From Collaborative RCE Tool Library


Memory Data Tracing Tools


Tool name: Codetective Analysis Tool
Rating: 5.0 (1 vote)
Author: Francisco Gama Tabanez Ribeiro
Website: https://github.com/blackthorne/Codetective
Current version: 0.8.2
Last updated: September 20, 2014
Direct D/L link: N/A
License type: GPL
Description: Sometimes we run into hashes and other artefacts and can't figure out where they came from or how they were generated. This tool recognises the output format of many different algorithms in many different possible encodings for analysis purposes. It also infers a level of certainty for each finding based on traces left by its representation.

This may be useful e.g. when you are testing systems from a security perspective and are able to grab a password file with hashed contents maybe from an exposed backup file or by dumping memory. This may also be useful as a part of a fingerprinting process or simply to verify valid implementations of different algorithms. You may also try running this tool against network traffic captures or large source code repositories to look out for interesting stuff.

You can use either the generic version or the plugin for the Volatility framework; the usage is similar.
Currently supports:
web-cookie
mssql2000
md5
URL
md4
phone number
credit cards
mssql2005
lm hash
ntlm hash
MySQL4+
MySQL323
base64
SAM(*:ntlm)
SAM(lm:*)
SAM(lm:ntlm)
RipeMD320
sha1
sha224
sha256
sha384
sha512
whirpool
CRC
des-salt-unix
sha256-salt-django
sha256-django
sha384-salt-django
sha384-django
sha256-salt-unix
sha512-salt-unix
apr1-salt-unix
md5-salt-unix
md5-wordpress
md5-phpBB3
md5-joomla2
md5-salt-joomla2
md5-joomla1
md5-salt-joomla1
blowfish-salt-unix
uuid
Also listed in: Crypto Libraries, Data Extraction Tools, Data Search and Extraction Tools, Dongle Analysis Tools, Dongle Crypto Solver Tools, Memory Search Tools, String Finders



Tool name: Memory Hacking Software
Rating: 5.0 (2 votes)
Author: L. Spiro
Website: http://www.memoryhacking.com
Current version: 6.1
Last updated: December 5, 2009
Direct D/L link: http://memoryhacking.com/MemHack/MHS6.1.rar
License type: Free
Description: Highly advanced software for memory search/analysis and trainer creation. Recommended!

MHS 6.1 (bundle):
Bundle includes MHS.exe, MHS Help.chm, zlib1.dll, and ChangeLog.txt.


Features:
* Fastest Searching
-- Data-Type Search
-- Pointer Search
-- String Search (ASCII, Unicode, Hex Bytes, Wildcard, Regular Expressions)
-- Group Search (Includes Pattern Matching)
-- Expression Search (Extremely Flexible)
-- Script Search (The Ultimate in Custom Searching)

* Debugger
-- Very Stable
-- Customizable Breakpoints

* Disassembler

* Code Filter
-- Easiest Way to Find Functions

* Auto-Hack

* Auto-Assembler
-- 90% Same Language/Syntax as in Cheat Engine

* DLL Injector
-- Injects any DLL into the Target Process
-- Uninject Later, Automatically or Manually
-- Remotely Call ANY Functions in the Injected DLL(s), Regardless of Calling Convention, Return Type, or Number of Parameters

* Integrated Script Language
-- IDE/Compiler Built-In
-- Syntax Matches C; No Learning Curve
-- Compiled for Fast Execution
-- Full API
-- Includes Features Specially for Hacking

* Real-Time Hex Editor
-- Fully Featured Real-Time Hex Editor for Both RAM and Files
-- Allows Browsing of Kernel RAM

* Kernel Driver
-- Allows Bypassing Anti-Cheat Systems
-- Allows Reading/Writing of Kernel RAM

* Converter

* RAM Watcher

* Memory Allocator
-- Allocates Memory in the Target Process
Also listed in: Code Coverage Tools, Memory Search Tools, Trainer Generators



Tool name: Cheat 'O Matic
Rating: 1.0 (1 vote)
Author: Nick Shaffner
Website: http://www.geocities.com/TimesSquare/Dungeon/5633
Current version: 0.99a
Last updated: 1997
Direct D/L link: http://bunnzy.oldgamemusic.com/files/extras/apps/cheatomatic099.zip
License type: Freeware
Description: Cheat 'O Matic is an EXTREMELY easy-to-use UNIVERSAL cheating program designed to let you automatically cheat on ANY game (or other program) that will run on Windows '95, '98 and 'NT (including DOS, Windows 3.1, Windows '95, Windows '98 and Windows 'NT games) - as the game actually runs! Additionally, Cheat 'O Matic allows you to cheat on programs that don't have cheat codes, or in completely different ways that cheat codes may not exist for, and that perhaps the game's programmers never intended.
Also listed in: Memory Search Tools



Tool name: Flayer
Rating: 0.0 (0 votes)
Author: Will Drewry & Tavis Ormandy
Website: http://code.google.com/p/flayer
Current version: 0.0.1
Last updated: August 9, 2007
Direct D/L link: N/A
License type: Free / Open Source
Description: Flayer is a tool for dynamically exposing application innards for security testing and analysis. It is implemented on the dynamic binary instrumentation framework Valgrind and its memory error detection plug-in, Memcheck. The accompanying paper focuses on the implementation of Flayer, its supporting libraries, and their application to software security.

Flayer provides tainted, or marked, data flow analysis and instrumentation mechanisms for arbitrarily altering that flow. Flayer improves upon prior taint tracing tools with bit-precision. Taint propagation calculations are performed for each value-creating memory or register operation. These calculations are embedded in the target application's running code using dynamic instrumentation. The same technique has been employed to allow the user to control the outcome of conditional jumps and step over function calls.

Flayer's functionality provides a robust foundation for the implementation of security tools and techniques, for example an effective fault injection testing technique and an automation library, LibFlayer. Alongside these contributions, the paper explores techniques for vulnerability patch analysis and guided source code auditing.

Flayer finds errors in real software. In the past year, its use has yielded the expedient discovery of flaws in security critical software including OpenSSH and OpenSSL.

See full paper at:
http://www.usenix.org/events/woot07/tech/full_papers/drewry/drewry_html

And getting-started information at:
http://code.google.com/p/flayer/wiki/GettingStarted
Also listed in: (Not listed in any other category)



Tool name: HBGary Inspector
Rating: 0.0 (0 votes)
Author: HBGary
Website: http://www.hbgary.com/inspector_v2.shtml
Current version: 2.0
Last updated:
Direct D/L link: N/A
License type: Commercial
Description: HBGary Inspector speeds team reverse engineering of software binaries. Inspector integrates dynamic runtime tracing with dataflow and static code analysis. Captured test data is recorded in a team-member shared database for further analysis with automated scripts and interactive graphing.

Packed, obfuscated, and self-modifying malware binaries resist static disassembly. Anti-debugging tricks hinder runtime analysis. However, malware must unpack and de-obfuscate itself to execute. Inspector defeats many anti-debugging tricks and recovers true program instructions and live memory evidence as malware operates. Dynamic analysis provides accurate information about malware behavior.

HBGary Inspector can trace data buffers and packets as they propagate in memory, saving countless hours and days of work for the Reverse Engineer. Complex control flow paths are mapped with interactive navigation graphs. Runtime code coverage is indicated and measured. Inspector is extensible with an exposed application program interface (API) and a powerful scripting system for analysis automation.
Also listed in: Tracers, Code Coverage Tools



Tool name: LordCHEAT
Rating: 0.0 (0 votes)
Author: Rudy Rooroh
Website: http://web.archive.org/web/20091027010825/http://geocities.com/asmfreesoft/
Current version: 1.2.6
Last updated: July 18, 2009
Direct D/L link: http://web.archive.org/web/20091027010825/http://geocities.com/asmfreesoft/LordCHEAT126.zip
License type: Freeware
Description: - Small & powerful game trainer
- Save & load memory using a simple script
- Read/write memory using a hex editor
- Supports 16/32-bit Windows games, Macromedia Flash games, *emulators, etc.
- Supports pointer to pointer
- Supports plugins
- Memory monitor
- Can run under Windows 98 up to *Vista
- etc.
Also listed in: (Not listed in any other category)



Tool name: MALM: Malware Monitor
Rating: 0.0 (0 votes)
Author: Geoff McDonald
Website: http://www.split-code.com/
Current version: v1.2
Last updated: December 16, 2012
Direct D/L link: http://www.split-code.com/files/malm-v1_2.zip
License type: Freeware
Description: MALM is a 32- and 64-bit Windows command-prompt tool for monitoring malware. It monitors:
- New processes
- New modules in existing processes
- New executable heaps in existing processes.

As it notices changes, MALM outputs its observations to the console. When MALM is terminated with CTRL-C, it generates a final report of its findings.

This tool is particularly useful for monitoring where the malware resides after execution, since malware often injects itself into other processes.
Also listed in: Malware Analysis Tools, Monitoring Tools, Process Monitoring Tools, System Diff Tools



Tool name: SpiderPig
Rating: 0.0 (0 votes)
Author: Piotr Bania
Website: http://piotrbania.com/all/spiderpig/
Current version: (not yet released)
Last updated:
Direct D/L link: N/A
License type:
Description: The main idea of SpiderPig is to trace a specified memory region (or a specified register value), and also to trace all the child regions that were created by referencing previously traced regions. So whenever a previously traced memory region is referenced, or any other memory region based on a previously traced memory region is created, SpiderPig will snort it.

SpiderPig is a project created for performing and visualizing data flow analysis of a selected binary program. SpiderPig was created for the purpose of providing a tool which would be able to help vulnerability and security researchers with tracing and analyzing any necessary data and its further propagation. Such tasks are very often crucial in the vulnerability discovering/identifying process and typically require a lot of time-consuming manual work. The initial concept is pretty old; the first pseudo-usable version was created initially for the Immunity Debugger Plugin Contest back in 2007, just to be frozen a few days after. I reactivated the project while having the last months of holidays (around September 2008) and I decided to write a little paper about it (which was finished around November 2008). Since I switched to another research topic at the moment, the SpiderPig research has been practically frozen since the time the paper was made. As you probably realize, the history of this project is kinda nutty. Anyway enjoy or erm not enjoy.
Also listed in: (Not listed in any other category)



Tool name: TEMU
Rating: 0.0 (0 votes)
Author: BitBlaze Binary Analysis Platform Project
Website: http://bitblaze.cs.berkeley.edu/temu.html
Current version: 1.0
Last updated: November 24, 2009
Direct D/L link: http://bitblaze.cs.berkeley.edu/release/temu-1.0/temu-1.0.tar.gz
License type: Free / Open Source
Description: Whole-system dynamic taint analysis platform, in the form of a QEMU extension.

The BitBlaze infrastructure provides a component, called TEMU, for dynamic binary analysis. TEMU is built upon a whole-system emulator, QEMU, and provides the following functionality:

* Dynamic taint analysis. TEMU is able to perform whole-system dynamic taint analysis. Marking certain information sources (e.g., keystrokes, network inputs, reads for certain memory locations, and function call outputs) as tainted, TEMU keeps track of the tainted information propagating in the system. This feature also provides a plug-in environment for dynamic symbolic execution, in which symbolic values are marked as tainted, and concrete values as untainted.
* OS awareness. Information about OS-level abstractions like processes and files is important for many kinds of analysis. Using knowledge of the guest operating system (Windows XP or Linux), TEMU can determine what process and module is currently executing, what API calls have been invoked (with their arguments), and what disk locations belong to which files.
* In-depth behavioral analysis. TEMU is able to understand how an analyzed binary interacts with the environment, such as what API calls are invoked, and what outstanding memory locations are accessed. By marking the inputs as tainted (i.e., symbolic), TEMU provides insights about how outputs are formulated from inputs.
Also listed in: (Not listed in any other category)

