From Collaborative RCE Tool Library

Jump to: navigation, search

File System Diff Tools


Tool name: All-Seeing Eye
Rating: 5.0 (1 vote)
Author: Fortego Security                        
Website: http://www.fortego.com/en/ase.html
Current version: 0.7.1
Last updated: 2007
Direct D/L link: http://www.fortego.com/resources/ase071.zip
License type: Free
Description: Tool for automated diff-style checking of many sensitive system areas that malware and other programs often try to modify silently. Like Tripwire on speed.
Also listed in: Install Monitoring Tools, Registry Monitoring Tools, System Diff Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Buster Sandbox Analyzer
Rating: 5.0 (1 vote)
Author: Buster                        
Website: http://bsa.isoftware.nl/
Current version: 1.81
Last updated: August 22, 2012
Direct D/L link: http://bsa.isoftware.nl/bsa.rar
License type: Free
Description: Buster Sandbox Analyzer is a tool that has been designed to analyze the behaviour of sandboxed processes and the changes made to system and then evaluate if they are malware suspicious.

The changes made to system can be of several types: file system changes, registry changes and port changes.

A file system change happens when a file is created, deleted or modified. Depending of what type of file has been created (executable, library, javascript, batch, etc) and where was created (what folder) we will be able to get valuable information.

Registry changes are those changes made to Windows registry. In this case we will be able to get valuable information from the modified value keys and the new created or deleted registry keys.

Port changes are produced when a connection is done outside, to other computers, or a port is opened locally and this port starts listening for incoming connections.

From all these changes we will obtain necessary information to evaluate the "risk" of some of the actions taken by sandboxed applications.

Watching all these operations in an easy and safe manner is possible thanks to Sandboxie (http://sandboxie.com), an excellent tool created by Ronen Tzur.

Even if Buster Sandbox Analyzer´s main goal is to consider if sandboxed processes have a malware behaviour, the tool can be used also to simply obtain a list of changes made to system, so if you install a software you will know exactly what installs and where.

Additionally apart of system changes we can consider other actions as malware suspicious: keyboard logging, end the Windows session, load a driver, start a service, connect to Internet, etc.

All the above operations can be considered as not malicious but if they are performed when it´s not expected, that´s something we must take in consideration. Therefore it´s not only important to consider what actions are performed. It´s also important to consider if it´s reasonable certain actions are performed.



Program history : http://bsa.isoftware.nl/frame8.htm
Also listed in: File Monitoring Tools, Network Monitoring Tools, Registry Diff Tools, Registry Monitoring Tools, X86 Sandboxes
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Beyond Compare
Rating: 4.0 (1 vote)
Author: Scooter Software                        
Website: http://www.scootersoftware.com
Current version: 2.5.1
Last updated: August 30, 2007
Direct D/L link: N/A
License type: Shareware
Description: A very good text/code diffing tool. Also a good binary diffing tool if using the plugin for this from the author's website.
Also listed in: Binary Diff Tools, Image Diff Tools, Text Diff Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Attack Surface Analyzer
Rating: 0.0 (0 votes)
Author: Microsoft Corporation                        
Website: http://go.microsoft.com/?linkid=9758398
Current version: Beta
Last updated: January 18, 2011
Direct D/L link: http://go.microsoft.com/?linkid=9758398
License type: Freeware
Description: Attack Surface Analyzer is the same tool used by Microsoft's internal product teams to catalogue changes made to the operating system by the installation of new software.

Attack Surface Analyzer takes a snapshot of your system state before and after the installation of product(s) and displays the changes to a number of key elements of the Windows attack surface.

This allows:
- Developers to view changes in the attack surface resulting from the introduction of their code on to the Windows platform
- IT Professionals to assess the aggregate Attack Surface change by the installation of an organization's line of business applications
- IT Security Auditors evaluate the risk of a particular piece of software installed on the Windows platform during threat risk reviews
- IT Security Incident Responders to gain a better understanding of the state of a systems security during investigations (if a baseline scan was taken of the system during the deployment phase)
Also listed in: Install Monitoring Tools, Registry Diff Tools, System Diff Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Compare VMware Snapshots
Rating: 0.0 (0 votes)
Author: ZaiRoN                        
Website: http://zairon.wordpress.com/2007/08/31/find-out-hidden-files-comparing-vmwares-snapshots/
Current version: 1.0
Last updated: September 19, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: Nowadays there’s a big use of virtualization; tools like VMware, VirtualPC and others are daily used. There are some differencies between the original and the virtualized environment, but to study a malware under a protected blackbox it’s very comfortable. You can study their behaviour without any problems.

Just today, while I was running a malware, I got this foolish idea: can I identify hidden files using VMware’s snapshots?

Under VMware you can save the current state of a virtual machine taking a snapshot of the running guest system. The snapshot is stored somewhere in the guest’s OS folder, it simply needs some files. I’m interestered in one file only, the one containing the guest’s memory. The memory is saved inside a file with .vmem extension.

The idea is to take two snapshots (a virgin and an infected system), and then compare the two files. The main problem is that a single snapshot needs a large amounts of bytes, around 260 Mb on my system. Comparing the snapshots using an hex editor is madness. I decided to write a simple application able to compare two files string to string. Why only strings?
Well, how can I identify an hidden file simply looking at a “memory dump”? The answer is simple: the only thing able to reveal a trace is a string containing the name of the hidden file, nothing more. So, I extract all the strings from the virgin snapshot and then I compare them with all the strings from the infected snapshot. Yes, it’s a foolish idea but it helps me to pass a boring afternoon.

The most important part of the program is the internal “search engine”. To speed up the program you have to search for specific strings. To view the results in a quick way I simply search for strings with extension “.sys”, “.dll” or just “.exe”. That’s because these are the file extensions of the files that are always hidden. You can improve the search engine adding some more rules (i.e. string must have “system32″ or “windows” inside) but the result won’t change: you can always see some interesting strings.

I tried the program running two malwares: Lager and Nailuj.
Lager malware hides a file named taskdir.exe and Nailuj hides videoati0.sys/dll/exe.
In both cases, I can see some strings referring to the hidden files.

The string is somewhere in the memory, I’m not interested in its position but in the string itself: it exists!

There are some good tools out there able to show hidden files but sometimes they fail. When they fail you can try with this approach.
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: SandboxDiff
Rating: 0.0 (0 votes)
Author: majoMo (Rui Morais)                        
Website: N/A
Current version: 2.3
Last updated: January 10, 2011
Direct D/L link: Locally archived copy
License type: Freeware
Description: 'SandboxDiff' allows tracking changes in Registry and Files when using 'Sandboxie' (an amazing application created by Ronen Tzur).

All Registry entries and File system created/modified by a program sandboxed (or any action sandboxed) are monitored and listed with SandboxDiff.

Very useful when users want (before to install an application) to know all changes made by the installer in Registry and File system.
Also listed in: File Monitoring Tools, Install Monitoring Tools, Monitoring Tools, Registry Diff Tools, Registry Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Sandboxie
Rating: 0.0 (0 votes)
Author: Ronen Tzur                        
Website: http://www.sandboxie.com
Current version: 3.42
Last updated: December 1, 2009
Direct D/L link: N/A
License type: Shareware
Description: Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.

You can also access all the changes that were made during the program execution.
Also listed in: File Monitoring Tools, Network Monitoring Tools, Registry Diff Tools, Registry Monitoring Tools, X86 Sandboxes
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Total Uninstall
Rating: 0.0 (0 votes)
Author: Gavrila Martau                        
Website: http://www.martau.com
Current version: 5.4.2
Last updated: June 15, 2009
Direct D/L link: N/A
License type: Shareware
Description: Total Uninstall is a complete uninstaller which includes two working modes.

Installed Programs module analyze existing installations and create a log with installation changes. It can uninstall programs even without the help of the supplied Add Remove program.
Just select from the list the program that you want to uninstall and in a few seconds Total Uninstall will analyze it and will show in a tree view detected files, folders, registry keys and values of that program. You can review the details and remove some of the detected items. Total Uninstall is ready to uninstall the analyzed program. It will use first the supplied Add Remove program and will continue removing remaining items using the log.

Monitored Programs module helps to monitor any changes made to your system during the installation of a new program. It allows you to perform a complete uninstall without having to rely on the supplied Add Remove program, which can leave files or changes behind.
Total Uninstall creates a snapshot of your system prior to installing a new program. It then takes an additional snapshot after the installation has completed. It then compares the two snapshots and displays all changes in a graphical tree view, marking all registry values and/or files that have been added, changed or deleted. Total Uninstall saves these changes and, if you decide to uninstall the program, it will reverse the changes to the previous state.
Features

* Accurate analyze existing installations and create a log with installation changes.
* Monitor changes from registry and file system for new installations.
* Uninstall completely and thoroughly analyzed or monitored programs.
* List without delay installed or monitored programs and with appropriate icons.
* Organize in groups installed or monitored programs.
* Find the program to uninstall by keyword quickly and easily.
* Summary and detailed information for each installed or monitored program.
* User configurable views of the detected changes.
* It shows a detailed uninstall log.
* Powerful search in detected changes.
* Standalone and low resource usage agent for notification of running installation programs
* Export registry changes for install or uninstall
* Export installed or monitored programs list to file
* Export to file or print detected changes
* View and apply pending file rename operations without restart.
Also listed in: Registry Diff Tools, System Diff Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)


RSS feed Feed containing all updates and additions for this category.

RSS feed Feed containing all updates and additions for this category, including sub-categories.





Views
Category Navigation Tree
   Code Coverage Tools  (13)
   Code Ripping Tools  (2)
   Binary Diff Tools  (7)
   Image Diff Tools  (2)
   System Diff Tools  (5)
   Text Diff Tools  (6)
   Helper Tools  (3)
   Hex Editors  (13)
   Memory Patchers  (7)
   Packers  (20)
   Profiler Tools  (11)
   String Finders  (10)
   Tool Hiding Tools  (7)
   Tracers  (22)
   Needs New Category  (3)