From Collaborative RCE Tool Library

Jump to: navigation, search

Monitoring Tools


Tool name: All-Seeing Eye
Rating: 5.0 (1 vote)
Author: Fortego Security                        
Website: http://www.fortego.com/en/ase.html
Current version: 0.7.1
Last updated: 2007
Direct D/L link: http://www.fortego.com/resources/ase071.zip
License type: Free
Description: Tool for automated diff-style checking of many sensitive system areas that malware and other programs often try to modify silently. Like Tripwire on speed.
Also listed in: File System Diff Tools, Install Monitoring Tools, Registry Monitoring Tools, System Diff Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Buster Sandbox Analyzer
Rating: 5.0 (1 vote)
Author: Buster                        
Website: http://bsa.isoftware.nl/
Current version: 1.81
Last updated: August 22, 2012
Direct D/L link: http://bsa.isoftware.nl/bsa.rar
License type: Free
Description: Buster Sandbox Analyzer is a tool that has been designed to analyze the behaviour of sandboxed processes and the changes made to system and then evaluate if they are malware suspicious.

The changes made to system can be of several types: file system changes, registry changes and port changes.

A file system change happens when a file is created, deleted or modified. Depending of what type of file has been created (executable, library, javascript, batch, etc) and where was created (what folder) we will be able to get valuable information.

Registry changes are those changes made to Windows registry. In this case we will be able to get valuable information from the modified value keys and the new created or deleted registry keys.

Port changes are produced when a connection is done outside, to other computers, or a port is opened locally and this port starts listening for incoming connections.

From all these changes we will obtain necessary information to evaluate the "risk" of some of the actions taken by sandboxed applications.

Watching all these operations in an easy and safe manner is possible thanks to Sandboxie (http://sandboxie.com), an excellent tool created by Ronen Tzur.

Even if Buster Sandbox Analyzer´s main goal is to consider if sandboxed processes have a malware behaviour, the tool can be used also to simply obtain a list of changes made to system, so if you install a software you will know exactly what installs and where.

Additionally apart of system changes we can consider other actions as malware suspicious: keyboard logging, end the Windows session, load a driver, start a service, connect to Internet, etc.

All the above operations can be considered as not malicious but if they are performed when it´s not expected, that´s something we must take in consideration. Therefore it´s not only important to consider what actions are performed. It´s also important to consider if it´s reasonable certain actions are performed.



Program history : http://bsa.isoftware.nl/frame8.htm
Also listed in: File Monitoring Tools, File System Diff Tools, Network Monitoring Tools, Registry Diff Tools, Registry Monitoring Tools, X86 Sandboxes
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: DongleKnack
Rating: 5.0 (1 vote)
Author: H. Haftmann                        
Website: http://www-user.tu-chemnitz.de/~heha/
Current version: 2.00
Last updated:
Direct D/L link: Locally archived copy
License type: Freeware & Source (TASM, Pascal)
Description: This tools logs all traffic on the parallel port on ring 0 level by using a dynamic VxD.
Thus it works on all Win9x related Windows (Win3x, Win9x and Win2K).

The dynamic VxD either modifies the IOPM (IO Permission Map) or traps the port by setting a Debug Register on its address. To use the Debug Register method you need at least a Pentium processor.
If you have logged all port traffic, you can replay the log file port traffic and thus emulate the Dongle.
The log file is not compressed and it can be used to understand the dongle routines in the application you want to crack.

Be sure you check the source if you're interessted in Win9x system programming.
Also listed in: Dongle Dumper Tools, Dongle Emulation Tools, Parallel Comm Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Fenris
Rating: 5.0 (1 vote)
Author: lcamtuf                        
Website: http://lcamtuf.coredump.cx/fenris
Current version: 0.07-m2 build 3245
Last updated: July 11, 2004
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Fenris is a suite of tools suitable for code analysis, debugging, protocol analysis, reverse engineering, forensics, diagnostics, security audits, vulnerability research and many other purposes. The main logical components are:

* Fenris: high-level tracer, a tool that detects the logic used in C programs to find and classify functions, logic program structure, calls, buffers, interaction with system and libraries, I/O and many other structures. Fenris is mostly a "what's inside" tracer, as opposed to ltrace or strace, tracers intended to inspect external "symptoms" of the internal program structure. Fenris does not depend on libbfd for accessing ELF structures, and thus is much more robust when dealing with "anti-debugging" code.

* libfnprints and dress: fingerprinting code that can be used to detect library functions embedded inside a static application, even without symbols, to make code analysis simplier; this functionality is both embedded in other components and available as a standalone tool that adds symtab to ELF binaries and can be used with any debugger or disassembler.

* Aegir: an interactive gdb-alike debugger with modular capabilities, instruction by instruction and breakpoint to breakpoint execution, and real-time access to all the goods offered by Fenris, such as high-level information about memory objects or logical code structure.

* nc-aegir: a SoftICE-alike GUI for Aegir, with automatic register, memory and code views, integrated Fenris output, and automatic Fenris control (now under development).

* Ragnarok: a visualisation tool for Fenris that delivers browsable information about many different aspects of program execution - code flow, function calls, memory object life, I/O, etc (to be redesigned using OpenDX or a similar data exploration interface).

* ...and some other companion utilities.
Also listed in: Reverse Engineering Frameworks, Linux Disassemblers, Linux Debuggers, Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: HookShark
Rating: 5.0 (1 vote)
Author: DeepBlueSea                        
Website: http://www.gamedeception.net/threads/20596-HookShark-Beta-0-9-(With-a-Vengeance)?highlight=hookshark
Current version: BETA 0.9
Last updated: September 1, 2010
Direct D/L link: Locally archived copy
License type: Free
Description: HookShark is a detector of installed hooks and patches installed on the system (only usermode for now). It scans through the code-section of every loaded module of each running process and compares it with the file-image. If it detects discrepancies it tries to determine the type of hook or patch and reports it to the user.

Currently implemented hook detection:

* - Inline patches / Hooks (NOP, Exceptionhandler, relative Jumps, Custom patches)
* - Other custom patches [...]
* - VTable Hooks
* - IAT and EAT Hooks
* - Relocation Hooks
* - Hardware Breakpoints
* - PAGE_GAURD Candidates

FAQ

Why is IAT-Scanning / Hook-Scanning so slow? There are faster tools.
=====================================================================

That's because other tools suck. They just walk the IAT Entrys and look for addresses that are out of the module bounds. Thats bollocks. The callback function of the hook, or a redirection (JMP) could be planted well within the module bounds, and there you have a stealth IAT Hook, which HookShark recognizes as "IAT - Local".
And HookShark scans EVERY IAT-Table of EVERY Module. Unlike some other tools, which just examine the main process module.

And HookShark does not only check for hooks in exported/known functions. No, byte by byte of disk/memory image is compared, and even one-byte-patches are revealed. That is only for read-only code-sections though.

What the hell is all that crap? So many patches WTF?
======================================================

HookShark looks for differences between the disk image and the scanned memory. There might be cases where you are just looking at a packed module. To counter these false positives, there is an option to filter patches, which are bigger than n-bytes. (Look in the GlobalOptions Tab)

Sometimes after i scanned a process and want to scan another one and it crashes.
=================================================================================

Yeah, i hate when that happens. I have no idea why. If i get my lazy ass on the debugger i try to check it out. Until then, just restart HookShark.

The mnemonics of patched instructions are wrongly displayed.
============================================================

That's because HookShark just cant do a thorough analysis like IDA does for every module in this short time-span. The alignment of instructions is guessed and heuristically computed.
Also listed in: Usermode Hook Detection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Kernel Detective
Rating: 5.0 (3 votes)
Author: GamingMaster -AT4RE                        
Website: http://www.at4re.com
Current version: 1.4.1
Last updated: December 10, 2010
Direct D/L link: Locally archived copy
License type: Free
Description: Kernel Detective is a free tool that help you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you the access to the kernel directly so it's not oriented for newbies. Changing essential kernel-mode objects without enough knowledge will lead you to only one result ... BSoD !

Supported NT versions :
XP/Vista/Server 2008/SEVEN


Kernel Detective gives you the ability to :
1- Detect Hidden Processes.
3- Detect Hidden Threads.
2- Detect Hidden DLLs.
3- Detect Hidden Handles.
4- Detect Hidden Driver.
5- Detect Hooked SSDT.
6- Detect Hooked Shadow SSDT.
7- Detect Hooked IDT.
8- Detect Kernel-mode code modifications and hooks.
9- Disassemble (Read/Write) Kernel-mode/User-mode memory.
10- Monitor debug output on your system.


Enumerate running processes and print important values like Process Id, Parent Process Id, ImageBase, EntryPoint, VirtualSize, PEB block address and EPROCESS block address. Special undocumented detection algorithms were implemented to detect hidden processes.

Detect hidden and suspicious threads in system and allow user to forcely terminate them .

Enumerate a specific running process Dynamic-Link Libraries and show every Dll ImageBase, EntryPoint, Size and Path. You can also inject or free specific module.

Enumerate a specific running process opened handles, show every handle's object name and address and give you the ability to close the handle.

Enumerate loaded kernel-mode drivers and show every driver ImageBase, EntryPoint, Size, Name and Path. Undocumented detection algorithms were implemented to detect hidden drivers.

Scan the system service table (SSDT) and show every service function address and the real function address, detection algorithm improved to bypass KeServiceDescriptorTable EAT/IAT hooks.You can restore single service function address or restore the whole table.

Scan the shadow system service table (Shadow SSDT) and show every shadow service function address and the real function address. You can restore single shadow service function address or restore the whole table

Scan the interrupts table (IDT) and show every interrupt handler offset, selector, type, Attributes and real handler offset. This is applied to every processor in a multi-processors machines.

Scan the important system kernel modules, detect the modifications in it's body and analyze it. For now it can detect and restore inline code modifications, EAT and IAT hooks. I'm looking for more other types of hooks next releases of Kernel Detective.

A nice disassembler rely on OllyDbg disasm engine, thanks Oleh Yuschuk for publishing your nice disasm engine .With it you can disassemble, assemble and hex edit virtual memory of a specific process or even the kernel space memory. Kernel Detective use it's own Read/Write routines from kernel-mode and doesn't rely on any windows API. That make Kernel Detective able to R/W processes VM even if NtReadProcessMemory/NtWriteProcessMemory is hooked, also bypass the hooks on other kernel-mode important routines like KeStackAttachProcess and KeAttachProcess.

Show the messages sent by drivers to the kernel debugger just like Dbgview by Mark Russinovich. It's doing this by hooking interrupt 0x2d wich is responsible for outputing debug messages. Hooking interrupts may cause problems on some machines so DebugView is turned off by default, to turn it on you must run Kernel Detective with "-debugv" parameter.
Also listed in: Hook Detection Tools, Kernel Hook Detection Tools, Kernel Tools, Malware Analysis Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Process Explorer
Rating: 5.0 (2 votes)
Author: Mark Russinovich                        
Website: http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx
Current version: 11.33
Last updated: February 4, 2009
Direct D/L link: http://download.sysinternals.com/Files/ProcessExplorer.zip
License type: Free
Description: The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.
Also listed in: Process Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Process Hacker
Rating: 5.0 (1 vote)
Author: wj32                        
Website: http://processhacker.sourceforge.net
Current version: 2.33
Last updated: December 27, 2013
Direct D/L link: http://processhacker.googlecode.com/files/processhacker-2.33-bin.zip
License type: Open Source (GNU General Public License V3)
Description: Process Hacker is a feature-packed tool for manipulating processes and services on your computer.

Key features of Process Hacker:
- A simple, customizable tree view with highlighting showing you the processes running on your computer.

- Detailed performance graphs.

- A complete list of services and full control over them (start, stop, pause, resume and delete).

- A list of network connections.

- Comprehensive information for all processes: full process performance history, thread listing and stacks with dbghelp symbols, token information, module and mapped file information, virtual memory map, environment variables, handles, ...

- Full control over all processes, even processes protected by rootkits or security software. Its kernel-mode driver has unique abilities which allows it to terminate, suspend and resume all processes and threads, including software like IceSword, avast! anti-virus, AVG Antivirus, COMODO Internet Security, etc. (just to name a few).

- Find hidden processes and terminate them. Process Hacker detects processes hidden by simple rootkits such as Hacker Defender and FU.

- Easy DLL injection and unloading - simply right-click a process and select "Inject DLL" to inject and right-click a module and select "Unload" to unload!

- Many more features...
Also listed in: Malware Analysis Tools, Process Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: radare
Rating: 5.0 (2 votes)
Author: pancake                        
Website: http://www.radare.org
Current version: 2.0.0
Last updated: October 10, 2017
Direct D/L link: http://bin.rada.re/radare2-w32-2.0.0.zip
License type: LGPL
Description: The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with 6502, 8051, arc, arm64, avr, brainfuck, whitespace, malbolge, cr16, dcpu16, ebc, gameboy, h8300, tms320, nios2, x86, x86_64, mips, arm, snes, sparc, csr, m68k, powerpc, dalvik and java.

The main program is 'r2' a commandline hexadecimal editor with support for debugging, disassembling, analyzing structures, searching data, analyzing code and support for scripting with bindings for Python, NodeJS, Perl, Ruby, Go, PHP, Vala, Java, Lua, OCaml.

Radare comes with the unix phylosophy in mind. Each module, plugin, tool performs a specific task and each command can be piped to another to extend its functionality. Also, it treats everything as a file: processes, sockets, files, debugger sessions, libraries, etc.. Everything is mapped on a virtual address space that can be configured to map multiple files on it and segment it.

If you are interested or feel attracted by the project join us in the #radare channel at irc.freenode.net.

See website for more details.
Also listed in: .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Rohitab API Monitor
Rating: 5.0 (1 vote)
Author: Rohitab Batra                        
Website: http://www.rohitab.com/apimonitor
Current version: v2 (Alpha-r13)
Last updated: March 14, 2013
Direct D/L link: http://www.rohitab.com/downloads
License type: Freeware
Description: API Monitor is a free software that lets you monitor and control API calls made by applications and services. Its a powerful tool for seeing how applications and services work or for tracking down problems that you have in your own applications.

* Supports monitoring of 32-bit and 64-bit applications and services
* API Definitions for over 15,000 API’s from 200 DLL’s and over 17,000 methods from 1,800+ COM Interfaces (Shell, Web Browser, DirectShow, DirectSound, DirectX, Direct2D, DirectWrite, Windows Imaging Component, Debugger Engine, MAPI etc)
* Decode and display 2000 different structures and unions, 1000+ Enumerated data types, 800+ flags. Buffers and arrays within structures can also be viewed
* Display input and output buffers
* Call Tree display which shows the hierarchy of API calls
* Decode Parameters and Return Values
* Control the target application by setting breakpoints on API calls
* Instant monitoring of any API from any DLL without requiring any definitions
* Memory Editor that lets you view, edit and allocate memory in any process
* Dynamic Call Filtering capabilities which allows you to hide or show API calls based on a certain criteria
* Supports monitoring of COM Interfaces
* Decode error codes and display friendly messages by calling an appropriate error function to retrieve additional information about the error
* Capture and view the call stack for each API call
* Custom DLL Monitoring - Supports creating definitions for any DLL or COM Interface
* Support for filtering calls by threads
* Displays the duration for each API call
* Process detection and notification
Also listed in: API Monitoring Tools, COM Monitoring Tools, File Monitoring Tools, Memory Dumpers, Memory Patchers, Network Monitoring Tools, Registry Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: TCPView
Rating: 5.0 (1 vote)
Author: Mark Russinovich                        
Website: http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx
Current version: 2.54
Last updated: March 17, 2009
Direct D/L link: http://download.sysinternals.com/Files/TcpView.zip
License type: Free
Description: TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows Server 2008, Vista, NT, 2000 and XP TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.
Also listed in: Network Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: tcpdump
Rating: 5.0 (2 votes)
Author: The Tcpdump team                        
Website: http://www.tcpdump.org/
Current version: 4.0.0
Last updated: July 18, 2009
Direct D/L link: http://www.tcpdump.org/release/tcpdump-4.0.0.tar.gz
License type: BSD
Description: From wikipedia's entry for tcpdump:

tcpdump is a common computer network debugging tool that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. It was originally written by Van Jacobson, Craig Leres and Steven McCanne who were, at the time, working in the Lawrence Berkeley Laboratory Network Research Group.

Distributed under a permissive free software licence, tcpdump is free software.

Tcpdump works on most Unix-like operating systems: Linux, Solaris, BSD, Mac OS X, HP-UX and AIX among others. In those systems, tcpdump uses the libpcap library to capture packets.

There is also a port of tcpdump for Windows called WinDump; this uses WinPcap, which is a port of libpcap to Windows.

In some Unix-like operating systems, a user must have superuser privileges to use tcpdump because the packet capturing mechanisms on those systems require elevated privileges. However, the -Z option may be used to drop privileges to a specific unprivileged user after capturing has been set up. In other Unix-like operating systems, the packet capturing mechanism can be configured to allow non-privileged users to use it; if that is done, superuser privileges are not required.

The user may optionally apply a BPF-based filter to limit the number of packets seen by tcpdump; this renders the output more usable on networks with a high volume of traffic.
Also listed in: Network Sniffers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: WinApiOverride
Rating: 5.0 (3 votes)
Author: Jacquelin POTIER                        
Website: http://jacquelin.potier.free.fr/winapioverride32/
Current version: 6.5.5
Last updated: April 19, 2017
Direct D/L link: http://jacquelin.potier.free.fr/exe/winapioverride32_bin.zip
License type: Free for non commercial use (temporary closed sources due to abuse)
Description: WinAPIOverride is an advanced api monitoring software for 32 and 64 bits processes.
You can monitor and/or override any function of a process.
This can be done for API functions or executable internal functions.

It tries to fill the gap between classical API monitoring softwares and debuggers.
It can break targeted application before or after a function call, allowing memory or registers changes; and it can directly call functions of the targeted application.
Main differences between other API monitoring softwares :
- You can define filters on parameters or function result
- You can define filters on dll to discard calls from windows system dll
- You can hook functions inside the target process not only API
- You can hook asm functions with parameters passed through registers
- You can hook hardware and software exceptions
- Double and float results are logged
- You can easily override any API or any process internal function
- You can break process before or/and after function call to change memory or registers
- You can call functions which are inside the remote processes
- Can hook COM OLE and ActiveX interfaces
- User types (enum, struct and union) and user defines are supported
- All is is done like modules : you can log or override independently for any function
- A library is provided for developers who intend to build their one hooking software
Also listed in: .NET Tracers, API Monitoring Tools, COM Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Wireshark
Rating: 5.0 (5 votes)
Author: Gerald Combs                        
Website: http://www.wireshark.org
Current version: 1.8.6
Last updated: March 6, 2013
Direct D/L link: http://www.wireshark.org/download.html
License type: GPL / Open Source (C)
Description: Wireshark (previously Ethereal) is the world's foremost network protocol analyzer, and is the standard in many industries.

It is the continuation of a project that started in 1998. Hundreds of developers around the world have contributed to it, and it is still under active development.

Wireshark has a rich feature set which includes the following:

* Hundreds of protocols are supported, with more being added all the time
* Live capture and offline analysis are supported
* Standard three-pane packet browser
* Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
* Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
* The most powerful display filters in the industry
* Rich VoIP analysis
* Read/write many different capture file formats: tcpdump (libpcap), Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
* Capture files compressed with gzip can be decompressed on the fly
* Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platfrom)
* Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
* Coloring rules can be applied to the packet list, which eases analysis
* Output can be exported to XML, PostScript®, CSV, or plain text
Also listed in: Network Sniffers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: ADInsight
Rating: 4.0 (1 vote)
Author: Bryce Cogswell & Mark Russinovich                        
Website: http://www.microsoft.com/technet/sysinternals/utilities/adinsight.mspx
Current version: 1.01
Last updated: November 20, 2007
Direct D/L link: N/A
License type: Free
Description: ADInsight is an LDAP (Light-weight Directory Access Protocol) real-time monitoring tool aimed at troubleshooting Active Directory client applications. Use its detailed tracing of Active Directory client-server communications to solve Windows authentication, Exchange, DNS, and other problems.

ADInsight uses DLL injection techniques to intercept calls that applications make in the Wldap32.dll library, which is the standard library underlying Active Directory APIs such ldap and ADSI. Unlike network monitoring tools, ADInsight intercepts and interprets all client-side APIs, including those that do not result in transmission to a server. ADInsight monitors any process into which it can load it’s tracing DLL, which means that it does not require administrative permissions, however, if run with administrative rights, it will also monitor system processes, including windows services.

AD Insight works on Windows 2000 and higher.
Also listed in: Active Directory Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: DebugView
Rating: 4.0 (1 vote)
Author: Mark Russinovich                        
Website: http://www.microsoft.com/technet/sysinternals/Miscellaneous/DebugView.mspx
Current version: 4.76
Last updated: October 16, 2008
Direct D/L link: N/A
License type: Free
Description: DebugView is an application that lets you monitor debug output on your local system, or any computer on the network that you can reach via TCP/IP. It is capable of displaying both kernel-mode and Win32 debug output, so you don't need a debugger to catch the debug output your applications or device drivers generate, nor do you need to modify your applications or drivers to use non-standard debug output APIs.
Also listed in: Debug Output Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: DynLogger
Rating: 4.0 (1 vote)
Author: Daniel Pistelli                        
Website: http://ntcore.com/dynlogger.php
Current version: 1.1.0.1
Last updated: April 14, 2008
Direct D/L link: http://ntcore.com/Files/DynLogger_x86.zip
License type: Free
Description: DynLogger logs all dynamically retrieved functions by reporting the module name and the requested function. It can come very handy when one wants to know a "hidden" function used by an application. It also logs the loaded modules.

Download the x64 version of DynLogger only if the process is not an x86 process. In all other cases download the x86 version.

I recycled the code of a bigger project to write this little application. It's a very small utility, but it might be of use after all. It was tested on XP and Vista, both x86 and x64. It works for .NET application as well. Just start the logging process, the log will be saved after you quit the monitored application.
Also listed in: API Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Memoryze
Rating: 4.0 (1 vote)
Author: Mandiant                        
Website: http://www.mandiant.com/software/memoryze.htm
Current version:
Last updated:
Direct D/L link: N/A
License type: Free
Description: MANDIANT Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems can include the paging file in its analysis.

MANDIANT Memoryze can:

* image the full range of system memory (not reliant on API calls).
* image a process’ entire address space to disk. This includes a process’ loaded DLLs, EXEs, heaps, and stacks.
* image a specified driver or all drivers loaded in memory to disk.
* enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:
o report all open handles in a process (for example, all files, registry keys, etc.).
o list the virtual address space of a given process including:
+ displaying all loaded DLLs.
+ displaying all allocated portions of the heap and execution stack.
o list all network sockets that the process has open, including any hidden by rootkits.
o output all strings in memory on a per process basis.
* identify all drivers loaded in memory, including those hidden by rootkits.
* report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
* identify all loaded kernel modules by walking a linked list.
* identify hooks (often used by rootkits) in the System Call Table, the Interrupt Descriptor Tables (IDTs), and driver function tables (IRP tables).

MANDIANT Memoryze can perform all these functions on live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools.
Also listed in: Kernel Hook Detection Tools, Memory Dumpers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: PIX with callstack patch
Rating: 4.0 (1 vote)
Author: arc_                        
Website: http://www.woodmann.com/forum/showthread.php?t=12696
Current version:
Last updated: May 1, 2012
Direct D/L link: Locally archived copy
License type: Free
Description: MSDN describes the DirectX tool "PIX" as follows (at http://msdn.microsoft.com/en-us/library/bb173085(VS.85).aspx):
"PIX is a debugging and analysis tool that captures detailed information from a Direct3D application as it executes. PIX can be configured to gather data, such as the list of Direct3D APIs called, timing information, mesh vertices before and after transformations, screenshots, and select statistics. PIX can also be used for debugging vertex and pixel shaders, including setting breakpoints and stepping through shader code."

Thus, a highly useful tool right from the MS DirectX SDK for e.g. finding the cause of a rendering problem: for any captured frame, you can click through the executed DX API functions and see how the frame is being built up, eventually finding out what part is to blame.

But what about reversing a closed source application's renderer? PIX does not store a call stack; it merely logs *what* DX functions are called, but not from *where*. Therefore it is not very useful for reversing by default.

I didn't want to let such a great tool go to waste. After some reversing work I ended up patching PIX to log and show (part of) the call stack for each DirectX call that the target program makes. Each call stack entry has both the virtual address and the module name.

Example usage of the resulting modified tool is finding out about and messing with a game's renderer, or more simply locating the HUD rendering code and quickly finding the data that it represents (e.g. health, money) rather than having to resort to memory scanning.
Also listed in: API Monitoring Tools, DirectX Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: SysAnalyzer
Rating: 4.0 (2 votes)
Author: David Zimmer (iDefense Labs)                        
Website: http://sandsprite.com/blogs/index.php?uid=7&pid=185
Current version:
Last updated: March 21, 2011
Direct D/L link: http://sandsprite.com/CodeStuff/SysAnalyzer_Setup.exe
License type: GPL2
Description: Update: This tool is no longer available for download through the iDefense website. An updated installer has been made available by the author.

SysAnalyzer is an automated malcode run time analysis application that monitors various aspects of system and process states. SysAnalyzer was designed to enable analysts to quickly build a comprehensive report as to the actions a binary takes on a system. SysAnalyzer can automatically monitor and compare:

* Running Processes
* Open Ports
* Loaded Drivers
* Injected Libraries
* Key Registry Changes
* APIs called by a target process
* File Modifications
* HTTP, IRC, and DNS traffic

SysAnalyzer also comes with a ProcessAnalyzer tool which can perform the following tasks:

* Create a memory dump of target process
* parse memory dump for strings
* parse strings output for exe, reg, and url references
* scan memory dump for known exploit signatures

Full GPL source for SysAnalyzer is included in the installation package.
Also listed in: API Monitoring Tools, Disk Monitoring Tools, File Monitoring Tools, Install Monitoring Tools, Memory Dumpers, Network Monitoring Tools, Registry Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Auto Debug
Rating: 3.5 (2 votes)
Author:                         
Website: http://www.autodebug.com
Current version: 4.3
Last updated: 2007
Direct D/L link: N/A
License type: Shareware
Description: Auto Debug software is an API monitor tool which can automatic trace all APIs and ActiveX interface to input and output parameters. After setting the API which you want to monitor easily, this application will auto trace the target program and monitor the function of inputting and outputting calling. It analysises PDB files automatic while monitoring any DLL and ActiveX interface.

Different from others apispy or API monitor tools, Auto Debug software doesn't need the user to develop any DLL or hook DLL. It's easy to use --- Only setting the APIs which we want to monitor with ON, once the target application running and calling these APIs, it will monitor their parameters of inputting and outputting automaticly! Don't need to develop any DLL, once installing the software, we can start to monitor APIs NOW!

If we have the API prototype(often from the .h file), we can build the PDB file without origin source easily. For example, we can found a sample for generating comdlg32.dll PDB file at ($InstallPath\PDBsample). --- (need Professional Version, it also generates over 30 windows system DLL's PDB files in the Professional Version).

News: Auto Debug for Windows x64 version is available.

Features

It doesn't need to rebuild the source code while monitoring inputting parameters and outputting results of the traced APIs in the target program automaticly, only monitoring the input and output of APIs.

* Source Code level monitor.(new in Professional V4.1).
* Automatic analysis parameter type with PDB files.(new in V4.0). Support for Visual Studio 2005, Visual Studio .NET 2003 and Visual C++ 6.0.
* Very easy to generate PDB files without source code if you know the api prototype.(new in Professional V4.0).
* Tracing your application with release version.
* The best API monitor tool.
* Tracing Release version with mapfile.
* Supporting Debug version and Release version, not need source code.
* Supporting tracing COM Interface.
* Supporting multithread.
* Not need to know the prototype of the functions.
* Not only trace for exported APIs, but also be effect for undocumented APIs.
Also listed in: API Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Detours
Rating: 3.5 (2 votes)
Author: Microsoft                        
Website: http://research.microsoft.com/sn/detours
Current version: 2.1.216
Last updated: November 10, 2008
Direct D/L link: http://ftp.research.microsoft.com/downloads/d36340fb-4d3c-4ddd-bf5b-1db25d03713d/DetoursExpress.msi
License type: Free
Description: Innovative systems research hinges on the ability to easily instrument and extend existing operating system and application functionality. With access to appropriate source code, it is often trivial to insert new instrumentation or extensions by rebuilding the OS or application. However, in today's world systems researchers seldom have access to all relevant source code.

Detours is a library for instrumenting arbitrary Win32 functions on x86, x64, and IA64 machines. Detours intercepts Win32 functions by re-writing the in-memory code for target functions. The Detours package also contains utilities to attach arbitrary DLLs and data segments (called payloads) to any Win32 binary.

Detours preserves the un-instrumented target function (callable through a trampoline) as a subroutine for use by the instrumentation. Our trampoline design enables a large class of innovative extensions to existing binary software.

We have used Detours to create an automatic distributed partitioning system, to instrument and analyze the DCOM protocol stack, and to create a thunking layer for a COM-based OS API. Detours is used widely within Microsoft and within the industry.

Detours 2.1 is now available. Detours 2.1 includes the following new features:

* Complete documentation of the Detours API.
* Transactional model for attaching and detaching detours.
* Support for updating peer threads when attaching or detaching detours.
* Unification of dynamic and static detours into a single API.
* Support for detection of detoured processes.
* Significant robustness improvements in APIs that start a process with a DLL containing detour functions.
* New APIs to copy payloads into target processes.
* Support for 64-bit code on x64 and IA64 processors (available in Professional edition only).
* Supports building detours with Visual Studio 2005, Visual Studio .NET 2003, Visual Studio .NET (VC8), and Visual Studio (VC7).
Also listed in: API Monitoring Tools, Code Injection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: oSpy
Rating: 3.5 (2 votes)
Author: Ole Andre Vadla Ravnaas                        
Website: http://code.google.com/p/ospy
Current version: 1.9.8
Last updated: July 18, 2009
Direct D/L link: http://ospy.googlecode.com/files/oSpy-1.9.8.zip
License type: Free / Open Source
Description: oSpy is a tool which aids in reverse-engineering software running on the Windows platform. With the amount of proprietary systems that exist today (synchronization protocols, instant messaging, etc.), the amount of work required to keep up when developing interoperable solutions will quickly become a big burden when limited to traditional techniques.

However, when the sniffing is done on the API level it allows a much more fine-grained view of what's going on. Seeing return-addresses for each recv/send call (for example), can prove useful when you want to look at the processing code at that spot in a debugger or static analysis tool. And if an application uses encrypted communication it's easy to intercept these calls as well. oSpy already intercepts one such API, and is the API used by MSN Messenger, Google Talk, etc. for encrypting/decrypting HTTPS data.

Another neat feature is when wanting to see how an application behaves when in a firewalled environment. Normally you would have to simulate such an environment by configuring firewalls etc., which not only is time-consuming, but might also cripple the rest of the applications you've got running. oSpy solves this problem by a feature called softwalling which allows you to set rules based on the type of function-call, the return-address, local/remote address/port, etc., and lets you choose which error to signal back to the application when the rule matches. This way you can make the application think that for example a connect() timed out, connection was refused, there was no route to host, etc.
Also listed in: API Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: APIScan
Rating: 0.0 (0 votes)
Author: Sirmabus                        
Website: http://www.openrce.org/forums/posts/456
Current version: 2.2
Last updated: April 28, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: APIScan is a simple tool to gather a list of APIs that a target process uses.

You can use this list in an initial analysis to help determine a target's
general operating nature. Also can be used to help determine patch/update changes by doing a WinDiff on a "before" and "after" dump.

There are similar tools, often more robust (like "Dependency Walker"), but
most of these just parse the target IAT ("Import Address Table") alone.
APIScan catches dynamically/delayed loaded modules too; and dumps them as a simple list.
============================================================

Example dump for a module:
Code:

Library Flags Function
====================================
-- COMCTL32.DLL
[I...] ImageList_Add
[I...] ImageList_Create
[I...] ImageList_Destroy
[I.O.] InitCommonControls
[.D..] InitCommonControlsEx
[.D.F] ImNotHere
...
...

Explanation:
APIScan saw that "COMCTL32.DLL" is loaded both as an import via the IAT, plus it caught it being loaded dynamically for "InitCommonControlsEx".
That's the 'D' flag in "[.D.F] InitCommonControlsEx". The 'F' in "[.D.F] ImNotHere" means that that the application failed in one or more attempt to dynamically load (from the 'D') "ImNotHere", since this export doesn't exist in "COMCTL32.DLL". In "[I.O.] InitCommonControls", the 'I' tells us this API is in the IAT, and the 'O' tells us it was by "ordinal".
Note, you can have both 'I' and 'D' flags since an application (as well as 'O', and 'F', if there is a 'D') can have it both in it's IAT and loaded it dynamicly (with "GetProcAddress()").

Changes:
--------
2.2: Got rid of the index numbers around the DLL and API dumps, that made WinDiff'ing a mess.


TODO:
1. Add intra-module support.
API scan could parse the IATs of modules/DLLs and optionally filter out GetProcAddress() calls made within modules for better focus.
2. Optional real time output to DBGVIEW.
Also listed in: API Monitoring Tools, Dependency Analyzer Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Anathema .NET Instrumentation Tool
Rating: 0.0 (0 votes)
Author: Antonio "s4tan" Parata                        
Website: http://www.phrack.org/papers/dotnet_instrumentation.html
Current version:
Last updated: January 11, 2018
Direct D/L link: Locally archived copy
License type: Open Source
Description: |=-----------------------------------------------------------------------=|
|=--------=[ .NET Instrumentation via MSIL bytecode injection ]=---------=|
|=-----------------------------------------------------------------------=|
|=----------=[ by Antonio "s4tan" Parata <aparata@gmail.com>]=-----------=|
|=-----------------------------------------------------------------------=|


1 - Introduction
2 - CLR environment
2.1 - Basic concepts
2.1.1 - Metadata tables
2.1.2 - Metadata token
2.1.3 - MSIL bytecode
2.2 - Execution environment
3 - JIT compiler
3.1 - The compileMethod
3.2 - Hooking the compileMethod
4 - .NET Instrumentation
4.1 - MSIL injection strategy
4.2 - Resolving the method handle
4.3 - Implementing a trampoline via the calli instruction
4.4 - Crafting a dynamic method
4.5 - Invoking the user defined code
4.6 - Fixing the SEH table
5 - Real world examples
5.1 - Web application password stealer
5.2 - Malware inspection
6 - Conclusion
7 - References
8 - Source Code


--[ 1 - Introduction

In this article we will explore the internals of the .NET framework with
the purpose of providing an innovative method to instrument .NET programs
at runtime.

Actually, there are several libraries that allow to instrument .NET
programs; most of them install a hook in the code generated after compiling
a given method, or by modifying the Assembly and saving back the result of
the modification.

Microsoft also provides a profile API in order to instrument the execution
of a given program. However the API must be activated before executing the
program by setting specific environment variables.

Our goal is to instrument the program at runtime by leaving the Assembly
binary untouched; all this by using a high level .NET language. As we will
see, this is done by injecting additional MSIL code just before the target
method is compiled.


--[ 2 - CLR environment

Before describing in depth how to inject additional MSIL code in a method,
it is necessary to provide some basic concepts as on how the .NET framework
works and which are its basic components.

We will only describe the concepts that are relevant to our purpose.


---[ 2.1 - Basic concepts

A .NET binary is typically called Assembly (even if it doesn't contain any
assembly code). It is a self-describing structure, meaning that inside an
Assembly you will find all the necessary information to execute it (for
more information on this subject see [01]).

As we will shortly see, all this information can be accessed by using
reflection. Reflection allows us to have a full picture of which types and
methods are defined inside the Assembly. We can also have access to the
names and types of the parameters passed to a specific method. The only
missing information are the names of the local variables, but as we will
see this is not a problem at all.


----[ 2.1.1 - Metadata tables

All the above mentioned information is stored inside tables called
Metadata tables.

The following list taken from [02] shows the index and names of all the
existing tables:

00 - Module 01 - TypeRef 02 - TypeDef
04 - Field 06 - MethodDef 08 - Param
09 - InterfaceImpl 10 - MemberRef 11 - Constant
12 - CustomAttribute 13 - FieldMarshal 14 - DeclSecurity
15 - ClassLayout 16 - FieldLayout 17 - StandAloneSig
18 - EventMap 20 - Event 21 - PropertyMap
23 - Property 24 - MethodSemantics 25 - MethodImpl
26 - ModuleRef 27 - TypeSpec 28 - ImplMap
29 - FieldRVA 32 - Assembly 33 - AssemblyProcessor
34 - AssemblyOS 35 - AssemblyRef 36 - AssemblyRefProcessor
37 - AssemblyRefOS 38 - File 39 - ExportedType
40 - ManifestResource 41 - NestedClass 42 - GenericParam
44 - GenericParamConstraint

Each table is composed of a variable number of rows. The size of a row
depends on the kind of table and can contain a reference to other Metadata
tables.

Those tables are referenced by the Metadata token, a notion that is
described in the next paragraph.


----[ 2.1.2 - Metadata token

The Metadata token (or token for short) is a fundamental concept in the CLR
framework. A token allows you to reference a given table at a given index.
It is a 4-byte value, composed of two parts [08]: a table index and the
RID.

The table index is the topmost byte wich points to a table. A RID is a
3-byte record identifier pointing in the table, which starts at offset one.

As an example, let's consider the following Metadata token:

(06)00000F

0x06 is the number of the referenced table, which in this case is
MethodDef. The last three bytes are the RID, that in this case has a value
of 0x0F.


----[ 2.1.3 - MSIL bytecode

When we write a program in a .NET high level language, the compiler will
translate this code into an intermediate representation called MSIL or as
defined in the ECMA-335 [03] CIL, which stands for Common Intermediate
Language.

By installing Visual Studio you will also install a very handy utility
called ILDasm, that allows you to disassemble an Assembly by displaying the
MSIL code and other useful information.

As an example let try to compile the following C# source code:

------#------#------#------<START CODE>------#------#------#------
public class TestClass
{
private String _message;

public TestClass(String txt)
{
this._message = txt;
}

private String FormatMessage()
{
return "Hello " + this._message;
}

public void SayHello()
{
var message = this.FormatMessage();
Console.WriteLine(message);
}
}
------#------#------#------<END CODE>------#------#------#------

The result of the compilation is an Assembly with three methods:
.ctor : void(string), FormatMessage : string() and SayHello : void().

Let's try to display the MSIL code of the SayHello method:

------#------#------#------<START CODE>------#------#------#------
.method public hidebysig instance void SayHello() cil managed
// SIG: 20 00 01
{
// Method begins at RVA 0x21f8
// Code size 16 (0x10)
.maxstack 1
.locals init ([0] string message)
IL_0000: /* 00 | */ nop
IL_0001: /* 02 | */ ldarg.0
IL_0002: /* 28 | (06)00000F */
call instance string MockLibrary.TestClass::FormatMessage()
IL_0007: /* 0A | */ stloc.0
IL_0008: /* 06 | */ ldloc.0
IL_0009: /* 28 | (0A)000014 */
call void [mscorlib]System.Console::WriteLine(string)
IL_000e: /* 00 | */ nop
IL_000f: /* 2A | */ ret
} // end of method TestClass::SayHello
------#------#------#------<END CODE>------#------#------#------

For each instruction we can see the associated MSIL byte values. It is
interesting to see that the code doesn't contain any reference to unmanaged
memory but only to metadata tokens.

The two call instructions reference two different tables, due to the
FormatMessage method being implemented in the current Assembly and the
WriteLine method implemented in an external Assembly.

If we take a look at the list of tables presented in 2.1.1 we can see that
the Metadata token (0A)000014 references the table 0x0A which is the
MemberRef table, index 0x14 which is WriteLine. Instead the token
(06)00000F references the table 0x06 which is the MethodDef table, index
0x0F which is FormatMessage.


---[ 2.2 - Execution environment

The CLR execution environment is very strict and forbids any kind of
dangerous operation. If we compare it with the unmanaged world where we
were able to jump in the middle of an instruction to confuse the
disassembler, to create all kinds of opaque instructions or to jump to any
valid address, we will discover a sad truth: everything is forbidden.

The CLR is a stack based machine. This means that there is no concept of
registers and every parameter is pushed on the stack in order to be passed
to other functions. When we exit a method, the stack must be empty or at
least contain the value that should be returned.

As already said, everything is based on the definition of the Metadata
token. If we try to invoke a call with an invalid token we will receive a
fatal exception. This poses a serious problem for our goal, since we cannot
call methods that are not referenced by the original Assembly.


--[ 3 - JIT compiler

When a method is executed we have two different scenarios. The first one is
when the method is already compiled, in this case the code just jumps to
the compiled unmanaged code. The second scenario is when the method isn't
yet compiled, in this case the code jumps to a stub that will call the
exported method compileMethod, defined in corjit.h [04], in order to
compile and then execute the method.


---[ 3.1 - The compileMethod

Let's analyze this interesting method a bit more. The signature of
compileMethod is the following:

virtual CorJitResult __stdcall compileMethod (
ICorJitInfo *comp, /* IN */
struct CORINFO_METHOD_INFO *info, /* IN */
unsigned /* code:CorJitFlag */ flags, /* IN */
BYTE **nativeEntry, /* OUT */
ULONG *nativeSizeOfCode /* OUT */
) = 0;

The most interesting structure is the CORINFO_METHOD_INFO
which is defined in corinfo.h [05] and has the following format:

struct CORINFO_METHOD_INFO
{
CORINFO_METHOD_HANDLE ftn;
CORINFO_MODULE_HANDLE scope;
BYTE * ILCode;
unsigned ILCodeSize;
unsigned maxStack;
unsigned EHcount;
CorInfoOptions options;
CorInfoRegionKind regionKind;
CORINFO_SIG_INFO args;
CORINFO_SIG_INFO locals;
};

For our purpose the most important field is the ILCode byte pointer. It
points to a buffer which contains the MSIL bytecode. By modifying this
buffer we are able to alter the method execution flow.

As a side note, this method is also extensively used by .NET obfuscators.
In fact we can read the following comment in the source code:

Note: Obfuscators that are hacking the JIT depend on this method having
__stdcall calling convention

An obfuscator typically encrypts the MSIL bytecode of a method, then when
the method is bound to be executed they decrypt the bytecode and pass this
value as byte pointer instead of the encrypted one. This also explains why
if we open it in ILDasm or with a decompiler we receive back an error. How
can they know when a method is going to be called? This is pretty easy,
the code in charge for the replacement process is placed inside the type
constructor. This specific constructor is invoked only once: before a new
object of that specific type is created.


---[ 3.2 - Hooking the compileMethod

Since the compileMethod is exported by the Clrjit.dll (or from mscorjit.dll
for older .NET versions), we can easily install a hook to intercept all the
requests for compilation. The following F# pseudo-code shows how to do
this:

------#------#------#------<START CODE>------#------#------#------
[<DllImport(
"Clrjit.dll",
CallingConvention = CallingConvention.StdCall, PreserveSig = true)
>]
extern IntPtr getJit()

[<DllImport("kernel32.dll", SetLastError = true)>]
extern Boolean VirtualProtect(
IntPtr lpAddress,
UInt32 dwSize,
Protection flNewProtect,
UInt32& lpflOldProtect)

let pVTable = getJit()
_pCompileMethod <- Marshal.ReadIntPtr(pVTable)

// make memory writable
let mutable oldProtection = uint32 0
if not <| VirtualProtect(
_pCompileMethod,
uint32 IntPtr.Size,
Protection.PAGE_EXECUTE_READWRITE,
&oldProtection)
then
Environment.Exit(-1)

let protection = Enum.Parse(
typeof<Protection>,
oldProtection.ToString()) :?> Protection

// save original compile method
_realCompileMethod <-
Some (Marshal.GetDelegateForFunctionPointer(
Marshal.ReadIntPtr(_pCompileMethod),
typeof<CompileMethodDeclaration>) :?> CompileMethodDeclaration
)
RuntimeHelpers.PrepareDelegate(_realCompileMethod.Value)
RuntimeHelpers.PrepareDelegate(_hookedCompileMethodDelegate)

// install compileMethod hook
Marshal.WriteIntPtr(
_pCompileMethod,
Marshal.GetFunctionPointerForDelegate(_hookedCompileMethodDelegate)
)

// repristinate memory protection flags
VirtualProtect(
_pCompileMethod,
uint32 IntPtr.Size,
protection,
&oldProtection
) |> ignore
------#------#------#------<END CODE>------#------#------#------

When we modify the MSIL code we must pay attention to the stack size. Our
framework needs some stack space in order to work and if the method that is
going to be compiled doesn't need any local variables, we will receive an
exception at runtime. In order to fix this problem it is enough to modify
the maxStack variable of CORINFO_METHOD_INFO structure before writing it
back.


--[ 4 - .NET Instrumentation

Now it is time to modify the MSIL buffer of our method of choice and
redirect the flow to our code. As we will see this is not a smooth process
and we need to take care of numerous aspects.


---[ 4.1 - MSIL injection strategy

In order to invoke our code the process that we will follow is composed of
the following steps:

1. Install a trampoline at the beginning of the code. This
trampoline will call a dynamically defined method.

2. Define a dynamic method that will have a specific method signature.

3. Construct an array of objects that will contain the parameters
passed to the method.

4. Invoke a dispatcher function which will load our Assembly
and will finally call our code by passing a handle to the original
method and an array of objects representing the method parameters.

In the end the structure that we are going to create will follow the path
defined in the following diagram:

| ... |
| ... | +---------------+
| Trampoline |----> | |
| Original MSIL | | Dynamic |
| ... | | Method |---------+
| ... | | | |
+---------------+ v
+---------------+
| |
| Framework |
| Dispatcher |
| |
+---------------+
|
+----------+
|
v
+---------------+
| |
| User |
| Code Monitor |
| |
+---------------+


---[ 4.2 - Resolving the method handle

As we will see in the next paragraph, it is necessary to resolve the handle
of the method that will be compiled in order to obtain the needed
information via reflection. I have found a method to resolve it, it is not
very elegant but it works :P.

The following F# pseudo-code will show you how to resolve a method handle
given the CorMethodInfo structure:

------#------#------#------<START CODE>------#------#------#------
let getMethodInfoFromModule(
methodInfo: CorMethodInfo,
assemblyModule: Module) =
let mutable info: FilteredMethod option = None
try
// dirty trick, is there a
// better way to know the module of the compiled method?
let mPtr =
assemblyModule.ModuleHandle.GetType()
.GetField("m_ptr",
BindingFlags.NonPublic ||| BindingFlags.Instance)
let mPtrValue = mPtr.GetValue(assemblyModule.ModuleHandle)
let mpData =
mPtrValue.GetType()
.GetField("m_pData",
BindingFlags.NonPublic ||| BindingFlags.Instance)

if mpData <> null then
let mpDataValue = mpData.GetValue(mPtrValue) :?> IntPtr
if mpDataValue = methodInfo.ModuleHandle then
// module found, get method name
let tokenNum =
Marshal.ReadInt16(nativeint(methodInfo.MethodHandle))
let token = (0x06000000 + int32 tokenNum)
let methodBase = assemblyModule.ResolveMethod(token)

if methodBase.DeclaringType <> null &&
isMonitoredMethod(methodBase) then
let mutable numOfParameters =
methodBase.GetParameters() |> Seq.length
if not methodBase.IsStatic then
// take into account the this parameter
numOfParameters <- numOfParameters + 1

// compose the result info
info <- Some {
TokenNum = tokenNum
NumOfArgumentsToPushInTheStack = numOfParameters
Method = methodBase
IsConstructor = methodBase :? ConstructorInfo
Filter = this
}
with _ -> ()
info
------#------#------#------<END CODE>------#------#------#------

This method must be invoked for each module of all loaded Assemblies.

Now that we have a MethodBase object, we can use it to extract the needed
information, like the number of accepted parameters and their types.


---[ 4.3 - Implementing a trampoline via the calli instruction

Our first obstacle is to create a MSIL bytecode that can invoke an
arbitrary function. Among all the available OpCodes, the one of interest
for us is the calli instruction [06] (beware of its usage, as it makes our
code unverifiable).

From the MSDN page we can read that:

"The method entry pointer is assumed to be a specific pointer to native
code (of the target machine) that can be legitimately called with the
arguments described by the calling convention (a metadata token for a
stand-alone signature). Such a pointer can be created using the Ldftn or
Ldvirtftn instructions, or passed in from native code."

Nice, we can specify an arbitrary pointer to native code. The only
difficulty is that we cannot use the Ldftn or Ldvirtftn since they need a
metadata token, and we cannot specify this value. Not too bad, since from
the Ldftn documentation we can read that [07]:

"Pushes an unmanaged pointer (type native int) to the native code
implementing a specific method onto the evaluation stack."

So, if we have an unmanaged pointer we can simulate the Ldftn with a simple
Ldc_I4 instruction (supposing that we are operating on a 32 bit
environment) [09].

Unfortunately now we have another, even bigger, problem. The calli
instruction needs a callSiteDescr. From [08] we can read that:

"<token> - referred to callSiteDescr - must be a valid StandAloneSig".

The StandAloneSig is the table number 17. As I have already said we cannot
specify this Metadata token (since it probably doesn't exist in the table).

I have played a bit with the calli instruction in order to see if it
accepts also other kinds of Metadata tokens. In the end I discovered that
it also accepts a token from one of the following tables: TypeSpec, Field
and MethodDef.

For our purpose, the MethodDef table is the most interesting one, since we
can fake a valid MethodDef token by creating a DynamicMethod (more on this
later). We can now close the circle by using the calli instruction and
modifying the metadata token in order to specify a MethodDef.

We will use the MethodBase object that we obtained in the previous step in
order to know how many parameters the method accepts and push them in the
stack before invoking calli.

The following F# pseudo-code shows how to build the calli instruction:

------#------#------#------<START CODE>------#------#------#------
// load all arguments on the stack
for i=0 to filteredMethod.NumOfArgumentsToPushInTheStack-1 do
ilGenerator.Emit(OpCodes.Ldarg, i)

// emit calli instruction with a pointer to the dynamic method,
// the token used by the calli is not important as I'll modify it soon
ilGenerator.Emit(OpCodes.Ldc_I4, functionAddress)
ilGenerator.EmitCalli(
OpCodes.Calli,
CallingConvention.StdCall,
dispatcherMethod.ReturnType,
dispatcherArgs)

// this index allow to modify the right byte
let patchOffset = ilGenerator.ILOffset - 4
ilGenerator.Emit(OpCodes.Nop)

// check if I have to pop the return value
match filteredMethod.Method with
| :? MethodInfo as mi ->
if mi.ReturnType <> typeof<System.Void> then
ilGenerator.Emit(OpCodes.Pop)
| _ -> ()

// end method
ilGenerator.Emit(OpCodes.Ret)
------#------#------#------<END CODE>------#------#------#------

The functionAddress variable contains the native pointer of our dynamic
method. One last step is to patch the calli Metadata token with a MethodDef
token whose value we know to be correct. As value we will use the token of
the method that it is being compiled.

The following F# pseudo-code show how to modify the MSIL bytecode at the
right offset:

------#------#------#------<START CODE>------#------#------#------
// craft MethodDef metadata token index
let b1 = (filteredMethod.TokenNum &&& int16 0xFF00) >>> 8
let b2 = filteredMethod.TokenNum &&& int16 0xFF

// calli instruction accept 0x11 as table index (StandAloneSig),
// but seems that also other tables are allowed.
// In particular the following ones seem to be accepted as
// valid: TypeSpec, Field and Method (most important)
trampolineMsil.[patchOffset] <- byte b2
trampolineMsil.[patchOffset+1] <- byte b1
trampolineMsil.[patchOffset + 3] <- 6uy // 6(0x6): MethodDef Table
------#------#------#------<END CODE>------#------#------#------

Since this step is a bit complex let's try to summarize our actions:

1. We use the calli instruction to invoke an arbitrary method by specifying
a native address pointer.

2. We modify the calli metadata token by specifying a MethodDef token and
not a StandAloneSig token.

3. We pass as Metadata token value the token of the method currently
compiled. This kind of token describes the method that must be called.

Our next step is to be sure that the method invoked by calli satisfies the
information contained in the referenced Metadata token.


---[ 4.4 - Crafting a dynamic method

We now have to create the dynamic method that satisfies the information
provided by the token passed to the calli instruction. From [10] we can
read that:

"The method descriptor is a metadata token that indicates the method to
call and the number, type, and order of the arguments that have been placed
on the stack to be passed to that method as well as the calling convention
to be used."

So, in order to create a method that satisfies the signature of the method
referenced by the token we will use a very powerful .NET capability, which
allows us to define dynamic method. This step allows the following:

1. Create a method that has the same signature of the method that will be
compiled. This will guarantee that the information carried by the
metadata token is legit.

2. We are now in a situation where we can specify a valid metadata
token, since the new dynamic type is created in the current execution
environment.

This dynamic method will call another method (a dispatcher) that accepts
two arguments: a string representing the location of the Assembly to load
(more on this later) and an array of objects which contains the arguments
passed to the method.

In creating this method you have to pay attention when creating the objects
array, since in .NET not everything is an object.

The following F# pseudo-code creates the dynamic method with the right
signature:

------#------#------#------<START CODE>------#------#------#------
let argumentTypes = [|
if not filteredMethod.Method.IsStatic then
yield typeof<Object>
yield!
filteredMethod.Method.GetParameters()
|> Array.map(fun p -> p.ParameterType)
|]

let dynamicType =
_dynamicModule.DefineType(
filteredMethod.Method.Name + "_Type" + string(!_index))
let dynamicMethod =
dynamicType.DefineMethod(
dynamicMethodName,
MethodAttributes.Static |||
MethodAttributes.HideBySig |||
MethodAttributes.Public,
CallingConventions.Standard,
typeof<System.Void>,
argumentTypes
)
------#------#------#------<END CODE>------#------#------#------

We can now proceed with the creation of the method body. We need to pay
attention to two facts: ValueType parameters must be boxed, and Enum
parameters must be converted to another form (after some trials and errors
I found that Int32 is a good compromise).

------#------#------#------<START CODE>------#------#------#------
// push the location of the Assembly to load containing the monitors
let assemblyLocation =
if filteredMethod.Filter.Invoker <> null
then filteredMethod.Filter.Invoker.Assembly.Location
else String.Empty
ilGenerator.Emit(OpCodes.Ldstr, assemblyLocation)

// get the parameter types
let parameters =
filteredMethod.Method.GetParameters()
|> Seq.map(fun pi -> pi.ParameterType)
|> Seq.toList

// create argv array
ilGenerator.Emit(OpCodes.Ldc_I4,
filteredMethod.NumOfArgumentsToPushInTheStack)
ilGenerator.Emit(OpCodes.Newarr, typeof<Object>)

// fill the argv array
for i=0 to filteredMethod.NumOfArgumentsToPushInTheStack-1 do
ilGenerator.Emit(OpCodes.Dup)
ilGenerator.Emit(OpCodes.Ldc_I4, i)
ilGenerator.Emit(OpCodes.Ldarg, i)

// check if I have to box the value
if filteredMethod.Method.IsStatic || i > 0 then
// this check is necessary becasue the
// GetParameters method doesn't consider the 'this' pointer
let paramIndex = if filteredMethod.Method.IsStatic then i else i - 1
if parameters.[paramIndex].IsEnum then
// consider all enum as Int32 type to avoid access problems
ilGenerator.Emit(OpCodes.Box, typeof<Int32>)

elif parameters.[paramIndex].IsValueType then
// all value types must be boxed
ilGenerator.Emit(OpCodes.Box, parameters.[paramIndex])

// store the element in the array
ilGenerator.Emit(OpCodes.Stelem_Ref)

// emit call to dispatchCallback
let dispatchCallbackMethod =
Type.GetType("ES.Anathema.Runtime.Dispatcher")
.GetMethod("dispatchCallback", BindingFlags.Static ||| BindingFlags.Public)
ilGenerator.EmitCall(OpCodes.Call, dispatchCallbackMethod, null)

ilGenerator.Emit(OpCodes.Ret)
------#------#------#------<END CODE>------#------#------#------

The call will end up invoking a framework method that is in charge for the
dispatch of the call to the user defined code.


---[ 4.5 - Invoking the user defined code

In order to make the code easy to extend, we can implement a mechanism that
will load a user defined Assembly and invoke a specific method. In this way
we have an architecture that resembles that of a plugin-based architecture.
We call these plugins: monitors. Each monitor can be configured in order to
intercept a specific method.

In order to locate the monitors we will use the software design paradigm
"convention over configuration", which implies that all classes whose name
ends in "Monitor" are loaded.

This last method is very simple, it just retrieves the MethodBase object
from the stack in order to pass it to the monitor and finally invoke it.
The assemblyLocation parameter is the one that specifies where the user
defined Assembly is located.

------#------#------#------<START CODE>------#------#------#------
let dispatchCallback(assemblyLocation: String, argv: Object array) =
if File.Exists(assemblyLocation) then
let callingMethod =
try
// retrieve the calling method from the stack trace
let stackTrace = new StackTrace()
let frames = stackTrace.GetFrames()
frames.[2].GetMethod()
with _ -> null

// invoke all the monitors, we use "convention over configuration"
let bytes = File.ReadAllBytes(assemblyLocation)
for t in Assembly.Load(bytes).GetTypes() do
try
if t.Name.EndsWith("Monitor") && not t.IsAbstract then
let monitorConstructor =
t.GetConstructor([|
typeof<MethodBase>;
typeof<Object array>|])
if monitorConstructor <> null then
monitorConstructor.Invoke([|callingMethod; argv|]) |> ignore
with _ -> ()
------#------#------#------<END CODE>------#------#------#------


---[ 4.6 - Fixing the SEH table

We are near the end, we have modified the MSIL bytecode, we have created a
dynamic method and a trampoline. The final step is to write back the
CORINFO_METHOD_INFO structure and call the real compileMethod.
Unfortunately by doing so you will soon receive a runtime error when you
try to instrument a method that uses a try/catch clause.

This is due to the fact that the creation of the trampoline has made the
SEH table invalid. This table contains information on the portions of code
that are inside try/catch clauses. From [11] we can see that by adding
additional MSIL code, the properties TryOffset and HandlerOffset will
assume an invalid value.

This table is located after the IL Code, as shown in the following
diagram:

+--------------------+
| |
| Fat Header |
| |
+--------------------+
| |
| |
| IL Code |
| |
| |
+--------------------+
| |
| SEH Table |
| |
+--------------------+

We also have a confirmation from the source code, in fact in corhlpr.cpp
([12]) we can see that the SEH table is added to the outBuff variable after
that was already filled with the IL code.

So, to get the address of the SEH table it is enough to add to the IlCode
pointer, located in the CorMethodInfo structure, the length of the MSIL
code.

Before showing the code that does that we have to take into account that
the SEH Table can be of two different types: FAT or SMALL. What changes is
only the dimensions of its fields. So fixing this table it is just a matter
of locating it and enumerating each clause to fix their values.

The following F# pseudo-code does exactly this:

------#------#------#------<START CODE>------#------#------#------
let fixEHClausesIfNecessary(
methodInfo: CorMethodInfo,
methodBase: MethodBase,
additionalCodeLength: Int32) =
let clauses = methodBase.GetMethodBody().ExceptionHandlingClauses
if clauses.Count > 0 then
// locate SEH table
let codeSizeAligned =
if (int32 methodInfo.IlCodeSize) % 4 = 0 then 0
else 4 - (int32 methodInfo.IlCodeSize) % 4
let mutable startEHClauses =
methodInfo.IlCode +
new IntPtr(int32 methodInfo.IlCodeSize + codeSizeAligned)

let kind = Marshal.ReadByte(startEHClauses)
// try to identify FAT header
let isFat = (int32 kind &&& 0x40) <> 0

// it is always plus 3 because even if it is small it is
// padded with two bytes. See: Expert .NET 2.0 IL Assembler p. 296
startEHClauses <- startEHClauses + new IntPtr(4)

for i=0 to clauses.Count-1 do
if isFat then
let ehFatClausePointer =
box(startEHClauses.ToPointer())
 :?> nativeptr<CorILMethodSectEhFat>
let mutable ehFatClause = NativePtr.read(ehFatClausePointer)

// modify the offset value
ehFatClause.HandlerOffset <-
ehFatClause.HandlerOffset + uint32 additionalCodeLength
ehFatClause.TryOffset <-
ehFatClause.TryOffset + uint32 additionalCodeLength

// write back the result
let mutable oldProtection = uint32 0
let memSize = Marshal.SizeOf(typeof<CorILMethodSectEhFat>)
if not <| VirtualProtect(
startEHClauses,
uint32 memSize,
Protection.PAGE_READWRITE,
&oldProtection) then
Environment.Exit(-1)

let protection = Enum.Parse(
typeof<Protection>,
oldProtection.ToString()) :?> Protection
NativePtr.write ehFatClausePointer ehFatClause

// repristinate memory protection flags
VirtualProtect(
startEHClauses,
uint32 memSize,
protection,
&oldProtection) |> ignore

// go to next clause
startEHClauses <- startEHClauses + new IntPtr(memSize)
else
//... do same as above but for small size table
------#------#------#------<END CODE>------#------#------#------

Once we have fixed this table we can finally invoke the real compileMethod.


--[ 5 - Real world examples

The code presented is part of a project called Anathema that will allow you
to easily instrument .NET programs. Let's try to use the framework by
instrumenting a web application in order to steal the user passwords and to
instrument a real world malware in order to log all method calls.


---[ 5.1 - Web application password stealer

Let's see how we can use this instrumentation method in order to implement
a password stealer for a web application. For our demo we will use a very
popular .NET web server called Suave ([13]). We will write the web
application in F# and the password stealer as a C# console application, in
this way we can instrument the interesting method before it is compiled. In
the other case we have to force the .NET runtime to recompile the method in
order to apply the instrumentation (see [14] for a possible approach).

The web application is very simple and contains only a form; its HTML code
is shown below:

------#------#------#------<START CODE>------#------#------#------
<h1>-= Secure Web Shop Login =-</h1>
<form method="POST" action="/login">
<table>
<tr>
<td>Username:</td>
<td><input type="text" name="username"></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="password"></td>
</tr>
<tr>
<td></td>
<td><input type="submit" name="Login"></td>
</tr>
</table>
</form>
------#------#------#------<END CODE>------#------#------#------

The F# code in charge for the authentication is the following:

------#------#------#------<START CODE>------#------#------#------
let private _accounts = [
("admin", BCrypt.HashPassword("admin"))
("guest", BCrypt.HashPassword("guest"))
]

let private authenticate(username: String, password: String) =
_accounts
|> List.exists(fun (user, hash) ->
let usernameMatch = user.Equals(username, StringComparison.Ordinal)
let passwordMatch = BCrypt.Verify(password, hash)
usernameMatch && passwordMatch
)

let private doLogin(ctx: HttpContext) =
match (tryGetParameter(ctx, "username"), tryGetParameter(ctx, "password")) with
| (Some username, Some password) when authenticate(username, password) ->
OK "Authentication successfully executed!" ctx
| _ -> OK "Wrong username/password combination" ctx
------#------#------#------<END CODE>------#------#------#------

So, the best way to intercept passwords is the 'authenticate' method. We
will start by creating a class in charge of printing the received password,
this is done by creating the following simple class:

------#------#------#------<START CODE>------#------#------#------
class PasswordStealerMonitor
{
public PasswordStealerMonitor(MethodBase m, object[] args)
{
Console.WriteLine(
"[!] Username: '{0}', Password: '{1}'",
args[0],
args[1]);
}
}
------#------#------#------<END CODE>------#------#------#------

Now, the final step is to instrument the application, this is done using
the following code:

------#------#------#------<START CODE>------#------#------#------
// create runtime
var runtime = new RuntimeDispatcher();
var hook = new Hook(runtime.CompileMethod);
var authenticateMethod = GetAuthenticateMethod();
runtime.AddFilter(
typeof(PasswordStealerMonitor),
"SecureWebShop.Program.authenticate");

// apply hook
var jitHook = new JitHook();
jitHook.InstallHook(hook);
jitHook.Start();

// start the real web application
SecureWebShop.Program.main(new String[] { });
------#------#------#------<END CODE>------#------#------#------

Once the web application is run and we try to login, we will see the
following output in the console:

-= Secure Web Shop =-
Start web server on 127.0.0.1:8080
[14:45:49 INF] Smooth! Suave listener started in 631.728 with binding 127.0.0.1:8080
[!] Username: 's4tan', Password: 'wrong_password'
[!] Username: 'admin', Password: 'admin'


---[ 5.2 - Malware inspection

Let's consider a sample of the Hawkeye malware, written in .NET, with the
following MD5 hash: 130efba199b389ab71a374bf95be2304.

The sample contains two levels of packing. We could trace the packers but
let's focus on the main payload (MD5: 97d74c20f5d148ed68e45dad0122d3b5).
When the main payload is launched the following method calls are logged:

c:\>MLogger.exe malware.exe
[+] Debugger.My.MyApplication.Main(Args: System.String[]) : System.Void
[+] Debugger.My.MyProject..cctor()
[...]
[+] Debugger.My.MyProject.get_Application() : Debugger.My.MyApplication
[+] Debugger.My.MyProject+ThreadSafeObjectProvider`1.get_GetInstance() : T
[+] Debugger.My.MyApplication..ctor()
[+] Debugger.My.MyProject+ThreadSafeObjectProvider`1.get_GetInstance() : T
[+] Debugger.My.MyProject+MyForms..ctor()
[+] Debugger.Debugger..ctor()
[+] Debugger.Clipboard..ctor()
[+] Debugger.Clipboard.add_Changed(obj: Debugger.Clipboard+ChangedEventHandler)
 : System.Void
[+] Debugger.My.Resources.Resources.get_CMemoryExecute() : System.Byte[]
[+] Debugger.My.Resources.Resources.get_ResourceManager() :
System.Resources.ResourceManager
[+] Debugger.Debugger.InitializeComponent() : System.Void
[+] Debugger.Debugger.Decrypt(
encryptedBytes: System.String, secretKey: System.String) : System.String
[+] Debugger.Debugger.getAlgorithm(secretKey: System.String) :
System.Security.Cryptography.RijndaelManaged
[+] Debugger.Debugger.Decrypt(
encryptedBytes: System.String, secretKey: System.String) : System.String
[+] Debugger.Debugger.getAlgorithm(secretKey: System.String) :
System.Security.Cryptography.RijndaelManaged
[+] Debugger.Debugger.Decrypt(
encryptedBytes: System.String, secretKey: System.String) : System.String
[+] Debugger.Debugger.getAlgorithm(secretKey: System.String) :
System.Security.Cryptography.RijndaelManaged
[...]
[+] Debugger.Debugger.IsConnectedToInternet() : System.Boolean
[+] Debugger.Debugger.GetInternalIP() : System.String
[+] Debugger.Debugger.GetExternalIP() : System.String
[+] Debugger.Debugger.GetBetween(
Source: System.String, Before: System.String, After: System.String) : System.String
[+] Debugger.Debugger.GetAntiVirus() : System.String
[+] Debugger.Debugger.GetFirewall() : System.String
[+] Debugger.Debugger.unHide() : System.Void
[+] Debugger.My.MyProject+ThreadSafeObjectProvider`1.get_GetInstance() : T
[+] Debugger.My.MyComputer..ctor()
[+] Debugger.Debugger.unhidden(path: System.String) : System.Void
[...]
[+] Debugger.My.Resources.Resources.get_mailpv() : System.Byte[]
[+] Debugger.My.Resources.Resources.get_ResourceManager() :
System.Resources.ResourceManager
[+] Debugger.Debugger.HookKeyboard() : System.Void
[+] Debugger.Clipboard.Install() : System.Void
[+] Debugger.My.MyProject+ThreadSafeObjectProvider`1.get_GetInstance() : T
[+] Debugger.My.MyComputer..ctor()
[+] Debugger.Debugger.IsConnectedToInternet() : System.Boolean
[+] Debugger.Debugger.IsConnectedToInternet() : System.Boolean
[+] Debugger.My.MyProject.get_Computer() : Debugger.My.MyComputer
[...]


--[ 6 - Conclusion

Instrumenting a .NET program via MSIL bytecode injection is a pretty useful
technique that allows you to have full control of method invocation by
using a high level .NET language.

As we have seen, doing so requires a lot of attention and knowledge of the
internal workings of the CLR, but in the end the outcome is worth the
trouble.


--[ 7 - References

[01] Metadata and Self-Describing Components - https://goo.gl/bbSG7p
[02] The .NET File Format - http://www.ntcore.com/files/dotnetformat.htm
[03] Standard ECMA-335 - https://goo.gl/J9kko6
[04] corjit.h - https://goo.gl/J68Poi
[05] corinfo.h - https://goo.gl/G31KHP
[06] OpCodes.Calli Field - https://goo.gl/D7ug93
[07] OpCodes.Ldftn Field - https://goo.gl/sHzz1S
[08] Expert .NET 2.0 IL Assembler - https://goo.gl/3LKLSW
[09] OpCodes.Ldc_I4 Field - https://goo.gl/qEW2Lx
[10] OpCodes.Call Field - https://goo.gl/29rqZk
[11] ExceptionHandlingClause Class - https://goo.gl/bjLqSv
[12] corhlpr.cpp - https://goo.gl/DDVKgH
[13] Suave web server - https://suave.io/
[14] .NET CLR Injection - https://goo.gl/nryxYB
Also listed in: .NET Code Injection Tools, .NET Tracers, Reverse Engineering Frameworks
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Attack Surface Analyzer
Rating: 0.0 (0 votes)
Author: Microsoft Corporation                        
Website: http://go.microsoft.com/?linkid=9758398
Current version: Beta
Last updated: January 18, 2011
Direct D/L link: http://go.microsoft.com/?linkid=9758398
License type: Freeware
Description: Attack Surface Analyzer is the same tool used by Microsoft's internal product teams to catalogue changes made to the operating system by the installation of new software.

Attack Surface Analyzer takes a snapshot of your system state before and after the installation of product(s) and displays the changes to a number of key elements of the Windows attack surface.

This allows:
- Developers to view changes in the attack surface resulting from the introduction of their code on to the Windows platform
- IT Professionals to assess the aggregate Attack Surface change by the installation of an organization's line of business applications
- IT Security Auditors evaluate the risk of a particular piece of software installed on the Windows platform during threat risk reviews
- IT Security Incident Responders to gain a better understanding of the state of a systems security during investigations (if a baseline scan was taken of the system during the deployment phase)
Also listed in: File System Diff Tools, Install Monitoring Tools, Registry Diff Tools, System Diff Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: BoundsChecker
Rating: 0.0 (0 votes)
Author: Compuware                        
Website: http://www.compuware.com/products/devpartner/visualc.htm
Current version:
Last updated:
Direct D/L link: N/A
License type: Commercial
Description: Among many things, BoundsChecker is actually a pretty decent API monitor/logger.
Also listed in: API Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Bus Hound
Rating: 0.0 (0 votes)
Author: Perisoft                        
Website: http://www.perisoft.net/bushound/index.htm
Current version: 6.01
Last updated:
Direct D/L link: N/A
License type: Free + commercial version
Description: Bus Hound is the premier software bus analyzer for capturing I/O, protocol, and performance measurements. Bus Hound can also be used to build and submit commands to devices including bus resets, from a graphical interface.

Power User Features:
· Capture megabytes of I/O at a time
· View I/O on screen in real time
· Trigger on conditions
· Build and submit custom commands
· Issue bus and device resets
· Capture the system startup process
· View low level protocol including SCSI sense data and SMART commands
· View microsecond resolution timing
· Drag and drop captured data to other applications or save it to a zip file
· Capture isochronous and control transfers
· View IRPs and other device driver packets

Bus Support
USB 1.0 & 2.0
SCSI & ATAPI
IDE & SATA
FireWire, 1394a/b
Bluetooth
Fibre Channel
iSCSI, SAS
PC Card, PCMCIA
serial port
parallel port
ps/2 ports
...and more

OS Support
32-bit and 64-bit
Windows 2008
Windows Vista
Windows 2003
Windows XP
Windows XP Embedded
Windows 2000
Windows NT 4.0
Windows Me
Windows 98
Windows 95

Device Support
DVD, CD, Blu-ray
Hard drives, tape drives
Removable drives
Web Cams, Cameras
Mice, Keyboards, HID
Printers, Scanners
Speakers, Modems
...and everything else!
Also listed in: Bus Monitoring Tools, USB Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: busTRACE
Rating: 0.0 (0 votes)
Author: busTRACE Technologies                        
Website: http://www.bustrace.com
Current version: 8.0.047
Last updated: June 15, 2009
Direct D/L link: N/A
License type: Commercial
Description: busTRACE 8.0 is a comprehensive bus and device analysis tool in use by leading system OEMs, peripheral OEMs, software developers, USB developers, and storage developers all over the world. busTRACE 7.0 provides a suite of applications designed to help you perform advanced bus and device analysis.

* Capture I/O Activity
- Capture I/O activity on local or remote computers
- Allow remote busTRACE users to capture I/O activity

* Generate I/O Activity
- Send a single CDB to a storage device
- Send a sequence of CDBs to a storage device
- Perform a read/write/compare stress test
- View ATA/ATAPI Identify information

* Simulate Device Faults
- Simulate a failure on one or more specified devices

* Additional Tools
- View Device Command Descriptor Blocks
- View Device Sense Codes
- CD/DVD Exclusive Access Status
Also listed in: Bus Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: CFSearch
Rating: 0.0 (0 votes)
Author: Sirmabus                        
Website: http://www.woodmann.com/forum/showthread.php?t=11306&page=2
Current version: 1.0A
Last updated: February 15, 2008
Direct D/L link: N/A
License type: Free
Description: Extremely cool tracer tool that makes use of the "single step on branch", LBR ("last branch recording") features of current processors.

Not released yet, but we're awaiting it with great anticipation!
Also listed in: Tracers, Code Coverage Tools, Profiler Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: CloudView NMS
Rating: 0.0 (0 votes)
Author: CloudView NMS                        
Website: http://www.cloudviewnms.com
Current version: 2.00b
Last updated: September 9, 2014
Direct D/L link: http://www.cloudviewnms.com/files/cloudviewsetup200b.exe
License type: Shareware
Description: CloudView is a standards-based network management and monitoring system (NMS). It can auto-discover, monitor and perform many functions with any vendor SNMP or TCP/IP devices. It provides consistent geographical view of your whole network (thousands of IP nodes and hundreds thousands of switching ports), helps with its configuration, monitoring and troubleshooting. It is client-server system which allows secure performing NMS functions by multiple remote users simultaneously. CloudView can be successfully used in both enterprise and service provider networks with carrier-grade reliability. It is scalable for any network size. It is supported on multiple platforms including Windows, Linux, Mac OS and Solaris. It can be accessed remotely from any platform including mobile devices. Multiple network protocols standards are supported, including SNMPv1, SNMPv2 and SNMPv3 with AES-128 security. CloudView also used in SCADA (supervisory control and data acquisition) solutions as a large scale industrial control system (ICS). When access to managed devices is blocked by a corporate firewall, network address translation (NAT) mechanism or manged devices do not have a permanent IP address (i.e. DHCP) , CloudView offers optional multi-platform agent software which can be installed on the devices to overcome the above problems without VPN.
Also listed in: Network Monitoring Tools, Network Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: DiskMon
Rating: 0.0 (0 votes)
Author: Mark Russinovich                        
Website: http://www.microsoft.com/technet/sysinternals/FileAndDisk/Diskmon.mspx
Current version: 2.01
Last updated: November 1, 2006
Direct D/L link: N/A
License type: Free
Description: DiskMon is an application that logs and displays all hard disk activity on a Windows system. You can also minimize DiskMon to your system tray where it acts as a disk light, presenting a green icon when there is disk-read activity and a red icon when there is disk-write activity.
Also listed in: Disk Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: DotNET Tracer
Rating: 0.0 (0 votes)
Author: Kurapica                        
Website: http://www.woodmann.com/forum/showthread.php?t=11859
Current version: 1.1
Last updated: February 15, 2011
Direct D/L link: Locally archived copy
License type: Free
Description: This is a simple tool that has a similar functionality to RegMon or FileMon but it's designed to trace events in .NET assemblies in runtime, many events can be reported so you can understand what's going on in the background.

1- Select the assembly you want to analyze
2- Set the Events Mask, i.e Events you want to catch
3- Click "Start"

This version can handle all .net assemblies from 2.0 up to 4.0.

I hope it's useful and as always bug reports are welcome.
Also listed in: .NET Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Echo Mirage
Rating: 0.0 (0 votes)
Author: Dave Armstrong <dave@wildcroftsecurity.com>                        
Website: http://www.wildcroftsecurity.com/echo-mirage
Current version: 3.1
Last updated: March 5, 2013
Direct D/L link: Locally archived copy
License type: Freeware
Description: Echo Mirage is a generic network proxy. It uses DLL injection and function hooking techniques to redirect network related function calls so that data transmitted and received by local applications can be observed and modified.

Windows encryption and OpenSSL functions are also hooked so that plain text of data being sent and received over an encrypted session is also available.

Traffic can be intercepted in real-time, or manipulated with regular expressions and action scripts.
Also listed in: API Monitoring Tools, Network Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Export Log
Rating: 0.0 (0 votes)
Author: deroko                        
Website: http://deroko.phearless.org
Current version: 1.0
Last updated: September 15, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Program for runtime logging of used/imported external functions (i.e. in other DLLs) in target modules/processes.
Also listed in: API Monitoring Tools, Dependency Analyzer Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: FastSystemCallHook
Rating: 0.0 (0 votes)
Author: Darawk                        
Website: N/A
Current version:
Last updated: April 5, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: A snippet of code which is a KiFastSystemCall hook I wrote that hooks all user-mode APIs by replacing the SYSENTER MSR. It works also on multi-processor systems and should be easy to extend into a fully functional library if you want to.
Also listed in: API Monitoring Tools, Code Injection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: FileMon
Rating: 0.0 (0 votes)
Author: Mark Russinovich and Bryce Cogswell                        
Website: http://www.microsoft.com/technet/sysinternals/FileAndDisk/Filemon.mspx
Current version: 7.04
Last updated: November 1, 2006
Direct D/L link: N/A
License type: Free
Description: FileMon monitors and displays file system activity on a system in real-time. Its advanced capabilities make it a powerful tool for exploring the way Windows works, seeing how applications use the files and DLLs, or tracking down problems in system or application file configurations. Filemon's timestamping feature will show you precisely when every open, read, write or delete, happens, and its status column tells you the outcome. FileMon is so easy to use that you'll be an expert within minutes. It begins monitoring when you start it, and its output window can be saved to a file for off-line viewing. It has full search capability, and if you find that you're getting information overload, simply set up one or more filters.

Note:
Filemon and Regmon have been replaced by Process Monitor on versions of Windows starting with Windows 2000 SP4, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista. Filemon and Regmon remain for legacy operating system support, including Windows 9x.
Also listed in: File Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Filter Monitor
Rating: 0.0 (0 votes)
Author: Daniel Pistelli                        
Website: http://ntcore.com/filtermon.php
Current version: 1.1.0
Last updated: October 20, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: This utility can list kernel mode filters and also unregister them. Monitored filters are, for instance, registry filters, create process and thread notifications. FilterMon comes both for x64 and x86 and it should work on all Windows systems from Vista RTM to Windows 7 RTM. However, I only tested it on Windows 7 RTM on x64 and I can't guarantee that it will work on future versions of Windows as it relies heavily on system internals.

As you probably all know the Service Descriptor Table has been a playground on x86 for all sorts of things: rootkits, anti-viruses, system monitors etc. On x64 modifying the Service Descriptor Table is no longer possible, at least not without subverting the Patch Guard technology.

Thus, programs have now to rely on the filtering/notification technologies provided by Microsoft. And that's why I wrote this little utility which monitors some key filters.

Since I haven't signed the driver of my utility, you have to press F8 at boot time and then select the "Disable Driver Signature Enforcement" option. If you have a multiple boot screen like myself, then you can take your time. Otherwise you have to press F8 frenetically to not miss right moment.
Also listed in: Kernel Filter Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Fport
Rating: 0.0 (0 votes)
Author: Foundstone, Inc.                        
Website: http://www.foundstone.com/us/resources/proddesc/fport.htm
Current version: 2.0
Last updated: 2002
Direct D/L link: Locally archived copy
License type: Free
Description: fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications.

Usage:

C:\>fport
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid Process Port Proto Path
392 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
8 System -> 139 TCP
8 System -> 445 TCP
508 MSTask -> 1025 TCP C:\WINNT\system32\MSTask.exe
392 svchost -> 135 UDP C:\WINNT\system32\svchost.exe
8 System -> 137 UDP
8 System -> 138 UDP
8 System -> 445 UDP
224 lsass -> 500 UDP C:\WINNT\system32\lsass.exe
212 services -> 1026 UDP C:\WINNT\system32\services.exe

The program contains five (5) switches. The switches may be utilized using either a '/'
or a '-' preceding the switch. The switches are;

Usage:
/? usage help
/p sort by port
/a sort by application
/i sort by pid
/ap sort by application path

fport supports Windows NT4, Windows 2000 and Windows XP
Also listed in: Network Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Frida
Rating: 0.0 (0 votes)
Author: Ole André Vadla Ravnås (@fridadotre)                        
Website: https://www.frida.re/
Current version: 9.1.19
Last updated: March 22, 2017
Direct D/L link: N/A
License type: Open Source
Description: Inject JavaScript to explore native apps on Windows, macOS, Linux, iOS, Android, and QNX.

It’s Greasemonkey for native apps, or, put in more technical terms, it’s a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, Linux, iOS, Android, and QNX. Frida also provides you with some simple tools built on top of the Frida API. These can be used as-is, tweaked to your needs, or serve as examples of how to use the API.

Scriptable

Your own scripts get injected into black box processes to execute custom debugging logic. Hook any function, spy on crypto APIs or trace private application code, no source code needed!


Stalking

Stealthy code tracing without relying on software or hardware breakpoints. Think DTrace in user-space, based on dynamic recompilation, like DynamoRIO and PIN.


Portable

Works on Windows, macOS, Linux, iOS, Android, and QNX. Install the Node.js bindings from npm, grab a Python package from PyPI, or use Frida through its Swift bindings, .NET bindings, Qt/Qml bindings, or C API.


Why do I need this?

Great question. We’ll try to clarify with some use-cases:

* There’s this new hot app everybody’s so excited about, but it’s only available for iOS and you’d love to interop with it. You realize it’s relying on encrypted network protocols and tools like Wireshark just won’t cut it. You pick up Frida and use it for API tracing.

* You’re building a desktop app which has been deployed at a customer’s site. There’s a problem but the built-in logging code just isn’t enough. You need to send your customer a custom build with lots of expensive logging code. Then you realize you could just use Frida and build an application- specific tool that will add all the diagnostics you need, and in just a few lines of Python. No need to send the customer a new custom build - you just send the tool which will work on many versions of your app.

* You’d like to build a Wireshark on steroids with support for sniffing encrypted protocols. It could even manipulate function calls to fake network conditions that would otherwise require you to set up a test lab.

* Your in-house app could use some black-box tests without polluting your production code with logic only required for exotic testing.
Also listed in: API Monitoring Tools, Android Tools, Code Injection Tools, IPhone Tools, Memory Data Tracing Tools, Network Monitoring Tools, Non-Intrusive Debuggers, Programming Libraries, Reverse Engineering Frameworks, Ring 3 Debuggers, Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: GMER
Rating: 0.0 (0 votes)
Author: Przemyslaw Gmerek                        
Website: http://www.gmer.net
Current version: 1.0.15.15087
Last updated: September 15, 2009
Direct D/L link: http://www.gmer.net/gmer.zip
License type: Free
Description: GMER is an application that detects and removes rootkits .

It scans for:
* Hidden processes
* Hidden threads
* Hidden modules
* Hidden services
* Hidden files
* Hidden Alternate Data Streams
* Hidden registry keys
* Drivers hooking SSDT
* Drivers hooking IDT
* Drivers hooking IRP calls
* Inline hooks


GMER also allows to monitor the following system functions:
* Processes creating
* Drivers loading
* Libraries loading
* File functions
* Registry entries
* TCP/IP connections

GMER runs on Windows NT/W2K/XP/VISTA
Also listed in: Kernel Hook Detection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: generic tracer
Rating: 0.0 (0 votes)
Author: Dennis Yurichev                        
Website: http://conus.info/gt
Current version: 0.1
Last updated: May 24, 2009
Direct D/L link: http://conus.info/gt/gt01.zip
License type: Free
Description: generic tracer - extremely simple win32 tracer

* Main features:

1) Setting breakpoint at any function, monitoring its arguments and return value.
2) Monitoring global variables access.

In a way, it is a kind strace utility.

Significant differences vs strace are:

1) gt is Win32 only.
2) Breakpoints not just system calls, but any function.
3) Only 4 breakpoints, because of x86 architecture limitation.
4) Usage of Oracle .SYM files: ORACLE_HOME should be defined in environment.
Also listed in: API Monitoring Tools, Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: HookShark64
Rating: 0.0 (0 votes)
Author: DeepBlueSea                        
Website: http://www.gamedeception.net/threads/23612-Article-HookShark64-Beta-0.1
Current version: 0.1.0.6 BETA
Last updated: December 27, 2011
Direct D/L link: Locally archived copy
License type: Free
Description: Disadvantages of HookShark64 0.1 in comparison with 0.9:
- Hooks of relocated .data pointers are not detected
- rudimentary vtable-hook detection not implemented yet
- No scanning for Code Injections takes place
- no disassembler, no hex editor
- no Class Instance Browser
- No Listing of code references
- Cant null a region (why would you need hookshark for this anyway?)
- Showing Pageguard Candidates (which was broken anyway)
- no unhook support yet

Advantages of HookShark64 0.1:
- Full support of x64 processes
- like a 15 times faster or something (you will need at least SSE2)
- dumping modules from the module window
- sorting the process list (PID/ImageName)
- Exempt modules from being scanned (checkboxes in module window)
- a lot of Win7 fixes (ApiSetMap, thx to deroko)
- show function name of hook destination if available
- multithreading (IAT/EAT Hooks and Patchscanner have an own thread)
- it saves all settings/filters, window position and size in an ini file

You will get a lot of errors and bogus access violations in your log window. Why? Because checking everything carefully is slow. In 0.9 more checks were implented, which slowed the process down. In 64 0.1 many checks are omitted and simply wrapped around an exception handler. If an exception occurs, the next dll or the next codesection wil be scanned, without losing any results.


However, if HookShark really crashes, or the logwindow output is more suspicous than it should be, for example if you happen to know that it should have picked up something, then feel free to bugreport it right here in this thread.

Also: Beware using the Unchecking function for modules too carelessly. It can have some unwanted implications.
For example: If the unchecked module is the destination of a hook elsewhere, the listing in the hook-result-window might not be as detailed.
Another case would be: If the module has exports, which other modules import, it will show errors in the log and you might miss IAT hooks.

Version History
0.1.0.0
- Initial Release
0.1.0.3
- Fixed unchecking and checking an unlinked module being displayed as linked module (red -> blue)
- Show exact HookShark Version Number and Build in Log at startup
0.1.0.5
- fixed attempt to start x64server process on x86 platforms, when CPU was 64bit capable
- allow more user interactions with GUI while scanning
0.1.0.6
- the offset within a symbol is now shown (example:ntdll.dll!LdrLoadDll+0x15 )
Also listed in: Usermode Hook Detection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: IRP Tracker
Rating: 0.0 (0 votes)
Author: OSR                        
Website: http://www.osronline.com/article.cfm?article=199
Current version: v2.20
Last updated: February 2010
Direct D/L link: http://www.osronline.com/OsrDown.cfm/IrpTracker_V220_x86.zip?name=IrpTracker_v220_x86.zip&id=199
License type: freeware
Description: IrpTracker allows you to monitor all I/O request packets (IRPs) on a system without the use of any filter drivers and with no references to any device objects, leaving the PnP system entirely undisturbed. In addition to being able to see the path the IRP takes down the driver stack and its ultimate completion status, a detailed view is available that allows you to see the entire contents of static portion of the IRP and an interpreted view of the current and previous stack locations.

Use it as a learning tool if you're wondering how different devices/drivers interact or handle certain typs of I/O. Or, use it as a debugging tool (i.e. why does this I/O request succeed, but this one fails?). "Supported" on XP through Windows 7.
Also listed in: Driver & IRP Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: IRPTrace
Rating: 0.0 (0 votes)
Author: APSoft                        
Website: http://www.tssc.de/products/tools/irptrace/default.htm
Current version: 1.00.007
Last updated: September 18, 2005
Direct D/L link: N/A
License type: Commercial
Description: IrpTrace is a tool that watches I/O request packages (IRP) sent to kernel-mode driver(s) of Windows NT 4.0, Windows 2000 or Windows XP. Information about IRP requests can be sent to remote debugger and/or saved to a file. The collected information is available for instantaneous or deferred analysis, which makes this tool indispensable for debugging and support of device drivers.

Debug and support drivers

If a driver causes system crash or hangs at processing of an IRP, IrpTrace can help to locate buggy handler by information sent to remote debugger or output window of terminal application. Usually developers insert debug messages to locate crash point. Advantage of IrpTrace in that that: a) it can do it for non-debug version of drivers; b) developer can save time using for writing debug code.

If a driver forgets to complete an IRP request, it can cause various problems (up to system hang or blue screen). The list of not completed IRP requests can be determined using IrpTrace.

Windows 2000/XP build a stack of physical, filter and functional devices for each PnP device. Your software for a PnP device can malfunction due to a third-party software installed on the computer. IrpTrace can help you to locate such kind of problems.
Investigate interaction of software components

In some cases developer need to investigate communication protocol of existing software (driver - application, driver - driver). If protocol is a sequence of I/O requests (for example, device control, internal device control, read and write requests), IrpTrace can help to do it.

The list of I/O requests IrpTrace will watch for can be specified by:

* Name of driver that is owner of IRP request target device
* Name of target device
* Name of module which is sending IRP request
* Name / ID of PnP device

Information about IRP request includes:

* Name of request
* Name and address of target device
* Completion status
* Address of code that sent the request
* IRQL, process name and ID of thread that sent the request
* Address of procedure that completed request
* Detailed information about input and output parameters of request (if any)
Also listed in: Driver & IRP Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: JavaSnoop
Rating: 0.0 (0 votes)
Author: Aspect Security                        
Website: https://www.aspectsecurity.com/research/appsec_tools/javasnoop/
Current version: 1.1 RC2
Last updated: January 15, 2012
Direct D/L link: Locally archived copy
License type: Free
Description: A tool that lets you intercept methods, alter data and otherwise test the security of Java applications on your computer

Normally, without access to the original source code, testing the security of a Java client is unpredictable at best and unrealistic at worst. With access the original source, you can run a simple Java program and attach a debugger to it remotely, stepping through code and changing variables where needed. Doing the same with an applet is a little bit more difficult.

Unfortunately, real-life scenarios don’t offer you this option, anyway. Compilation and decompilation of Java are not really as deterministic as you might imagine. Therefore, you can’t just decompile a Java application, run it locally and attach a debugger to it.

Next, you may try to just alter the communication channel between the client and the server, which is where most of the interesting things happen anyway. This works if the client uses HTTP with a configurable proxy. Otherwise, you’re stuck with generic network traffic altering mechanisms. These are not so great for almost all cases, because the data is usually not plaintext. It’s usually a custom protocol, serialized objects, encrypted, or some combination of those.

JavaSnoop attempts to solve this problem by allowing you attach to an existing process (like a debugger) and instantly begin tampering with method calls, run custom code, or just watch what’s happening on the system.
Also listed in: Java Code Injection Tools, Network Monitoring Tools, Network Sniffers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: KaKeeware Application Monitor (KAM)
Rating: 0.0 (0 votes)
Author: KaKeeware                        
Website: http://www.kakeeware.com/i_kam.php
Current version: 1.32
Last updated: May 24, 2007
Direct D/L link: http://www.kakeeware.com/download.php?f=kam.exe
License type: Freeware
Description: KaKeeware Application Monitor is a very small API monitor that allows the user to monitor the APIs called by the given application. KAM supports 5577 different APIs as for now.

KAM works as an API spy that may help the developers and localization engineers to find the bugs in the release versions of the software. It can be also used by malware analysts to check which APIs are used by the sample they analyse.
The executable file is packed with Upack.
Since v1.04, KAM can rerieve object names (filenames, registry keys) and shows them on UI instead of handles, making the listing more readable. 1.10 shows more information about monitored APIs. 1.20 added groups to APIs window and added support for command line for monitored program. 1.21 hopefully fixes the problem with some XP versions. 1.30 introduces a lot of new APIs (now it's over 5000!). 1.31 finally conquers Vista. 1.32 adds some APIs (as per request :).

Please be aware that some AV programs may flag kam.exe as malicious. This is a problem known as FP (False Positive). kam.exe is not malicious and it doesn't contain any malicious code.
Also listed in: API Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: KernelSpy
Rating: 0.0 (0 votes)
Author: Anton Bassov                        
Website: http://www.codeproject.com/system/kernelspying.asp
Current version: 1.0
Last updated: April 22, 2004
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: After having published my article about process-wide API spying, I received plenty of encouraging messages - readers have generally accepted my model of hooking function calls. In this article, we will extend our model to kernel- mode spying, and hook the API calls that are made by our target device driver. We will also introduce a brand-new way of communication between the kernel-mode driver and the user-mode application - instead of using system services, we will implement our own mini-version of Asynchronous Procedure Calls. This task is not as complicated as it may seem - in fact, it is just shockingly easy. Windows flat memory model offers us plenty of exciting opportunities - the only thing we need is a sense of adventure (plus a good knowledge of assembly language, of course). All tips and tricks, described in this article, are 100% of my own design - you would not find anything more or less similar to these tricks anywhere.
Also listed in: SysCall Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: LSOF
Rating: 0.0 (0 votes)
Author: Victor A. Abell                        
Website: http://people.freebsd.org/~abe/
Current version:
Last updated:
Direct D/L link: N/A
License type: Free / Open Source
Description: The lsof (LiSt Open Files) diagnostic and forensics tool lists information about any files that are open by processes currently running on the system. It can also list communications sockets open by each process.
Also listed in: File Monitoring Tools, Network Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: MALM: Malware Monitor
Rating: 0.0 (0 votes)
Author: Geoff McDonald                        
Website: http://www.split-code.com/
Current version: v1.2
Last updated: December 16, 2012
Direct D/L link: http://www.split-code.com/files/malm-v1_2.zip
License type: Freeware
Description: MALM is a 32 and 64bit Windows OS command-prompt tool for monitoring malware. It monitors:
- New processes
- New modules in existing processes
- New executable heaps in existing processes.

As it notices changes, MALM will output observations to the console. When MALM is terminated by CTRL-C, it will generate a final report of it's findings.

This tool is particularly useful for monitoring where the malware resides after execution, since malware often injects itself into other processes.
Also listed in: Malware Analysis Tools, Memory Data Tracing Tools, Process Monitoring Tools, System Diff Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: MSIL Dumper
Rating: 0.0 (0 votes)
Author: Kurapica                        
Website: http://www.woodmann.com/forum/showthread.php?t=11809
Current version: 0.4
Last updated: December 12, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: The idea of this tool is to achieve two objects:

1 - It will dump the body of every Method (Function, Procedure) called by the executable assembly you select, The dumping occurs whenever compiler enters that method, for example if you Click some button and this button calls method "CheckLicense" then you will find a file named "CheckLicense.txt" in the "\Dump" folder.

2 - It will show you in details the methods being called and also the modules that your application loads so it could be used as a simple tracing utility for .net assemblies.

I wrote this tool to help me rebuild assemblies protected with JIT hooking technique, those assemblies can't be explored in Reflector because their methods' body is encrypted and only decrypted in runtime when the method is called so you will see no code in reflector, I assumed that I will have access to the encrypted MSIL code of the methods using Profiling APIs, there was a 50% chance of success but it turned out to be only useful against certain protections like the one that LibX coded which depends on System.Reflection.Emit.DynamicMethod to excute protected methods.

you can find more on LibX protection here
hxxp://www.reteam.org/board/showthread.php?t=799
Also listed in: .NET MSIL Dumpers, .NET Tracers, Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Malcode Analysis Pack
Rating: 0.0 (0 votes)
Author: David Zimmer (iDefense Labs)                        
Website: http://sandsprite.com/blogs/index.php?uid=7&pid=185
Current version:
Last updated: May 5, 2012
Direct D/L link: http://sandsprite.com/CodeStuff/map_setup.exe
License type: GPL2
Description: Update: This is no longer available through the iDefense website. An updated package has been made available by the author.

The Malcode Analyst Pack contains a series of utilities that were found to be necessary tools while doing rapid malcode analysis.

Included in this package are:

• ShellExt - 5 explorer shell extensions
• socketTool - manual TCP Client for probing functionality.
• MailPot - mail server capture pot
• fakeDNS - spoofs dns responses to controlled ip's
• sniff_hit - HTTP, IRC, and DNS sniffer
• sclog - Shellcode research and analysis application
• IDCDumpFix - aids in quick RE of packed applications
• Shellcode2Exe - embeds multiple shellcode formats in exe husk
• GdiProcs - detect hidden processes
• finddll - scan processes for loaded dll by name
• Virustotal - virus reports for single and bulk hash lookups. Explorer integration
Also listed in: API Monitoring Tools, Import Editors, Malware Analysis Tools, Network Sniffers, Network Tools, Process Monitoring Tools, Reverse Engineering Frameworks, TCP Proxy Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: oStudio - Live Tuning
Rating: 0.0 (0 votes)
Author: Objectis                        
Website: http://www.objectis-software.com/product/ostudio-live-tuning-live-debugging-functional-tests/
Current version: 1.3
Last updated: January 17, 2014
Direct D/L link: http://www.objectis-software.com/download-ostudio-2013/
License type: Free
Description: Accelerates the integration, testing and development phase by a factor of 2 to 10, in one easy-to-use application.
oStudio - Live Tuning brings a new development and real time debugging method. It's easy to connect embedded systems, automation and .NET applications to oStudio - Live Tuning, and to interact with them LIVE!

Traditional step by step debugging techniques are now history. A system doesn’t need to be halted to verify and validate its behavior anymore! This method, called live debugging, consists of observing and interacting with a real-time system while it’s still running. oStudio – Live Tuning is a new generation of debugger. It regroups new debugging tools for embedded systems and the machine industry with automated testing.
Also listed in: .NET Debuggers, .NET Tools, .NET Tracers, API Monitoring Tools, COM Debugging Tools, COM Monitoring Tools, Debug Output Monitoring Tools, Debuggers, FPGA Tools, Microcontroller Tools, Non-Intrusive Debuggers, Visual Basic Debuggers, Visual Basic Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Pin
Rating: 0.0 (0 votes)
Author: Intel                        
Website: https://software.intel.com/en-us/articles/pintool/
Current version: 81205
Last updated: February 13, 2017
Direct D/L link: N/A
License type: Free
Description: Pin is a dynamic binary instrumentation framework for the IA-32, x86-64 and MIC instruction-set architectures that enables the creation of dynamic program analysis tools. Some tools built with Pin are VTune Amplifier XE, Inspector XE, Advisor XE and SDE. The tools created using Pin, called Pintools, can be used to perform program analysis on user space applications on Linux, Windows and OS X*. As a dynamic binary instrumentation tool, instrumentation is performed at run time on the compiled binary files. Thus, it requires no recompiling of source code and can support instrumenting programs that dynamically generate code.


Pin provides a rich API that abstracts away the underlying instruction-set idiosyncrasies and allows context information such as register contents to be passed to the injected code as parameters. Pin automatically saves and restores the registers that are overwritten by the injected code so the application continues to work. Limited access to symbol and debug information is available as well.

Pin was originally created as a tool for computer architecture analysis, but its flexible API and an active community (called "Pinheads") have created a diverse set of tools for security, emulation and parallel program analysis.
Also listed in: API Monitoring Tools, Code Injection Tools, Programming Libraries, Reverse Engineering Frameworks
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Pipetrace
Rating: 0.0 (0 votes)
Author: Toolcrypt Group                        
Website: http://www.toolcrypt.org/tools/pipetrace/index.html
Current version:
Last updated:
Direct D/L link: http://www.toolcrypt.org/tools/pipetrace/pipetrace.zip
License type: Free
Description: Pipestrace is a console to trace / view Named Pipe creation and deletion. Changes are tracked by using FindFirstChangeNotification. Pipetrace has been tested on Win2K
Also listed in: Named Pipe Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Portmon
Rating: 0.0 (0 votes)
Author: Mark Russinovich                        
Website: http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Portmon.mspx
Current version: 3.02
Last updated: November 1, 2006
Direct D/L link: N/A
License type: Free
Description: Portmon is a utility that monitors and displays all serial and parallel port activity on a system. It has advanced filtering and search capabilities that make it a powerful tool for exploring the way Windows works, seeing how applications use ports, or tracking down problems in system or application configurations.
Also listed in: Parallel Comm Monitoring Tools, Serial Comm Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Process Lasso
Rating: 0.0 (0 votes)
Author: Jeremy Collake                        
Website: http://www.bitsum.com/prolasso.php
Current version: 3.62
Last updated: July 18, 2009
Direct D/L link: http://www.bitsum.com/files/prolasso.zip
License type: Free
Description: Process Lasso is a unique new technology intended to automatically adjust the allocation of CPU cycles so that system responsiveness is improved in high-load situations. It does this by dynamically temporarily lowering the priorities of processes that are consuming too many CPU cycles, there-by giving other processes a chance to run if they are in need. This is useful for both single and multi-core processors. No longer will a single process be able to bring your system to a virtual stall.

In addition, Process Lasso offers capabilities such as default process priorities, termination of disallowed processes, and logging of processes executed.
Supporting users are able to download all past and future builds of Process Lasso and have are given a specially labelled version of Process Lasso
Also listed in: Process Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Process Monitor
Rating: 0.0 (0 votes)
Author: Mark Russinovich and Bryce Cogswell                        
Website: http://www.microsoft.com/technet/sysinternals/FileAndDisk/processmonitor.mspx
Current version: 2.7
Last updated: September 18, 2009
Direct D/L link: http://download.sysinternals.com/Files/ProcessMonitor.zip
License type: Free
Description: Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.
Also listed in: File Monitoring Tools, Process Monitoring Tools, Registry Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: RAIDE
Rating: 0.0 (0 votes)
Author: petersilberman                        
Website: http://www.rootkit.com/project.php?id=33
Current version: Beta 1
Last updated: August 6, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: RAIDE stands for Rootkit Analysis Identification Elimination. RAIDE is a rootkit detection/removal tool. RAIDE offers unique features like process dumping/firewall identification etc.
Also listed in: Kernel Hook Detection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Rootkit Unhooker
Rating: 0.0 (0 votes)
Author: EP_X0FF / DiabloNova                        
Website: http://www.rootkit.com/newsread.php?newsid=902
Current version: 3.8.342.554
Last updated: Sep 21, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: Rootkit Unhooker LE (RkU) is an advanced rootkit detection/removal utility, designed specially for advanced users and IT professionals. It runs under 32bit Windows 2000, Windows XP, Windows 2003 Server and Windows Vista.

The project was discontinued when it was bought up by Microsoft in November 2007.

Project continued by DiabloNova.
Last announcement:
http://www.rootkit.com/blog.php?newsid=912
Direct D/L:
http://www.rootkit.com/vault/DiabloNova/RkU3.8.342.554.rar
Also listed in: Kernel Hook Detection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: SDT Cleaner
Rating: 0.0 (0 votes)
Author: Nahuel C. Riva                        
Website: http://oss.coresecurity.com/projects/sdtcleaner.html
Current version: 1.0
Last updated:
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: SDT Cleaner is a tool that intends to clean the SSDT (system service descriptor table) from hooks.

* The SDT Cleaner allows you to clean hooks installed by Anti-Virus and Firewalls.
* This little tool (in this first release) tries to collect info from your current kernel and then switches to kernel land and if there are any hooks in SSDT, this tool will replace them with the original entries.
Also listed in: Kernel Hook Detection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: SSDT Revealer
Rating: 0.0 (0 votes)
Author: ZaiRoN                        
Website: http://zairon.wordpress.com/2007/03/20/tool-system-service-descriptor-table-revealer/
Current version: 1.0
Last updated: March 20, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: This is little tool I’ve coded some times ago. The name says it all, it reveals System Service Dispatch Table showing possible hooks over one or more functions. It was born as a part of a more complex tool, which is still unfinished.. SSDT revealer is nothing special but could come in handy.

The program has been developed under Win-XP. It should run on other OSs but I really don’t know. Again, it’s a personal program and I didn’t spend nights and nights trying to find one or more bug, when a bug occours I fix it. If you find a bug or something else, please, don’t hesitate to contact me.
Also listed in: Kernel Hook Detection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: SandboxDiff
Rating: 0.0 (0 votes)
Author: majoMo (Rui Morais)                        
Website: N/A
Current version: 2.3
Last updated: January 10, 2011
Direct D/L link: Locally archived copy
License type: Freeware
Description: 'SandboxDiff' allows tracking changes in Registry and Files when using 'Sandboxie' (an amazing application created by Ronen Tzur).

All Registry entries and File system created/modified by a program sandboxed (or any action sandboxed) are monitored and listed with SandboxDiff.

Very useful when users want (before to install an application) to know all changes made by the installer in Registry and File system.
Also listed in: File Monitoring Tools, File System Diff Tools, Install Monitoring Tools, Registry Diff Tools, Registry Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Sandboxie
Rating: 0.0 (0 votes)
Author: Ronen Tzur                        
Website: http://www.sandboxie.com
Current version: 3.42
Last updated: December 1, 2009
Direct D/L link: N/A
License type: Shareware
Description: Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.

You can also access all the changes that were made during the program execution.
Also listed in: File Monitoring Tools, File System Diff Tools, Network Monitoring Tools, Registry Diff Tools, Registry Monitoring Tools, X86 Sandboxes
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: scdbg
Rating: 0.0 (0 votes)
Author: David Zimmer                        
Website: http://sandsprite.com/blogs/index.php?uid=7&pid=152
Current version:
Last updated: March 30, 2012
Direct D/L link: http://sandsprite.com/CodeStuff/scdbg.zip
License type: free
Description: scdbg is a shellcode analysis application built around the libemu emulation library. When run it will display to the user all of the Windows API the shellcode attempts to call.

Additions include:
100+ new api hooks, 5 new dlls, interactive debug shell, memory dumping, rebuilt PEB, SEH support, support for file format exploits, support for return address scanners, memory monitor, report mode, dump mode, easily human readable outputs, log after xx capabilities, directory mode, inline analysis of process injection shellcode and more...

Builds are available for Windows (native), Cygwin, and *nix variants.

See tool web page for more details.


**************************
New catagory Request: Shellcode Analysis

While other categories describe functions of this tool, its a really specialized niche field.
Not many people know specialized tools exist for it, a category of its own (probably
within the Malcode Analysis section?) would help people find it. I can think of two other applications to link into this new section. (libemu and sclog) and maybe shellcode_2_exe
***************************
Also listed in: API Monitoring Tools, Automated Unpackers, Debuggers, Malware Analysis Tools, Needs New Category
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Security Research and Development Framework
Rating: 0.0 (0 votes)
Author: Amr Thabet                        
Website: http://blog.amrthabet.co.cc
Current version: v 1.00
Last updated: November 25, 2012
Direct D/L link: http://code.google.com/p/srdf
License type: GPL v.2
Description: Do you see writing a security tool in windows is hard?
Do you have a great idea but you can’t implement it?
Do you have a good malware analysis tool and you don’t need it to become a plugin in OllyDbg or IDA Pro?
So, Security Research and Development Framework is for you.


Abstract:

This is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches and ideas from the theoretical approach to the practical implementation.

This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF.

Introduction:

In the last several years, the malware black market grows widely. The statistics shows that the number of new viruses increased from 300,000 viruses to millions and millions nowadays.

The complexity of malware attacks also increased from small amateur viruses to stuxnet, duqu and flame.

The malware field is searching for new technologies and researches, searching for united community can withstand against these attacks. And that’s why SRDF

The SRDF is not and will not be developed by one person or a team. It will be developed by a big community tries to share their knowledge and tools inside this Framework

SRDF still not finished … and it will not be finished as it’s a community based framework developed by the contributors. We just begin the idea.

The SRDF is divided into 2 parts: User-Mode and Kernel-Mode. And we will describe each one in the next section.

The Features:

Before talking about SRDF Design and structure, I want to give you what you will gain from SRDF and what it could add to your project.

In User-Mode part, SRDF gives you many helpful tools … and they are:

· Assembler and Disassembler
· x86 Emulator
· Debugger
· PE Analyzer
· Process Analyzer (Loaded DLLs, Memory Maps … etc)
· MD5, SSDeep and Wildlist Scanner (YARA)
· API Hooker and Process Injection
· Backend Database, XML Serializer
· And many more

In the Kernel-Mode part, it tries to make it easy to write your own filter device driver (not with WDF and callbacks) and gives an easy, object oriented (as much as we can) development framework with these features:

· Object-oriented and easy to use development framework
· Easy IRP dispatching mechanism
· SSDT Hooker
· Layered Devices Filtering
· TDI Firewall
· File and Registry Manager
· Kernel Mode easy to use internet sockets
· Filesystem Filter

Still the Kernel-Mode in progress and many features will be added in the near future.

Source Code: http://code.google.com/p/srdf
Facebook Page: http://www.facebook.com/SecDevelop

JOIN US ... just mail me at: amr.thabet[at]student.alx.edu.eg
Also listed in: Assembler IDE Tools, Assemblers, Automated Unpackers, Debugger Libraries, Debuggers, Disassembler Libraries, Disassemblers, Driver & IRP Monitoring Tools, Exe Analyzers, Kernel Filter Monitoring Tools, Kernel Tools, Low-level Development Libraries, Malware Analysis Tools, Programming Libraries, Reverse Engineering Frameworks, X64 Disassembler Libraries, X86 Disassembler Libraries, X86 Emulators
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: SniffUSB
Rating: 0.0 (0 votes)
Author: Thomas F. Divine / Benoit Papillault                        
Website: http://www.pcausa.com/Utilities/UsbSnoop
Current version: 2.0.0006
Last updated: February 23, 2007
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Overview

SniffUSB 2.0 is a minor update to the predecessor SniffUSB 1.8 by Benoit Papillault.

The purpose of this release is actually to update Benoit's prior work to allow it to be built under newer development tools. In particular:
* The SniffUSB application is built under Microsoft Visual Studio 2005.
* The UsbSnoop driver is built under the Windows Vista Driver Kit (WDK 6000)

Benoit deserves quite a bit of credit because his V1.8 application and driver ported to these newer tools with very little effort.

Thanks, Benoit!

This release does not fix any bugs from Benoit's V1.8 release and does not offer any new functionality.

After making the initial port of the UsbSnoop driver to WDK 6000 (which went smoothly...) I did make additional modifications to the driver code. Most of these were to make the code more readable - at least to me.

The V2.0 UsbSnoop driver changes included:
* Fixed a small number of PreFast warnings.
* Replaced deprecated functions with newer preferred functions.
* Now use lookaside lists for repetitive fixed-size allocations.
* Removed dead code.
* Simplified some code paths.
* Reorganized code and renamed variables and functions to suit my tastes.
* Replaced driver core dispatch template with that of the WDK 6000 filter.cpp sample driver.

In addition I removed some functionality:
* SniffUSB 2.0 does NOT support Windows 98/ME
* SniffUSB 2.0 does NOT support Windows 2000

I did very little work on the SniffUSB MFC application. Changes that I did make include:
* Replaced some deprecated functions with newer preferred functions.
* Fixed some complier warnings.
* Revised the folder organization for compiler and linker output.
* Added x64 configurations.
* Fixed "Present" indication. (V2.0.0004)
* Improved display refresh control. (V2.0.0004)
* Control whether devices that are not present are listed. (V2.0.0004)
* Added "Uninstall All" button. (V2.0.0005)
* Added mechanism to pause/resume logging. (V2.0.0006)
* Added mechanism to allow the log file to be closed and deleted reliably. (V2.0.0006)

SniffUSB 2.0 now supports only Windows XP and higher.

Benoit's original SniffUSB V1.8 source and executables can be found at the URL:

http://benoit.papillault.free.fr/usbsnoop/
Also listed in: USB Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: SpyStudio
Rating: 0.0 (0 votes)
Author: Nektra                        
Website: http://www.nektra.com/products/spystudio
Current version: 1.0.0b
Last updated: February 2008
Direct D/L link: http://www.nektra.com/products/spystudio/spystudio.exe
License type: Free
Description: SpyStudio is a powerful application that simplifies the code execution interception operations, also called "hooking". Users can now easily monitor and gain control over processes in their systems, to really know what is happening in the Operating System and it's applications.

With SpyStudio you can monitor and intercept API calls at any time, change its parameters, and resume execution.

SpyStudio uses the Deviare API technology to intercept functions' calls, this allows the user to monitor and hook applications in real time.
Deviare is a very complex technology, that can be used through the most simple interfaces.

This useful application provides the ability to break process execution and inspect the function's parameters at any level, and even change its values.

* Hooks any module of any application.

* Understands almost any function's parameters. Every defined data structures and types in windows.h are supported.

* Break on monitor: Break application's code execution, watch and modify function's parameters.

* Integrated Python shell: Now allows to execute Python scripts and handle hooks!

* Some of the modules included on the database are:

Advapi32.dll
Gdi32.dll
Kernel32.dll
Ntdll.dll
User32.dll
Shell32.dll
Wininet.dll
Also listed in: API Monitoring Tools, Code Injection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Strace for NT
Rating: 0.0 (0 votes)
Author: Bindview Security Research                        
Website: http://razor.bindview.com/tools
Current version: 0.3
Last updated: October 21, 2003
Direct D/L link: Locally archived copy
License type: Free
Description: Strace for NT is a debugging/investigation utility for examining the NT system calls made by a process. It is meant to be used like the strace (or truss) on linux and other unix OSes.
Also listed in: SysCall Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Strace for NT (with anti anti debug patch)
Rating: 0.0 (0 votes)
Author: Shub-nigurrath / Bindview Security Research                        
Website: http://arteam.accessroot.com/releases
Current version: 1.1a
Last updated: July 25, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: Modified version of Strace NT, with advanced antiantidebugging option to hide it to most packers.
Also listed in: SysCall Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Syscall Lister
Rating: 0.0 (0 votes)
Author: Omega Red                        
Website: http://omeg.pl/
Current version:
Last updated: July 18, 2007
Direct D/L link: bin_Syscall_Lister_2007-10-20_23.59__SysCall_32_and_64.zip
License type: Free
Description: This program enumerates all NT kernel system calls and matches them with native API functions using dbghelp and MS symbols (internet connection is required to download these symbols).

It uses kernel mode driver to access arbitrary memory locations, like System Service Descriptor Tables.
Also listed in: SysCall Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: System Virginity Verifier
Rating: 0.0 (0 votes)
Author: Joanna Rutkowska                        
Website: http://www.invisiblethings.org/code.html
Current version: 2.3
Last updated: February 27, 2005
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Joanna Rutswoka provides on her site (invisiblethings.org) interesting papers and tools about rootkits since a few years and is a well known contributors on the official rootkit web site.

SYSTEM VIRGINITY VERIFIER or SVV is very interesting because it checks the system for malicious hooking and also checks the integrity of code section modules directly in memory.

After the verification, SVV notifies the user with five level of infection or seriousness:


-level 0: 100% Virgin (not expected to ocuur in the wild);
-level 1: Seems ok;
-level 2: Innocent hooking detected;
-level 3: Very suspected but may be a false positive;
-level 4: compromised.

The final verdict uses a color codification from blue to deepred.
Resource: the SVV powerpoint presentation (available at invisiblethings.org).

It's important to note that many softwares can interfere with the verdict: antivirus such as Kaspersky, desktop intrusion systems which operate at a low level like AntiHook, ProcessGuard and so on.

SVV in action:

After rebooting the PC in the diagnose mode, SVV gives its first verdict:


Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:WINDOWSsystem32>svv check /m
module ntoskrnl.exe [0x804d7000 - 0x806ebf80]: 0x804db4f0 [RtlPrefetchMemoryNonTemporal()+0] 1 byte(s): exclusion filter: single byte modification
file  :c3
memory :90
verdict = 1

0x804dc032 18 byte(s): exclusion filter: KeFlushCurrentTb()
file  :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
verdict = 1

0x804dc04a 1 byte(s): exclusion filter: single byte modification
file  :c3
memory :00
verdict = 1

0x804df16a 1 byte(s): exclusion filter: single byte modification
file  :05
memory :06
verdict = 1

module ntoskrnl.exe: end of details

SYSTEM INFECTION LEVEL: 1
0 - BLUE
--> 1 - GREEN
2 - YELLOW
3 - ORANGE
4 - RED
5 - DEEPRED

Nothing suspected was detected.

Level 1/Green: this a good news for a beginning.

Now let's hook some windows APIs and let's see the new verdict:

Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:WINDOWSsystem32>svv check /m
ntoskrnl.exe (804d7000 - 806ebf80)... module ntoskrnl.exe [0x804d7000 - 0x806ebf80]:
0x804db4f0 [RtlPrefetchMemoryNonTemporal()+0] 1 byte(s): exclusion filter: single byte modification
file  :c3
memory :90
verdict = 1

0x804dc032 18 byte(s): exclusion filter: KeFlushCurrentTb()
file  :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
verdict = 1

0x804dc04a 1 byte(s): exclusion filter: single byte modification
file  :c3
memory :00
verdict = 1


0x804df16a 1 byte(s): exclusion filter: single byte modification
file  :05
memory :06
verdict = 1


0x804e72c4 [ExAllocatePoolWithQuotaTag()+0] 6 byte(s): JMPing code (jmp to: 0xbab1dbfc)
address 0xbab1dbfc is inside TRACE.SYS module [0xbab1a000-0xbab26000]
target module path: ??C:DOCUMENTS AND SETTINGSMICHELMES DOCUMENTSKAPIMON
2TRACE.SYS
file  :8b ff 55 8b ec 51
memory :ff 25 fc db b1 ba
verdict = 2

0x804eb321 [ExAllocatePoolWithTagPriority()+0] 6 byte(s): JMPing code (jmp to: 0xbab1dba4)
address 0xbab1dba4 is inside TRACE.SYS module [0xbab1a000-0xbab26000]
target module path: ??C:DOCUMENTS AND SETTINGSMICHELMES DOCUMENTSKAPIMON
2TRACE.SYS
file  :8b ff 55 8b ec 53
memory :ff 25 a4 db b1 ba
verdict = 2

module ntoskrnl.exe: end of details

SYSTEM INFECTION LEVEL: 2
0 - BLUE
1 - GREEN
--> 2 - YELLOW
3 - ORANGE
4 - RED
5 - DEEPRED

Nothing suspected was detected.
Also listed in: Kernel Hook Detection Tools, Usermode Hook Detection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: TR
Rating: 0.0 (0 votes)
Author: Liu Taotao                        
Website: N/A
Current version: 2.52
Last updated: November 30, 1998
Direct D/L link: Locally archived copy
License type: Shareware
Description: Advanced tracer for 16 bit x86 code (DOS programs).

From readme:

If you have used DEBUG, SYMDEB, TD (Turbo Debugger), CV (CodeView) or SoftICE, you should try TR which has more powerful functions than debuggers mentioned above.

TR(tracer) is a debugger based on the CPU simulation technology.

The main features are:

1. Interpret Mode

=================



TR runs a program by interpreting its code just like a REAL Intel CPU

would, step by step. TR understands every CPU opcode and will give the

correct result, without INT1, INT3, DR0-DR8, or protected mode.

Theoretically, TR will never be found by any program which is

traced, and you can never find a program which can't be traced :-)





Traditional debuggers or tracers have too many shortages:



(1) Using INT1 and the Trap Flag



Because they use INT1 and TF to step the program, so it's easy

to cheat and detect it!



(2) Using INT3



These debuggers insert INT3(CCh) into the program's code after every

instruction. If the program destroys the INT3 vector or tests

itself, the tracer would not work well :-(



(3) SoftICE doesn't use above two methods, but uses 386 hardware

interrupts instead. SoftICE is very strong but so easy to be

found :(



Overall, traditional debuggers & tracers trace the program using standard

tracing methods which can be found in INTEL's CPU manual. They could

only trace those programs which haven't any anti-debug code. If the

program won't cooperate, they all cannot work well :-( But TR will

trace all the programs that the CPU can deal with, even another TR

session.



On the other hand, traditional debuggers or tracers simply insert a

breakpoint into the program and wait until they catch the control back.

They don't know whether they will get control back or what the program

intends to do. TR runs the program in interpret mode, it controls all

things absolutely. Just because of that, TR can set more and more

complex breakpoints.



Interpret Run is the main difference between TR and all other

debuggers, and this is also why TR has a higher performance.



2.Batch File

============



Although batch is not a new word to you, you can find no one using it

in a debugger. In TR, you can put all your commands in a text file and

use it just like you execute a DOS batch file. TR as well has a special

batch file named "AUTORUN.TR". Just like its name, this file can be

executed automatically every time you start TR.



3.Magic Offset

==============



Everyone is used to the "G 100" command which means run and stop at

address CS:100. In general, debuggers do it like this: insert a

breakpoint(INT3/CC) at CS:100 and GO the program. When the CPU meets

the INT3, the program will be stopped. So, the debuggers can only set a

breakpoint at current CS and offset 100. But not TR! TR can stop the

program at every offset 100! What does this mean? It means when IP=100,

the program will be stopped! We call this Magic Offset. Hmm, what's the

use? Too many! Think by yourself :-) One simplest and direct usage is

use "G 100" you can *UNPACK* all .COM files!



4.Assembly Language Command

===========================



It's a good idea that you can use ASM opcode in your debug environment.

You can accomplish your wish in TR! You may use either "R AX 001A" or

"MOV AX, 001A". Both do the same thing. Remember, all assembly opcode

can be used in TR, e.g. "CLI", "MOV [WORD 1234], 4567", "IN AL,21"...





5.Add Comments During Tracing

=============================



"CALL 7FDE" is not good compared to "CALL OPEN_FILE". But most tracers

must face such opcodes. Even if you have known what the procedure

would do, you could only write it down on paper. Now TR can write

your comments directly into the program and saved them into another file

automatically. From now on all programs are easy for understand. TR will

as well display comments for most INT21 function calls automatically for

you.



6.Automatic Jump

================



Many protectors use lots of JMP codes to make the decryptor of their

protection unreadable. In most situations, you can only see some JMPs in

the code window. At the target address, in general, you can't see the

correct disassemble opcode because the protect programs likely insert

some DATA in front of that address, so, it's difficult to understand

these programs. With the Automatic Jump feature, TR displays the correct

code at the JMP address in code window instead of displaying a "JMP

xxxx". This way you can see the correct codes sequence but not lots of

jumps: the code is easy to read!





7.Log

=====



TR could save all CS:IP on interpret-run. This makes it possible to

analyse the program easily. If the program exits with an error, you can

find the problem by backtracing your LOG. Command 'LOGPRO' can get all

the key opcode program run. The program will have no secret after you

LOG it. Refer to the commands LOG, LOGS, VLOG and LOGPRO.



8.Write EXE file from memory

============================



You can find many universal unpackers on the net, but what would you do

if they tell you "I can't unpack it"? Unpack functions should be in

debuggers. TR's MKEXE function let you make EXE file easy!



9.Various Complex breakpoints, One-time breakpoints

===================================================



All other debuggers' breakpoints are what INTEL prepared. They cannot

fit the need of modern trace technology. TR has many revolutionary

breakpoints:



(1) BP conditions

Conditional break-point. ex.:



BP IP>4000

BP ah=2 dl=80 ch>30



(2) BPINT intnum [conditions]

Interrupt break-point.



(3) BPXB bytes [conditions]

Break-point if ??? code is encountered. For example, "MOV AX,????"

is assembled in HEX "B8????", so you can use



BPXB b8



to break on all "mov ax,????" opcodes. Other examples:



BPXB cd  ;all interrupt

BPXB 33 c0  ;xor ax,ax



(4) BPREG REG|SEG [conditions]

Break if the given register changes. You can use



BPREG cs



to get all code segment changes (jmp far,retf...). As well, you can

use something like



BPREG cs ax=0 es=#  ;# means PSP seg



to get the kernel of a shelled program.



(5) BPM [seg:]offset

Break if specified memory is accessed.



BPM 20



will stop at 'mov ax,[20]'.



(6) BPW SEG:OFFSET

Break-point if memory changes. Some opcode's changing memory

could only be found by repeatedly compare.



(7) BPIO port [conditions]



(8) BPKNL [count]

Break-point to find new program kernel.



The most important is: if you only use one break-point onetime,

you can change the break-point command 'BP???' to 'GO???' to run.

By using this one-time break-point, you need not to set any

break-point.



These break-point function make it more and more easy to track a

program. You need not to do any hard work!



TR is a real tracing, tracking, debug program. We have DEBUG,SYMDEB,

TD,CV,S-ICE, but they are all not such real tracing debug programs.

DEBUG & SYMDEB aren't, because I think a real debug software should

be full-screen. TD cannot process command line input. No mouse

clicks could replace a command line like 'F CS:DX,DX+CX 00'. In

DEBUG you can use 'L 100 0 0 1' to check floopy boot, and use

'L 400' or 'W 400' to load a program to memory or write memory to

file. In SYMDEB you could use '>' to save the unassemble result.

All these useful functions cannot be found in another debug program.

I think TD & CV are not standalone debug programs. They just debug

their C program. S-ICE is great! But it looks like that 386CPU's

debug function is for S-ICE, and that S-ICE is just a demo of this

function. Only TR does what you think, rises 9 great new ideals in

tracing technology, for the first time make TRACING an easy job.

TR is a real tracing debug program!
Also listed in: 16 bit and DOS Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: USBTrace
Rating: 0.0 (0 votes)
Author: SysNucleus                        
Website: http://www.sysnucleus.com
Current version: 2.3.9
Last updated: June 11, 2009
Direct D/L link: N/A
License type: Commercial with trial
Description: USBTrace is an easy to use and powerful USB analyzer. USBTrace can monitor USB transactions at host controllers, hubs and devices. This is a 100% software product. USBTrace supports Windows 2000, Windows XP, Windows 2003 Server and Windows Vista operating systems and works with USB 1.x and 2.0 (low, full and high speed) host controllers, hubs and devices.

Supports Device Class Decoding. (New)
HID, Hub, Video, Audio, Mass Storage, Bluetooth,
Still Image Capture, Vendor Specific, WUSB HWA Printer, CDC, Smart Card (CCID)

Complete Enumeration Monitoring.
Monitors all USB requests exchanged during device enumeration. Does not use filter drivers.

Search / Filter / Trigger / Export.
Search captured data. Filter out unwanted data.
Set trigger points. Export captured data.

Background/Continuous capturing.
For high performance/non stop capture sessions.

Performance Statistics. (New)
Detailed performance analysis for your device/driver.

Detailed Device Information
USB descriptors (Device, Hub, Configuration, Interface, Endpoint, class specific, IAD, String), Windows enumeration info.
Also listed in: USB Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Win32 API Monitor
Rating: 0.0 (0 votes)
Author: N/A                        
Website: http://www.apimonitor.com
Current version: 1.3.1
Last updated: March 24, 2009
Direct D/L link: http://www.apimonitor.com/download/APIMonitorTrial.exe
License type: Shareware
Description: API Monitor is a software that allows you to spy and display Win32 API calls made by applications. It can trace any exported APIs and display wide range of information, including function name, call sequence, input and output parameters, function return value and more. A useful developer tool for seeing how win32 applications work and learn their tricks.

Main Features
Trace any exported APIs- Including win32 APIs and other 3rd-Party APIs, unnecessary to know the prototype of the functions.
Display wide range of information, including function name, call sequence, input and output parameters, function return value, GetLastError code and more.
Predefine 82 DLLs and nearly 4000 APIs' prototype.
Filter Profiles are a powerful way of storing your favorite monitor settings for use in other sessions. API Monitor preset 27 API Filter Profiler, including Handles and Objects, Dynamic-Link Libraries, Event Log, Pipes and Mailslots, Debugging, Windows Classes, COMM, Application Related, Shell, Dialog Boxes, File System, Services Related, Remote Access Service, Memory Management, Print Related, Windows, Registry, Processes and Threads, File IO, WinInet, Windows Sockets, Multimedia API, Windows GUI, Network Management, WinNT Security, Access Control Functions.
Allow content to be viewed and exported-Log content can be viewed within API Monitor, and exported to another application or saved to a file.
Support debug version and release version with no modifications to the target application.
Support Unicode and ANSI APIs.
Monitor Running Process-Spy APIs in a background or console process that is already running.
Support multithread.
Display API calls originating from ActiveX controls and COM objects instanced by an application.
MS Excel® style data filtering, customize filter criteria against any data item.
Automatic click-sorting against an unlimited number of columns, descending or ascending.
Automatic data grouping - an extremely powerful data viewing and manipulation metaphor.
Automatic runtime column selection - easily customize the columns visible on-screen with intuitive drag and drop.
Instant Online MSDN Help - This feature allows you to view online MSDN context-sensitive help for the currently selected API.
Also listed in: API Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Winalysis
Rating: 0.0 (0 votes)
Author:                         
Website: http://www.winalysis.com
Current version: 3.1
Last updated: January 13, 2006
Direct D/L link: Locally archived copy
License type: Shareware
Description: Winalysis is a software application that can help you manage change on computers running Windows. The program can:

Make compressed Snapshots of local and remote computer configurations. Test for changes from snapshots at any time.

Monitor for changes to files, the registry, users, groups, security policies, services, shares, scheduled jobs, the system environment and more.

Monitor remote computers from a central location. There is no need to install Winalysis on the remote machines.

Restore files and/or the registry from compressed snapshots with the ability to undo a restore at any time.
Also listed in: Install Monitoring Tools, System Diff Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)


...

There were too many (recursive) child objects of this category to display them all, please use the sub categories below to increase the detail of your search criteria!


RSS feed Feed containing all updates and additions for this category.

RSS feed Feed containing all updates and additions for this category, including sub-categories.





Views
Category Navigation Tree
   Needs New Category  (3)