treated as filling. This affects the readability of the disassembled code. Since any opcode not flagged as code will be disassembled in byte steps. For example an opcode like 74 53 at address 00403F52 will result in the following output:

00403F52 74 53 JE 403FA7
00403F53 53 PUSH EBX

Mind the addresses, that is what was meant by 'in byte steps'. This can be fixed by telling the analyser to process the code from the current selection onwards.


* Modular approach

After starting with a single executable, I decided to break it up into the GUI which in itself still contains a lot of intelligence and the basic obsidian class which contains all of the debugger- like functions. The main reason for this was to be able to pass the obsidian class to a plugin. But this way you can also easily use the obsidian class in other programs.


* Plugin interface

At the moment there is only a by call interface available, which means that the plugin will only be called when the user selects the plugin from the list. To write a working plugin for obsidian you need to export the following two functions from a dll.

extern "C" void EXPORT GetName(char* p, unsigned int len);
extern "C" DWORD EXPORT Go(Obsidian* p);


As the name of the first function implies its only purpose is to store the name of the plugin in the supplied buffer. The second function gets called when the user clicks on the menu entry. This is the place where your plugin can do its work. The paramer you receive is a valid class pointer which should be used by you instead of the singleton construct. To make Obsidian recognize a plugin you need to create a folder called "PlugIns" in the Obsidian-directory and put the dlls into that folder.
Also listed in: Non-Intrusive Debuggers, Ring 3 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: OepFinder
Rating: 3.0 (1 vote)
Author: deroko of ARTeam                        
Website: http://deroko.phearless.org
Current version: X.Y.Z
Last updated: March 10, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: Generic Oep finder, uses PAGE_GUARD to locate good range. Supports debugging using win32 debug subsystem, and nonintrusive traceing.
Also listed in: OEP Finders, Non-Intrusive Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: PaiMei
Rating: 0.0 (0 votes)
Author: Pedram Amini                        
Website: http://paimei.googlecode.com
Current version: 1.1-REV122
Last updated: May 22, 2007
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: PaiMei, is a reverse engineering framework consisting of multiple extensible components. The framework can essentially be thought of as a reverse engineer's swiss army knife and has already been proven effective for a wide range of both static and dynamic tasks such as fuzzer assistance, code coverage tracking, data flow tracking and more. The framework breaks down into the following core components:

* PyDbg: A pure Python win32 debugging abstraction class.
* pGRAPH: A graph abstraction layer with seperate classes for nodes, edges and clusters.
* PIDA: Built on top of pGRAPH, PIDA aims to provide an abstract and persistent interface over binaries (DLLs and EXEs) with separate classes for representing functions, basic blocks and instructions. The end result is the creation of a portable file that when loaded allows you to arbitrarily navigate throughout the entire original binary.

A layer above the core components you will find the remainder of the PaiMei framework broken into the following over-arching components:

* Utilities: A set of utilities for accomplishing various repetitive tasks.
* Console: A pluggable WxPython GUI for quickly and efficiently rolling out your own sexy RE utilities.
* Scripts: Individual scripts for accomplishing various tasks. One very important example of which is the pida_dump.py IDA Python script which is run from IDA to generate .PIDA modules.


The documentation for the framework is available online at: http://pedram.openrce.org/PaiMei/docs

A very informative discussion thread about PaiMei, including a bunch of tutorials on how to use the different aspects of it, can be found at:
http://www.woodmann.com/forum/showthread.php?t=10851
Also listed in: Debugger Libraries, Reverse Engineering Frameworks
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Pokas x86 Emulator for Generic Unpacking
Rating: 0.0 (0 votes)
Author: Amr Thabet                        
Website: http://sourceforge.net/projects/x86emu/
Current version: 1.2.0 and 1.21 visual C++
Last updated: December 28, 2012
Direct D/L link: http://sourceforge.net/projects/x86emu/files/1.2.0/x86emu-1.2.rar/download
License type: GPL
Description: Pokas x86 Emulator is an Application-Only emulator created for generic unpacking and testing the antivirus detection algorithms.
This Emulator has many features some of them are:
1. Has an assembler and a disassembler from and to mnemonics.
2. Support adding new APIs and adding the emulation function to them.
3. Support a very powerful debugger that has a parser that parses the condition you give and create a very fast native code that perform the check on this condition.
4. Support seh and support tib, teb, peb and peb_ldr_data.
5. It monitors all the memory writes and log up to 10 previous Eips and saves the last accessed and the last modified place in memory.
6. it support 6 APIs:GetModuleHandleA, LoadLibrayA, GetProcAddress, VirtualAlloc, VirtualFree and VirtualProtect.
7. With all of these it's FREE and open source.

It successfully emulates:
1. UPX
2. FSG
3. MEW
4. Aspack
5. PECompact
6. Morphine

But it does contain bugs and it still in the beta version. It surely will be fixed soon with the help of your feedback.

you can download it from https://sourceforge.net/projects/x86emu/

AmrThabet
amr.thabet_*at*_student.alx.edu.eg
Also listed in: Assembler IDE Tools, Assemblers, Automated Unpackers, Disassembler Libraries, Disassemblers, OEP Finders, PE Executable Editors, Programming Libraries, Tracers, Unpacking Tools, Virtual Machines, X86 Disassembler Libraries, X86 Emulators, X86 Sandboxes
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Poke
Rating: 0.0 (0 votes)
Author: Toolcrypt Group                        
Website: http://www.toolcrypt.org/tools/poke/index.html
Current version:
Last updated:
Direct D/L link: http://www.toolcrypt.org/tools/poke/poke.zip
License type: Free
Description: Poke is a run-time process examination tool. It reminds slightly of a debugger, but is injected into a running process and does not use the Debug API. This tool can give you some valuable help if the process you want to examine has some heavy anti-debugging features. Poke is under development and is tested and works on Win2K.
Also listed in: Ring 3 Debuggers, Non-Intrusive Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Ragweed
Rating: 0.0 (0 votes)
Author: Matasano Security                        
Website: http://www.matasano.com/log/1799/ruby-for-pentesters-the-dark-side-i-ragweed/
Current version:
Last updated:
Direct D/L link: N/A
License type: Free / Open Source
Description: Ragweed is available as a gem through github:

sudo gem install tduehr-ragweed


Why a scriptable debugger?


When reversing, the usual debugging tools for developers aren’t as useful. They’re built for stepping interactively through programs you have source code for. They don’t generally have methods to get data out.

Reversing also requires being able to do mean and nasty things to the running process. When tracing calls, you want to watch how they interact. The last thing you want to do is anything manual. Automation is a requirement.

Also helpful is the ability to automate information gathering tasks, or the ability to dynamically add, remove or change breakpoints. These features are why scriptable debuggers have been created: To play with black boxes in a more dynamic and seedier manner.

What’s available already?


There are already scriptable debuggers out there. The most notable are PaiMei/PyDbg, Immunity Debugger and IDA.

PaiMei is written in Python, bills itself as “a reverse engineer’s swiss army knife” and uses the Python ctypes library for low level win32 calls.

Immunity Debugger is a GUI debuggger for win32 that uses Python for its scripting functionality.

IDA Pro is largely a win32 disassembler, but it is scriptable, again in Python, and includes a debugging module.

Before I get run off by a screaming mob with pitchforks, flightless birds, members of the family bovidae, etc., I will also mention GDB which has a library in development (libgdb) and can be scripted through macros.

With the exception of GDB which runs on most platforms and has its own macro language, these all share two common problems: Win32 and Python. Matasano is a Ruby shop. We like Ruby. It is good to us. We also wanted a tool for non-Win32 applications. But mostly, we just wanted something in Ruby.

Enter Ragweed


I’m going to stick to the OSX side of Ragweed for this article since I’m most familiar with it and there is still work to be done to unify the (currently) three debugging APIs —- Win32, Linux, and OSX —- inside Ragweed.

Under the hood, Ragweed (on OSX) uses Ruby/DL to perform the various low level system calls necessary to create a debugger. (More about that in my post from last year). These calls are abstracted somewhat to provide a smoother, more Ruby-like interface.

There are two caveats for Ragweed in OSX:

* Due to the changes in Ruby 1.9 to DL, it is currently incompatible with 1.9.
* Also, under OSX, Ragweed wants to run as root due to restrictions on
Code:

task_for_pid

.

A quick example (this we can do in IRB):


# debugging ftp using default signal handlers, printing registers every stop and logging calls to _lpwd

require ‘ragweed’
class DebugFtp < Debuggerosx

# print the registers every time the process stops

def on_stop(signal)

puts "Stopped with signal #{signal}"

self.threads.each {|t| self.get_registers(t).dump}

end

end

# no process lookup by name yet

d = DebugFtp.new(pid) # where pid is the id of ftp for this example

# set breakpoint for lpwd

d.breakpoint_set(0x420f,‘lpwd’, (bpl = lambda do | t, r, s | puts "#{ s.breakpoints[r.eip].first.function } hit in thread #{ t }\n"; end))

d.install_breakpoints

d.continue

d.loop #loop until child exits

# now go do stuff in in your other terminal window running ftp

That’s it. We just override the signal handlers for the signals we want to know about (or not), attach to a running process, set and install breakpoints, and it’s off to the traces. A simple hit tracer is only a CSV file and read loop away from this.

Want info on a region of memory?

d.region_info(0x0,:basic).dump

What about:

thread_info

?

d.threadinfo(threadid).dump

Break stuff by playing with registers?

regs = d.get_registers(thread_id) regs.eip = 0x420f d.set_registers(thread_id, regs)

Grope through the child’s memory?

Ragweed::Wraposx::vm_read(d.task, address, size) #returns a string of child's memory

There you have it. It’s not pretty but it’s only begun.
Also listed in: Debugger Libraries
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Rasta Ring 0 Debugger (RR0D)
Rating: 0.0 (0 votes)
Author: Droids Corporation                        
Website: http://rr0d.droids-corp.org
Current version: 0.3
Last updated: 2006
Direct D/L link: N/A
License type: Open Source
Description: Open source ring 0 debugger for both Windows, Linux and BSD.
Also listed in: Ring 0 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: scdbg
Rating: 0.0 (0 votes)
Author: David Zimmer                        
Website: http://sandsprite.com/blogs/index.php?uid=7&pid=152
Current version:
Last updated: March 30, 2012
Direct D/L link: http://sandsprite.com/CodeStuff/scdbg.zip
License type: free
Description: scdbg is a shellcode analysis application built around the libemu emulation library. When run it will display to the user all of the Windows API the shellcode attempts to call.

Additions include:
100+ new api hooks, 5 new dlls, interactive debug shell, memory dumping, rebuilt PEB, SEH support, support for file format exploits, support for return address scanners, memory monitor, report mode, dump mode, easily human readable outputs, log after xx capabilities, directory mode, inline analysis of process injection shellcode and more...

Builds are available for Windows (native), Cygwin, and *nix variants.

See tool web page for more details.


**************************
New catagory Request: Shellcode Analysis

While other categories describe functions of this tool, its a really specialized niche field.
Not many people know specialized tools exist for it, a category of its own (probably
within the Malcode Analysis section?) would help people find it. I can think of two other applications to link into this new section. (libemu and sclog) and maybe shellcode_2_exe
***************************
Also listed in: API Monitoring Tools, Automated Unpackers, Malware Analysis Tools, Monitoring Tools, Needs New Category
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Security Research and Development Framework
Rating: 0.0 (0 votes)
Author: Amr Thabet                        
Website: http://blog.amrthabet.co.cc
Current version: v 1.00
Last updated: November 25, 2012
Direct D/L link: http://code.google.com/p/srdf
License type: GPL v.2
Description: Do you see writing a security tool in windows is hard?
Do you have a great idea but you can’t implement it?
Do you have a good malware analysis tool and you don’t need it to become a plugin in OllyDbg or IDA Pro?
So, Security Research and Development Framework is for you.


Abstract:

This is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches and ideas from the theoretical approach to the practical implementation.

This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF.

Introduction:

In the last several years, the malware black market grows widely. The statistics shows that the number of new viruses increased from 300,000 viruses to millions and millions nowadays.

The complexity of malware attacks also increased from small amateur viruses to stuxnet, duqu and flame.

The malware field is searching for new technologies and researches, searching for united community can withstand against these attacks. And that’s why SRDF

The SRDF is not and will not be developed by one person or a team. It will be developed by a big community tries to share their knowledge and tools inside this Framework

SRDF still not finished … and it will not be finished as it’s a community based framework developed by the contributors. We just begin the idea.

The SRDF is divided into 2 parts: User-Mode and Kernel-Mode. And we will describe each one in the next section.

The Features:

Before talking about SRDF Design and structure, I want to give you what you will gain from SRDF and what it could add to your project.

In User-Mode part, SRDF gives you many helpful tools … and they are:

· Assembler and Disassembler
· x86 Emulator
· Debugger
· PE Analyzer
· Process Analyzer (Loaded DLLs, Memory Maps … etc)
· MD5, SSDeep and Wildlist Scanner (YARA)
· API Hooker and Process Injection
· Backend Database, XML Serializer
· And many more

In the Kernel-Mode part, it tries to make it easy to write your own filter device driver (not with WDF and callbacks) and gives an easy, object oriented (as much as we can) development framework with these features:

· Object-oriented and easy to use development framework
· Easy IRP dispatching mechanism
· SSDT Hooker
· Layered Devices Filtering
· TDI Firewall
· File and Registry Manager
· Kernel Mode easy to use internet sockets
· Filesystem Filter

Still the Kernel-Mode in progress and many features will be added in the near future.

Source Code: http://code.google.com/p/srdf
Facebook Page: http://www.facebook.com/SecDevelop

JOIN US ... just mail me at: amr.thabet[at]student.alx.edu.eg
Also listed in: Assembler IDE Tools, Assemblers, Automated Unpackers, Debugger Libraries, Disassembler Libraries, Disassemblers, Driver & IRP Monitoring Tools, Exe Analyzers, Kernel Filter Monitoring Tools, Kernel Tools, Low-level Development Libraries, Malware Analysis Tools, Programming Libraries, Reverse Engineering Frameworks, X64 Disassembler Libraries, X86 Disassembler Libraries, X86 Emulators
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: SoftICE
Rating: 0.0 (0 votes)
Author: Compuware / Numega                        
Website: http://www.compuware.com
Current version:
Last updated: April, 2006
Direct D/L link: Locally archived copy
License type: Commercial (Discontinued)
Description: SoftICE was the king of ring 0 debuggers until Windows XP came along. At that point it turned very unstable on many computers, and never really recovered. It was sadly discontinued in April 2006.

SoftICE began its story already as a DOS debugger, brought to fame by the ORC tutorials. These ancient DOS versions, 2.62 (with snap feature) and 2.80 (snap feature removed), are downloadable here for history preserving reasons.
Also listed in: 16 bit and DOS Debuggers, Ring 0 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: SymChk
Rating: 0.0 (0 votes)
Author: Microsoft                        
Website: http://www.microsoft.com/whdc/devtools/debugging/default.mspx
Current version:
Last updated:
Direct D/L link: N/A
License type: Free
Description: Included in Microsoft Debugging Tools
Also listed in: Symbol Retrievers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Symbol Retriever
Rating: 0.0 (0 votes)
Author: Compuware / Numega                        
Website: http://www.compuware.com
Current version:
Last updated:
Direct D/L link: N/A
License type: Commercial
Description: Included in the (now discontinued) Compuware DriverStudio.
Also listed in: Symbol Retrievers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: TRW 2000
Rating: 0.0 (0 votes)
Author: KnlSoft                        
Website: http://www.knlsoft.com
Current version: 1.23
Last updated: December 20, 2002
Direct D/L link: N/A
License type: Commercial (with demo)
Description: Once promising ring 0 debugger, contesting to be the SoftICE replacement.
Also listed in: Ring 0 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Turbo Debugger
Rating: 0.0 (0 votes)
Author: Borland                        
Website: N/A
Current version: 5.5
Last updated:
Direct D/L link: Locally archived copy
License type: Commercial (abandonware)
Description: Turbo Debugger was the most advanced debugger back in the 16-bit and DOS day.
Also listed in: 16 bit and DOS Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: VMKD
Rating: 0.0 (0 votes)
Author: Skywing                        
Website: http://www.nynaeve.net/?page_id=168
Current version: 1.1.1.7
Last updated: October 28, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: VMKD (Virtual Machine KD Extensions) is a program that provides high speed kernel debugging support for VMware virtual machines. VMKD allows you to debug a VMware VM in a high speed fashion, instead of using the much slower and lower bandwidth virtual serial port mechanism.

When you use VMKD to debug a VM, VMKD creates a named pipe on the machine hosting the VM that you can connect to using the usual kernel debugging over named pipe support in WinDbg. However, unlike conventional VM kernel debugging, which is done by creating a virtual serial port in the VM and exposing it to the host system as a named pipe, VMKD does not internally use a virtual serial port to communicate with the kernel running in the VM. Instead, VMKD uses a high speed interface that takes advantage of the fact that the kernel is running in a VM to enhance the performance and responsiveness of the kernel debugging experience.

VMKD has presently only been tested against VMware Server 1.0.3 and 1.0.4. It is designed in a fashion that is intended to be portable to future VMware versions, however this forwards compatibility is fairly fragile and may break on future releases. VMKD does not support Microsoft Virtual Server or other virtualization products. Do not attempt to use VMKD with other virtualization programs or with a physical machine.

The main benefits of using VMKD instead of conventional serial port debugging are:

1. Responsiveness. VMKD provides a very low latency link between the kernel debugger and the VM if you are running the kernel debugging on the same computer hosting the VM. This means that most kernel debugger commands will respond much quicker than with normal kernel debugging (many commands are typically fairly close to local kernel debugging (lkd) speed, such as !process 0 0, which typically returns in 1-2 seconds or less even with 40-50 running processes when operating with VMKD). This improved response time even makes complex conditional breakpoints on “warm” kernel code paths feasible!

2. Data transfer speed. VMKD can move data to and from a VM much faster than the virtual serial port debugging mechanism. For example, I typically received around ~200KBps throughput while doing bulk memory reads on a VM, far beyond that possible with a virtual serial port. Most of the overhead now remaining in terms of bulk data transfer is reflective of design limitations of the protocol that VMKD uses to talk to the kernel debugger client (DbgEng.dll). Note that 1394 can still write physical memory dumps faster than VMKD, because 1394 KD can essentially DMA the target’s physical memory across the wire due to special support in the 1394 DbgEng KD protocol client. However, in most other aspects, VMKD provides equivalent or superior performance to even 1394 KD.

3. Processor usage. Normally, when you are kernel debugging a computer, the target is spinning on the kernel debugger I/O hardware (such as the serial port or 1394 controller). With a VM, this is a particular problematic condition, as it causes the VM to monopolize one CPU with useless polling. VMKD allows the VM to sleep while waiting for input from the kernel debugger, eliminating the tendancy of conventional virtual serial port debugging to severely degrade overall system performance on the host computer.

However, VMKD is not perfect. Because it was written without the assistance of either VMware or Microsoft, integration with the Windows kernel and VMware is a bit rough around the edges. Due to this, there are some steps that need to be followed to use VMKD. For some kernel debugging tasks, it may simply be easier to just use virtual serial port debugging and live with the limitations of the virtual serial port than to set up a VMKD debugging session.
Also listed in: VM Debugging Tools, WinDbg Extensions
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Visual DuxDebugger
Rating: 0.0 (0 votes)
Author: Douglas Schillaci                        
Website: http://www.duxcore.com
Current version: 3.6
Last updated: May 22, 2012
Direct D/L link: http://www.duxcore.com/fs_files/VisualDuxDbgSetup.zip
License type: Freeware
Description: Visual DuxDebugger is a 64-bit debugger disassembler for Windows.

Main features
Fully support 64-bit native processes
Fully support 64-bit managed processes
Full code analysis
Full memory analysis
Code edition
Memory edition
Module export formats (EXE/DLL/CSV)
Debug multiple processes
Debug multiple child processes

Minimum Requirements
O.S: W7(64) / WS2008-R2
Processor: Pentium 4 3.0 GHz

Recommended Requirements
O.S: W7(64) / WS2008-R2 or higher
Processor: Dual Core 2.5 GHz or higher
Display: 1920 x 1080 or higher
Also listed in: Ring 3 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: W32Dasm 8.94 Full
Rating: 0.0 (0 votes)
Author: URSoft                        
Website: http://N/A
Current version: 8.94
Last updated: March 9, 2002
Direct D/L link: Locally archived copy
License type: Retail/abandonware
Description: W32DASM is a program disassembler designed for educational purposes. It provides you with the possibility to take a look at the code of any application, thus giving you some insight into the world of programming.

It includes save, print and search functions and bundles an easy-to-use 32-bit program debugger. Other abilities consist of full cross referencing for Call / Jump instructions, functions for importing and exporting and a hex utility.

There is no installation process, so your efforts are reduced to simply launching an executable file. The user interface has a rather basic appearance, but simplicity in terms of look is what makes it intuitive and easy-to-use.

There’s nothing complicated about the program’s usage: just load the file of interest, disassemble it and use the additional functions that the application offers. Once you open a project, you might be struck by the strange looking font. Make sure to switch to another one in the Disassembler menu by checking with the font sample.

You are going to love W32DASM if you're a fan of reverse engineering (start with the ending and work through the beginning). What can you do with it? For example, you can create a key generator.

In addition, the application takes up minimum CPU and memory resources, so the costs involve only your attention. Possibilities to learn about code are endless with this application.

So, if you want to get the true programmer experience and “time travel to low-level programming”, then use W32DASM with confidence.
Also listed in: Disassemblers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Whiskey Kon Tequilla VB P-Code Debugger
Rating: 0.0 (0 votes)
Author: WKT Team                        
Website: N/A
Current version: 1.3e
Last updated: Around 2001
Direct D/L link: Locally archived copy
License type: Free
Description: Also known as "WKT Debugger".

At the time it showed up, the one and only P-Code disassembler / debugger mankind was able to use.

Before it, debugging of the P-Code (Runtime interpreted Pseudo-VB code) with ordinary disassemblers / debuggers was really pain in your neck. This one saved me a lot of time, and probably helped postpone my deportation to the psychiatric research facility.
Also listed in: Disassemblers, Visual Basic Debuggers, Visual Basic Decompilers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Wintruder
Rating: 0.0 (0 votes)
Author: FutureVision                        
Website: http://mitglied.lycos.de/wintruder/wintruder.zip
Current version: 1.0.0.1
Last updated: October 17, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: Wintruder is an extendable debugger for Windows 9x and Windows XP.
By default, it includes debug interfaces for:
- Win32 Debug API
- Intel x86
- Microsoft VisualBasic p-code
- Virtual Dos Machine (XP only)
- Win32 Stealth (XP only)
- Intel x86
- Microsoft VisualBasic p-code
- Virtual Dos Machine
- Microsoft .Net (.Net 1.0 and up)
- .Net CIL

You can use Wintruder for free. For more information read license.txt. If this file does not exist, type wintruder.exe -l


This version of Wintruder is a development snapshot and far from being a final release.

Most important limitations:
- You may encounter several bugs and deficiencies.
- The use of debug information is limited to bare function definitions.
- The native .Net debugger is missing.
- The script engine is not really working.
- Much, much more…

By the way:
- The DiaDbg plug-in requires the Microsoft Debug Interface Access library. (msdia80.dll, msdia71.dll or msdia20.dll)
- To be more precise: None of the libraries Wintruder is bound to is included in this distribution.
Also listed in: .NET Debuggers, Ring 3 Debuggers, Visual Basic Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)


RSS feed Feed containing all updates and additions for this category.

RSS feed Feed containing all updates and additions for this category, including sub-categories.


Subcategories

There are 11 subcategories to this category.





Views
Category Navigation Tree
   Needs New Category  (3)