From Collaborative RCE Tool Library

Jump to: navigation, search

Exe Analyzers


Tool name: CRC Calculator
Rating: 5.0 (1 vote)
Author: Shub-Nigurrath                        
Website: http://arteam.accessroot.com
Current version: 1.1
Last updated: January 6, 2005
Direct D/L link: http://arteam.accessroot.com/releases.html?fid=14
License type: Free
Description: Just drag & drop files to it or use the button to calculate the CRC, then select and paste.

Adapted from existing sources, small and easy.

History
-1.0 initial version
-1.1 added command-line support ideal for integration into Total Commander
Also listed in: Executable CRC Calculators
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Ent
Rating: 5.0 (1 vote)
Author: Gynvael Coldwind                        
Website: http://gynvael.coldwind.pl/?id=158
Current version: 0.0.3
Last updated: March 9, 2009
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Ent does two things:
1) it measures entropy of a file
2) it measures density of FPU instructions in the code section, if the file is a PE
(Why file entropy measurement is interesting is a story for another day (follow the link in 'related URLs') ;>)

The tool was made in C++, and currently it's Windows only (the next version will be portable, I'm just using some structures from winnt.h), and it uses libpng for PNG creation. The executable binary with the source code is (as always) available on the end of this post.

Ent is run from the command line, and we provide him with the name of a file that we won't to measure entropy of. Then, Ent divides the file to 256-byte fragments, and calculates entropy (using some entropy formula I found somewhere - check the source code for details) and draws a chart. If the file is a PE file, it additionally mark the sections (blue for data, green for code, gray for unused/headers), and in the code section it calculates FPU density and draws another small red chart. The FPU calculating is not very precise - it works by finding bytes from range D8 to DF inclusive, which are used as FPU opcodes. However, excluding some false-positives in high-entropy area, this method is sufficient.

Below in the screen shot you can see a chart of a sample PE file.
Also listed in: Entropy Analyzers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: ExeInfo PE
Rating: 5.0 (1 vote)
Author: A.S.L.                        
Website: http://www.exeinfo.xn.pl
Current version: 0.0.4.1 with 902+35 signatures
Last updated: December 15, 2015
Direct D/L link: Locally archived copy
License type: Free
Description: Good detector for packers, compressors , compiler + unpack info + internal exe tools.
Internal Ripper for zip,rar,Flash swf,GFX-bmp/jpg/png/gif,cab,msi,bzip, ...
Colored Disassembler,Delphi Form viewer , .Zlib unpacker v1.2.8 , .NET exe info
Internal detector for non executable files.
Also listed in: .NET Tools, .NET Unpackers, Compiler Identifiers, Crypto Tools, Deobfuscation Tools, Linux Unpackers, PE EXE Signature Tools, Packer Identifiers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Neil's Collection of Packer Signatures
Rating: 5.0 (1 vote)
Author: Asterix                        
Website: N/A
Current version:
Last updated: September 5, 2012
Direct D/L link: Locally archived copy
License type:
Description: Neil's Collection of Packer Signatures
Also listed in: Packer Identifier Signatures
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Protection ID
Rating: 5.0 (2 votes)
Author: CDKiLLER and Tippex                        
Website: http://pid.gamecopyworld.com
Current version: 6.1.3
Last updated: December 26, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: The ultimate Game Protection Scanner

The current version does detect more than
250 exe-packers, PC ISO Protections, Dongles, Licenses and Installers in
such an exact and fake proof way you haven´t seen before in any scanning tool due the detailed checks.
False reports and detection where other tools fail are history.

Features

* Scanning of PC Games & Application files to detect the protection used(s)
* Detects most of the available executable compressor / crypter and it´s up to date in detecting the newest PC-Game protections
* Scanning CDs / DVDs for Tagés (only available on win2k / winxp, but no ASPI drivers required)
* Scan folders with all the included files
* Coded in 100% Win32 Assembly language, allowing it to run on every WinOS since Windows 95
* Easy scanning with the shell context menu 'Scan with Protection ID...' or drag & drop files into the (simple to use) GUI
* Ability to scan a cracked file and to get possible information which protection was originally used
* Check for the newest update and download it
* More strong scanning routines allowing it to detect multiple (!) protections in one file
* No additional files like VB Runtimes, MSVC dlls or ASPI drivers are required, you simply need one exe file !
* Constantly updated to detect the newest protections available for PC Games & Applications (hey which other tool has this feature too ? ;-)

* Detection for most of the available PC Game Protections
- 3P Lock
- CDCops
- CDLock
- Codelok
- JoWood X-Prot
- Laserlok / Laserlok Marathon
- Protect DiSC
- Ring-Protech
- Safedisc
- SecuROM
- Settec Alpha ROM
- SmartE
- SolidShield
- StarForce
- Sysiphus
- Tages
- VOB Protect CD/DVD


* PC Game Trial Protections
- ActiveMARK
- GameHouse Trial Wrapper
- INTENIUM Try & Buy detection
- KochMedia ePolice
- ReflexiveArcade Wrapper
- SVKP Online
- WildTangent Wrapper
- Zylom Wrapper


* Dongles
- DinKey
- Hardlock
- Guardant
- HASP Hardware Lock
- HASP Hardware Lock Envelope
- Key-Lok II
- SENTiNEL
- SENTiNEL SUPER PRO
- SmartKey
- WIBU


* Licenses
- CrypKey Instant
- CrypKey SDK
- eLicense
- FlexLM
- FlexNET
- HASP SL Licensing System
- InterLok
- nTitles Activator
- Protection Plus
- Release Software Corporations SalesAgent
- Safecast
- Sentinel License Manager


* .NET protectors
- {smartassembly}
- .NetZ
- dotFuscator
- DotNet Guard
- dotNet Protector v4 & v5
- dotNet Reactor v2.x / v3.x
- Sixxpack .Net Compressor
- XHEO CodeVeil


* EXE Packers / Protectors (freeware)
- ABC Crypt v1.0
- Alex Protector v1.0 Beta 2
- ANDpakk2
- Anslym Packer
- ARM Protector v0.1, v0.2, v0.3
- ASDPack v2
- Aver Cryptor v1.00, v1.02 Beta
- BamBam v0.0.1
- BeRoEXEPacker v1.00
- Beria v0.0.7
- Berio v1.0
- BitShape PE Crypt v1.5
- BJFNT v1.1, v1.2, v1.3
- CDS SS 1.0 Beta 1
- Celsius Crypter v2.1
- cEXE 1.0a / 1.0b
- CICompress v1.0
- CodeCrypt v0.15, v0.16 - v0.161, v0.163 - v0.164, [unknown version]
- Cryptic v2.0
- CRYPToCRACks PE Protector v0.9.2, v0.9.3
- DalKrypt v1.0
- Daemon Protect v0.6.7
- DEF v1.0
- DePack
- Dot Fix Fake Signer
- DragonArmor v0.0.4.1
- Dual´s EXE Encryptor v1.0, v1.1b
- Encrypt PE v1.2003.5.18, v2.2004.8.10 / 2.2006.1.15, v2.2006.10.1, v2.2007.4.11
- EP (EXE Pack)
- EP Protector v0.3 [AHTeam]
- Excalibur v1.03
- EXE Evil v1.0
- EXE ReFactor v0.2
- fEaRz Crypter v1.0 Beta 1
- fEaRz Packer v0.3
- FishPe Shield v2.0.1
- Forgot v1.0
- Frensh Layor v1.81
- FSG v1.0, v1.2, 1.3 - v1.31, 1.3.3, 1.33, v1.33a, 2.0
- Goat´s PE Mutilator v1.6
- Hide PE (ASProtect 1.2 [New Strain] method, VBOX 4.3 MTE method)
- hmimys PE-Pack v0.1
- JD Pack v1.01, v2.00
- KByS Packer v0.28 Beta
- KaOs PE eXecutable Undetecter
- kkrunchy
- Krypton v0.2, v0.3, v0.4, v0.5
- LameCrypt
- marcrypt v0.1
- MarjinZ ScramblerSE
- Mew 5 EXE Coder 0.1
- Mew 10
- Mew 11 SE v1.1 - v1.2
- mkfPack
- Morphine v1.2 - v1.3, 1.4 - v2.7
- mPack v0.0.2 & v0.0.3
- MSLRH v0.31a, v0.32
- MuCruncher
- MZ0oPE v1.0.6b
- MZ Crypt v1.0
- NFO v1.0
- Noodlecrypt v2
- nPack v1.1.250.2006 Beta, v1.1.300.2006 Beta
- Packanoid v1.0, v1.1
- PackItBitch v1.0
- Packman v0.0.0.1, v1.0
- Pack Master v1.6
- Passlock 2000
- PE 123 v2006.4.4
- PE-Armot (Hying) v0.x
- PEQuake v0.06
- PE Crypt v1.0x
- PE Diminisher v0.1
- PE LockNT v2.01, v2.02, v2.04
- PE Mangle
- PE Nguincrypt v1.0
- PE Nightmare
- PE Ninja
- PE Pack v0.99, v1.0
- PE Shield v0.1d, v0.2, v0.25, [unknown version]
- PE Shrink
- PE Spin v0.0b, v0.3, v0.41, v0.7, v1.0, v1.1, v1.3, [unknown version]
- PE Stub OEP v1.x (Entry Point Faker)
- PE Zip v1.0
- Perplex PE Protector v1.01
- PEX v0.99
- Poisen Ivy Crypter v1
- PolyCrypt PE
- PolyEnE
- Program Protector v1.x - v2.x
- Protect v0.1.3
- Protect EXE v0.4a Beta
- Punisher v1.5 (DEMO)
- QrYPt0r v1.0
- RLPack v1.16, v1.17, v1.18, v1.19, [unknown version]
- Sexe Crypter v1.1
- Shrink Wrap v1.4
- SimplePack v1.11
- Simple PE Crypter
- SLVc0deProtector v0.61, v1.1, v1.11
- Smokes EXE Shield v0.5
- Ste@lth PE v1.x, v2.x
- Stones PE Crypter v1.13
- TELock v0.42, v0.51, v0.60, v0.70, v0.71, v0.80, v0.85f, v0.90, v0.92a, v0.95, v0.96, v0.98b1, v1.00
- The Best Cryptor [by FsK]
- Thunderbolt v0.0.2
- TPP Pack
- unkOwn Crypter v1.0
- UPack v0.10 - v0.12, v0.20, v0.21, v0.22 - v0.23, v0.24 - v0.28, v0.29 - v0.33, v0.34 - v0.35, v0.36 - v0.39
- UPX, UPX Mutator, Visual UPX v0.2, [unknown / modified UPX]
- UPX Mutanter v0.2
- UPX Protector v1.0e
- UPX Scrambler
- UPX$HiT 0.0.1
- USSR v0.31
- VCrypt v0.9b
- Virogen Crypt v0.75
- VPacker v0.02.10
- WinKrypt v1.0
- XCR v0.12, v0.13
- xxPack v0.1
- Yoda´s Crypter v1.1, v1.2, v1.3
- Yoda´s Protector v1.0b, v1.02b, v1.02d, v1.02.05, v1.03.01 BETA, v1.03.02 BETA, v1.03.3
- YZPack v1.1 & v1.2
- Z-Code v1.01


* EXE Packers / Protectors (commercial)
- ACProtect v1.09, v1.10, v1.20, v1.21, v1.22, v1.23, v1.3c, v1.32, v1.35 - v1.40, v2.0
- Air EXE Lock
- Akala EXE Lock
- Armadillo (lots of specific versions and version ranges)
- ASPack v1.00b, v1.01b, v1.02b, v1.03b, v1.05b, v1.06b / v1.061b, v1.07b, v1.08.00, v1.08.01, v1.08.02, v1.08.03, v1.08.04, v2.000, v2.001, v2.1, v2.11, v2.11c / v2.11d, v2.12, v2.12b
- ASProtect v1.0, v1.1, v1.11, v1.2, v1.22 - v1.23, 1.23 RC4 - v1.3.08.24, v1.23 RC4 (Registered), v1.31 Build 2004.04.27, v1.32, v2.0, v2.1 SKE, v2.2, v2.3, 2.1 - v2.3, 2.x [unknown version]
- Bit-Arts Crunch v5.0
- CopyMinder
- Cryptolock
- DBPE v2.33
- Enigma Protector v1.02 Build 3.10, v1.02 Build 4.00, v1.11, v1.12, v1.14, v1.16
- EXE32Pack v1.37, v1.38, v1.42
- EXE Cryptor v1.5.x
- EXE Cryptor 2.0.0 - 2.1.0, 2.2.0 - v2.2.6, 2.3.0 - v2.3.9, 2.2.0 - 2.4.0, 2.4.0 (or newer), 2.xx [unknown version]
- EXE Guard v1.3
- EXE Password 2004 v1.111, 1.112, v1.114, [unknown version]
- EXE Password Lock v1.01
- EXE Prot v1.x
- EXE Protector v2.x
- EXE Safe v2.0
- EXE Shield 2.7, v2.7b, v2.8a, v2.9, v3.6, v3.7
- EXEStealth v2.70, v2.73, v2.74, v2.75, v2.75a
- ExPressor v1.0, v1.1, v1.2, v1.3, v1.4, v1.5
- E-Zip v1.0
- Ion Ice EXE Lock v1.0
- KasperSky Pack
- MazePath EXELockout v3.0
- MoleBox 2.0.0 - v2.3.0, 2.2.3, 2.2.4, 2.2.5, v2.2.6, v2.2.8, v2.3.0, v2.3.3 v2.4.0, v2.5.0, v2.5.5, v2.5.12 - v2.6.3, 2.3.3 - v2.6.4
- Neolite v1.x - v2.x
- NSPack 2.3 - v2.7, v2.9, v3.0, v3.1, v3.3, v3.4, v3.5, v3.6, v3.7, [unknown version]
- nTitles Verifier for .NET
- NTkernelPacker v0.1 (exe + dlls)
- Obsidium v1.0.0.61, v1.1.1.0, v1.1.1.4, v1.2.0.0, v1.2.5.0, v1.3.0.0, v1.3.0.4, v1.3.3.4, v1.3.3.7, v1.3.3.9, v1.3.4.1, [unknown version]
- ORiEN v2.12
- PC Guard v4.06, v5.00, v5.01
- PEBundle v3.xx
- PE Compact v1.00 - v1.3x, v1.40 - v1.50, v1.55, v1.56 - v1.65, v1.66 - v1.84 v2.0 Beta Build 52, v2.00 - v2.10, v2.20 - v2.79, 2.xx [unknown version]
- PE Lock v1.0x
- Petite v1.2, v1.3, v1.4, v2.2, v2.3, [unknown version]
- PKLite32 v1.1
- Private EXE v2.x
- SD Protector v1.12, v1.16
- Special EXE Password Protector
- Shegerd EXE Protector & Anti-Debugger
- Shrinker v3.4, v3.5, [unknown version]
- Softdefender v1.0 - v1.1
- Soft Sentry v3
- Software Compress v1.2, v1.4
- SoftWrap
- SVKP v1.051, v1.11, v1.3x - v1.4x, [unknown version]
- Themida v1.0.0.0 - v1.8.1.0, v1.8.2.0 (or newer)
- Trial Master v2.x
- VBO Watch 3
- Visual Protect
- Vcasm-Protector v1.0
- VM Protect 1.00 - v1.10, 1.20 - v1.50
- WinLicense v1.0.0.0 - v1.8.1.0, v1.8.2.0 (or newer)
- WWPack32 v1.xx
- X-treme Protector v1.00 - v1.06, 1.07 - v1.08, 1.07 BUiLD 12-12-03, 1.08 BUiLD 15-12-03, 1.08 FiNAL


* Installers
- 7 - Zip SFX Setup Module
- AKInstaller Module
- Aquarius Soft Self-Extractor Archive
- Astrum Install Wizard
- AW Install Engine
- BinPatch
- Bitarts Install Wrap
- Blizzard PrePatch Module
- Clickteam Install Maker
- Clickteam Patch Maker
- Create Install 2003
- Gentee Installer
- Ghost Installer
- GKWare SFX Setup
- Inno Setup
- InstallAware Setup Module
- Installer 2 Go
- InstallShield v5.53.168.0, v6.31.100.1221, v7.1.100.1242, v7.7.0.262, v8.x, v9.1.0.429, v10, v10.5, v11, v12
- Install Zip Setup
- IZarc Self Extractor
- Microsoft SFX CAB Module
- Nullsoft SFX Setup
- Paquet Builder - Enhanced Self-Extracting Zip Module
- Patch Wise
- PKSFX Module
- Power Archiver 2003 v8.x SFX Module
- QSetup SFX Kernel
- Red Shift Installation System
- RTPatch Module
- Setup Factory
- SFX Factory!
- Silicon Realms Install Module
- Sony Self-Extracting Packager Archive
- Spoon Installer
- Tarma Installer Module
- VISE Mindvision Wizard
- WinAce Self-Extractor Module
- WinRAR SFX Archive
- WinZip SFX
- Wise Installation Wizard
- Zip Central SFX Module
- Zip SFX Archive
- Z-Up Maker SFX Archive
- Zylom Games Setup Module
Also listed in: Packer Identifiers, Protection Identifiers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: AT4RE FastScanner
Rating: 4.4 (5 votes)
Author: AT4RE Team                        
Website: http://www.at4re.com
Current version: 3.0 Final
Last updated: December 18, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: Yet another Win32 PE Packer/Protector Identifier.

[ Description ]

- FastScanner is a Detector for most packers, cryptors and compilers for PE Files Programmed in ASM and designed for ‎fast access to most needed plugins.

####################################################################
FastScanner v3.0 Final Change log:
07/01/2010

1- Update signature Database file.
2- Add Tricks Finder function in the Information dialog. [Still Beta]
3- Fixed Bug when click in the Smart-Scan button twice.
4- Fixed Bug with Overlay size.
5- Many Bug Fixed in the program.

####################################################################
FastScanner v3.0 Beta 3 Change log:
18/12/2009

1- Update and optimize signature Database file.
2- Update SmartScan method.
3- Improve the information dialog.
4- Add Overlay signature detection in the Information dialog.
5- Add number of sections detection method.
6- Add JunckCode Detection.
7- AT4RE Overlay Tool v0.2 by STRELiTZIA.
8- Hash & Crypto Detector v1.4 by Mr.Paradox.
9- Signature Manager v1.1 by GamingMasteR.
10- Fixed Bug in Smart-Scan with some protectors.
11- Fixed Bug with ToolTip when using Smart-Scan.
12- Fixed Bug when scanning a Folder.
13- Fixed Bug in the scanning algorithm.

####################################################################
FastScanner v3.0 Beta 2 Change log:
26/10/2009

1- Add colors to the disassembler by GamingMasteR.
2- Add SmartScan method.
3- Add Overlay Detection method.
4- Fixed Bug in ScanDirectory.
5- Fixed Bug in Scanning an opened file.
6- Fixed Bug with RLPack protected files.
7- Fixed Bug in Detecting Overlay.
8- Fixed Bug in Detecting Fake-Signature.
9- Fixed Bug in Matches number in the Total-Scan.

####################################################################
FastScanner v3.0 Beta Change log:
25/09/2009

1- Change Signature DataBase for more accuracy.
2- Updating the scanning algorithm.
3- New and powerful Signature Manager plugin.
4- New Hash & Crypto detector plugin by Mr.Paradox.
5- New GFX for version 3 by RobenHoodArab.
6- Add new PEHeader-Viewer dialog to main window in FS.
7- Add Hex-Viewer and Resource-Viewer on the PEHeader-Viewer Dialog.
8- Add tooltips with information about the content of PEHeader-Viewer dialog.
9- Add Unpacking Information dialog (still Beta).
10- Add ScanDirectory dialog.
11- Add Compiler Detection Mechanism.
12- Add Anti-FakeSignature algorithm.
13- Update the Export and Import Viewer dialogs.
14- Fixed Bug in ImportTable Viewer with Upack.
15- PE Editor : Fixed Bug in Resource Viewer.
16- PE Editor : Fixed Bug in ImportTable Viewer.
17- PE Editor : Fixed Bug in ExportTable Viewer.
18- PE Editor : Add ReadOnly-Mode and FullAccess-Mode.
19- PE Editor : Add 16Edit HexEditor by yoda.
Also listed in: Compiler Identifiers, Packer Identifier Signatures, Packer Identifiers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Explorer Suite
Rating: 4.4 (5 votes)
Author: Daniel Pistelli                        
Website: http://www.ntcore.com/exsuite.php
Current version: III (DC20121111)
Last updated: November 11, 2012
Direct D/L link: http://www.ntcore.com/files/ExplorerSuite.exe
License type: Free
Description: A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

Features:

* Process Viewer
* Windows Viewer
* PE and Memory Dumper
* Full support for PE32/64
* Special fields description and modification (.NET supported)
* PE Utilities
* PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
* View and modification of .NET internal structures
* Resource Editor (full support for Windows Vista icons)
* Support in the Resource Editor for .NET resources (dumpable as well)
* Hex Editor
* Import Adder
* PE integrity checks
* Extension support
* Visual Studio Extensions Wizard
* Powerful scripting language
* Dependency Walker
* Quick Disassembler (x86, x64)
* Name Unmangler
* Extension support
* File Scanner
* Directory Scanner
* Deep Scan method
* Recursive Scan method
* Multiple results
* Report generation
* Signatures Manager
* Signatures Updater
* Signatures Collisions Checker
* Signatures Retriever
Also listed in: .NET Executable Editors, .NET Resource Editors, .NET Signature Removers, .NET Tools, Dependency Analyzer Tools, Executable CRC Calculators, Hex Editors, Import Editors, Memory Dumpers, PE Executable Editors, Process Dumpers, Protection Identifiers, Resource Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: PEiD
  • Currently4.3333333333333/5
  • 1
  • 2
  • 3
  • 4
  • 5
Rating: 4.3 (3 votes)
Author: BoB                        
Website: http://www.woodmann.com/BobSoft/
Current version: 0.95
Last updated: March 31, 2008
Direct D/L link: http://www.woodmann.com/BobSoft/Files/Other/PEiD-0.95-20081103.zip
License type: Free
Description: PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files.

PEiD is special in some aspects when compared to other identifiers already out there!

1. It has a superb GUI and the interface is really intuitive and simple.
2. Detection rates are amongst the best given by any other identifier.
3. Special scanning modes for *advanced* detections of modified and unknown files.
4. Shell integration, Command line support, Always on top and Drag'n'Drop capabilities.
5. Multiple file and directory scanning with recursion.
6. Task viewer and controller.
7. Plugin Interface with plugins like Generic OEP Finder and Krypto ANALyzer.
8. Extra scanning techniques used for even better detections.
9. Heuristic Scanning options.
10. New PE details, Imports, Exports and TLS viewers
11. New built in quick disassembler.
12. New built in hex viewer.
13. External signature interface which can be updated by the user.
Also listed in: Compiler Identifiers, Packer Identifiers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: DiE (Detect it Easy)
Rating: 4.0 (1 vote)
Author: Hellsp@wn                        
Website: http://hellspawn.nm.ru
Current version: 0.64
Last updated: May 6, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: Packer identifier that is supposed to be good.
Also listed in: Packer Identifiers, Compiler Identifiers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: RDG Packer Detector
Rating: 3.5 (2 votes)
Author: RDGMax                        
Website: http://www.rdgsoft.8k.com
Current version: 0.6.7
Last updated: June 26, 2011
Direct D/L link: http://rdgsoft.8k.com/images/v0.6.7%20Vx%20Edition/RDG%20Packer%20Detector%20v0.6.7%202011%20Vx-Edition.rar
License type: Free
Description: RDG Packer Detector is a detector packers, Cryptors, Compilers,
Packers Scrambler,Joiners,Installers.

-Holds Fast detection system..
-Has detection system Powerful Analyzing the complete file, allowing the detection of Muli-packers in several cases.
-You can create your own Signatures detection.
-Holds Crypto-Graphic Analyzer.
-Allows you to calculate the checksum of a file.
-Allows you to calculate the Entropy, reporting if the program looked at the compressed, encrypted or not.
-OEP-Detector (Original Point of Entry) of a program.
-You can Check and download and you always signaturas.RDG Packer Detector will be updated.
-Plug-ins Loader..
-Signatures converter.
-Detector distortive Entry Point.
-De-Binder an extractor attachments.
-System Improved heuristic.

What's New! v0.6.6

-New Interface!

-Fast Mode Detection and Mode Powerful Improved!
-Super base signatures Updated!
-Heuristic detection of Binders
-Detection and Extraction Overlay!
-Check and Auto-Update of signatures!
-Super Fast Detection of MD5 Hash!
-Support for Multiple Plug-ins for both RDG Packer Detector and other detectors!
-Detection of Multiple-MPG formats, GIF, RAR, ZIP, MP3 etc..
-Detection and removal of attachments!
Also listed in: Compiler Identifiers, Entropy Analyzers, PE EXE Signature Tools, Packer Identifier Signatures, Packer Identifiers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Hex Workshop
Rating: 3.0 (1 vote)
Author: BreakPoint Software                        
Website: http://www.hexworkshop.com
Current version: 5.02
Last updated: January 6, 2008
Direct D/L link: http://www.bpsoft.com/downloads/hw32v502.msi
License type: Shareware
Description: A quite good and competent hex editor.
Also listed in: Executable CRC Calculators, Hex Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: pynary
Rating: 1.0 (1 vote)
Author: c1de0x                        
Website: http://code.google.com/p/openrce-snippets/wiki/pynary
Current version: 0.0.1
Last updated:
Direct D/L link: N/A
License type: Open Source
Description: pynary will become a powerful platform independent framework for binary code analysis.

The initial goal is to the implementation of function signature matching using graph isomorphism and an extensible 'write-your-own-heuristic' model to allow tweaks for particular targets. It will also identify standard library global constants and structure where possible.

Once the initial goal is achieved, a number of cool features are planned:

* stack frame analysis
* un-inliner
* exception handling parsing/analysis
* 'functionally equivalent' matching
* c++ template function matching
* meta-data transfer between IDBs
* c++ class reconstruction (with/without RTTI)
* ...

This project is still in its infancy, and looking for volunteers.
Also listed in: Deobfuscation Tools, Executable Diff Tools, Reverse Engineering Frameworks, Programming Libraries, Diff Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: ActiveMARK Decrypter 1.0 - ARTeam (Bilingual English/Spanish)
Rating: 0.0 (0 votes)
Author: Nacho-Dj/ARTeam                        
Website: http://arteam.accessroot.com
Current version: 1.1
Last updated: September 23, 2008
Direct D/L link: http://arteam.accessroot.com/releases.html?fid=43
License type: Free
Description: ActiveMARK Decrypter 1.0 - ARTeam (Bilingual English/Spanish)

Released Summer/2008

Features:
- Provides information about ActiveMARK protection on any file.
- Identifies the protection version.
- Unpacks & decrypts the content of any ActiveMARK protected file.
- Extraction of the main key
- Now it shows information about Only Buy / Trial Limited Version
- Information messages
- Allows an internal analysis of the content of every compressed file within the encrypted container.
- It works statically (none executable is launched).
- Detects automatically the language in your system. :)

How to use:
Select first any executable. Then you can decrypt any external file associated to it, using the Uncompress key.

Note: Any ActiveMARK encrypted file is similar to a .zip or .rar file, containing several files in its inside.

Coded & designed by Nacho_dj/ARTeam
Also listed in: Automated Unpackers, Protection Identifiers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: ActiveMARK Version Viewer
Rating: 0.0 (0 votes)
Author: Nacho_Dj                        
Website: http://arteam.accessroot.com/releases.html
Current version: 1.2
Last updated: February 24, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: ActiveMARK Version Viewer 1.2 - 2009/01/14 - Bilingual edition (English/Spanish)

Updated for the new version AM6.50.767.


History
-------

*** version 1.1 - 2008/08/14 - Bilingual edition (English/Spanish)

When checking an ActiveMARK license file, it shows the Activation Code.


*** version 1.0 - 2008/04/13 - Bilingual edition (English/Spanish)

Tool for detecting if a target is protected with ActiveMARK protection.

Available for any kind of file.

Running on an executable will launch it with the proper arguments to show the version by using the ActiveMARK internal engine.

It permits a static analysis (not executing anything), by checking 'Do not launch executables' checkbox. This option will prevent your system from getting neither new hidden registry entries that the protection adds to your system, nor hidden files, too, both of them being used by the protection for memorize the trial uses of the target.

For getting the possibility of use from a contextual menu, check 'Add to contextual menu' checkbox.

It detects if your system language is english or spanish before showing you all strings.


I hope you enjoy it :)

Nacho_dj / ARTeam


Coded & Developed by Nacho_dj / ARTeam
Also listed in: Packer Identifiers, Protection Identifiers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Androguard
Rating: 0.0 (0 votes)
Author: Anthony Desnos                        
Website: http://code.google.com/p/androguard/
Current version: 0.9
Last updated: September 25, 2011
Direct D/L link: http://androguard.googlecode.com/files/androguard-0.9.tar.gz
License type: LGPL
Description: Androguard (Android Guard) is primarily a tool written in full python to play with :
- .class (JavaVM)
- .dex (DalvikVM)
- APK
- JAR
- Android's binary xml

Androguard has the following features :
- Map and manipulate (read/write) DEX/CLASS/APK/JAR files into full Python objects,
- Native support of DEX code in a c++ library,
- Access to the static analysis of your code (basic blocks, instructions, permissions (with database from http://www.android-permissions.org/) ...) and create your own static analysis tool,
- Check if an android application is present in a database (malwares, goodwares ?),
- Open source database of android malwares,
- Diffing of android applications,
- Measure the efficiency of obfuscators (proguard, ...),
- Determine if your application has been pirated (rip-off indicator),
- Risk indicator of malicious application,
- Reverse engineering of applications (goodwares, malwares),
- Transform Android's binary xml (like AndroidManifest.xml) into classic xml,
- Visualize your application into cytoscape (by using xgmml format), or PNG/DOT output,
- Patch JVM classes, add native library dependencies,
- Dump the jvm process to find classes into memory,
- ...
Also listed in: Android Tools, Binary Diff Tools, Disassembler Libraries, Disassemblers, Entropy Analyzers, Java Disassembler Libraries, Malware Analysis Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: BDS S.I.C.K
Rating: 0.0 (0 votes)
Author: VDR-Software                        
Website: http://vdr-soft.at.ua/index/0-5
Current version:
Last updated: March 26, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: BDS S.I.C.K (Some Info Collection Kit) is a tool designed to help you to analyze compiled Delphi applications. It may be helpful when you need to know what units are inside, used classes, methods and the addresses. When you know this you can open it with your favorite disassembler or debugger and explore it. You don't need to vaste time for routine work.

* SICK has simple internal disassembler for quick analysis.
* Collecting info about objects, forms and classes.
* Objects are represented in tree form, so you can easily navigate
* Search objects by full or partial name (F3 in objects window)
* Exporting names and procedures to IDA
* Supporting all Win32 Delphi editions

Features to be added:

* Improving classes info collection
* Smart functions disassembly (analysis during disassembly)
* Plugins API (in development)
* VCL recognition (allow recognize well known functions)
* Reading PACKAGE info and some stuff from resources.

This tool is developed to be used with clean Delphi executables.
Also listed in: Delphi Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: CheckSum Fixer
Rating: 0.0 (0 votes)
Author: Shub-Nigurrath                        
Website: http://arteam.accessroot.com
Current version: 1.0
Last updated: January 5, 2006
Direct D/L link: http://arteam.accessroot.com/releases.html?fid=12
License type: Free
Description: The PE files headers include a CheckSum field which is located into the
IMAGE_NT_HEADER->IMAGE_OPTIONAL_HEADER->CheckSum

This value is an overall checksum of the whole file, often not set and left to 0x0000 by most compilers and thus doesn't happens often to worry about it, but sometimes this value is used to check if there have been alterations in the executable file.
There is for example an API, MapFileAndCheckSum(), which calculates the real checksum of a PE file and reports also the value stored into the PE Header. It is then simple for simple protectors to detect alterations of a PE file, even of a single byte.

It's a simple technique that advanced protector doesn't use too often and you can of course intercept this API and modify it online or skip its call, but for example with PocketPC smartphones or system drivers this check is done by the operative system, so you simply have no choice to intercept this check and the only way is to fix the value stored in the PE file header.

This program simply does this conveniently. Already other tools have this functionality (LordPE for example), but I just wanted a fast program able to fix this checksum in a click (e.g. with LordPE you have to do at least 5, 6 clicks).

It is very handy with ring0 drivers which test this checksum value!
Also listed in: Executable CRC Calculators
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: dELTA EXE Analyzer
Rating: 0.0 (0 votes)
Author: dELTA                        
Website: http://www.woodmann.com/forum/showthread.php?t=5264
Current version: 1.0
Last updated: 2001
Direct D/L link: Locally archived copy
License type: Free
Description: Back in 2001 I wrote my own exe analyzer just for fun, while looking into the MZ and PE format. I never released it to anyone, but since it contains quite cool cave finding and cave analysis abilities, which I have never seen in any other program, I'll upload it here now for anyone to play with. You can also feel free to distribute it to anyone or upload it anywhere, I don't care.

But note that the program is just my own little ugly dirty hack, so I won't support it, the GUI isn't exactly the most beautiful, and I won't guarantee it won't crash and so on, but it has been quite stable while I have played around with it anyway.

It analyzes quite many aspects of the executable file, but one extra interesting and unique feature is the bunch of tools under "Extended executable info (PE)" ---> "File anatomy & offsets". It will give you details of all section padding areas (caves), and it will also automatically find any area inside the executable file which does not belong to any section (I actually found an alignment bug in a compiler/linker with this tool, which left a 512 byte block of null-bytes between two sections in the middle of the compiled file, ready to be exploited as a mega-size cave :)), including any data which is appended after the last section of the file. Quite useful sometimes. But the really juicy stuff will be found when you select a section in the box to the right and click "Show detailed map". It will the give you a graphical overview on the screen, of each and every single byte in that section. You can even click inside the graphic map to select any area and see what it is (click and hold down the mouse button and drag the mouse over the map for extra fun). This is very cool for "getting a feel" for how a certain linker/packer/whatever builds its sections, and also for finding "micro caves", consisting only of a few bytes, in the middle of a section! You can choose to display an analysis map of the free space or the used space of the selected section by clicking the radiobuttons on the upper right of the map.
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Detect It Easy
Rating: 0.0 (0 votes)
Author: Hors                        
Website: http://ntinfo.biz
Current version: 1.01
Last updated: March 23, 2016
Direct D/L link: https://www.dropbox.com/s/h3sjlmhgcx7qfx2/DIE_1.01_win.zip?dl=1
License type: Free (both for commercial and non-commercial usage) and open source
Description: Detect it Easy

Detect It Easy, or abbreviated “DIE” is a program for determining types of files.

“DIE” is a cross-platform application, apart from Windows version there are also available versions for Linux and Mac OS.

Many programs of the kind (PEID, PE tools) allow to use third-party signatures. Unfortunately, those signatures scan only bytes by the pre-set mask, and it is not possible to specify additional parameters. As the result, false triggering often occur. More complicated algorithms are usually strictly set in the program itself. Hence, to add a new complex detect one needs to recompile the entire project. No one, except the authors themselves, can change the algorithm of a detect. As time passes, such programs lose relevance without the constant support.

Detect It Easy has totally open architecture of signatures. You can easily add your own algorithms of detects or modify those that already exist. This is achieved by using scripts. The script language is very similar to JavaScript and any person, who understands the basics of programming, will understand easily how it works. Possibly, someone may decide the scripts are working very slow. Indeed, scripts run slower than compiled code, but, thanks to the good optimization of Script Engine, this doesn\'t cause any special inconvenience. The possibilities of open architecture compensate these limitations.

DIE exists in three versions. Basic version (“DIE”), Lite version (“DIEL”) and console version (“DIEC”). All the three use the same signatures, which are located in the folder “db”. If you open this folder, nested sub-folders will be found (“Binary”, “PE” and others). The names of sub-folders correspond to the types of files. First, DIE determines the type of file, and then sequentially loads all the signatures, which lie in the corresponding folder. Currently the program defines the following types:

• MSDOS executable files MS-DOS

• PE executable files Windows

• ELF executable files Linux

• MACH executable files Mac OS

• Text files

• Binary all other files
Also listed in: .NET Packers, Compiler Identifiers, Entropy Analyzers, Linux Tools, Mac OS Tools, PE EXE Signature Tools, PE Executable Editors, Packer Identifiers, Tool Signatures
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Entyzer
Rating: 0.0 (0 votes)
Author: Mohamad Fadel Mokbel                        
Website: http://www.mfmokbel.com
Current version: 0.6
Last updated: February 23, 2014
Direct D/L link: http://mfmokbel.com/Down/RCE/Entyzer+_v0.6_Orezmus_Build220214.rar
License type: Free
Description: Entyzer+ - Revision History
===========================

Version 0.6 {Orezmus Build:220214}
-----------

[?] Released on (February 23, 2014).
[+] Added four new features
[+] Decoder for the multiplication operation in case of an overflow.
(Available under -h:hex)
[+] Compute Signal to Noise Ratio option (Available under -h:stat
help option; Entyzer -f <file name> -snr)
[+] Added xrand option (Available under -h:hex). Please Consult
Help.html file for more info about it (lengthy description)
[+] Added xorkeybf (Available under -h:hex). A brute forcer for data
XORed/encrypted with 1-byte key.
[!] Fixed a bug in the parsing of the option keyword "xorxv". It was
set to a wrong keyword 'xorexv'.
[!] Fixed a bug in the 'rxor' implementation. It was missing the key length
by one with respect to the file size.
[!] Fixed a bug in the CPP array dump feature (Type conversion problem).
[*] Some other minor and major architectural improvements.
Also listed in: Entropy Analyzers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: GCBE (Control Flow Graph Creation And Build Engine)
Rating: 0.0 (0 votes)
Author: Indy                        
Website: http://indy-vx.narod.ru
Current version:
Last updated: February 19, 2011
Direct D/L link: Locally archived copy
License type: Free
Description: GCBE(Control Flow Graph Creation And Build Engine) - this is the base engine for morphing(x86). To create and build the graph. Allows us to solve very complex problems associated with graphs.
Also listed in: Control Flow Analyzers, Deobfuscation Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Hexer Plugin - Calculating the entropy of a file
Rating: 0.0 (0 votes)
Author: Sebastian Porst                        
Website: http://www.the-interweb.com/serendipity/index.php?/archives/99-Sample-Hexer-Plugin-Calculating-the-entropy-of-a-file.html#extended
Current version: 1.4.0
Last updated: July 1, 2008
Direct D/L link: http://www.the-interweb.com/serendipity/exit.php?url_id=699&entry_id=107
License type: Free / Open Source
Description: I finally got around to write an example plugin for my hex editor Hexer to show how simple it is to extend Hexer according to your own needs. The Java plugin I am going to present calculates the entropy of files according to the method presented on Ero Carrera's blog. The plugin adds a new tab containing a line chart and a button to the File Statistics dialog. When the user clicks the button, the entropy of the active file (that is the file in the last active hex window) is calculated and shown in the line chart. The screenshot below shows the entropy distribution of Notepad.exe.

You can download the source file of the plugin here. The archive contains the source file EntropyCalculator.java as well as two class files which were created by compiling the source file using Java 1.6. To install the plugin, simply copy the two class files to the plugins directory of your Hexer installation. Since the plugin uses the JFreeChart library to display the graph it is also necessary to get the files jcommon-1.0.12.jar and jfreechart-1.0.9.jar from the JFreeChart package. Copy those files into the jars directory of your Hexer installation.

At the beginning of the source file the methods getDescription(), getGuid(), getName(), and init() are implemented. These methods must be implemented by all classes that implement the Hexer plugin interface IPlugin. The first three methods return the name, the description, and the GUID of the plugin. These values are necessary for plugin management. The init() method is called once by Hexer when the plugin is loaded for the first time. Its parameter of type IPluginInterface can be used by the plugin to interact with Hexer.

Afterwards the necessary methods of the IStatsPlugin plugin are implemented. This interface must be implemented by all plugins that want to extend the File Statistics dialog. The method getStatsDescription() returns the description of the file statistic as displayed in the tab header of the File Statistics dialog ("Entropy" in this case). The method getStatsComponent() returns the component that is used to display the calculated file statistic in the File Statistics dialog. For the Entropy Calculator plugin we only need the line chart and the button.

That's all that is necessary to extend the Hexer File Statistics dialog. The remaining methods are used to calculate and display the entropy. They are basically a direct Python-to-Java conversion of the code from Ero Carrera's blog. The only difference is that I averaged the entropies of larger files to make sure that the dataset is small enough for the line chart component to handle.

If you do not want to extend the File Statistics dialog but prefer to have your own Entropy dialog you can simply modify the plugin. Just implement the interface IPlugin instead of IStatsPlugin, add a menu to the Hexer main menu in the init() method, and create the dialog when the menu is clicked.
Also listed in: Entropy Analyzers, Hexer Extensions
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Jim Clausing's Malware Packer Signatures
Rating: 0.0 (0 votes)
Author: Jim Clausing                        
Website: http://isc.sans.org/diary.html?storyid=3432
Current version:
Last updated:
Direct D/L link: http://handlers.sans.org/jclausing/userdb.txt
License type:
Description: Custom malware packer signatures by Jim Clausing.
Also listed in: Packer Identifier Signatures
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Marxio File Checksum Verifier
Rating: 0.0 (0 votes)
Author: Marek Mantaj                        
Website: http://www.marxio-tools.net/en/marxio-fcv.php
Current version: 1.6.2
Last updated: December 29, 2009
Direct D/L link: N/A
License type: Freeware
Description: Portable file checksum verifier that allows you to calculate many file checksums (hashes) and compare them with original one. Thanks to its simplicity and portability, it aims to be a portable, versatile and "must have" tool for dealing with single files and their checksums - to calculate, compare and verify them.

Marxio FCV supports major checksum types:
- CRC32,
- MD4,
- MD5,
- SHA1,
- SHA-256,
- SHA-384,
- SHA-512,
- RIPEMD-128,
- RIPEMD-160,
- HAVAL 256,
- TIGER 192.

"Drag and drop" function - all you need to to is to drag a file from Windows Explorer onto the form to calculate selected checksum type.

Context menu - optional integration with Explorer context menu with Your custom text and defined selected checksum to calculate

Compare checksums - with other selected checksum.

Large files support - with size over 32 GB.

Very fast - calculate 4 GB large DVD file/image in 2 minutes using md5 algorithm.

Portable version - one-file program, just one executable file.

Interface - simple, eye friendly with mini-form available.

Keyboard shortcuts - as much handy shortcuts as possible, even for copy and paste checksum from clipboard

Save checksum to file - checksum and filename.

History - save all calculated checksums to file.

Additional settings - stay-on-top, save windows position and last used checksum type, show mini-form, show hashes in upper or lowercase, break function, high contrast themes support, log file, snap to edge - all are configurable.

Frequent updates - new releases published even a week !

Vision difficulties - this application provides support for users with vision difficulties (vision impairment) - tries to respect Windows skins and color schemas.

Marxio FCV is a clean software. It does not contain any adverts. It does not integrate with Windows (unless user requested) and does not install any additional software nor it has spying mechanisms.

If you haven't found the function in this tool you looked for, I can develop it.

Note,
Marxio FCV target is to quickly calculate and verify ONE file and one checksum, not more. It's not any limit but this application works this way. Other application is being developed for calculating more files.
Also listed in: Executable CRC Calculators
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: PEBrowse Professional
Rating: 0.0 (0 votes)
Author: SmidgeonSoft                        
Website: http://www.smidgeonsoft.prohosting.com/pebrowse-pro-file-viewer.html
Current version: 10.1.5
Last updated: April 14, 2011
Direct D/L link: http://www.smidgeonsoft.com/download/PEBrowseV10_1_5.zip
License type: Free
Description: PEBrowse Professional is a static-analysis tool and disassembler for Win32/Win64 executables and Microsoft .NET assemblies produced according to the Portable Executable specifications published by Microsoft. For Microsoft Windows Vista, Windows XP, Windows 2000, and others. (We have received reports that the software also works on other OSes, including Wine (!) and Windows CE.)

With the PEBrowse disassembler, one can open and examine any executable without the need to have it loaded as part of an active process with a debugger. Applications, system DLLs, device-drivers and Microsoft .NET assemblies are all candidates for offline analysis using PEBrowse. The information is organized in a convenient treeview index with the major divisions of the PE file displayed as nodes. In most cases selecting nodes will enable context-sensitive multiple view menu options, including binary dump, section detail, disassembly and structure options as well as displaying sub-items, such as optional header directory entries or exported functions, that can be found as part of a PE file unit. Several table displays, hex/ASCII equivalents, window messages and error codes, as well as a calculator and scratchpads are accessible from the main menu.

While the binary dump display offers various display options, e.g., BYTE, WORD, or DWORD alignment, the greatest value of PEBrowse comes when one disassembles an entry-point. An entry-point in PEBrowse is defined as:

* Module entry-point
* Exports (if any)
* Debug-symbols (if a valid PDB, i.e., program database file, is present)
* Imported API references
* Relocation addresses
* Internal functions/subroutines
* Any valid address inside of the module

Selecting and disassembling any number of these entry-points produces a versatile display rich in detail including upper/lowercase display, C/Pascal/Assembler suffix/prefixing, object code, color-coded statements, register usage highlighting, and jump/call target preview popups. Additional information, such as variable and function names, will also be present if one has access to a valid PDB file. Disassembly comes in two flavors: linear sweep (sequential disassembly from a starting address) and recursive traversal, aka, analysis mode (disassembly of all statements reachable by non-call statements - extended analysis disassembles all internal call statements as well). The latter mode also presents local variables with cross-referencing, highlighting, and renaming options. If one adds/changes variable name or adds comments to specific lines, these can be displayed in a session file which will record and save all currently opened displays.

PEBrowse Professional will decompile type library information either embedded inside of the binary as the resource "TYPELIB" or inside of individual type libraries, i.e., .TLB or .OLB files.

PEBrowse Professional also displays all metadata for .NET assemblies and displays IL (Intermediate Language) for .NET methods. It seamlessly handles mixed assemblies, i.e., those that contain both native and managed code.

Finally, PEBrowse can be employed as a file browse utility for any type of file with the restriction that the file must be small enough that it can be memory-mapped.
Also listed in: .NET Disassemblers, .NET Tools, COM Tools, Delphi Tools, Disassemblers, Memory Dumpers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: PPEE (puppy)
Rating: 0.0 (0 votes)
Author: Zaderostam                        
Website: https://www.mzrst.com/
Current version: 1.05
Last updated: April 22, 2016
Direct D/L link: Locally archived copy
License type: Free
Description: This is a professional PE file explorer that lets you dig into all data directories available in the PE/PE64 file and edit them.
Export, Import, Resource, Exception, Certificate(Relies on Windows API), Base Relocation, Debug, TLS, Load Config, Bound Import, IAT, Delay Import and CLR are supported.
A companion plugin is also provided to take one-click technical information about the file such as its size, entropy, attributes, hashes, version info and so on.

Puppy is robust against malformed and crafted PE files which makes it handy for reversers, malware researchers and those who want to inspect PE files in more details.

Puppy is free and tries to be small, fast, nimble and friendly as your puppy!

In new version:
- .Net assembly VtableFixup support
- Control Flow Guard support
- New highlighting scheme
- Treeview icon added
- Neater Listview
- Major bug fixes


Feel free to use it ;)
Also listed in: .NET Executable Editors, Dependency Analyzer Tools, Entropy Analyzers, Executable CRC Calculators, Executable File Editors & Patchers, Export Editors, Hex Editors, Import Editors, Malware Analysis Tools, PE Executable Editors, Relocation Tools, String Finders
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: packerid.py
Rating: 0.0 (0 votes)
Author: Jim Clausing                        
Website: http://handlers.sans.org/jclausing
Current version:
Last updated:
Direct D/L link: http://handlers.sans.org/jclausing/packerid.py
License type:
Description:
Also listed in: Packer Identifiers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Panda Security Packer Signatures
Rating: 0.0 (0 votes)
Author: Panda Security                        
Website: N/A
Current version:
Last updated:
Direct D/L link: http://research.pandasecurity.com/blogs/images/userdb.txt
License type:
Description: Panda Security Packer Signatures
Also listed in: Packer Identifier Signatures
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: pev
Rating: 0.0 (0 votes)
Author: Fernando Mercês, Jardel Weyrich                        
Website: http://pev.sf.net
Current version: 0.70
Last updated: December 27, 2013
Direct D/L link: http://sourceforge.net/projects/pev/files/pev-0.70/pev-0.70-win32.zip/download
License type: Open Source (GPLv3)
Description: pev is a free and open source multi-platform PE file analysis toolkit,
that provide the following tools:

* pehash - calculate PE file hashes
* pedis - PE disassembler
* pepack - packer detector
* peres - view and extract PE file resources
* pescan - search for suspicious things in PE files, including TLS callbacks
* pesec - check security features and certificates in PE files
* pestr - search for unicode and ascii strings in PE files
* readpe - show PE file headers, sections and more
* rva2ofs - convert RVA to raw file offsets
* ofs2rva - convert raw file offsets to RVA

Features include:

* Based on own PE library, called libpe
* Support for PE32 and PE32+ (64-bit) files
* Formatted output in text and CSV (other formats in development)
* pesec: check security features in PE files, extract certificates and more
* readpe: parse PE headers, sections, imports and exports
* pescan: detect TLS callback functions, DOS stub modification,
suspicious sections and more
* pedis: disassembly a PE file section or function with support for
Intel and AT&T syntax
* Include tools to convert RVA from file offset and vice-versa
* pehash: calculate PE file hashes
* pepack: detect if an executable is packed or not
* pestr: search for hardcoded Unicode and ASCII strings simultaneously
in PE files
* peres: show and extract PE file resources
Also listed in: Disassemblers, Entropy Analyzers, Malware Analysis Tools, Packer Identifiers, String Finders
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Security Research and Development Framework
Rating: 0.0 (0 votes)
Author: Amr Thabet                        
Website: http://blog.amrthabet.co.cc
Current version: v 1.00
Last updated: November 25, 2012
Direct D/L link: http://code.google.com/p/srdf
License type: GPL v.2
Description: Do you see writing a security tool in windows is hard?
Do you have a great idea but you can’t implement it?
Do you have a good malware analysis tool and you don’t need it to become a plugin in OllyDbg or IDA Pro?
So, Security Research and Development Framework is for you.


Abstract:

This is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches and ideas from the theoretical approach to the practical implementation.

This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF.

Introduction:

In the last several years, the malware black market grows widely. The statistics shows that the number of new viruses increased from 300,000 viruses to millions and millions nowadays.

The complexity of malware attacks also increased from small amateur viruses to stuxnet, duqu and flame.

The malware field is searching for new technologies and researches, searching for united community can withstand against these attacks. And that’s why SRDF

The SRDF is not and will not be developed by one person or a team. It will be developed by a big community tries to share their knowledge and tools inside this Framework

SRDF still not finished … and it will not be finished as it’s a community based framework developed by the contributors. We just begin the idea.

The SRDF is divided into 2 parts: User-Mode and Kernel-Mode. And we will describe each one in the next section.

The Features:

Before talking about SRDF Design and structure, I want to give you what you will gain from SRDF and what it could add to your project.

In User-Mode part, SRDF gives you many helpful tools … and they are:

· Assembler and Disassembler
· x86 Emulator
· Debugger
· PE Analyzer
· Process Analyzer (Loaded DLLs, Memory Maps … etc)
· MD5, SSDeep and Wildlist Scanner (YARA)
· API Hooker and Process Injection
· Backend Database, XML Serializer
· And many more

In the Kernel-Mode part, it tries to make it easy to write your own filter device driver (not with WDF and callbacks) and gives an easy, object oriented (as much as we can) development framework with these features:

· Object-oriented and easy to use development framework
· Easy IRP dispatching mechanism
· SSDT Hooker
· Layered Devices Filtering
· TDI Firewall
· File and Registry Manager
· Kernel Mode easy to use internet sockets
· Filesystem Filter

Still the Kernel-Mode in progress and many features will be added in the near future.

Source Code: http://code.google.com/p/srdf
Facebook Page: http://www.facebook.com/SecDevelop

JOIN US ... just mail me at: amr.thabet[at]student.alx.edu.eg
Also listed in: Assembler IDE Tools, Assemblers, Automated Unpackers, Debugger Libraries, Debuggers, Disassembler Libraries, Disassemblers, Driver & IRP Monitoring Tools, Kernel Filter Monitoring Tools, Kernel Tools, Low-level Development Libraries, Malware Analysis Tools, Programming Libraries, Reverse Engineering Frameworks, X64 Disassembler Libraries, X86 Disassembler Libraries, X86 Emulators
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)


RSS feed Feed containing all updates and additions for this category.

RSS feed Feed containing all updates and additions for this category, including sub-categories.


Subcategories

There are 6 subcategories to this category.





Views
Category Navigation Tree
   Needs New Category  (3)