From Collaborative RCE Tool Library

Jump to: navigation, search

Memory Dumpers

Tool name:

radare

Currently5/5
1
2
3
4
5

Rating: 5.0 (1 vote)

Author:

pancake

Website:

http://www.radare.org

Current version:

0.7

Last updated:

March 8, 2011

Direct D/L link:

http://www.radare.org/get/radare2-0.7.tar.gz

License type:

LGPL

Description:

The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with x86, x86_64, mips, arm, sparc, csr, m68k, powerpc and java.

The core is a raw hexadecimal editor for commandline with scripting features and perl/python extensions that gets extended with IO plugins that hooks the open/read/write/close/system calls.

The debugger and disassembler has a code analysis module for various architectures. The disassembler has been enhaced to handle inline comments, code block detections and flag references (data pointers or so) and much more.

See website for more details

Also listed in:

.NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

Reflexil

Currently5/5
1
2
3
4
5

Rating: 5.0 (1 vote)

Author:

Sebastien Lebreton

Website:

http://reflexil.net

Current version:

1.2

Last updated:

March 7, 2011

Direct D/L link:

Locally archived copy

License type:

Free / Open Source

Description:

Reflexil is an assembly editor and runs as a plug-in for Red Gate's Reflector, a great tool for .NET developers. Reflexil is using Mono.Cecil, written by Jb Evain and is able to manipulate IL code and save the modified assemblies to disk. Reflexil also supports C#/VB.NET code injection.

Also listed in:

.NET Disassemblers, .NET Executable Editors, .NET MSIL Dumpers, .NET Signature Changers, .NET Signature Removers

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

Rohitab API Monitor

Currently5/5
1
2
3
4
5

Rating: 5.0 (1 vote)

Author:

Rohitab Batra

Website:

http://www.rohitab.com/apimonitor

Current version:

v2 (Alpha-r9)

Last updated:

December 1, 2011

Direct D/L link:

http://www.rohitab.com/downloads

License type:

Freeware

Description:

API Monitor is a free software that lets you monitor and control API calls made by applications and services. Its a powerful tool for seeing how applications and services work or for tracking down problems that you have in your own applications.

* Supports monitoring of 32-bit and 64-bit applications and services
* API Definitions for over 11,000 API’s from 181 DLL’s and over 14,000 methods from 1100+ COM Interfaces (Shell, Web Browser, DirectShow, DirectSound, DirectX, Direct2D, DirectWrite, Windows Imaging Component, Debugger Engine, MAPI etc)
* Decode and display 2000 different structures and unions, 1000+ Enumerated data types, 800+ flags. Buffers and arrays within structures can also be viewed
* Display input and output buffers
* Call Tree display which shows the hierarchy of API calls
* Decode Parameters and Return Values
* Control the target application by setting breakpoints on API calls
* Memory Editor that lets you view, edit and allocate memory in any process
* Dynamic Call Filtering capabilities which allows you to hide or show API calls based on a certain criteria
* Supports monitoring of COM Interfaces
* Decode error codes and display friendly messages by calling an appropriate error function to retrieve additional information about the error
* Capture and view the call stack for each API call
* Custom DLL Monitoring - Supports creating definitions for any DLL or COM Interface
* Support for filtering calls by threads
* Displays the duration for each API call

Also listed in:

API Monitoring Tools, COM Monitoring Tools, File Monitoring Tools, Memory Patchers, Monitoring Tools, Network Monitoring Tools, Registry Monitoring Tools

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

WinHex

Currently4.5/5
1
2
3
4
5

Rating: 4.5 (2 votes)

Author:

Stefan Fleischmann

Website:

http://www.x-ways.net/winhex

Current version:

15.6

Last updated:

March 1, 2010

Direct D/L link:

http://www.x-ways.net/winhex.zip

License type:

Shareware

Description:

WinHex is in its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. An advanced tool for everyday and emergency use: inspect and edit all kinds of files, recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards. Features include (depending on the license type):

* Disk editor for hard disks, floppy disks, CD-ROM & DVD, ZIP, Smart Media, Compact Flash, ...
* Native support for FAT, NTFS, Ext2/3, ReiserFS, Reiser4, UFS, CDFS, UDF
* Built-in interpretation of RAID systems and dynamic disks
* Various data recovery techniques
* RAM editor, providing access to physical RAM and other processes' virtual memory
* Data interpreter, knowing 20 data types
* Editing data structures using templates (e.g. to repair partition table/boot sector)
* Concatenating and splitting files, unifying and dividing odd and even bytes/words
* Analyzing and comparing files
* Particularly flexible search and replace functions
* Disk cloning (under DOS with X-Ways Replica)
* Drive images & backups (optionally compressed or split into 650 MB archives)
* Programming interface (API) and scripting
* 256-bit AES encryption, checksums, CRC32, hashes (MD5, SHA-1, ...)
* Erase (wipe) confidential files securely, hard drive cleansing to protect your privacy
* Import all clipboard formats, incl. ASCII hex values
* Convert between binary, hex ASCII, Intel Hex, and Motorola S
* Character sets: ANSI ASCII, IBM ASCII, EBCDIC, (Unicode)
* Instant window switching. Printing. Random-number generator.
* Supports files >4 GB. Very fast. Easy to use. Extensive online help.

Also listed in:

Binary Diff Tools, Hex Editors, Memory Patchers, Memory Search Tools

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

Explorer Suite

Currently4.4/5
1
2
3
4
5

Rating: 4.4 (5 votes)

Author:

Daniel Pistelli

Website:

http://www.ntcore.com/exsuite.php

Current version:

III

Last updated:

March 12, 2010

Direct D/L link:

http://www.ntcore.com/files/ExplorerSuite.exe

License type:

Free

Description:

A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

Features:

* Process Viewer
* Windows Viewer
* PE and Memory Dumper
* Full support for PE32/64
* Special fields description and modification (.NET supported)
* PE Utilities
* PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
* View and modification of .NET internal structures
* Resource Editor (full support for Windows Vista icons)
* Support in the Resource Editor for .NET resources (dumpable as well)
* Hex Editor
* Import Adder
* PE integrity checks
* Extension support
* Visual Studio Extensions Wizard
* Powerful scripting language
* Dependency Walker
* Quick Disassembler (x86, x64)
* Name Unmangler
* Extension support
* File Scanner
* Directory Scanner
* Deep Scan method
* Recursive Scan method
* Multiple results
* Report generation
* Signatures Manager
* Signatures Updater
* Signatures Collisions Checker
* Signatures Retriever

Also listed in:

.NET Executable Editors, .NET Resource Editors, .NET Signature Removers, .NET Tools, Dependency Analyzer Tools, Exe Analyzers, Executable CRC Calculators, Hex Editors, Import Editors, PE Executable Editors, Process Dumpers, Protection Identifiers, Resource Editors

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

LordPE

Currently4.5/5
1
2
3
4
5

Rating: 4.5 (4 votes)

Author:

y0da

Website:

N/A

Current version:

1.41 (Deluxe b)

Last updated:

September 30, 2009

Direct D/L link:

Locally archived copy

License type:

Free

Description:

LordPE is a tool e.g. for system programmers which is able to edit/view many parts of PE (Portable Executable) files, dump them from memory, optimize them, validate, analyze, edit,...

Main features:

* Task viewer/dumper
* Huge PE editor (with big ImportTable viewer, ...)
* Break'n'Enter (break at the EntryPoint of dll or exe files)
* PE Rebuilder

News:

* The first GUI PE editor in the world supporting the new PE32+ (64bit) format ?! (only editing support - no rebuilding, dumping, comparing etc.)
* New plugin interface added! You can develop LordPE Dump Engines (LDE) now.
Look at \Docs\LDE.tXt for more information.
* Added LDE: IntelliDump which can dump .NET CLR processes
* Added structure lister for SectionHeaderTable, PE headers and DataDirectories (the "L" buttons)
* Added hex edit buttons (the "H" buttons) in the DataDirectoryTable viewer
* Added PE.OptionalHeader.Magic and PE.OptionalHeader.NumberOfRvaAndSizes to the PE editor
* TLSTable DataDirectory is now editable
* Possibility to increment/decrement the number of DataDirectories added
* Etc etc etc...

Also listed in:

Dump Fixers, Import Editors, PE Executable Editors, Process Dumpers

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

ImpREC

Currently4/5
1
2
3
4
5

Rating: 4.0 (3 votes)

Author:

MackT

Website:

http://www.tuts4you.com/forum/index.php?showtopic=6410

Current version:

Official version 1.6 - Unofficial version with misc. fixes 1.7e

Last updated:

October 1, 2010

Direct D/L link:

Locally archived copy

License type:

Free

Description:

The world's most famous IAT rebuilder tool.

NOTE:
The last official version from MackT is still 1.6. The 1.7a update is a third-party patched version of 1.6, which contains the following patches:

- Fixed RestoreLastError API set to SetLastError for WinXP/Vista compatibility (MaRKuS_TH-DJM)
- user32.dll is always read from the system, prevents a crash from corrupted PE of user32.dll (MaRKuS_TH-DJM)
- Latest version of psapi.dll (6.0.6000.16386) included
- Fixed Vista64 crash bug (jstorme)
- GUI modified and improved (based upon Fly's modification)
- Updated/corrected plugins and deleted dups

v. 1.7a added the following fixes:

- Misc
- Fixed Win2K crash, AllocConsole was replaced with ActivateActCtx (jstorme)

The local download here contains the last unofficial patch, 1.7e. In addition to that, it also contains a big bunch of plugins, and also source code for many of these plugins (in all well-known programming languages, which is good for use as templates for new plugins etc).

Changes in Version 1.7b:

- Misc
- Fixed invalid API bug in user32.dll on Windows 98 (jstorme)
- Modified code to improve support for discardable/unreadable sections (jstorme)
- Fixed ImageBase problem with DLL's when "Use PE Header from Disk" is checked (jstorme)
- Added an "ImpREC Classic" looking version

Changes in 1.7c:

- Fixed bug introduced in 1.7b when DLL's have discardable sections (jstorme)

Changes in 1.7d:

- Misc
- Fixed bug introduced in 1.7b which destroys IAT Autosearch feature in some packed targets, like eXpressor 1.8 (Newbie_Cracker).
- Fixed crash introduced in 1.7b when DLL's PE header has "NO Access" flag (Newbie_Cracker).

Changes in Version v1.7e

- Misc
- Fixed a bug which avoids ImpREC to fix JMP DWORD [...] if it is located at the end of code section (Newbie_Cracker)
( Thanks to Nexus6 for report the bug and provide samples)

Also listed in:

IAT Restore Tools, Process Dumpers

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

Memoryze

Currently4/5
1
2
3
4
5

Rating: 4.0 (1 vote)

Author:

Mandiant

Website:

http://www.mandiant.com/software/memoryze.htm

Current version:

Last updated:

Direct D/L link:

N/A

License type:

Free

Description:

MANDIANT Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems can include the paging file in its analysis.

MANDIANT Memoryze can:

* image the full range of system memory (not reliant on API calls).
* image a process’ entire address space to disk. This includes a process’ loaded DLLs, EXEs, heaps, and stacks.
* image a specified driver or all drivers loaded in memory to disk.
* enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:
o report all open handles in a process (for example, all files, registry keys, etc.).
o list the virtual address space of a given process including:
+ displaying all loaded DLLs.
+ displaying all allocated portions of the heap and execution stack.
o list all network sockets that the process has open, including any hidden by rootkits.
o output all strings in memory on a per process basis.
* identify all drivers loaded in memory, including those hidden by rootkits.
* report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
* identify all loaded kernel modules by walking a linked list.
* identify hooks (often used by rootkits) in the System Call Table, the Interrupt Descriptor Tables (IDTs), and driver function tables (IRP tables).

MANDIANT Memoryze can perform all these functions on live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools.

Also listed in:

Kernel Hook Detection Tools

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

SysAnalyzer

Currently4/5
1
2
3
4
5

Rating: 4.0 (2 votes)

Author:

David Zimmer (iDefense Labs)

Website:

http://labs.idefense.com/software/malcode.php#more_malcode+analysis+pack

Current version:

Last updated:

March 21, 2011

Direct D/L link:

http://labs.idefense.com/software/download/?downloadID=15

License type:

GPL2

Description:

SysAnalyzer is an automated malcode run time analysis application that monitors various aspects of system and process states. SysAnalyzer was designed to enable analysts to quickly build a comprehensive report as to the actions a binary takes on a system. SysAnalyzer can automatically monitor and compare:

* Running Processes
* Open Ports
* Loaded Drivers
* Injected Libraries
* Key Registry Changes
* APIs called by a target process
* File Modifications
* HTTP, IRC, and DNS traffic

SysAnalyzer also comes with a ProcessAnalyzer tool which can perform the following tasks:

* Create a memory dump of target process
* parse memory dump for strings
* parse strings output for exe, reg, and url references
* scan memory dump for known exploit signatures

Full GPL source for SysAnalyzer is included in the installation package.

Also listed in:

API Monitoring Tools, Disk Monitoring Tools, File Monitoring Tools, Install Monitoring Tools, Network Monitoring Tools, Registry Monitoring Tools

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

AMDUMPV6.2

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

CondZero

Website:

http://arteam.accessroot.com

Current version:

2.2

Last updated:

September 18th, 2008

Direct D/L link:

http://arteam.accessroot.com/releases.html?fid=3

License type:

Free / Open Source

Description:

The archive includes full sources and two tutorials.

Note: the included pdf overview (from previous release).
Still applies to this version with the caveat that import rebuilding is. Included in this release for targets that don't use the delayed import Option!!

Info:
* New noninvasive loader engine to run & dump activemark v6.2x targets.
* Run program from its own folder, no need to copy Amdumpv62 to target folder to run.
* Amdumpv62 will dump activemark v6.2x executables and, if necessary, Rebuild imports automatically for targets with delayed imports not enabled and finally append the overlay data to the end of the dumped file.

Special note:
* The import rebuilder will append an '_' suffix to the end of the dumped File. (i.e. dumped.exe >> dumped_.exe similar to imprec). In these cases, the overlay data will be appended to the new dump name Automatically.
* Sometimes it may be necessary to view the sections in a pe editor Program (i.e. lordpe or similar) because the dumper is Dependant on finding:
(4) .text/.text/.code/.code/etc sections in the executable
For delayed import targets
(3) for non delayed import targets.
If (3/4) sections are not found, then the executable may not be an activemark v6.2x application!!
* Note: also dependent on finding (2) .bss/bss sections in The executable! These sections are used for storing needed data To run dump successfully!

Limitations:
* In order to insure the stability of your dumped.exe, it may be necessary to manually hexedit the dumped file and insert an instruction which moves hi-values to a dword hi-value variable used in the gettickcount api within the 3rd layer (2nd .text) in the executable. Please refer to the tutorial on dumping and analyzing activemark v6.2x on the [arteam] tutorial
Link: http://arteam.accessroot.com/tutorials.html?fid=211

History:
--------------------------------------------
Amdumpv62 - version 2.2 (September 2008)
1. Updated arteam import rebuilder v1.2.1 (nacho_dj) for targets that don't use the delayed imports option

Amdumpv62 - version 2.0 (march 2008)
1. New noninvasive loader engine based on Deroko's nonintrusive loader (i.e. nodebug)
2. New arteam import rebuilder v1.1 (nacho_dj) for targets. That don't use the delayed imports option
3. New log progress and results of the dump process
4. Separate threads for main gui and process

Also listed in:

Process Dumpers

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

AMDUMPV66 V1.0

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

CondZero

Website:

http://www.accessroot.com/arteam/site/news.php

Current version:

v 1.0

Last updated:

January 18, 2011

Direct D/L link:

http://www.accessroot.com/arteam/site/download.php?view.230

License type:

Freeware

Description:

Amdumpv66 v1.0 - CondZero [ARTeam]
(see history below for details)

Note: This is a complete replacement for former AMDUMPV6.2!!

Tested under winxp sp3
Should work under w2k, wxp, Vista, Win 7 32 bit

Info:
* new noninvasive loader engine to run & dump activemark v6.2x - 6.6x
Targets.
* Drag & drop capability
* run program from its own folder, no need to copy
Amdumpv66 to target folder to run.
* amdumpv66 will dump activemark v6.2x - v6.6x executables for targets
with both delayed and non delayed imports. For targets with non delayed imports,
the built-in ARTeam ARImpRec (Import Rebuilder) will automatically fix any imports in the dumped file and append a '_' suffix to the end of the dumped file (i.e. dumped.exe >> dumped_.exe).

This program expects this suffix when appending the overlay data automatically for targets that don't use delayed imports. If using a different IAT rebuilding tool, it may be necessary to rename the resultant fixed dump file as described above, or the overlay data will not be appended automatically and you will be required to do this step manually.
* sometimes it may be necessary to view the sections in a pe editor
Program (i.e. lordpe or similar) because the dumper is
Dependent on finding:
(4) .text/.text/.code/.code/etc sections in the executable for delayed import targets and,
(3) .text/.text/.code/.code/etc sections for non delayed import targets.
If (3/4) sections are not found, then the executable may not
Be an Activemark v6.2x - 6.6x application!!

Limitations:
* in order to insure the stability of your dumped.exe, it may
be necessary to manually hexedit the dumped file and insert
an instruction which moves hi-values to a dword hi-value variable
used by the GetTickCount api within the 3rd layer (2nd .text)
in the executable. Please refer to the tutorial on dumping
and analyzing activemark v6.2x on the [arteam] tutorial
Link: http://arteam.accessroot.com/tutorials.html?fid=211

Disclaimer:
Not responsible for any damages that result from using this Tool!!

History:
--------------------------------------------
Amdumpv66 - version 1.0 (November 2010)
1. Updated ARTeam import rebuilder v1.7.5 (Nacho_dj) for targets
that don't use the delayed imports option
2. More elaborate search and replace scheme used for allocated and referenced
VM DWORDS used in the target process
3. Drag & drop AM protected executable file to application
4. Log file is saved to your target folder

Also listed in:

Process Dumpers

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

Armadillo 4.30a Dumping Script

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

Nieylana

Website:

N/A

Current version:

1.0

Last updated:

December 27, 2007

Direct D/L link:

Locally archived copy

License type:

Free

Description:

Run this script using the OllyScript plugin, will automatically patch the OutputDebugStringA exploit, the IsDebugger API, Prevents PE header destruction, Prevents IAT from being messed with, And dumps the file to 'C:\D_File_Unpacked.exe'

Note: I am not the original author, I simply took the Armadillo 4.30a script I had and added some features to it allowing it to produce a working dump by itself. Thanks to the original author.

Enjoy!

Also listed in:

OllyScript Scripts

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

CHimpREC

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

Sébastien Doucet (TiGa)

Website:

http://www.iitac.org

Current version:

ReCon Edition

Last updated:

June 23rd, 2008

Direct D/L link:

Locally archived copy

License type:

Freeware

Description:

CHimpREC: The Cheap Imports Reconstructor
by TiGa of ARTeam
IITAC (http://www.iitac.org)

This is the 32/64-bit imports rebuilder that I introduced at ReCon 2008 in Montreal.
Made for the best compatibility with WoW64 on x64-based Windows XP or Vista.

This is the same version that was used at the conference.
The first official release will come soon.

+Features
The first universal 64-bit imports rebuilder
32-bit version included
Interface similar to ImpREC
Integrated 32/64-bit process dumper
IAT AutoSearch from ImageBase or OEP
Unshuffle thunks function
Manual imports editor

-Limitations
No plugin support yet
No AutoTrace feature
No disassembler

The Visual Studio 2005 SP1 redistributable package might be necessary too:
x86:
http://www.microsoft.com/downloads/details.aspx?familyid=200b2fd9-ae1a-4a14-984d-389c36f85647&displaylang=en
x64:
http://www.microsoft.com/downloads/details.aspx?familyid=EB4EBE2D-33C0-4A47-9DD4-B9A6D7BD44DA&displaylang=en

Also listed in:

Dump Fixers, IAT Restore Tools, Import Editors, Process Dumpers, Unpacking Tools

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

MSIL Dumper

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

Kurapica

Website:

http://www.woodmann.com/forum/showthread.php?t=11809

Current version:

0.4

Last updated:

December 12, 2008

Direct D/L link:

Locally archived copy

License type:

Free

Description:

The idea of this tool is to achieve two objects:

1 - It will dump the body of every Method (Function, Procedure) called by the executable assembly you select, The dumping occurs whenever compiler enters that method, for example if you Click some button and this button calls method "CheckLicense" then you will find a file named "CheckLicense.txt" in the "\Dump" folder.

2 - It will show you in details the methods being called and also the modules that your application loads so it could be used as a simple tracing utility for .net assemblies.

I wrote this tool to help me rebuild assemblies protected with JIT hooking technique, those assemblies can't be explored in Reflector because their methods' body is encrypted and only decrypted in runtime when the method is called so you will see no code in reflector, I assumed that I will have access to the encrypted MSIL code of the methods using Profiling APIs, there was a 50% chance of success but it turned out to be only useful against certain protections like the one that LibX coded which depends on System.Reflection.Emit.DynamicMethod to excute protected methods.

you can find more on LibX protection here
hxxp://www.reteam.org/board/showthread.php?t=799

Also listed in:

.NET MSIL Dumpers, .NET Tracers, Tracers

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

mdmp

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

Vlad-Ioan Topan

Website:

http://code.google.com/p/mdmp/

Current version:

0.2.2

Last updated:

October 28, 2010

Direct D/L link:

http://code.google.com/p/mdmp/downloads/detail?name=mdmp-0.2.4-beta-binaries.zip

License type:

GPL

Description:

mdmp - open-source x86 memory/process (command-line) dumper with Python bindings

libmdmp is a C library designed to dump process memory on Windows.

mdmp.exe is a command-line tool exposing most functionality in libmdmp (process/stack/heap/random-mem-address dumping).

pymdmp.pyd is a Python wrapper (only built for 2.7 as of now, trivial to adapt to any 2.x) exposing the memory-dumping functionality in Python.

Example usage:

mdmp:
mdmp.exe /n:explo /e:kernel
- will dump all modules (DLLs) whose name contains "kernel" from all the processes whose name contains "explo"

pymdmp:
import pymdmp
lst = pymdmp.dump(pymdmp.SEL_BY_NAME, pymdmp.DUMP_IMAGE_BY_NAME, 0, processName="explo", moduleName="kernel")
- will return in lst a list of tuples (<process_name>, <PID>, <dump-start-address>, <dump-data>)

Delphi bindings are planned. Feedback is welcome @ vtopan/gmail.

Requires the VC 2005 runtime.

Also listed in:

Process Dumpers

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

OllyDumpEx

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

low_priority

Website:

http://low-priority.appspot.com/ollydumpex/

Current version:

0.90

Last updated:

August 24, 2011

Direct D/L link:

http://low-priority.appspot.com/ollydumpex/OllyDumpEx.zip

License type:

Free

Description:

This plugin is process memory dumper for OllyDbg and Immunity Debugger.
Very simple overview is
OllyDumpEx = OllyDump + PE Dumper - obsoluted + useful features
Features :
- OllyDbg version 2 plugin interface supported (EXPERIMENTAL)
- Select to dump debugee exe or loaded dll
- Dump any address space as section even if not in original section header
- Add dummy section to keep PE format consistency
- Fix RVA in DataDirectory to follow ImageBase change
- Auto calculate many parameters (RawSize, RawOffset, VirtualOffset, ...)

Also listed in:

OllyDbg Extensions, Process Dumpers

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

PEBrowse Professional

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

SmidgeonSoft

Website:

http://www.smidgeonsoft.prohosting.com/pebrowse-pro-file-viewer.html

Current version:

10.1.4

Last updated:

April 14, 2011

Direct D/L link:

http://www.smidgeonsoft.com/download/PEBrowse.zip

License type:

Free

Description:

PEBrowse Professional is a static-analysis tool and disassembler for Win32/Win64 executables and Microsoft .NET assemblies produced according to the Portable Executable specifications published by Microsoft. For Microsoft Windows Vista, Windows XP, Windows 2000, and others. (We have received reports that the software also works on other OSes, including Wine (!) and Windows CE.)

With the PEBrowse disassembler, one can open and examine any executable without the need to have it loaded as part of an active process with a debugger. Applications, system DLLs, device-drivers and Microsoft .NET assemblies are all candidates for offline analysis using PEBrowse. The information is organized in a convenient treeview index with the major divisions of the PE file displayed as nodes. In most cases selecting nodes will enable context-sensitive multiple view menu options, including binary dump, section detail, disassembly and structure options as well as displaying sub-items, such as optional header directory entries or exported functions, that can be found as part of a PE file unit. Several table displays, hex/ASCII equivalents, window messages and error codes, as well as a calculator and scratchpads are accessible from the main menu.

While the binary dump display offers various display options, e.g., BYTE, WORD, or DWORD alignment, the greatest value of PEBrowse comes when one disassembles an entry-point. An entry-point in PEBrowse is defined as:

* Module entry-point
* Exports (if any)
* Debug-symbols (if a valid PDB, i.e., program database file, is present)
* Imported API references
* Relocation addresses
* Internal functions/subroutines
* Any valid address inside of the module

Selecting and disassembling any number of these entry-points produces a versatile display rich in detail including upper/lowercase display, C/Pascal/Assembler suffix/prefixing, object code, color-coded statements, register usage highlighting, and jump/call target preview popups. Additional information, such as variable and function names, will also be present if one has access to a valid PDB file. Disassembly comes in two flavors: linear sweep (sequential disassembly from a starting address) and recursive traversal, aka, analysis mode (disassembly of all statements reachable by non-call statements - extended analysis disassembles all internal call statements as well). The latter mode also presents local variables with cross-referencing, highlighting, and renaming options. If one adds/changes variable name or adds comments to specific lines, these can be displayed in a session file which will record and save all currently opened displays.

PEBrowse Professional will decompile type library information either embedded inside of the binary as the resource "TYPELIB" or inside of individual type libraries, i.e., .TLB or .OLB files.

PEBrowse Professional also displays all metadata for .NET assemblies and displays IL (Intermediate Language) for .NET methods. It seamlessly handles mixed assemblies, i.e., those that contain both native and managed code.

Finally, PEBrowse can be employed as a file browse utility for any type of file with the restriction that the file must be small enough that it can be memory-mapped.

Also listed in:

.NET Disassemblers, .NET Tools, COM Tools, Delphi Tools, Disassemblers, Exe Analyzers

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

RE-Dump

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

SantMat

Website:

http://www.reteam.org/tools.html

Current version:

1.0

Last updated:

Direct D/L link:

Locally archived copy

License type:

Free

Description:

Process memory dumping utility

Also listed in:

(Not listed in any other category)

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

Scylla

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

Aguila

Website:

http://forum.tuts4you.com/forum/132-scylla-imports-reconstruction/

Current version:

0.5

Last updated:

October 17, 2011

Direct D/L link:

N/A

License type:

GNU GPL v3

Description:

Scylla is a Windows Import Table Reconstructor. It aims to be a replacement for ImpRec, keeping the best features and removing most of its limitations.

Key features:

- x64 and x86 support
- full unicode support
- written in C/C++
- plugin support, legacy support for ImpRec plugins
- process dumper, PE rebuilder
- dll injection
- works great with Windows 7
- open source

Current limitations:

- no autotrace

Also listed in:

Dump Fixers, IAT Restore Tools, Process Dumpers

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Feed containing all updates and additions for this category.