From Collaborative RCE Tool Library
Dependency Analyzer Tools
| Tool name: | AdmiralDebilitate |
|---|---|
| Author: | Admiral |
| Website: | http://www.ring3circus.com/downloads/admiraldebilitate |
| Current version: | 0.2 |
| Last updated: | June 16, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | AdmiralDebilitate is a tool for removing .NET strong name signing, particularly suited for large projects consisting of multiple nested dependencies. The interface is fairly simple: open up all relevant executables simultaneously (or all PEs if late-binding is in use) and ‘mark’ those that are to be modified. AdmiralDebilitate will determine the minimal area of the dependency tree that requires fixing and execute things appropriately. Any mismatching references will be listed in the ‘Problem Areas’ pane.<br><br>Please report any bugs, after reading the following list of notes and caveats:<br>* All dependencies on mscorlib and System.* are ignored. I don’t see why this should be a problem, but bear it in mind if something isn’t working.<br>* Only exe and dll files are supported.<br>* The tool searches only the current folder for DLLs referenced by the seeding assemblies. If the system is relying on environment variables being set or suchlike, then AdmiralDebilitate will probably fail to load all the assemblies. A workaround is to temporarily place all the files in the same directory.<br><br>Updates:<br>* 17/06/08 - A silly little fencepost error was causing problems with assemblies having AssemblyRef as their last table. That’s fixed in version 0.2. Thanks go out to Dan Pistelli, without whose .NET specification this wouldn’t have happened. |
| Also listed in: | .NET Signature Changers, .NET Signature Removers |
| Tool name: | Explorer Suite |
|---|---|
| Author: | Daniel Pistelli |
| Website: | http://ntcore.com/exsuite.php |
| Current version: | III |
| Last updated: | August 19, 2009 |
| Direct D/L link: | http://ntcore.com/Files/ExplorerSuite.exe |
| License type: | Free |
| Description: | A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.<br><br>Features:<br>* Process Viewer<br>* Windows Viewer<br>* PE and Memory Dumper<br>* Full support for PE32/64<br>* Special fields description and modification (.NET supported)<br>* PE Utilities<br>* PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)<br>* View and modification of .NET internal structures<br>* Resource Editor (full support for Windows Vista icons)<br>* Support in the Resource Editor for .NET resources (dumpable as well)<br>* Hex Editor<br>* Import Adder<br>* PE integrity checks<br>* Extension support<br>* Visual Studio Extensions Wizard<br>* Powerful scripting language<br>* Dependency Walker<br>* Quick Disassembler (x86, x64)<br>* Name Unmangler<br>* Extension support<br>* File Scanner<br>* Directory Scanner<br>* Deep Scan method<br>* Recursive Scan method<br>* Multiple results<br>* Report generation<br>* Signatures Manager<br>* Signatures Updater<br>* Signatures Collisions Checker<br>* Signatures Retriever |
| Also listed in: | .NET Executable Editors, .NET Resource Editors, .NET Signature Removers, .NET Tools, Exe Analyzers, Executable CRC Calculators, Hex Editors, Import Editors, Memory Dumpers, PE Executable Editors, Process Dumpers, Protection Identifiers, Resource Editors |
| Tool name: | APIScan |
|---|---|
| Author: | Sirmabus |
| Website: | http://www.openrce.org/forums/posts/456 |
| Current version: | 2.2 |
| Last updated: | April 28, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | APIScan is a simple tool to gather a list of APIs that a target process uses. You can use this list in an initial analysis to help determine a target's general operating nature. Also can be used to help determine patch/update changes by doing a WinDiff on a "before" and "after" dump.<br><br>There are similar tools, often more robust (like "Dependency Walker"), but most of these just parse the target IAT ("Import Address Table") alone. APIScan catches dynamically/delayed loaded modules too, and dumps them as a simple list.<br><br>Example dump for a module:<br>`Library Flags Function`<br>`====================================`<br>`-- COMCTL32.DLL`<br>`[I...] ImageList_Add`<br>`[I...] ImageList_Create`<br>`[I...] ImageList_Destroy`<br>`[I.O.] InitCommonControls`<br>`[.D..] InitCommonControlsEx`<br>`[.D.F] ImNotHere`<br>`...`<br>`...`<br><br>Explanation: APIScan saw that "COMCTL32.DLL" is loaded both as an import via the IAT, plus it caught it being loaded dynamically for "InitCommonControlsEx". That's the 'D' flag in "[.D.F] InitCommonControlsEx". The 'F' in "[.D.F] ImNotHere" means that the application failed in one or more attempts to dynamically load (from the 'D') "ImNotHere", since this export doesn't exist in "COMCTL32.DLL". In "[I.O.] InitCommonControls", the 'I' tells us this API is in the IAT, and the 'O' tells us it was by "ordinal". Note, you can have both 'I' and 'D' flags since an application (as well as 'O', and 'F', if there is a 'D') can have it both in its IAT and loaded dynamically (with "GetProcAddress()").<br><br>Changes:<br>2.2: Got rid of the index numbers around the DLL and API dumps, that made WinDiff'ing a mess.<br><br>TODO:<br>1. Add intra-module support. API scan could parse the IATs of modules/DLLs and optionally filter out GetProcAddress() calls made within modules for better focus.<br>2. Optional real time output to DBGVIEW. |
| Also listed in: | API Monitoring Tools |
| Tool name: | Dependency Walker |
|---|---|
| Author: | Steve P. Miller |
| Website: | http://www.dependencywalker.com |
| Current version: | 2.2 |
| Last updated: | |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | Dependency Walker is a free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules. For each module found, it lists all the functions that are exported by that module, and which of those functions are actually being called by other modules. Another view displays the minimum set of required files, along with detailed information about each file including a full path to the file, base address, version numbers, machine type, debug information, and more.<br><br>Dependency Walker is also very useful for troubleshooting system errors related to loading and executing modules. Dependency Walker detects many common application problems such as missing modules, invalid modules, import/export mismatches, circular dependency errors, mismatched machine types of modules, and module initialization failures.<br><br>Dependency Walker runs on Windows 95, 98, Me, NT, 2000, XP, 2003, and Vista. It can process any 32-bit or 64-bit Windows module, including ones designed for Windows CE. It can be run as a graphical application or as a console application. Dependency Walker handles all types of module dependencies, including implicit, explicit (dynamic / runtime), forwarded, delay-loaded, and injected. A detailed help is included. |
| Also listed in: | (Not listed in any other category) |
| Tool name: | Export Log |
|---|---|
| Author: | deroko |
| Website: | http://deroko.phearless.org |
| Current version: | 1.0 |
| Last updated: | September 15, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | Program for runtime logging of used/imported external functions (i.e. in other DLLs) in target modules/processes. |
| Also listed in: | API Monitoring Tools |