From Collaborative RCE Tool Library

Jump to: navigation, search

Linux Tools


Tool name: ExeInfo PE
Rating: 5.0 (1 vote)
Author: A.S.L.                        
Website: http://www.exeinfo.xn.pl
Current version: 0.0.4.1 with 902+35 signatures
Last updated: December 15, 2015
Direct D/L link: Locally archived copy
License type: Free
Description: Good detector for packers, compressors , compiler + unpack info + internal exe tools.
Internal Ripper for zip,rar,Flash swf,GFX-bmp/jpg/png/gif,cab,msi,bzip, ...
Colored Disassembler,Delphi Form viewer , .Zlib unpacker v1.2.8 , .NET exe info
Internal detector for non executable files.
Also listed in: .NET Tools, .NET Unpackers, Compiler Identifiers, Crypto Tools, Deobfuscation Tools, Linux Unpackers, PE EXE Signature Tools, Packer Identifiers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Fenris
Rating: 5.0 (1 vote)
Author: lcamtuf                        
Website: http://lcamtuf.coredump.cx/fenris
Current version: 0.07-m2 build 3245
Last updated: July 11, 2004
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Fenris is a suite of tools suitable for code analysis, debugging, protocol analysis, reverse engineering, forensics, diagnostics, security audits, vulnerability research and many other purposes. The main logical components are:

* Fenris: high-level tracer, a tool that detects the logic used in C programs to find and classify functions, logic program structure, calls, buffers, interaction with system and libraries, I/O and many other structures. Fenris is mostly a "what's inside" tracer, as opposed to ltrace or strace, tracers intended to inspect external "symptoms" of the internal program structure. Fenris does not depend on libbfd for accessing ELF structures, and thus is much more robust when dealing with "anti-debugging" code.

* libfnprints and dress: fingerprinting code that can be used to detect library functions embedded inside a static application, even without symbols, to make code analysis simplier; this functionality is both embedded in other components and available as a standalone tool that adds symtab to ELF binaries and can be used with any debugger or disassembler.

* Aegir: an interactive gdb-alike debugger with modular capabilities, instruction by instruction and breakpoint to breakpoint execution, and real-time access to all the goods offered by Fenris, such as high-level information about memory objects or logical code structure.

* nc-aegir: a SoftICE-alike GUI for Aegir, with automatic register, memory and code views, integrated Fenris output, and automatic Fenris control (now under development).

* Ragnarok: a visualisation tool for Fenris that delivers browsable information about many different aspects of program execution - code flow, function calls, memory object life, I/O, etc (to be redesigned using OpenDX or a similar data exploration interface).

* ...and some other companion utilities.
Also listed in: Reverse Engineering Frameworks, Linux Disassemblers, Linux Debuggers, Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: IDA Pro
Rating: 5.0 (6 votes)
Author: Ilfak Guilfanov                        
Website: http://www.hex-rays.com/idapro
Current version: 6.1
Last updated: April 8, 2011
Direct D/L link: http://95.211.133.202/files/idademo_windows60.exe
License type: Commercial
Description: The IDA Pro Disassembler and Debugger is an interactive, programmable, extendible, multi-processor disassembler hosted on Windows or on Linux. IDA Pro has become the de-facto standard for the analysis of hostile code, vulnerability research and COTS validation.

There is also a free (crippled) version available (IDA Pro Free). See its own entry in the library for more info.

As of January 7, 2007, the official IDA Pro website moved from the old URL (http://www.datarescue.com/idabase) to the one listed above.
Also listed in: .NET Disassemblers, Disassemblers, IPhone Tools, Linux Debuggers, Linux Disassemblers, Mobile Platform Debuggers, Mobile Platform Disassemblers, Ring 3 Debuggers, Symbian Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: radare
Rating: 5.0 (2 votes)
Author: pancake                        
Website: http://www.radare.org
Current version: 0.9.7
Last updated: March 3, 2014
Direct D/L link: http://www.radare.org/get/radare2-0.9.7.tar.xz
License type: LGPL
Description: The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with 6502, 8051, arc, arm64, avr, brainfuck, whitespace, malbolge, cr16, dcpu16, ebc, gameboy, h8300, tms320, nios2, x86, x86_64, mips, arm, snes, sparc, csr, m68k, powerpc, dalvik and java.

The main program is 'r2' a commandline hexadecimal editor with support for debugging, disassembling, analyzing structures, searching data, analyzing code and support for scripting with bindings for Python, NodeJS, Perl, Ruby, Go, PHP, Vala, Java, Lua, OCaml.

Radare comes with the unix phylosophy in mind. Each module, plugin, tool performs a specific task and each command can be piped to another to extend its functionality. Also, it treats everything as a file: processes, sockets, files, debugger sessions, libraries, etc.. Everything is mapped on a virtual address space that can be configured to map multiple files on it and segment it.

If you are interested or feel attracted by the project join us in the #radare channel at irc.freenode.net.

See website for more details.
Also listed in: .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Memory Dumpers, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: EDB Linux Debugger
Rating: 4.0 (2 votes)
Author: Evan Teran                        
Website: http://codef00.com/projects#debugger
Current version: 0.9.20
Last updated: January 15, 2014
Direct D/L link: http://codef00.com/projects/debugger-0.9.20.tgz
License type: GPL
Description: Features
* Intuitive GUI interface
* The usual debugging operations (step-into/step-over/run/break)
* Conditional breakpoints
* Debugging core is implemented as a plugin so people can have drop in replacements. Of course if a given platform has several debugging APIs available, then you may have a plugin that implements any of them.
* Basic instruction analysis
* View/Dump memory regions
* Effective address inspection
* The data dump view is tabbed, allowing you to have several views of memory open at the same time and quickly switch between them.
* Importing of symbol maps
* Plugins
o Search for binary strings
o Code Bookmarks
o Breakpoint management
o Check for updates
o Environment variable viewer
o Heap block enumeration
o Opcode search engine plugin has basic functionality (similar to msfelfscan/msfpescan)
o Open file enumeration
o Reference finder
o String searching (like strings command in *nix)

One of the main goals of this debugger is isolation of the debugger core from the display you see. The interface is written in QT4 and thus source portable to many platforms. The debugger core is actually a plugin and the platform specific code is isolated to just a few files, porting to a new OS would require porting these few files and implementing a plugin which implements the "DebuggerCoreInterface" interface. Also, because the plugins are based on the QPlugin API, and do their work through the DebuggerCoreInterface object, they are almost always portable with just a simple recompile. So far, the only plugin I have written which would not port with just a recompile is the heap analysis plugin, due to it's highly system specific nature.
Also listed in: Debuggers, Linux Debuggers, Ring 3 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Bastard
Rating: 0.0 (0 votes)
Author:                         
Website: http://bastard.sourceforge.net
Current version: 0.16
Last updated: 2002
Direct D/L link: N/A
License type: Free / Open Source
Description: The Bastard is a disassembler -- or, more appropriately, a disassembly environment. The idea is that you have an interpreter, much as you would in Perl or Python, which allows you to load files, disassemble them, dump the disassembly, write/run macros, and various other operations. The x86 instruction disassembler written for this project has been packaged seperately as libdisasm, and is intended to be used in other open source projects.

This interpreter can be used interactively, it can be fed commands via STDIN [just like a scripting interpreter], and it can be communicated with via a pair of FIFOs. Now, on top of this any number of UI front ends can be stacked -- ncurses console front ends, Gtk X front-ends, Tk front ends, etc. It is the reponsibility of the front-ends to display the information obtained by querying the disassembler, supplying syntax highlighting, displaying strings, xrefs, etc; however the disassembler will retain all of this information, do all of the 'brute' processing, and will provide any of the information when requested.

The bastard currently runs on x86 Linux and FreeBSD [CVS version]. It can disassemble x86 ELF, a.out, and PE files as well as flat binary files [.com, .bin].
Also listed in: Disassemblers, Linux Disassemblers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Burndump
Rating: 0.0 (0 votes)
Author: ByteRage                        
Website: http://www.securiteam.com/tools/5BP0H0U7PQ.html
Current version: 1.0
Last updated: July 13, 2002
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Burndump is a LKM that strips off the TESO Burneye protection from encrypted executables. You must be able to run the executable. When the program is unwrapped, you do not need the host-fingerprint or the password anymore and the ELF file can be reverse engineered without the Burneye anti-debugger tricks.
Also listed in: Linux Unpackers, Automated Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Burneye
Rating: 1.0 (1 vote)
Author: TESO                        
Website: https://teso.scene.at/releases.php
Current version: 1.0.1
Last updated: December 24, 2002
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Burneye ELF encryption program, with full source and docs.
Also listed in: Packers, Linux Packers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Damn Vulnerable Linux
Rating: 0.0 (0 votes)
Author: Zero                        
Website: http://www.DamnVulnerableLinux.org
Current version: Damn Vulnerable Linux 1.5 (Infectious Disease)
Last updated: January 26, 2009
Direct D/L link: http://www.computerdefense.org/dvl/DVL_1.5_Infectious_Disease.iso
License type: Creative Commons Attribution-Noncommercial-Share Alike 3.0 License
Description: Release date: 01/26/2009. Fixed many bugs (e.g. wrong postgres path), added several tools.

This release contains 99% of all available Linux RCE tools!

Damn Vulnerable Linux (DVL) is a Linux-based tool for IT-Security. Damn Vulnerable Linux (DVL) is highly integrated into the community project crackmes.de (http://www.crackmes.de) and is frequently updated with new community provided lessons. Damn Vulnerable Linux (DVL) is your place either to get the latest Damn Vulnerable Linux (DVL) distribution, to get new lessons, or to submit own lessons based on the Damn Vulnerable Linux (DVL) training system.

The constant website for Damn Vulnerable Linux (DVL) is located at http://www.damnvulnerablelinux.org . Damn Vulnerable Linux (DVL) is for educational purposes only!

Actually, it is a perverted Linux distribution made to be as insecure as possible. It is collection of IT-Security tools. Additional it includes a fullscaled lesson based environment for Attack & Defense on/for IT systems for self-study or teaching activities during university lectures. It's a Live Linux Distro, which means it runs from a bootable CD in memory without changing the native operating system of the host computer. As well it can be run within virtual machine environments, such as qemu or vmware. There is no need to install a virtual machine if you use the embedded option. Its sole purpose in life is to put as many security tools at your disposal with as much training options as it can. It contains a huge ammount of lessons including lesson description - and solutions if the level has been solved by a community member at crackmes.de.

Damn Vulnerable Linux (DVL) is meant to be used by both novice and professional security personnel but is not ideal for the Linux uninitiated. Damn Vulnerable Linux (DVL) assumes you know the basics of Linux as most of your work will be done from the command line. If you are completely new to Linux, it's best you stop playing with this system.
Also listed in: Reverse Engineering Frameworks
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Detect It Easy
Rating: 0.0 (0 votes)
Author: Hors                        
Website: http://ntinfo.biz
Current version: 1.01
Last updated: March 23, 2016
Direct D/L link: https://www.dropbox.com/s/h3sjlmhgcx7qfx2/DIE_1.01_win.zip?dl=1
License type: Free (both for commercial and non-commercial usage) and open source
Description: Detect it Easy

Detect It Easy, or abbreviated “DIE” is a program for determining types of files.

“DIE” is a cross-platform application, apart from Windows version there are also available versions for Linux and Mac OS.

Many programs of the kind (PEID, PE tools) allow to use third-party signatures. Unfortunately, those signatures scan only bytes by the pre-set mask, and it is not possible to specify additional parameters. As the result, false triggering often occur. More complicated algorithms are usually strictly set in the program itself. Hence, to add a new complex detect one needs to recompile the entire project. No one, except the authors themselves, can change the algorithm of a detect. As time passes, such programs lose relevance without the constant support.

Detect It Easy has totally open architecture of signatures. You can easily add your own algorithms of detects or modify those that already exist. This is achieved by using scripts. The script language is very similar to JavaScript and any person, who understands the basics of programming, will understand easily how it works. Possibly, someone may decide the scripts are working very slow. Indeed, scripts run slower than compiled code, but, thanks to the good optimization of Script Engine, this doesn\'t cause any special inconvenience. The possibilities of open architecture compensate these limitations.

DIE exists in three versions. Basic version (“DIE”), Lite version (“DIEL”) and console version (“DIEC”). All the three use the same signatures, which are located in the folder “db”. If you open this folder, nested sub-folders will be found (“Binary”, “PE” and others). The names of sub-folders correspond to the types of files. First, DIE determines the type of file, and then sequentially loads all the signatures, which lie in the corresponding folder. Currently the program defines the following types:

• MSDOS executable files MS-DOS

• PE executable files Windows

• ELF executable files Linux

• MACH executable files Mac OS

• Text files

• Binary all other files
Also listed in: .NET Packers, Compiler Identifiers, Entropy Analyzers, Exe Analyzers, Mac OS Tools, PE EXE Signature Tools, PE Executable Editors, Packer Identifiers, Tool Signatures
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: ERESI Framework
Rating: 0.0 (0 votes)
Author: The ERESI Project                        
Website: http://www.eresi-project.org
Current version: 0.82b2
Last updated: September 13, 2009
Direct D/L link: N/A
License type: Free / Open Source
Description: The ERESI Reverse Engineering Software Interface is a unified multi-architecture binary analysis framework targeting operating systems based on the Executable & Linking Format (ELF) such as Linux, *BSD, Solaris, HP-UX, IRIX and BeOS.

ERESI is a general purpose hybrid framework : it includes both static analysis and runtime analysis capabilities. These features are accessed by primitives of the ERESI reverse engineering language which makes the framework more adaptable to the precise needs of her users. It brings an environment of choice for program analysis throught instrumentation, debugging, and tracing as it also provides more than ten exclusive major built-in features . ERESI can also be used for security auditing, hooking, integrity checking or logging binary programs. The project prones modularity and reusability of code and allows users to create their own project on top of the ERESI language interpreter in just a few lines. Among other features, the base code can display program graphs on demand using its automated flow analysis primitives. Our tools are enhanced for hardened or raw systems which have no executable data segments and no native debug API or even explicit program information.

The ERESI framework includes:

* The ELF shell (elfsh), an interactive and scriptable ERESI interpreter dedicated to instrumentation of ELF binary files.
* The Embedded ELF debugger (e2dbg), an interactive and scriptable high-performance userland debugger that works without standard debug API (namely without ptrace).
* The Embedded ELF tracer (etrace), an interactive and scriptable userland tracer that works at full frequency of execution without generating traps.
* The Kernel shell (kernsh), an interactive and scriptable userland ERESI interpreter to inject code and data in the OS kernel, but also infer, inspect and modify kernel structures directly in the ERESI language.
* The Evarista static analyzer, a work in progress ERESI interpreter for program transformation and data-flow analysis of binary programs directly implemented in the ERESI language (no web page yet).

Beside those top-level components, the ERESI framework contains various libraries that can be used from one of the previously mentioned tools, or in a standalone third-party program:

* libelfsh : the binary manipulation library on which ELFsh, E2dbg, and Etrace are based.
* libe2dbg : the embedded debugger library which operates from inside the debuggee program.
* libasm : the disassembly engine (x86 and sparc) that gives semantic attributes to instructions and operands.
* libmjollnir : the code fingerprinting and graph manipulation library.
* librevm : the Reverse Engineering Vector Machine, that contains the meta-language interpretor and the standard ERESI library.
* libaspect : the type system and aspect library. It can define complex data-types to be manipulated ad-hoc by ERESI programs.
* libedfmt : the ERESI debug format library which can convert dwarf and stabs debug formats to the ERESI debug format by automatically generating new ERESI types.
Also listed in: Code Injection Tools, Linux Debuggers, Linux Disassemblers, Reverse Engineering Frameworks, Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: HT Editor
Rating: 0.0 (0 votes)
Author: Stefan Weyergraf (steveman), Sebastian Biallas (seppel)                        
Website: http://hte.sourceforge.net/
Current version: 2.0.21
Last updated: November 20, 2012
Direct D/L link: http://hte.sourceforge.net/downloads.html
License type: GPL2
Description: General features

Supported file formats
common object file format (COFF/XCOFF32)
- header
- image with code/data analyser (x86)

executable and linkable format (ELF)
- header
- section headers
- program headers
- symbol tables
- image with code/data analyser (x86, AMD64, IA-64, Alpha, PowerPC, ARM) and relocations

linear executables (LE)
- header
- VxD descriptor
- object table
- page table
- image with code/data analyser (x86)
- auto-relocation layer (only internal refs for now)

standard dos executables (MZ)
- header
- relocations
- image (disassembly only)

new executables (NE)
- header
- segments
- names
- entrypoints
- image with code/data analyser (x86)
- auto-relocation layer (pretty complete)

portable executables (PE32, PE64)
- header
- import section
- delay-import section
- export section
- resources
- image with code/data analyser (x86, AMD64, PowerPC, IA-64, Alpha, ARM)
- preliminary support for .net executables

java class files (CLASS)
- header
- image with code/data analyser (java bytecode disassembler)

Mach exe/link format (MachO)
- header
- image with code/data analyser (x86, AMD64, PowerPC, ARM)

X-Box executable (XBE)
- header
- imports
- image with code/data analyser (x86)

Flat (FLT)
- header
- image with data analyser (no disassembler yet)

PowerPC executable format (PEF)
- header
- imports - image with code/data analyser (PowerPC)

Still some to be implemented (M$-OBJ, ARCH, LX)

Code & Data Analyser
- finds branch sources and destinations recursively
- finds procedure entries
- creates labels based on this information
- creates xref information
- allows to interactively analyse unexplored code (press 'c')
- allows to create/rename/delete labels (press 'n')
- allows to create/edit comments (press '#')

Target systems
- DJGPP
- GNU/Linux
- FreeBSD
- Win32
Also listed in: Disassemblers, Linux Disassemblers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: lida
Rating: 0.0 (0 votes)
Author: Mario Schallner                        
Website: http://lida.sourceforge.net
Current version: 00.03.00
Last updated: December 5, 2004
Direct D/L link: N/A
License type: Free / Open Source
Description: lida is basically a disassembler and code analysis tool. It uses the bastards libdisasm for single opcode decoding (see http://bastard.sourceforge.net/libdisasm.html). It allows interactive control over the generated deadlisting via commands and builtin tools.


Short Overview of (planned) features:

* ELF, RAW file disassembly (generating stringtable, symboltable, crossreferences, ... )
* trace execution flow of binary
* work with symbolic names: interactive naming of functions, labels, commenting of code
* scan for known anti-debugging, anti-disassembling techniques
* scan for user defined code sequences
* integrated patcher
* integrated cryptoanalyzer
* handy ("intelligent") browsing
* openssl support (customizeable "init values", apply to programs datablocks)


Why lida?

The project lida was initiated because of the lack of handy reverse engineering software for linux. Therefore it is designed to (and should) fit several needs of some typical reverse-engineering sessions.
lida addresses people who like to work on deadlistings, and should be especially useful for people with previous experience in windows reverse engineering. lida should be a good "entry point" for examining the "new targets".
A typical use is to run it while debugging your program and comment the deadlisting / name functions with the information gathered.

So basically it is a disassembler. Why another one? :)

Many disassemblers out there use the output of objdump - lida tries a more serious approach. The several limitations of objdump (see 3.1) are broken by using libdisasm (thx to HCUNIX!), and by tracing the execution flow of the program.
Further, by having the control over the disassembly - more features can be included. Everybody who has already worked on some deadlisting will immediate feel a need to work interactive with the code - and be able to change it.
Therefore lida will have an integrated patcher, resolves symbolic names, provides the ability to comment the code, serves efficient browsing methods, ...
The more exotic features of lida should be on the analysis side. The code can be scanned for custom sequences, known antidebugging techniques, known encryption algorithms, ... also you will be able to directly work with the programs data and for example pass it to several customizable en-/decryption routines.
This of course only makes limited sense as it is not a debugger. Tough often I really missed this functionality.
Also listed in: Disassemblers, Linux Disassemblers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Linice
Rating: 0.0 (0 votes)
Author: Goran Devic                        
Website: http://www.linice.com
Current version: 2.6
Last updated: July 28, 2005
Direct D/L link: Locally archived copy
License type: GPL
Description: What is Linice?

Linice is an Intel x86-based, Linux source-level kernel debugger with the look and feel of SoftIce for MS Windows.

Linice is designed to be used by the people who have SoftIce experience. Linice provides a major subset of SoftIce commands, and adds a few new ones. For that reason the documentation describing individual commands is not provided. There are a number of good resources on the Web that describe all SoftIce commands (Google "SoftIce" keyword.)

What can I use it for?

You can use Linice to debug a kernel module or a user application. You can also debug a Linux kernel. Kernel does not need to be recompiled or patched in any way. The debugger proper loads as a module into the running kernel and supports debugging using the following devices:
local VGA frame buffer
X-Window
remote serial terminal
monochrome monitor

You can break into a running kernel at any time by a hotkey. Place breakpoints, single step, watch variables etc. Multiple international keyboard layouts are supported.
Also listed in: Linux Debuggers, Ring 0 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Skpd
Rating: 0.0 (0 votes)
Author: Albert Sellarès                        
Website: https://www.wekk.net
Current version: 1.3
Last updated: 13/07/2009
Direct D/L link: https://www.wekk.net/code/attachments/download/1/skpd.tar.gz
License type: none yet
Description: <nowiki>Skpd is a process dumper for x86 and x64 ELF binaries

Features:

static binaries.
dynamic binaries.
compressed files (at least upx)
elfuck encrypted.
32 and 64 bits support.
Generates an ELF file from a running process.
If the original file was encrypted, the new one will not.
i386, x86_64, MIPSEL platforms

Usage:

./skpd {-p pid
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Valgrind
Rating: 0.0 (0 votes)
Author:                         
Website: http://valgrind.org
Current version: 3.2.3
Last updated: January 29, 2007
Direct D/L link: N/A
License type: Free / Open Source
Description: Valgrind is an award-winning suite of tools for debugging and profiling Linux programs. With the tools that come with Valgrind, you can automatically detect many memory management and threading bugs, avoiding hours of frustrating bug-hunting, making your programs more stable. You can also perform detailed profiling, to speed up and reduce memory use of your programs.

The Valgrind distribution currently includes four tools: a memory error detector, a cache (time) profiler, a call-graph profiler, and a heap (space) profiler. It runs on the following platforms: X86/Linux, AMD64/Linux, PPC32/Linux, PPC64/Linux.
Also listed in: Code Injection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)


RSS feed Feed containing all updates and additions for this category.

RSS feed Feed containing all updates and additions for this category, including sub-categories.


Subcategories

There are 4 subcategories to this category.





Views