From Collaborative RCE Tool Library


Monitoring Tools


Tool name: Memory Hacking Software
Rating: 5.0 (1 vote)
Author: L. Spiro
Website: http://www.memoryhacking.com
Current version: 4.017
Last updated: April 24, 2008
Direct D/L link: http://mhs.mpcforum.com/MHS4.017.rar
License type: Free
Description: Highly advanced software for memory search/analysis and trainer creation. Recommended!

MHS 4.017 (bundle):
Bundle includes MHS.exe, zlib1.dll, MHS Help.chm, and ChangeLog.txt.
Also listed in: Memory Data Tracing Tools, Memory Search Tools, Trainer Generators



Tool name: Process Explorer
Rating: 5.0 (2 votes)
Author: Mark Russinovich
Website: http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx
Current version: 11.04
Last updated: November 5, 2007
Direct D/L link: http://download.sysinternals.com/Files/ProcessExplorer.zip
License type: Free
Description: The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.
Also listed in: Process Monitoring Tools



Tool name: Wireshark
Rating: 5.0 (3 votes)
Author: Gerald Combs
Website: http://www.wireshark.org
Current version: 0.99.8
Last updated: February 27, 2008
Direct D/L link: http://wireshark.osmirror.nl/download/win32/wireshark-setup-0.99.7.exe
License type: Free / Open Source
Description: Wireshark (previously Ethereal) is the world's foremost network protocol analyzer, and is the standard in many industries.

It is the continuation of a project that started in 1998. Hundreds of developers around the world have contributed to it, and it is still under active development.

Wireshark has a rich feature set which includes the following:

* Hundreds of protocols are supported, with more being added all the time
* Live capture and offline analysis are supported
* Standard three-pane packet browser
* Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
* Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
* The most powerful display filters in the industry
* Rich VoIP analysis
* Read/write many different capture file formats: tcpdump (libpcap), Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
* Capture files compressed with gzip can be decompressed on the fly
* Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
* Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
* Coloring rules can be applied to the packet list, which eases analysis
* Output can be exported to XML, PostScript®, CSV, or plain text
Also listed in: Network Sniffers



Tool name: DebugView
Rating: 4.0 (1 vote)
Author: Mark Russinovich
Website: http://www.microsoft.com/technet/sysinternals/Miscellaneous/DebugView.mspx
Current version: 4.71
Last updated: August 20, 2007
Direct D/L link: N/A
License type: Free
Description: DebugView is an application that lets you monitor debug output on your local system, or any computer on the network that you can reach via TCP/IP. It is capable of displaying both kernel-mode and Win32 debug output, so you don't need a debugger to catch the debug output your applications or device drivers generate, nor do you need to modify your applications or drivers to use non-standard debug output APIs.
Also listed in: Debug Output Monitoring Tools



Tool name: ADInsight
Rating: 0.0 (0 votes)
Author: Bryce Cogswell & Mark Russinovich
Website: http://www.microsoft.com/technet/sysinternals/utilities/adinsight.mspx
Current version: 1.01
Last updated: November 20, 2007
Direct D/L link: N/A
License type: Free
Description: ADInsight is an LDAP (Lightweight Directory Access Protocol) real-time monitoring tool aimed at troubleshooting Active Directory client applications. Use its detailed tracing of Active Directory client-server communications to solve Windows authentication, Exchange, DNS, and other problems.

ADInsight uses DLL injection techniques to intercept the calls that applications make into the Wldap32.dll library, which is the standard library underlying Active Directory APIs such as LDAP and ADSI. Unlike network monitoring tools, ADInsight intercepts and interprets all client-side API calls, including those that do not result in transmission to a server. ADInsight monitors any process into which it can load its tracing DLL, which means that it does not require administrative permissions; however, if run with administrative rights, it will also monitor system processes, including Windows services.

ADInsight works on Windows 2000 and higher.
Also listed in: Active Directory Monitoring Tools



Tool name: APIScan
Rating: 0.0 (0 votes)
Author: Sirmabus
Website: http://www.openrce.org/forums/posts/456
Current version: 2.2
Last updated: April 28, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: APIScan is a simple tool to gather a list of the APIs that a target process uses.

You can use this list in an initial analysis to help determine a target's general operating nature. It can also be used to help determine patch/update changes by doing a WinDiff on a "before" and "after" dump.

There are similar tools, often more robust (like "Dependency Walker"), but most of these just parse the target's IAT ("Import Address Table") alone. APIScan catches dynamically/delay-loaded modules too, and dumps them as a simple list.

Example dump for a module:

Library Flags Function
====================================
-- COMCTL32.DLL
[I...] ImageList_Add
[I...] ImageList_Create
[I...] ImageList_Destroy
[I.O.] InitCommonControls
[.D..] InitCommonControlsEx
[.D.F] ImNotHere
...
...

Explanation:
APIScan saw that "COMCTL32.DLL" is loaded as an import via the IAT, and it also caught it being loaded dynamically for "InitCommonControlsEx". That's the 'D' flag in "[.D..] InitCommonControlsEx". The 'F' in "[.D.F] ImNotHere" means that the application failed in one or more attempts to dynamically load (from the 'D') "ImNotHere", since this export doesn't exist in "COMCTL32.DLL". In "[I.O.] InitCommonControls", the 'I' tells us this API is in the IAT, and the 'O' tells us it was imported by ordinal.
Note that an API can carry both the 'I' and 'D' flags (as well as 'O', and 'F' if there is a 'D'), since an application can have it in its IAT and also load it dynamically (with "GetProcAddress()").

Changes:
--------
2.2 Got rid of the index numbers around the DLL and API dumps, which made WinDiff'ing a mess.


TODO:
1. Add intra-module support.
APIScan could parse the IATs of modules/DLLs and optionally filter out GetProcAddress() calls made within modules for better focus.
2. Optional real-time output to DBGVIEW.
Also listed in: API Monitoring Tools, Dependency Analyzer Tools



Tool name: All-Seeing Eye
Rating: 0.0 (0 votes)
Author: Fortego Security
Website: http://www.fortego.com/en/ase.html
Current version: 0.7.1
Last updated: 2007
Direct D/L link: http://www.fortego.com/resources/ase071.zip
License type: Free
Description: Tool for automated diff-style checking of many sensitive system areas that malware and other programs often try to modify silently. Like Tripwire on speed.
Also listed in: File System Diff Tools, Install Monitoring Tools, Registry Monitoring Tools, System Diff Tools



Tool name: Auto Debug
Rating: 2.0 (1 vote)
Author:
Website: http://www.autodebug.com
Current version: 4.3
Last updated: 2007
Direct D/L link: N/A
License type: Shareware
Description: Auto Debug is an API monitor tool which can automatically trace all APIs and ActiveX interfaces, together with their input and output parameters. After setting the APIs which you want to monitor, this application will automatically trace the target program and monitor the inputs and outputs of the calls. It analyses PDB files automatically while monitoring any DLL and ActiveX interface.

Unlike other API spy or API monitor tools, Auto Debug doesn't need the user to develop any DLL or hook DLL. It's easy to use --- only set the APIs which you want to monitor to ON; once the target application runs and calls these APIs, it will monitor their input and output parameters automatically! There is no need to develop any DLL; once the software is installed, you can start to monitor APIs right away!

If you have the API prototype (often from the .h file), you can easily build the PDB file without the original source. For example, a sample for generating the comdlg32.dll PDB file can be found at ($InstallPath\PDBsample). --- (needs the Professional Version, which also generates PDB files for over 30 Windows system DLLs).

News: Auto Debug for Windows x64 version is available.

Features

It doesn't need the source code to be rebuilt while it automatically monitors the input parameters and output results of the traced APIs in the target program; it only monitors the input and output of the APIs.

* Source code level monitor (new in Professional V4.1).
* Automatic analysis of parameter types with PDB files (new in V4.0). Support for Visual Studio 2005, Visual Studio .NET 2003 and Visual C++ 6.0.
* Very easy to generate PDB files without source code if you know the API prototype (new in Professional V4.0).
* Tracing your application in its release version.
* The best API monitor tool.
* Tracing the release version with a map file.
* Supports Debug and Release versions; no source code needed.
* Supports tracing COM interfaces.
* Supports multithreading.
* No need to know the prototypes of the functions.
* Traces not only exported APIs but also undocumented APIs.
Also listed in: API Monitoring Tools



Tool name: BoundsChecker
Rating: 0.0 (0 votes)
Author: Compuware
Website: http://www.compuware.com/products/devpartner/visualc.htm
Current version:
Last updated:
Direct D/L link: N/A
License type: Commercial
Description: Among many things, BoundsChecker is actually a pretty decent API monitor/logger.
Also listed in: API Monitoring Tools



Tool name: busTRACE
Rating: 0.0 (0 votes)
Author: busTRACE Technologies
Website: http://www.bustrace.com
Current version: 7.0.035
Last updated: January 17, 2008
Direct D/L link: N/A
License type: Commercial
Description: busTRACE 7.0 is a comprehensive bus and device analysis tool in use by leading system OEMs, peripheral OEMs, software developers, USB developers, and storage developers all over the world. busTRACE 7.0 provides a suite of applications designed to help you perform advanced bus and device analysis.

* Capture I/O Activity
- Capture I/O activity on local or remote computers
- Allow remote busTRACE users to capture I/O activity

* Generate I/O Activity
- Send a single CDB to a storage device
- Send a sequence of CDBs to a storage device
- Perform a read/write/compare stress test
- View ATA/ATAPI Identify information

* Simulate Device Faults
- Simulate a failure on one or more specified devices

* Additional Tools
- View Device Command Descriptor Blocks
- View Device Sense Codes
- CD/DVD Exclusive Access Status
Also listed in: Bus Monitoring Tools



Tool name: CFSearch
Rating: 0.0 (0 votes)
Author: Sirmabus
Website: http://www.woodmann.com/forum/showthread.php?t=11306&page=2
Current version: 1.0A
Last updated: February 15, 2008
Direct D/L link: N/A
License type: Free
Description: Extremely cool tracer tool that makes use of the "single step on branch" and LBR ("last branch recording") features of current processors.

Not released yet, but we're awaiting it with great anticipation!
Also listed in: Tracers, Code Coverage Tools, Profiler Tools



Tool name: Cheat 'O Matic
Rating: 1.0 (1 vote)
Author: Nick Shaffner
Website: http://www.geocities.com/TimesSquare/Dungeon/5633
Current version: 0.99a
Last updated: 1997
Direct D/L link: http://bunnzy.oldgamemusic.com/files/extras/apps/cheatomatic099.zip
License type: Freeware
Description: Cheat 'O Matic is an EXTREMELY easy to use UNIVERSAL cheating program designed to allow you to automatically cheat on ANY game (or other program) that will run on Windows '95, '98 and 'NT (including DOS, Windows 3.1, Windows '95, Windows '98 and Windows 'NT games) - as the game actually runs! Additionally, Cheat 'O Matic allows you to cheat on programs that don't have cheat codes, or in completely different ways that cheat codes may not exist for, and perhaps the game's programmers never intended
Also listed in: Memory Data Tracing Tools, Memory Search Tools



Tool name: Conditional Branch Logger
Rating: 0.0 (0 votes)
Author: Blabberer / dELTA / Kayaker
Website: N/A
Current version: 1.0
Last updated: June 13, 2007
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Conditional Branch Logger is a plugin which gives control and logging capabilities for conditional branch instructions over the full user address space of a process. Useful for execution path analysis and finding differences in code flow as a result of changing inputs or conditions. It is also possible to log conditional jumps in system dlls before the Entry Point of the target is reached. Numerous options are available for fine tuning the logging ranges and manipulating breakpoints.
Also listed in: Code Coverage Tools, OllyDbg Extensions, Profiler Tools, Tracers



Tool name: Detours
Rating: 5.0 (1 vote)
Author: Microsoft
Website: http://research.microsoft.com/sn/detours
Current version: 2.1
Last updated: 2007
Direct D/L link: N/A
License type: Free
Description: Innovative systems research hinges on the ability to easily instrument and extend existing operating system and application functionality. With access to appropriate source code, it is often trivial to insert new instrumentation or extensions by rebuilding the OS or application. However, in today's world systems researchers seldom have access to all relevant source code.

Detours is a library for instrumenting arbitrary Win32 functions on x86, x64, and IA64 machines. Detours intercepts Win32 functions by re-writing the in-memory code for target functions. The Detours package also contains utilities to attach arbitrary DLLs and data segments (called payloads) to any Win32 binary.

Detours preserves the un-instrumented target function (callable through a trampoline) as a subroutine for use by the instrumentation. Our trampoline design enables a large class of innovative extensions to existing binary software.

We have used Detours to create an automatic distributed partitioning system, to instrument and analyze the DCOM protocol stack, and to create a thunking layer for a COM-based OS API. Detours is used widely within Microsoft and within the industry.

Detours 2.1 is now available. Detours 2.1 includes the following new features:

* Complete documentation of the Detours API.
* Transactional model for attaching and detaching detours.
* Support for updating peer threads when attaching or detaching detours.
* Unification of dynamic and static detours into a single API.
* Support for detection of detoured processes.
* Significant robustness improvements in APIs that start a process with a DLL containing detour functions.
* New APIs to copy payloads into target processes.
* Support for 64-bit code on x64 and IA64 processors (available in Professional edition only).
* Supports building detours with Visual Studio 2005, Visual Studio .NET 2003, Visual Studio .NET (VC8), and Visual Studio (VC7).
Also listed in: API Monitoring Tools, Code Injection Tools



Tool name: DiskMon
Rating: 0.0 (0 votes)
Author: Mark Russinovich
Website: http://www.microsoft.com/technet/sysinternals/FileAndDisk/Diskmon.mspx
Current version: 2.01
Last updated: November 1, 2006
Direct D/L link: N/A
License type: Free
Description: DiskMon is an application that logs and displays all hard disk activity on a Windows system. You can also minimize DiskMon to your system tray where it acts as a disk light, presenting a green icon when there is disk-read activity and a red icon when there is disk-write activity.
Also listed in: Disk Monitoring Tools



Tool name: Dream of every reverser
Rating: 0.0 (0 votes)
Author: deroko of ARTeam
Website: http://deroko.phearless.org
Current version: public
Last updated: May 6, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: Engine used to perform a stealth memory trace of a target. The public version only supports tracing of EIP within a certain range. To compile the source you will need the DDK.

It supports MP and Win2k/WinXP. Systems running KAV are not supported, as KAV installs a hook in SwapContext, which is essential for this tracer.

Technical aspects:
1. Hooks int 0e and int 01
2. Hooks SwapContext
3. Installs ProcessNotifyRoutine

Due to the nature of paged memory in r3, there are 2 ways of tracing: using the U/S flag, and using the P bit in the PTE. Both cases are handled, and both support PAE and non-PAE addressing modes. The role of SwapContext is to set breaks on the given range when the traced process is about to execute. The role of the notify routine is to stop the tracer if the traced program exits for any reason during tracing.

When the good range is hit, the tracer will automatically stop, and you will see in DebugView or DbgMon when EIP is in the good range.
Also listed in: Technical PoC Tools, Tracers



Tool name: DynLogger
Rating: 0.0 (0 votes)
Author: Daniel Pistelli
Website: http://ntcore.com/dynlogger.php
Current version: 1.1.0.1
Last updated: April 14, 2008
Direct D/L link: http://ntcore.com/Files/DynLogger_x86.zip
License type: Free
Description: DynLogger logs all dynamically retrieved functions by reporting the module name and the requested function. It can come very handy when one wants to know a "hidden" function used by an application. It also logs the loaded modules.

Download the x64 version of DynLogger only if the process is not an x86 process. In all other cases download the x86 version.

I recycled the code of a bigger project to write this little application. It's a very small utility, but it might be of use after all. It was tested on XP and Vista, both x86 and x64. It works for .NET applications as well. Just start the logging process; the log will be saved after you quit the monitored application.
Also listed in: API Monitoring Tools



Tool name: ERESI Framework
Rating: 0.0 (0 votes)
Author: The ERESI Project
Website: http://www.eresi-project.org
Current version: 0.8a23
Last updated: November 30, 2007
Direct D/L link: N/A
License type: Free / Open Source
Description: The ERESI Reverse Engineering Software Interface is a unified multi-architecture binary analysis framework targeting operating systems based on the Executable & Linking Format (ELF) such as Linux, *BSD, Solaris, HP-UX, IRIX and BeOS.

ERESI is a general-purpose hybrid framework: it includes both static analysis and runtime analysis capabilities. These features are accessed through primitives of the ERESI reverse engineering language, which makes the framework adaptable to the precise needs of its users. It provides an environment of choice for program analysis through instrumentation, debugging, and tracing, and it also provides more than ten exclusive major built-in features. ERESI can also be used for security auditing, hooking, integrity checking or logging of binary programs. The project promotes modularity and reusability of code and allows users to create their own project on top of the ERESI language interpreter in just a few lines. Among other features, the base code can display program graphs on demand using its automated flow analysis primitives. Our tools are enhanced for hardened or raw systems which have no executable data segments and no native debug API or even explicit program information.

The ERESI framework includes:

* The ELF shell (elfsh), an interactive and scriptable ERESI interpreter dedicated to instrumentation of ELF binary files.
* The Embedded ELF debugger (e2dbg), an interactive and scriptable high-performance userland debugger that works without standard debug API (namely without ptrace).
* The Embedded ELF tracer (etrace), an interactive and scriptable userland tracer that works at full frequency of execution without generating traps.
* The Kernel shell (kernsh), an interactive and scriptable userland ERESI interpreter to inject code and data in the OS kernel, but also infer, inspect and modify kernel structures directly in the ERESI language.
* The Evarista static analyzer, a work-in-progress ERESI interpreter for program transformation and data-flow analysis of binary programs, implemented directly in the ERESI language (no web page yet).

Beside those top-level components, the ERESI framework contains various libraries that can be used from one of the previously mentioned tools, or in a standalone third-party program:

* libelfsh: the binary manipulation library on which ELFsh, E2dbg, and Etrace are based.
* libe2dbg: the embedded debugger library which operates from inside the debuggee program.
* libasm: the disassembly engine (x86 and sparc) that gives semantic attributes to instructions and operands.
* libmjollnir: the code fingerprinting and graph manipulation library.
* librevm: the Reverse Engineering Vector Machine, which contains the meta-language interpreter and the standard ERESI library.
* libaspect: the type system and aspect library. It can define complex data types to be manipulated ad hoc by ERESI programs.
* libedfmt: the ERESI debug format library, which can convert DWARF and stabs debug formats to the ERESI debug format by automatically generating new ERESI types.
Also listed in: Reverse Engineering Frameworks, Linux Debuggers, Linux Disassemblers, Tracers, Code Injection Tools



Tool name: Efilter
Rating: 0.0 (0 votes)
Author: Piotr Bania
Website: N/A
Current version: 1.0
Last updated: August 14, 2005
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Efilter is an automatic exception reporting utility. It is very useful and handy while doing vulnerability research on any software designed to work under Windows NT platforms. Because it hooks the KiUserExceptionDispatcher function, it acts BEFORE any of the program's active SEH frames take over the exception. In short, it reports a program's exceptions even if they are handled by the original program.

Here is a sample screenshot:
- http://pb.specialised.info/all/efilter/efilter.jpg

Since it uses debug messages, it requires the DebugView utility to show the output messages. (download from: http://www.sysinternals.com)
Also listed in: Exception Monitoring Tools



Tool name: ExcpHook
Rating: 0.0 (0 votes)
Author: Gynvael Coldwind
Website: http://vexillium.org/?sec
Current version: 0.0.4
Last updated: January 22, 2008
Direct D/L link: http://vexillium.org/dl.php?excphook004
License type: Free / Open Source
Description: The source code / binary is also available as a part of http://code.google.com/p/openrce-snippets/

ExcpHook is an open source (see license.txt) Exception Monitor for Windows made by Gynvael Coldwind (Team Vexillium).
Currently supported Windows versions: XP SP2
Please note that this is an ALPHA version.

It uses a ring0 driver to hook the KiExceptionDispatch procedure to detect the exceptions, and then shows information about the exception on stdout (using the ring3 part of the program ofc).
The difference between this method and the standard debug API method is that this method monitors all XP processes, and the program does not have to attach to any other process to monitor it, hence it's harder to detect.

The ring0 code sucks. It does not BSoD at my place, but I cannot guarantee it won't BSoD at some other place.
I'm really looking forward to comments regarding the ring0 code, especially constructive ones ;)

The known bugs are:
- The code tends to BSoD on multi CPU machines (will be fixed)

Well, that's it, any comments are welcome ;)

Example of usage:

>ExcpHook.exe excp_
ExcpHook Exception Monitor 0.0.4 by gynvael.coldwind//vx
(use -h or --help for help)
Filtering results only to ones containing "excp_"
Loading driver...OK
Opening device...OK
Requesting info on driver...OK
Driver: ExcpHook driver v0.0.1 by gynvael.coldwind//vx.
Entering loop... press ctrl+c to exit

--- Exception detected ---
PID: 2016 First Chance: YES
Exception code: 10000004 (KI_EXCEPTION_ACCESS_VIOLATION)
Exception addr: 0040130a
Image: D:\code\gynvael\BraveNewWorld\ExceptionCatch\excp_accviolw.exe
Param count  : 2
Params:
00000001 88776655
Access Violation Type  : WRITE
Accessed Memory Address: 88776655

Disconnecting from driver...OK
Unloading driver...OK
Also listed in: Exception Monitoring Tools



Tool name: Fenris
Rating: 0.0 (0 votes)
Author: lcamtuf
Website: http://lcamtuf.coredump.cx/fenris
Current version: 0.07-m2 build 3245
Last updated: July 11, 2004
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Fenris is a suite of tools suitable for code analysis, debugging, protocol analysis, reverse engineering, forensics, diagnostics, security audits, vulnerability research and many other purposes. The main logical components are:

* Fenris: high-level tracer, a tool that detects the logic used in C programs to find and classify functions, logic program structure, calls, buffers, interaction with system and libraries, I/O and many other structures. Fenris is mostly a "what's inside" tracer, as opposed to ltrace or strace, tracers intended to inspect external "symptoms" of the internal program structure. Fenris does not depend on libbfd for accessing ELF structures, and thus is much more robust when dealing with "anti-debugging" code.

* libfnprints and dress: fingerprinting code that can be used to detect library functions embedded inside a static application, even without symbols, to make code analysis simpler; this functionality is both embedded in other components and available as a standalone tool that adds a symtab to ELF binaries and can be used with any debugger or disassembler.

* Aegir: an interactive gdb-alike debugger with modular capabilities, instruction by instruction and breakpoint to breakpoint execution, and real-time access to all the goods offered by Fenris, such as high-level information about memory objects or logical code structure.

* nc-aegir: a SoftICE-alike GUI for Aegir, with automatic register, memory and code views, integrated Fenris output, and automatic Fenris control (now under development).

* Ragnarok: a visualisation tool for Fenris that delivers browsable information about many different aspects of program execution - code flow, function calls, memory object life, I/O, etc (to be redesigned using OpenDX or a similar data exploration interface).

* ...and some other companion utilities.
Also listed in: Reverse Engineering Frameworks, Linux Disassemblers, Linux Debuggers, Tracers



Tool name: FileMon
Rating: 0.0 (0 votes)
Author: Mark Russinovich and Bryce Cogswell
Website: http://www.microsoft.com/technet/sysinternals/FileAndDisk/Filemon.mspx
Current version: 7.04
Last updated: November 1, 2006
Direct D/L link: N/A
License type: Free
Description: FileMon monitors and displays file system activity on a system in real time. Its advanced capabilities make it a powerful tool for exploring the way Windows works, seeing how applications use files and DLLs, or tracking down problems in system or application file configurations. FileMon's timestamping feature will show you precisely when every open, read, write or delete happens, and its status column tells you the outcome. FileMon is so easy to use that you'll be an expert within minutes. It begins monitoring when you start it, and its output window can be saved to a file for off-line viewing. It has full search capability, and if you find that you're getting information overload, simply set up one or more filters.

Note:
Filemon and Regmon have been replaced by Process Monitor on versions of Windows starting with Windows 2000 SP4, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista. Filemon and Regmon remain for legacy operating system support, including Windows 9x.
Also listed in: File Monitoring Tools



Tool name: Flayer
Rating: 0.0 (0 votes)
Author: Will Drewry & Tavis Ormandy
Website: http://code.google.com/p/flayer
Current version: 0.0.1
Last updated: August 9, 2007
Direct D/L link: N/A
License type: Free / Open Source
Description: Flayer is a tool for dynamically exposing application innards for security testing and analysis. It is implemented on the dynamic binary instrumentation framework Valgrind and its memory error detection plug-in, Memcheck. The paper linked below focuses on the implementation of Flayer, its supporting libraries, and their application to software security.

Flayer provides tainted, or marked, data flow analysis and instrumentation mechanisms for arbitrarily altering that flow. Flayer improves upon prior taint tracing tools with bit-precision. Taint propagation calculations are performed for each value-creating memory or register operation. These calculations are embedded in the target application's running code using dynamic instrumentation. The same technique has been employed to allow the user to control the outcome of conditional jumps and step over function calls.

Flayer's functionality provides a robust foundation for the implementation of security tools and techniques; for example, it enables an effective fault injection testing technique and an automation library, LibFlayer. Alongside these contributions, the paper explores techniques for vulnerability patch analysis and guided source code auditing.

Flayer finds errors in real software. In the past year, its use has yielded the expedient discovery of flaws in security critical software including OpenSSH and OpenSSL.

See full paper at:
http://www.usenix.org/events/woot07/tech/full_papers/drewry/drewry_html

And getting-started information at:
http://code.google.com/p/flayer/wiki/GettingStarted
Also listed in: Memory Data Tracing Tools



Tool name: Float Tracer
Rating: 0.0 (0 votes)
Author: j00ru
Website: http://vexillium.org/?sec
Current version: 0.0.1
Last updated: January 28, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: The main aim of Float Tracer is to monitor a specific process' execution and log the occurrences of FPU instructions, showing their disassembly, address, optionally the modified STx value, etc.
It can also mark the immediate values you specify, as well as instructions, value ranges of the ST0-ST7 registers, and so on :)
Also listed in: Tracers



Tool name: HBGary Inspector
Rating: 0.0 (0 votes)
Author: HBGary
Website: http://www.hbgary.com/inspector_v2.shtml
Current version: 2.0
Last updated:
Direct D/L link: N/A
License type: Commercial
Description: HBGary Inspector speeds team reverse engineering of software binaries. Inspector integrates dynamic runtime tracing with dataflow and static code analysis. Captured test data is recorded in a team-member shared database for further analysis with automated scripts and interactive graphing.

Packed, obfuscated, and self-modifying malware binaries resist static disassembly. Anti-debugging tricks hinder runtime analysis. However, malware must unpack and de-obfuscate itself to execute. Inspector defeats many anti-debugging tricks and recovers true program instructions and live memory evidence as malware operates. Dynamic analysis provides accurate information about malware behavior.

HBGary Inspector can trace data buffers and packets as they propagate in memory, saving countless hours and days of work for the Reverse Engineer. Complex control flow paths are mapped with interactive navigation graphs. Runtime code coverage is indicated and measured. Inspector is extensible with an exposed application program interface (API) and a powerful scripting system for analysis automation.
Also listed in: Tracers, Code Coverage Tools, Memory Data Tracing Tools



Tool name: KaKeeware Application Monitor (KAM)
Rating: 0.0 (0 votes)
Author: KaKeeware
Website: http://www.kakeeware.com/i_kam.php
Current version: 1.32
Last updated: May 24, 2007
Direct D/L link: http://www.kakeeware.com/download.php?f=kam.exe
License type: Freeware
Description: KaKeeware Application Monitor is a very small API monitor that allows the user to monitor the APIs called by a given application. KAM currently supports 5577 different APIs.

KAM works as an API spy that may help developers and localization engineers find bugs in release versions of software. It can also be used by malware analysts to check which APIs are used by the sample they analyse.
The executable file is packed with Upack.
Since v1.04, KAM can retrieve object names (filenames, registry keys) and shows them in the UI instead of handles, making the listing more readable. 1.10 shows more information about monitored APIs. 1.20 added groups to the APIs window and added command line support for the monitored program. 1.21 hopefully fixes the problem with some XP versions. 1.30 introduces a lot of new APIs (now it's over 5000!). 1.31 finally conquers Vista. 1.32 adds some APIs (as per request :).

Please be aware that some AV programs may flag kam.exe as malicious. This is a problem known as FP (False Positive). kam.exe is not malicious and it doesn't contain any malicious code.
Also listed in: API Monitoring Tools



Tool name: KernelSpy
Rating: 0.0 (0 votes)
Author: Anton Bassov
Website: http://www.codeproject.com/system/kernelspying.asp
Current version: 1.0
Last updated: April 22, 2004
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: After having published my article about process-wide API spying, I received plenty of encouraging messages - readers have generally accepted my model of hooking function calls. In this article, we will extend our model to kernel-mode spying, and hook the API calls that are made by our target device driver. We will also introduce a brand-new way of communication between the kernel-mode driver and the user-mode application - instead of using system services, we will implement our own mini-version of Asynchronous Procedure Calls. This task is not as complicated as it may seem - in fact, it is just shockingly easy. The Windows flat memory model offers us plenty of exciting opportunities - the only thing we need is a sense of adventure (plus a good knowledge of assembly language, of course). All tips and tricks described in this article are 100% of my own design - you would not find anything more or less similar to these tricks anywhere.
Also listed in: SysCall Monitoring Tools



Tool name: LordCHEAT
Rating: 0.0 (0 votes)
Author: Rudy Rooroh
Website: http://www.geocities.com/asmfreesoft
Current version: 1.2.4
Last updated: April 9, 2008
Direct D/L link: http://www.geocities.com/asmfreesoft/LordCHEAT124.zip
License type: Freeware
Description: - Small & Powerful Game Trainer
- Save & Load memory using simple scripts
- Read/Write memory using a Hex Editor
- Supports 16/32-bit Windows games, Macromedia Flash games, *emulators, etc.
- Supports Pointer to Pointer
- Supports Plugins
- Memory monitor
- Can run under Windows 98 up to *Vista
- etc.
Also listed in: Memory Data Tracing Tools



Tool name: Malcode Analysis Pack
Rating: 0.0 (0 votes)
Author: David Zimmer (iDefense Labs)
Website: http://labs.idefense.com/files/labs/releases/previews/map/
Current version:
Last updated: November 13, 2006
Direct D/L link: http://labs.idefense.com/software/download/?downloadID=8
License type: GPL2
Description: The Malcode Analyst Pack contains a series of utilities that were found to be necessary tools while doing rap