From Collaborative RCE Tool Library


Import Editors


Tool name: IIDKing
Rating: 5.0 (1 vote)
Author: SantMat                        
Website: http://www.reteam.org/tools.html
Current version: 2.01
Last updated: November 2004
Direct D/L link: Locally archived copy
License type: Free
Description: IIDKing allows you to add/remove imports to/from ANY PE file's import table, thereby
eliminating the need to call LoadLibrary and then GetProcAddress yourself.

What's New:
-Added the ability to add an unlimited number of DLL(s) and their
corresponding Function(s) to the target exe.

-You can now run IIDKing an unlimited number of times on any given target and
IIDKing will only ever use ONE section called ".IIDKING" in your target. Old
versions of IIDKing required more.

-When you run IIDKing on a target that has already been modified via IIDKing
v1/v2 it will notify you of this fact and subsequently load the previously
added DLL(s)/Function(s) into the IIDKing dialog. This allows you to re-run
IIDKing for the purpose of removing or adding to past import additions to
your targets.

-Added an easy to use interface for adding DLL(s)/Function(s) in the form of a
list dialog. You simply select the DLL filename you wish and it will list
all its available exports for you to choose from. Leaves no room for case
sensitivity or spelling errors when adding DLL(s)/Function(s).

-IIDKing v2 is much more intuitive in handling user actions and hence can be
kept open and used continuously on the same target or any given number of
targets. No need to restart IIDKing ever.
Also listed in: (Not listed in any other category)



Tool name: LordPE
Rating: 4.5 (4 votes)
Author: y0da                        
Website: N/A
Current version: 1.41 (Deluxe b)
Last updated: September 30, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: LordPE is a tool, e.g. for system programmers, that can edit/view many parts of PE (Portable Executable) files, dump them from memory, optimize, validate, analyze and edit them, ...

Main features:

* Task viewer/dumper
* Huge PE editor (with big ImportTable viewer, ...)
* Break'n'Enter (break at the EntryPoint of dll or exe files)
* PE Rebuilder

News:

* The first GUI PE editor in the world supporting the new PE32+ (64-bit) format ?! (only editing support - no rebuilding, dumping, comparing etc.)
* New plugin interface added! You can develop LordPE Dump Engines (LDE) now.
Look at \Docs\LDE.tXt for more information.
* Added LDE: IntelliDump which can dump .NET CLR processes
* Added structure lister for SectionHeaderTable, PE headers and DataDirectories (the "L" buttons)
* Added hex edit buttons (the "H" buttons) in the DataDirectoryTable viewer
* Added PE.OptionalHeader.Magic and PE.OptionalHeader.NumberOfRvaAndSizes to the PE editor
* TLSTable DataDirectory is now editable
* Possibility to increment/decrement the number of DataDirectories added
* Etc etc etc...
Also listed in: Dump Fixers, Memory Dumpers, PE Executable Editors, Process Dumpers



Tool name: Explorer Suite
Rating: 4.4 (5 votes)
Author: Daniel Pistelli                        
Website: http://www.ntcore.com/exsuite.php
Current version: III (DC20121111)
Last updated: November 11, 2012
Direct D/L link: http://www.ntcore.com/files/ExplorerSuite.exe
License type: Free
Description: A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

Features:

* Process Viewer
* Windows Viewer
* PE and Memory Dumper
* Full support for PE32/64
* Special fields description and modification (.NET supported)
* PE Utilities
* PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
* View and modification of .NET internal structures
* Resource Editor (full support for Windows Vista icons)
* Support in the Resource Editor for .NET resources (dumpable as well)
* Hex Editor
* Import Adder
* PE integrity checks
* Extension support
* Visual Studio Extensions Wizard
* Powerful scripting language
* Dependency Walker
* Quick Disassembler (x86, x64)
* Name Unmangler
* Extension support
* File Scanner
* Directory Scanner
* Deep Scan method
* Recursive Scan method
* Multiple results
* Report generation
* Signatures Manager
* Signatures Updater
* Signatures Collisions Checker
* Signatures Retriever
Also listed in: .NET Executable Editors, .NET Resource Editors, .NET Signature Removers, .NET Tools, Dependency Analyzer Tools, Exe Analyzers, Executable CRC Calculators, Hex Editors, Memory Dumpers, PE Executable Editors, Process Dumpers, Protection Identifiers, Resource Editors



Tool name: CHimpREC
Rating: 0.0 (0 votes)
Author: Sébastien Doucet (TiGa)                        
Website: http://www.iitac.org
Current version: ReCon Edition
Last updated: June 23rd, 2008
Direct D/L link: Locally archived copy
License type: Freeware
Description: CHimpREC: The Cheap Imports Reconstructor
by TiGa of ARTeam
IITAC (http://www.iitac.org)

This is the 32/64-bit imports rebuilder that I introduced at ReCon 2008 in Montreal.
Made for the best compatibility with WoW64 on x64-based Windows XP or Vista.

This is the same version that was used at the conference.
The first official release will come soon.

+Features
The first universal 64-bit imports rebuilder
32-bit version included
Interface similar to ImpREC
Integrated 32/64-bit process dumper
IAT AutoSearch from ImageBase or OEP
Unshuffle thunks function
Manual imports editor

-Limitations
No plugin support yet
No AutoTrace feature
No disassembler

The Visual Studio 2005 SP1 redistributable package might be necessary too:
x86:
http://www.microsoft.com/downloads/details.aspx?familyid=200b2fd9-ae1a-4a14-984d-389c36f85647&displaylang=en
x64:
http://www.microsoft.com/downloads/details.aspx?familyid=EB4EBE2D-33C0-4A47-9DD4-B9A6D7BD44DA&displaylang=en
Also listed in: Dump Fixers, IAT Restore Tools, Process Dumpers, Unpacking Tools



Tool name: Comrade's PE Tools
Rating: 0.0 (0 votes)
Author: Comrade                        
Website: http://comrade.ownz.com/projects/petools.html
Current version:
Last updated: July 31, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: * Inject Tool

Inject is a tool that injects a DLL into a running process. Its command-line usage is as follows:

1. Inject C:\hook.dll into pid 1234: inject.exe 1234 C:\hook.dll
2. Inject C:\hook.dll into process notepad.exe (if multiple notepads are running, then whichever one is picked is undefined): inject.exe -p *notepad.exe C:\hook.dll
3. Inject C:\hook.dll into running process C:\myprogram.exe: inject.exe -p C:\myprogram.exe C:\hook.dll
4. Inject C:\hook.dll into process with a window named "Untitled - Notepad": inject.exe -w "Untitled - Notepad" C:\hook.dll
5. Inject C:\hook.dll into process with a window class Notepad: inject.exe -c Notepad C:\hook.dll

Note that in all uses, you should specify the full path to the injected DLL.


* Loader Tool

Loader is a tool that injects a DLL before launching a process. Its command-line usage is as follows:

1. Load notepad.exe and inject C:\hook.dll into it: loader.exe notepad.exe C:\hook.dll

Note that you should specify the full path to the injected DLL.


* Patch Tool

Patch is a tool that adds a new section to the executable. The new section becomes the new entrypoint and contains code to load a particular DLL and then jump back to the original entrypoint. This can be used to create static patches that behave similarly to the Loader tool.
The tool's command-line usage is as follows:

1. Patch original.exe to load C:\hook.dll before execution; save the patched executable to patched.exe: patch.exe original.exe patched.exe C:\hook.dll


* Reimport Tool

Reimport is a tool that redirects certain entries of an executable's import table to another DLL. For example, running reimport.exe game.exe newgame.exe nocd.dll kernel32.dll::GetDriveTypeA kernel32.dll::CreateFileA kernel32.dll::GetVolumeInformation will create a copy of game.exe as newgame.exe, with the above 3 API functions rerouted to nocd.dll instead of kernel32.dll. That means newgame.exe would import GetDriveTypeA, CreateFileA, and GetVolumeInformation from nocd.dll instead of kernel32.dll.
Also listed in: Code Injection Tools, PE Executable Editors



Tool name: Malcode Analysis Pack
Rating: 0.0 (0 votes)
Author: David Zimmer (iDefense Labs)                        
Website: http://sandsprite.com/blogs/index.php?uid=7&pid=185
Current version:
Last updated: May 5, 2012
Direct D/L link: http://sandsprite.com/CodeStuff/map_setup.exe
License type: GPL2
Description: Update: This is no longer available through the iDefense website. An updated package has been made available by the author.

The Malcode Analyst Pack contains a series of utilities that were found to be necessary tools while doing rapid malcode analysis.

Included in this package are:

• ShellExt - 5 explorer shell extensions
• socketTool - manual TCP Client for probing functionality.
• MailPot - mail server capture pot
• fakeDNS - spoofs DNS responses to controlled IPs
• sniff_hit - HTTP, IRC, and DNS sniffer
• sclog - Shellcode research and analysis application
• IDCDumpFix - aids in quick RE of packed applications
• Shellcode2Exe - embeds multiple shellcode formats in exe husk
• GdiProcs - detect hidden processes
• finddll - scan processes for loaded dll by name
• Virustotal - virus reports for single and bulk hash lookups. Explorer integration
Also listed in: API Monitoring Tools, Malware Analysis Tools, Network Sniffers, Network Tools, Process Monitoring Tools, Reverse Engineering Frameworks, TCP Proxy Tools



Tool name: PPEE (puppy)
Rating: 0.0 (0 votes)
Author: Zaderostam                        
Website: https://www.mzrst.com/
Current version: 1.05
Last updated: April 22, 2016
Direct D/L link: Locally archived copy
License type: Free
Description: This is a professional PE file explorer that lets you dig into all data directories available in the PE/PE64 file and edit them.
Export, Import, Resource, Exception, Certificate(Relies on Windows API), Base Relocation, Debug, TLS, Load Config, Bound Import, IAT, Delay Import and CLR are supported.
A companion plugin is also provided to get one-click technical information about the file such as its size, entropy, attributes, hashes, version info and so on.

Puppy is robust against malformed and crafted PE files, which makes it handy for reversers, malware researchers and those who want to inspect PE files in more detail.

Puppy is free and tries to be small, fast, nimble and as friendly as your puppy!

In new version:
- .Net assembly VtableFixup support
- Control Flow Guard support
- New highlighting scheme
- Treeview icon added
- Neater Listview
- Major bug fixes


Feel free to use it ;)
Also listed in: .NET Executable Editors, Dependency Analyzer Tools, Entropy Analyzers, Exe Analyzers, Executable CRC Calculators, Executable File Editors & Patchers, Export Editors, Hex Editors, Malware Analysis Tools, PE Executable Editors, Relocation Tools, String Finders



Tool name: Stud_PE
Rating: 0.0 (0 votes)
Author: CGSoftLabs                        
Website: http://www.cgsoftlabs.ro/studpe.html
Current version: 2.6.0.5
Last updated: October 31, 2009
Direct D/L link: http://www.cgsoftlabs.ro/zip/Stud_PE.zip
License type: Freeware
Description: Stud_PE The Portable Executables Viewer/Editor (32/64 bit PE files)

Features:
* View/edit PE basic Header information (DOS also):
- Header structures to hexeditor;
* View/edit Section Table:
- Add new section;
* View/edit Directory Table:
- Import/Export Table viewer;
- Import adder;
- Resource viewer/editor (save/replace ico/cur/bmp);
* PE Scanner (PEiD sig database):
- 400 packers/protectors/compilers;
* Task viewer/dumper/killer;
* PEHeader/Binary file compare;
* RVA to RAW to RVA;
* Drag'nDrop shell menu integration;
* Basic HexEditor;
* Process region dumper/viewer;
Also listed in: PE Executable Editors, Resource Editors



Tool name: ZeroAdd
Rating: 0.0 (0 votes)
Author: SantMant                        
Website: Immortal Descendants
Current version:
Last updated:
Direct D/L link: Locally archived copy
License type:
Description: ZeroAdd is a tool that adds a zero-padded section to the end of an executable:
simply pick an exe, give a name and size, and a zero-padded section is appended at the end of the executable.
Also listed in: PE Executable Editors

