From Collaborative RCE Tool Library
Memory Dumpers
| Tool name: | radare |
| ||
|---|---|---|---|---|
| Author: | pancake | |||
| Website: | http://www.radare.org | |||
| Current version: | 1.4.1 | |||
| Last updated: | November 3, 2009 | |||
| Direct D/L link: | http://radare.nopcode.org/get/radare-1.4.1.tar.gz | |||
| License type: | GPL | |||
| Description: | <nowiki>The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with x86, arm and java with some ones powerpc. The core is a raw hexadecimal editor for commandline with scripting features and perl/python extensions that gets extended with IO plugins that hooks the open/read/write/close/system calls. The debugger and disassembler has a code analysis module for x86, mips, arm and java. This way it's possible to draw graphs using Cairo on a GTK window or store the flow execution of a program on a log file and use the information to diff't against another trace or binary. The toolchain provides assemblers and disasemblers for x86, arm, mips (Loongson2F), sparc, CSR, m68k, powerpc, msil and java. The disassembler has been enhaced to handle inline comments, code block detections and flag references (data pointers or so). The debugger is mainly developed on linux and {Net | |||
| Also listed in: | .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | SysAnalyzer |
| ||
|---|---|---|---|---|
| Author: | David Zimmer (iDefense Labs) | |||
| Website: | http://labs.idefense.com/files/labs/releases/previews/SysAnalyzer/ | |||
| Current version: | ||||
| Last updated: | January 19, 2007 | |||
| Direct D/L link: | http://labs.idefense.com/software/download/?downloadID=15 | |||
| License type: | GPL2 | |||
| Description: | SysAnalyzer is an automated malcode run time analysis application that monitors various aspects of system and process states. SysAnalyzer was designed to enable analysts to quickly build a comprehensive report as to the actions a binary takes on a system. SysAnalyzer can automatically monitor and compare: * Running Processes * Open Ports * Loaded Drivers * Injected Libraries * Key Registry Changes * APIs called by a target process * File Modifications * HTTP, IRC, and DNS traffic SysAnalyzer also comes with a ProcessAnalyzer tool which can perform the following tasks: * Create a memory dump of target process * parse memory dump for strings * parse strings output for exe, reg, and url references * scan memory dump for known exploit signatures Full GPL source for SysAnalyzer is included in the installation package. | |||
| Also listed in: | Disk Monitoring Tools, Registry Monitoring Tools, Network Monitoring Tools, Install Monitoring Tools, API Monitoring Tools, File Monitoring Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Explorer Suite |
| ||
|---|---|---|---|---|
| Author: | Daniel Pistelli | |||
| Website: | http://ntcore.com/exsuite.php | |||
| Current version: | III | |||
| Last updated: | August 19, 2009 | |||
| Direct D/L link: | http://ntcore.com/Files/ExplorerSuite.exe | |||
| License type: | Free | |||
| Description: | A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium. Features: * Process Viewer * Windows Viewer * PE and Memory Dumper * Full support for PE32/64 * Special fields description and modification (.NET supported) * PE Utilities * PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer) * View and modification of .NET internal structures * Resource Editor (full support for Windows Vista icons) * Support in the Resource Editor for .NET resources (dumpable as well) * Hex Editor * Import Adder * PE integrity checks * Extension support * Visual Studio Extensions Wizard * Powerful scripting language * Dependency Walker * Quick Disassembler (x86, x64) * Name Unmangler * Extension support * File Scanner * Directory Scanner * Deep Scan method * Recursive Scan method * Multiple results * Report generation * Signatures Manager * Signatures Updater * Signatures Collisions Checker * Signatures Retriever | |||
| Also listed in: | .NET Executable Editors, .NET Resource Editors, .NET Signature Removers, .NET Tools, Dependency Analyzer Tools, Exe Analyzers, Executable CRC Calculators, Hex Editors, Import Editors, PE Executable Editors, Process Dumpers, Protection Identifiers, Resource Editors | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | LordPE |
| ||
|---|---|---|---|---|
| Author: | y0da | |||
| Website: | N/A | |||
| Current version: | 1.41 (Deluxe b) | |||
| Last updated: | September 30, 2009 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | LordPE is a tool e.g. for system programmers which is able to edit/view many parts of PE (Portable Executable) files, dump them from memory, optimize them, validate, analyze, edit,... Main features: * Task viewer/dumper * Huge PE editor (with big ImportTable viewer, ...) * Break'n'Enter (break at the EntryPoint of dll or exe files) * PE Rebuilder News: * The first GUI PE editor in the world supporting the new PE32+ (64bit) format ?! (only editing support - no rebuilding, dumping, comparing etc.) * New plugin interface added! You can develop LordPE Dump Engines (LDE) now. Look at \Docs\LDE.tXt for more information. * Added LDE: IntelliDump which can dump .NET CLR processes * Added structure lister for SectionHeaderTable, PE headers and DataDirectories (the "L" buttons) * Added hex edit buttons (the "H" buttons) in the DataDirectoryTable viewer * Added PE.OptionalHeader.Magic and PE.OptionalHeader.NumberOfRvaAndSizes to the PE editor * TLSTable DataDirectory is now editable * Possibility to increment/decrement the number of DataDirectories added * Etc etc etc... | |||
| Also listed in: | Dump Fixers, Import Editors, PE Executable Editors, Process Dumpers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Memoryze |
| ||
|---|---|---|---|---|
| Author: | Mandiant | |||
| Website: | http://www.mandiant.com/software/memoryze.htm | |||
| Current version: | ||||
| Last updated: | ||||
| Direct D/L link: | N/A | |||
| License type: | Free | |||
| Description: | MANDIANT Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems can include the paging file in its analysis. MANDIANT Memoryze can: * image the full range of system memory (not reliant on API calls). * image a process’ entire address space to disk. This includes a process’ loaded DLLs, EXEs, heaps, and stacks. * image a specified driver or all drivers loaded in memory to disk. * enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can: o report all open handles in a process (for example, all files, registry keys, etc.). o list the virtual address space of a given process including: + displaying all loaded DLLs. + displaying all allocated portions of the heap and execution stack. o list all network sockets that the process has open, including any hidden by rootkits. o output all strings in memory on a per process basis. * identify all drivers loaded in memory, including those hidden by rootkits. * report device and driver layering, which can be used to intercept network packets, keystrokes and file activity. * identify all loaded kernel modules by walking a linked list. * identify hooks (often used by rootkits) in the System Call Table, the Interrupt Descriptor Tables (IDTs), and driver function tables (IRP tables). MANDIANT Memoryze can perform all these functions on live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools. | |||
| Also listed in: | Kernel Hook Detection Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | WinHex |
| ||
|---|---|---|---|---|
| Author: | Stefan Fleischmann | |||
| Website: | http://www.x-ways.net/winhex | |||
| Current version: | 15.4 SR-5 | |||
| Last updated: | August 30, 2009 | |||
| Direct D/L link: | http://www.x-ways.net/winhex.zip | |||
| License type: | Shareware | |||
| Description: | WinHex is in its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. An advanced tool for everyday and emergency use: inspect and edit all kinds of files, recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards. Features include (depending on the license type): * Disk editor for hard disks, floppy disks, CD-ROM & DVD, ZIP, Smart Media, Compact Flash, ... * Native support for FAT, NTFS, Ext2/3, ReiserFS, Reiser4, UFS, CDFS, UDF * Built-in interpretation of RAID systems and dynamic disks * Various data recovery techniques * RAM editor, providing access to physical RAM and other processes' virtual memory * Data interpreter, knowing 20 data types * Editing data structures using templates (e.g. to repair partition table/boot sector) * Concatenating and splitting files, unifying and dividing odd and even bytes/words * Analyzing and comparing files * Particularly flexible search and replace functions * Disk cloning (under DOS with X-Ways Replica) * Drive images & backups (optionally compressed or split into 650 MB archives) * Programming interface (API) and scripting * 256-bit AES encryption, checksums, CRC32, hashes (MD5, SHA-1, ...) * Erase (wipe) confidential files securely, hard drive cleansing to protect your privacy * Import all clipboard formats, incl. ASCII hex values * Convert between binary, hex ASCII, Intel Hex, and Motorola S * Character sets: ANSI ASCII, IBM ASCII, EBCDIC, (Unicode) * Instant window switching. Printing. Random-number generator. * Supports files >4 GB. Very fast. Easy to use. Extensive online help. | |||
| Also listed in: | Binary Diff Tools, Hex Editors, Memory Patchers, Memory Search Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | ImpREC |
| ||
|---|---|---|---|---|
| Author: | MackT | |||
| Website: | http://www.tuts4you.com/forum/index.php?showtopic=6410 | |||
| Current version: | Official version 1.6 - Unofficial version with misc. fixes 1.7c | |||
| Last updated: | March 10, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | The world's most famous IAT rebuilder tool. NOTE: The last official version from MackT is still 1.6. The 1.7a update is a third-party patched version of 1.6, which contains the following patches: - Fixed RestoreLastError API set to SetLastError for WinXP/Vista compatibility (MaRKuS_TH-DJM) - user32.dll is always read from the system, prevents a crash from corrupted PE of user32.dll (MaRKuS_TH-DJM) - Latest version of psapi.dll (6.0.6000.16386) included - Fixed Vista64 crash bug (jstorme) - GUI modified and improved (based upon Fly's modification) - Updated/corrected plugins and deleted dups v. 1.7a added the following fixes: - Misc - Fixed Win2K crash, AllocConsole was replaced with ActivateActCtx (jstorme) Because of this, the local download here contains both the last official version 1.6, and the last unofficial patch, 1.7a. In addition to that, it also contains a big bunch of plugins, and also source code for many of these plugins (in all well-known programming languages, which is good for use as templates for new plugins etc). Changes in Version 1.7b: - Misc - Fixed invalid API bug in user32.dll on Windows 98 (jstorme) - Modified code to improve support for discardable/unreadable sections (jstorme) - Fixed ImageBase problem with DLL's when "Use PE Header from Disk" is checked (jstorme) - Added an "ImpREC Classic" looking version Changes in 1.7c: - Fixed bug introduced in 1.7b when DLL's have discardable sections (jstorme) | |||
| Also listed in: | IAT Restore Tools, Process Dumpers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | AMDUMPV6.2 |
| ||
|---|---|---|---|---|
| Author: | CondZero | |||
| Website: | http://arteam.accessroot.com | |||
| Current version: | 2.2 | |||
| Last updated: | September 18th, 2008 | |||
| Direct D/L link: | http://arteam.accessroot.com/releases.html?fid=3 | |||
| License type: | Free / Open Source | |||
| Description: | The archive includes full sources and two tutorials. Note: the included pdf overview (from previous release). Still applies to this version with the caveat that import rebuilding is. Included in this release for targets that don't use the delayed import Option!! Info: * New noninvasive loader engine to run & dump activemark v6.2x targets. * Run program from its own folder, no need to copy Amdumpv62 to target folder to run. * Amdumpv62 will dump activemark v6.2x executables and, if necessary, Rebuild imports automatically for targets with delayed imports not enabled and finally append the overlay data to the end of the dumped file. Special note: * The import rebuilder will append an '_' suffix to the end of the dumped File. (i.e. dumped.exe >> dumped_.exe similar to imprec). In these cases, the overlay data will be appended to the new dump name Automatically. * Sometimes it may be necessary to view the sections in a pe editor Program (i.e. lordpe or similar) because the dumper is Dependant on finding: (4) .text/.text/.code/.code/etc sections in the executable For delayed import targets (3) for non delayed import targets. If (3/4) sections are not found, then the executable may not be an activemark v6.2x application!! * Note: also dependent on finding (2) .bss/bss sections in The executable! These sections are used for storing needed data To run dump successfully! Limitations: * In order to insure the stability of your dumped.exe, it may be necessary to manually hexedit the dumped file and insert an instruction which moves hi-values to a dword hi-value variable used in the gettickcount api within the 3rd layer (2nd .text) in the executable. Please refer to the tutorial on dumping and analyzing activemark v6.2x on the [arteam] tutorial Link: http://arteam.accessroot.com/tutorials.html?fid=211 History: -------------------------------------------- Amdumpv62 - version 2.2 (September 2008) 1. Updated arteam import rebuilder v1.2.1 (nacho_dj) for targets that don't use the delayed imports option Amdumpv62 - version 2.0 (march 2008) 1. New noninvasive loader engine based on Deroko's nonintrusive loader (i.e. nodebug) 2. New arteam import rebuilder v1.1 (nacho_dj) for targets. That don't use the delayed imports option 3. New log progress and results of the dump process 4. Separate threads for main gui and process | |||
| Also listed in: | Process Dumpers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Armadillo 4.30a Dumping Script |
| ||
|---|---|---|---|---|
| Author: | Nieylana | |||
| Website: | N/A | |||
| Current version: | 1.0 | |||
| Last updated: | December 27, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | Run this script using the OllyScript plugin, will automatically patch the OutputDebugStringA exploit, the IsDebugger API, Prevents PE header destruction, Prevents IAT from being messed with, And dumps the file to 'C:\D_File_Unpacked.exe' Note: I am not the original author, I simply took the Armadillo 4.30a script I had and added some features to it allowing it to produce a working dump by itself. Thanks to the original author. Enjoy! | |||
| Also listed in: | OllyScript Scripts | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | CHimpREC |
| ||
|---|---|---|---|---|
| Author: | Sébastien Doucet (TiGa) | |||
| Website: | http://www.iitac.org | |||
| Current version: | ReCon Edition | |||
| Last updated: | June 23rd, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Freeware | |||
| Description: | CHimpREC: The Cheap Imports Reconstructor by TiGa of ARTeam IITAC (http://www.iitac.org) This is the 32/64-bit imports rebuilder that I introduced at ReCon 2008 in Montreal. Made for the best compatibility with WoW64 on x64-based Windows XP or Vista. This is the same version that was used at the conference. The first official release will come soon. +Features The first universal 64-bit imports rebuilder 32-bit version included Interface similar to ImpREC Integrated 32/64-bit process dumper IAT AutoSearch from ImageBase or OEP Unshuffle thunks function Manual imports editor -Limitations No plugin support yet No AutoTrace feature No disassembler The Visual Studio 2005 SP1 redistributable package might be necessary too: x86: http://www.microsoft.com/downloads/details.aspx?familyid=200b2fd9-ae1a-4a14-984d-389c36f85647&displaylang=en x64: http://www.microsoft.com/downloads/details.aspx?familyid=EB4EBE2D-33C0-4A47-9DD4-B9A6D7BD44DA&displaylang=en | |||
| Also listed in: | Dump Fixers, IAT Restore Tools, Import Editors, Process Dumpers, Unpacking Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | MSIL Dumper |
| ||
|---|---|---|---|---|
| Author: | Kurapica | |||
| Website: | http://www.woodmann.com/forum/showthread.php?t=11809 | |||
| Current version: | 0.4 | |||
| Last updated: | December 12, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | The idea of this tool is to achieve two objects: 1 - It will dump the body of every Method (Function, Procedure) called by the executable assembly you select, The dumping occurs whenever compiler enters that method, for example if you Click some button and this button calls method "CheckLicense" then you will find a file named "CheckLicense.txt" in the "\Dump" folder. 2 - It will show you in details the methods being called and also the modules that your application loads so it could be used as a simple tracing utility for .net assemblies. I wrote this tool to help me rebuild assemblies protected with JIT hooking technique, those assemblies can't be explored in Reflector because their methods' body is encrypted and only decrypted in runtime when the method is called so you will see no code in reflector, I assumed that I will have access to the encrypted MSIL code of the methods using Profiling APIs, there was a 50% chance of success but it turned out to be only useful against certain protections like the one that LibX coded which depends on System.Reflection.Emit.DynamicMethod to excute protected methods. you can find more on LibX protection here hxxp://www.reteam.org/board/showthread.php?t=799 | |||
| Also listed in: | .NET MSIL Dumpers, .NET Tracers, Tracers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | PEBrowse Professional |
| ||
|---|---|---|---|---|
| Author: | SmidgeonSoft | |||
| Website: | http://www.smidgeonsoft.prohosting.com/pebrowse-pro-file-viewer.html | |||
| Current version: | 10.0.1 | |||
| Last updated: | July 12, 2009 | |||
| Direct D/L link: | http://www.smidgeonsoft.com/download/PEBrowse.zip | |||
| License type: | Free | |||
| Description: | PEBrowse Professional is a static-analysis tool and disassembler for Win32/Win64 executables and Microsoft .NET assemblies produced according to the Portable Executable specifications published by Microsoft. For Microsoft Windows Vista, Windows XP, Windows 2000, and others. (We have received reports that the software also works on other OSes, including Wine (!) and Windows CE.) With the PEBrowse disassembler, one can open and examine any executable without the need to have it loaded as part of an active process with a debugger. Applications, system DLLs, device-drivers and Microsoft .NET assemblies are all candidates for offline analysis using PEBrowse. The information is organized in a convenient treeview index with the major divisions of the PE file displayed as nodes. In most cases selecting nodes will enable context-sensitive multiple view menu options, including binary dump, section detail, disassembly and structure options as well as displaying sub-items, such as optional header directory entries or exported functions, that can be found as part of a PE file unit. Several table displays, hex/ASCII equivalents, window messages and error codes, as well as a calculator and scratchpads are accessible from the main menu. While the binary dump display offers various display options, e.g., BYTE, WORD, or DWORD alignment, the greatest value of PEBrowse comes when one disassembles an entry-point. An entry-point in PEBrowse is defined as: * Module entry-point * Exports (if any) * Debug-symbols (if a valid PDB, i.e., program database file, is present) * Imported API references * Relocation addresses * Internal functions/subroutines * Any valid address inside of the module Selecting and disassembling any number of these entry-points produces a versatile display rich in detail including upper/lowercase display, C/Pascal/Assembler suffix/prefixing, object code, color-coded statements, register usage highlighting, and jump/call target preview popups. Additional information, such as variable and function names, will also be present if one has access to a valid PDB file. Disassembly comes in two flavors: linear sweep (sequential disassembly from a starting address) and recursive traversal, aka, analysis mode (disassembly of all statements reachable by non-call statements - extended analysis disassembles all internal call statements as well). The latter mode also presents local variables with cross-referencing, highlighting, and renaming options. If one adds/changes variable name or adds comments to specific lines, these can be displayed in a session file which will record and save all currently opened displays. PEBrowse Professional will decompile type library information either embedded inside of the binary as the resource "TYPELIB" or inside of individual type libraries, i.e., .TLB or .OLB files. PEBrowse Professional also displays all metadata for .NET assemblies and displays IL (Intermediate Language) for .NET methods. It seamlessly handles mixed assemblies, i.e., those that contain both native and managed code. Finally, PEBrowse can be employed as a file browse utility for any type of file with the restriction that the file must be small enough that it can be memory-mapped. | |||
| Also listed in: | .NET Disassemblers, .NET Tools, COM Tools, Delphi Tools, Disassemblers, Exe Analyzers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | RE-Dump |
| ||
|---|---|---|---|---|
| Author: | SantMat | |||
| Website: | http://www.reteam.org/tools.html | |||
| Current version: | 1.0 | |||
| Last updated: | ||||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | Process memory dumping utility | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
Feed containing all updates and additions for this category.
Feed containing all updates and additions for this category, including sub-categories.
