From Collaborative RCE Tool Library


PE Executable Editors


Tool name: CRC Calculator
Rating: 5.0 (1 vote)
Author: Shub-Nigurrath                        
Website: http://arteam.accessroot.com
Current version: 1.1
Last updated: January 6, 2005
Direct D/L link: http://arteam.accessroot.com/releases.html?fid=14
License type: Free
Description: Just drag & drop files to it or use the button to calculate the CRC, then select and paste.

Adapted from existing sources, small and easy.

History
-1.0 initial version
-1.1 added command-line support ideal for integration into Total Commander
Also listed in: Executable CRC Calculators



Tool name: ExeInfo PE
Rating: 5.0 (1 vote)
Author: A.S.L.                        
Website: http://www.exeinfo.xn.pl
Current version: 0.0.4.1 with 902+35 signatures
Last updated: December 15, 2015
Direct D/L link: Locally archived copy
License type: Free
Description: Good detector for packers, compressors, compiler + unpack info + internal exe tools.
Internal Ripper for zip, rar, Flash swf, GFX-bmp/jpg/png/gif, cab, msi, bzip, ...
Colored Disassembler, Delphi Form viewer, .Zlib unpacker v1.2.8, .NET exe info
Internal detector for non executable files.
Also listed in: .NET Tools, .NET Unpackers, Compiler Identifiers, Crypto Tools, Deobfuscation Tools, Linux Unpackers, PE EXE Signature Tools, Packer Identifiers



Tool name: IIDKing
Rating: 5.0 (1 vote)
Author: SantMat                        
Website: http://www.reteam.org/tools.html
Current version: 2.01
Last updated: November 2004
Direct D/L link: Locally archived copy
License type: Free
Description: IIDKing allows you to add/remove imports to/from ANY PE file's import table, thereby
eliminating the need to have to do LoadLibrary then GetProcAddress.

What's New:
-Added the ability to add an unlimited number of DLL(s) and their
corresponding Function(s) to the target exe.

-You can now run IIDKing an unlimited number of times on any given target and
IIDKing will only ever use ONE section called ".IIDKING" in your target. Old
versions of IIDKing required more.

-When you run IIDKing on a target that has already been modified via IIDKing
v1/v2 it will notify you of this fact and subsequently load the previously
added DLL(s)/Function(s) into the IIDKing dialog. This allows you to re-run
IIDKing for the purpose of removing or adding to past import additions to
your targets.

-Added an easy to use interface for adding DLL(s)/Function(s) in the form of a
list dialog. You simply select the DLL filename as you wish and it will list
all its available exports for you to choose from. Leaves no room for case
sensitive or spelling errors when adding DLL(s)/Function(s).

-IIDKing v2 is much more intuitive in handling user actions and hence can be
kept open and used continuously on the same target or any given number of
targets. No need to restart IIDKing ever.
Also listed in: Import Editors



Tool name: ImageRemCert
Rating: 5.0 (2 votes)
Author: Jupiter                        
Website: N/A
Current version: 1.02
Last updated: January 4, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: After modifying a PE that contains a digital signature (security certificate), the image may not run under Vista, or you'll see a warning about an incorrect digital signature.

This little tool removes the certificate from a PE image.

Written using assembly language. Uses ImageRemoveCertificate API function from ImageHlp.dll.
Also listed in: PE EXE Signature Tools



Tool name: Javassist
Rating: 5.0 (1 vote)
Author: Shigeru Chiba                        
Website: http://www.csg.is.titech.ac.jp/~chiba/javassist/
Current version: 3.12.0.GA
Last updated: April 16, 2010
Direct D/L link: N/A
License type: Free
Description: Javassist (Java Programming Assistant) makes Java bytecode manipulation simple. It is a class library for editing bytecodes in Java; it enables Java programs to define a new class at runtime and to modify a class file when the JVM loads it. Unlike other similar bytecode editors, Javassist provides two levels of API: source level and bytecode level. If the users use the source-level API, they can edit a class file without knowledge of the specifications of the Java bytecode. The whole API is designed with only the vocabulary of the Java language. You can even specify inserted bytecode in the form of source text; Javassist compiles it on the fly. On the other hand, the bytecode-level API allows the users to directly edit a class file as other editors.

Aspect Oriented Programming: Javassist can be a good tool for adding new methods into a class and for inserting before/after/around advice at both the caller and callee sides.

Reflection: One application of Javassist is runtime reflection; Javassist enables Java programs to use a metaobject that controls method calls on base-level objects. No specialized compiler or virtual machine is needed.
Also listed in: Java Code Injection Tools, Java Executable Editors & Patchers



Tool name: PE Explorer
Rating: 5.0 (1 vote)
Author: Heaventools Software                        
Website: http://www.heaventools.com/overview.htm
Current version: 1.99 R6 (silent update)
Last updated: October 14, 2009
Direct D/L link: http://www.heaventools.com/download/pexsetup.zip
License type: Shareware
Description: PE Explorer provides powerful tools for disassembly and inspection of unknown binaries, modifying the properties of executable files and customizing and translating their resources. Use this product to do reverse engineering, analyze the procedures and libraries an executable uses.

Features include:

* Working with PE files - exe, dll, sys, drv, bpl, dpl, cpl, ocx and more.
* The ability to open a broken or packed file in Safe mode.
* Support for custom plug-ins to perform any startup processing.
* Collecting the full information contained in the file header.
* Checksum computing and modification.
* Review and editing Data Directories.
* Review of all the sections and info about their location and size.
* Review of contents of section as Raw Data - up to 16 view windows.
* Extracting and deleting sections.
* Section header recalculation.
* Section Editor to modify and repair the damaged section headers.
* Resource Editor to view and modify almost any kind of resources.
* Saving changes to disk as a new file image.
* Full info on exported and imported functions. Review of contents of the base relocation table.
* Quick Function Syntax Lookup. Syntax Description Editor.
* Source code and package information analyzer. Dependency Scanner.
* Built-in Disassembler.
* Customize GUI elements of your favorite Windows programs
* Special support for Delphi applications
* Automatic UPX and Upack unpacking

See multiple screenshots at: http://www.heaventools.com/scrshots.htm
Also listed in: Disassemblers, Resource Editors



Tool name: radare
Rating: 5.0 (2 votes)
Author: pancake                        
Website: http://www.radare.org
Current version: 0.9.7
Last updated: March 3, 2014
Direct D/L link: http://www.radare.org/get/radare2-0.9.7.tar.xz
License type: LGPL
Description: The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with 6502, 8051, arc, arm64, avr, brainfuck, whitespace, malbolge, cr16, dcpu16, ebc, gameboy, h8300, tms320, nios2, x86, x86_64, mips, arm, snes, sparc, csr, m68k, powerpc, dalvik and java.

The main program is 'r2' a commandline hexadecimal editor with support for debugging, disassembling, analyzing structures, searching data, analyzing code and support for scripting with bindings for Python, NodeJS, Perl, Ruby, Go, PHP, Vala, Java, Lua, OCaml.

Radare comes with the unix philosophy in mind. Each module, plugin, tool performs a specific task and each command can be piped to another to extend its functionality. Also, it treats everything as a file: processes, sockets, files, debugger sessions, libraries, etc. Everything is mapped on a virtual address space that can be configured to map multiple files on it and segment it.

If you are interested or feel attracted by the project join us in the #radare channel at irc.freenode.net.

See website for more details.
Also listed in: .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers



Tool name: Rebel.NET
Rating: 5.0 (1 vote)
Author: Daniel Pistelli                        
Website: http://ntcore.com/rebelnet.php
Current version: 1.6.0.1
Last updated: September 3, 2010
Direct D/L link: http://ntcore.com/files/RebelDotNET.zip
License type: Free
Description: Rebel.NET is a rebuilding tool for .NET assemblies which is capable of adding and replacing methods and streams.

It's possible to replace only a limited number of methods or every method contained in a .NET assembly. The simplicity of Rebel.NET consists in the replacing process: one can choose what to replace. For instance, one may choose to replace only the method code, instead of its signature or method header.

The interface of Rebel.NET is quite a simple one. As input it requires a .NET assembly to be rebuilt and a Rebel.NET rebuilding file. The Rebel.NET file contains the data that has to be replaced in the original assembly.

Rebel.NET can also create a Rebel.NET file from a given assembly. This is a key functionality, since sometimes the data of the original assembly has to be processed first to produce a Rebel.NET file for the rebuilding of the assembly. This sort of "report" feature can also be used to analyze the methods of an assembly, since reading the original data from a .NET assembly isn't as easy as reading a Rebel.NET file. It's possible to choose what should be contained in the Rebel.NET file.

All the Rebel.NET features can be used through the command line, which comes in very handy when an automated rebuilding process is needed.

Rebel.NET is, mainly, a very solid base to overcome every .NET protection and to re-create a fully decompilable .NET assembly. As such, Rebel.NET has to be considered a research project, not an encouragement to violate licensing terms.
Also listed in: .NET Code Injection Tools, .NET Executable Editors



Tool name: Reflexil
Rating: 5.0 (1 vote)
Author: Sebastien Lebreton                        
Website: http://reflexil.net
Current version: 1.2
Last updated: March 7, 2011
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Reflexil is an assembly editor and runs as a plug-in for Red Gate's Reflector, a great tool for .NET developers. Reflexil is using Mono.Cecil, written by Jb Evain and is able to manipulate IL code and save the modified assemblies to disk. Reflexil also supports C#/VB.NET code injection.
Also listed in: .NET Disassemblers, .NET Executable Editors, .NET MSIL Dumpers, .NET Signature Changers, .NET Signature Removers



Tool name: Resource Hacker (Reshacker)
Rating: 5.0 (1 vote)
Author: Angus Johnson                        
Website: http://angusj.com/resourcehacker
Current version: 3.5.2.84
Last updated: December 19, 2009
Direct D/L link: http://angusj.com/resourcehacker/reshack_setup.exe
License type: Freeware
Description: Now with PE64 support!!


Resource Hacker is a freeware utility to view, modify, rename, add, delete and extract resources in 32bit Windows executables and resource files (*.res). It incorporates an internal resource script compiler and decompiler and works on Win95, Win98, WinME, WinNT, Win2000 and WinXP operating systems.

Viewing Resources: Cursor, Icon, Bitmap, GIF, AVI, and JPG resource images can be viewed. WAV and MIDI audio resources can be played. Menus, Dialogs, MessageTables, StringTables, Accelerators, Delphi Forms, and VersionInfo resources can be viewed as decompiled resource scripts. Menus and Dialogs can also be viewed as they would appear in a running application.

Saving Resources: Resources can be saved as image files (*.ico, *.bmp etc), as script files (*.rc), as binary resource files (*.res), or as untyped binary files (*.bin).

Modifying Resources: Resources can be modified by replacing the resource with a resource located in another file (*.ico, *.bmp, *.res etc) or by using the internal resource script compiler (for menus, dialogs etc). Dialog controls can also be visually moved and/or resized by clicking and dragging the respective dialog controls prior to recompiling with the internal compiler.

Adding Resources: Resources can be added to an application by copying them from external resource files (*.res).

Deleting Resources: Most compilers add resources into applications which are never used by the application. Removing unused resources can reduce an application's size.

Known limitation:
Resource Hacker will not read 16bit (Windows 3.1) executables.
Also listed in: Resource Editors



Tool name: THYloadergen
Rating: 5.0 (1 vote)
Author: veyl/THY                        
Website: N/A
Current version: 0.6
Last updated: March 6, 2010
Direct D/L link: Locally archived copy
License type: creditware
Description: features:
* memory patch packed targets (except process redirected ones, like armadillo debugblocker)
* patch:VA (patch at a virtual address)
* patch:SnR (patch by search&replace)
* hookAPI (specify an API call that is executed after target is fully unpacked. hit count can be specified)
* hookVA (specify a VA that is executed after target is fully unpacked. hit count can be specified)
* wnd (specify a window that is created after target is fully unpacked)
* inject a dll into the process to have the possibility to include more complex stuff than the patching provided. (no live injecting, as this is a loader)
* optional splash screen at startup (pic can be specified, as well as the transparency)


veyl/THY, MAR/2010
Also listed in: Code Injection Tools, Loader Generators, Memory Patchers, Patch Packaging Tools, Patcher Generators



Tool name: The aPE
Rating: 5.0 (1 vote)
Author: ap0x                        
Website: http://ap0x.jezgra.net/patchers.html
Current version: 0.1.2.21 beta
Last updated:
Direct D/L link: Locally archived copy
License type: Free
Description: The aPE is a patcher program that can be used to patch packed/protected executable files. This is done by code insertion in packer/protector code so that the program can be patched normally without the unpacking of the packed file. This means that you can now make smaller patches for packed executables. There is no more need for distribution of larger unpacked files... The aPE can patch them while they are still packed!

:: Which packers are supported?
The complete list of the supported packers and their options can be found here. Currently there are 91 supported packers, and every packer has its own patching procedure. There is also a generic inline patching method that can patch many packers/crypters/protectors.

!ExE Pack 1.x
32Lite 0.3a
[G!X]`s Protector 1.2
ACProtect/UltraProtect 1.3x - 2.x
Alex Protector 1.0 beta2
ARM Protector 0.1
ASPack 1.x - 2.x
ASProtect 1.x - 2.x
BJFNT 1.3
CodeCrypt 0.15x - 0.16x
DEF 1.0
dePack
dot Fake Signer 3.x
Enigma 1.x
EP Protector 0.3
EXE32Pack 1.4x
exeFog 1.2
EXEStealth 2.7x
eXPressor 1.2.x - 1.3.x - 1.4.x
EZip 1.0
FSG 1.xx & 2.0
GHF Protector (pack) 0.1
HidePE 2.1
HidePX 1.4
hmimysPacker 1.x
JDPack 1.x
JDProtect 0.9
KByS Packer 0.2x
Krypton 0.4 & 0.5
LameCrypt 1.0
MEW 1.x
NeoLite 2.0
NoodleCrypt 2.0
nSPack 2.x - 3.x
NWCC
ORiEN 2.12
PackItBitch
PackMan 0.0.0.1
PC PE Encryptor alpha
PC Shrink 0.71
PE Diminisher 0.1
PE Lock NT 2.04
PE Pack 1.0
PEBundle 2.0x - 3.x
PECompact 1.3x - 1.8x & 2.x
PELock 1.x
PEncrypt 4.0
PESHiELD 0.25
PESpin 1.x
PEStubOEP 1.6
PeTite 1.x - 2.x
PeX 0.99
PKLite32 1.x
PolyCrypt PE 2.1.5
Polyene 0.01
PUNiSHER 1.5
Re-Crypt 0.15 & 0.714
SDProtector 1.x
ShrinkWarp 1.4
Simple UPX-Scrambler
SimplePack
SLVc0deProtector 1.11
SmokesCrypt 1.2
Software Compress 1.2 (lite)
SPEC b3
SPLayer 0.08
StealthPE 2.1
Stone`s PE Encryptor 2.0
SVKP 1.x
tELock 0.4x - 0.92
UG Chruncher 0.x
UPolyX 0.4 & 0.5
UPX 0.8x - 1.9x
UPX Inkvizitor
UPX Protector 1.0x
UPX-Scrambler RC 1.x
UPXCrypt
UPXFreak 0.1
UPXLock 1.0nPack 1.x
UPXRedir
UPXScramb 2.x
UPXShit 0.06 & 0.0.1
VirogenCrypt 0.75
VProtect
Winkript 1.0
WinUPack 0.2x - 0.3x
WWPack32 1.x
yC 1.x
yP 1.0.2 & 1.03.2
Also listed in: Patcher Generators



Tool name: topo
Rating: 5.0 (1 vote)
Author: MrCrimson/[WkT!99]                        
Website: (defunct) http://i.am/MrCrimson (defunct)
Current version: 1.2
Last updated: November, 1999
Direct D/L link: Locally archived copy
License type: Free/Public Domain
Description: Topo is the Spanish word meaning: mole, tunnelling machine, spy or inside informer.

These are a few possible applications for ToPo:

· You would like to add some lines to that code but you HAVE LOST the sources.

· You would like to add some lines to that code but you NEVER HAD the sources. :o)

· You want to change that code but it is packed/crypted.

· You would like to fake any API function.
Also listed in: (Not listed in any other category)



Tool name: CFF Explorer
Rating: 4.8 (4 votes)
Author: Daniel Pistelli                        
Website: http://www.ntcore.com/exsuite.php
Current version: 7.9
Last updated: August 2, 2010
Direct D/L link: http://www.ntcore.com/Files/CFF_Explorer.zip
License type: Freeware
Description: The CFF Explorer was designed to make PE editing as easy as possible, but without losing sight of the portable executable's internal structure. This application includes a series of tools which might help not only reverse engineers but also programmers. It offers a multi-file environment and a switchable interface.

Also, it's the first PE editor with full support for the .NET file format. With this tool you can easily edit metadata's fields and flags. If you're programming something that has to do with .NET metadata, you will need this tool. The resource viewer supports .NET image formats like icons, bitmaps, pngs. You'll be able to analyze .NET files without having to install the .NET framework, this tool has its own functions to access the .NET format.

Also includes a cool new scripting engine!
Also listed in: .NET Executable Editors



Tool name: LordPE
Rating: 4.5 (4 votes)
Author: y0da                        
Website: N/A
Current version: 1.41 (Deluxe b)
Last updated: September 30, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: LordPE is a tool e.g. for system programmers which is able to edit/view many parts of PE (Portable Executable) files, dump them from memory, optimize them, validate, analyze, edit,...

Main features:

* Task viewer/dumper
* Huge PE editor (with big ImportTable viewer, ...)
* Break'n'Enter (break at the EntryPoint of dll or exe files)
* PE Rebuilder

News:

* The first GUI PE editor in the world supporting the new PE32+ (64bit) format ?! (only editing support - no rebuilding, dumping, comparing etc.)
* New plugin interface added! You can develop LordPE Dump Engines (LDE) now.
Look at \Docs\LDE.tXt for more information.
* Added LDE: IntelliDump which can dump .NET CLR processes
* Added structure lister for SectionHeaderTable, PE headers and DataDirectories (the "L" buttons)
* Added hex edit buttons (the "H" buttons) in the DataDirectoryTable viewer
* Added PE.OptionalHeader.Magic and PE.OptionalHeader.NumberOfRvaAndSizes to the PE editor
* TLSTable DataDirectory is now editable
* Possibility to increment/decrement the number of DataDirectories added
* Etc etc etc...
Also listed in: Dump Fixers, Import Editors, Memory Dumpers, Process Dumpers



Tool name: Explorer Suite
Rating: 4.4 (5 votes)
Author: Daniel Pistelli                        
Website: http://www.ntcore.com/exsuite.php
Current version: III (DC20121111)
Last updated: November 11, 2012
Direct D/L link: http://www.ntcore.com/files/ExplorerSuite.exe
License type: Free
Description: A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

Features:

* Process Viewer
* Windows Viewer
* PE and Memory Dumper
* Full support for PE32/64
* Special fields description and modification (.NET supported)
* PE Utilities
* PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
* View and modification of .NET internal structures
* Resource Editor (full support for Windows Vista icons)
* Support in the Resource Editor for .NET resources (dumpable as well)
* Hex Editor
* Import Adder
* PE integrity checks
* Extension support
* Visual Studio Extensions Wizard
* Powerful scripting language
* Dependency Walker
* Quick Disassembler (x86, x64)
* Name Unmangler
* Extension support
* File Scanner
* Directory Scanner
* Deep Scan method
* Recursive Scan method
* Multiple results
* Report generation
* Signatures Manager
* Signatures Updater
* Signatures Collisions Checker
* Signatures Retriever
Also listed in: .NET Executable Editors, .NET Resource Editors, .NET Signature Removers, .NET Tools, Dependency Analyzer Tools, Exe Analyzers, Executable CRC Calculators, Hex Editors, Import Editors, Memory Dumpers, Process Dumpers, Protection Identifiers, Resource Editors



Tool name: Anolis Resourcer
Rating: 4.0 (1 vote)
Author: AnolisFX                        
Website: http://anol.is/
Current version: 0.9.0 Beta
Last updated: September 1, 2009
Direct D/L link: http://www.deviantart.com/download/116235998/Anolis_Resourcer_by_AnolisFX.zip
License type: GPL
Description: Anolis Resourcer is a flexible Resource Hacker that exceeds the venerable ResHacker's capabilities in many areas, including support for x64 executables, Vista and Windows 7's MUI files, and 256x256 PNG icon support.


On 2009-05-21 -- The release fixes a number of issues and adds a Batch Export feature which will be of use to people wanting to make custom resources for programs like Windows Media Player.

On 2009-05-26 -- This fixes a critical race condition in the 3428 build. The zip archive now contains a command-line reference text file.
Also listed in: PE EXE Signature Tools, Resource Editors, Unpacking Tools



Tool name: Ultimate Hooking Engine
Rating: 4.0 (1 vote)
Author: deroko of ARTeam                        
Website: http://deroko.phearless.org
Current version:
Last updated: August 10, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: Engine allows anyone to hook APIs very easily using their hooking dll.

Each hooking dll might have 3 types of exports:
1. prefixed HOOK
2. prefixed Detoured
3. hookmain (optional)

1. Whenever you want to hook some API you will put this kind of export:

HOOK_kernel32_GetModuleHandleA
HOOK_user32_MessageBoxA

Also note that inline hook will point to this procedure so this procedure
will have all of your code responsible for certain API.

2. To be able to call original API from your hook you should export also
this variable (in C/C++ it will be function pointer):

Note how variables are prefixed with "Detoured_"

Detoured_GetModuleHandleA
Detoured_MessageBoxA

Here is one example from C/C++ code:

extern "C" __declspec(dllexport) HMODULE (__stdcall *Detoured_GetModuleHandleA)(LPCTSTR modulename) = NULL;

extern "C" HMODULE __declspec(dllexport) __stdcall HOOK_kernel32_GetModuleHandleA(LPCTSTR modulename){
return Detoured_GetModuleHandleA(modulename);
}

Note also that this is optional, if you don't need to call original proc,
then you don't need this export.

Note that when working with MSVC2005 it will always screw export name for
procedures while function pointers are properly exported, so add this line
to your .def file:

HOOK_kernel32_GetModuleHandleA = _HOOK_kernel32_GetModuleHandleA@4
Detoured_GetModuleHandleA


3. hookmain

hookmain is export which has this prototype:

void __stdcall hookmain();

This procedure will be called before program jumps to entrypoint of
target, here you may add some extra code, it isn't very useful and
all initialization you may perform in DllEntry, but I leave this here
just in case that you want to start your own tracer before code jmps
to entrypoint. At least that's why I'm using it.
Also listed in: Code Injection Tools



Tool name: Detours
Rating: 3.5 (2 votes)
Author: Microsoft                        
Website: http://research.microsoft.com/sn/detours
Current version: 2.1.216
Last updated: November 10, 2008
Direct D/L link: http://ftp.research.microsoft.com/downloads/d36340fb-4d3c-4ddd-bf5b-1db25d03713d/DetoursExpress.msi
License type: Free
Description: Innovative systems research hinges on the ability to easily instrument and extend existing operating system and application functionality. With access to appropriate source code, it is often trivial to insert new instrumentation or extensions by rebuilding the OS or application. However, in today's world systems researchers seldom have access to all relevant source code.

Detours is a library for instrumenting arbitrary Win32 functions on x86, x64, and IA64 machines. Detours intercepts Win32 functions by re-writing the in-memory code for target functions. The Detours package also contains utilities to attach arbitrary DLLs and data segments (called payloads) to any Win32 binary.

Detours preserves the un-instrumented target function (callable through a trampoline) as a subroutine for use by the instrumentation. Our trampoline design enables a large class of innovative extensions to existing binary software.

We have used Detours to create an automatic distributed partitioning system, to instrument and analyze the DCOM protocol stack, and to create a thunking layer for a COM-based OS API. Detours is used widely within Microsoft and within the industry.

Detours 2.1 is now available. Detours 2.1 includes the following new features:

* Complete documentation of the Detours API.
* Transactional model for attaching and detaching detours.
* Support for updating peer threads when attaching or detaching detours.
* Unification of dynamic and static detours into a single API.
* Support for detection of detoured processes.
* Significant robustness improvements in APIs that start a process with a DLL containing detour functions.
* New APIs to copy payloads into target processes.
* Support for 64-bit code on x64 and IA64 processors (available in Professional edition only).
* Supports building detours with Visual Studio 2005, Visual Studio .NET 2003, Visual Studio .NET (VC8), and Visual Studio (VC7).
Also listed in: API Monitoring Tools, Code Injection Tools



Tool name: RDG Packer Detector
Rating: 3.5 (2 votes)
Author: RDGMax                        
Website: http://www.rdgsoft.8k.com
Current version: 0.6.7
Last updated: June 26, 2011
Direct D/L link: http://rdgsoft.8k.com/images/v0.6.7%20Vx%20Edition/RDG%20Packer%20Detector%20v0.6.7%202011%20Vx-Edition.rar
License type: Free
Description: RDG Packer Detector is a detector for packers, cryptors, compilers, packer scramblers, joiners and installers.

-Has a fast detection system.
-Has a powerful detection system that analyzes the complete file, allowing the detection of multi-packers in several cases.
-You can create your own detection signatures.
-Has a cryptographic analyzer.
-Allows you to calculate the checksum of a file.
-Allows you to calculate the entropy, reporting whether the program looks compressed, encrypted or not.
-OEP detector (Original Entry Point) of a program.
-You can check for and download signatures, so RDG Packer Detector will always be updated.
-Plug-ins loader.
-Signatures converter.
-Distorted entry point detector.
-De-Binder, an attachment extractor.
-Improved heuristic system.

What's New! v0.6.6

-New Interface!

-Fast Mode Detection and Mode Powerful Improved!
-Super base signatures Updated!
-Heuristic detection of Binders
-Detection and Extraction Overlay!
-Check and Auto-Update of signatures!
-Super Fast Detection of MD5 Hash!
-Support for Multiple Plug-ins for both RDG Packer Detector and other detectors!
-Detection of Multiple-MPG formats, GIF, RAR, ZIP, MP3 etc..
-Detection and removal of attachments!
Also listed in: Compiler Identifiers, Entropy Analyzers, PE EXE Signature Tools, Packer Identifier Signatures, Packer Identifiers



Tool name: Hex Workshop
Rating: 3.0 (1 vote)
Author: BreakPoint Software                        
Website: http://www.hexworkshop.com
Current version: 5.02
Last updated: January 6, 2008
Direct D/L link: http://www.bpsoft.com/downloads/hw32v502.msi
License type: Shareware
Description: A quite good and competent hex editor.
Also listed in: Executable CRC Calculators, Hex Editors



Tool name: Hiew
Rating: 3.0 (2 votes)
Author: Eugene Suslikov                        
Website: http://www.hiew.ru/
Current version: 8.10
Last updated: February 24, 2010
Direct D/L link: http://www.hiew.ru/files/hiew802.zip
License type: Shareware
Description: * view and edit files of any length in text, hex, and decode modes
* x86-64 disassembler & assembler
* physical & logical drive view & edit
* support for NE, LE, LX, PE/PE32+ and little-endian ELF/ELF64 executable formats
* support for Netware Loadable Modules like NLM, DSK, LAN,...
* following direct call/jmp instructions in any executable file with one touch
* pattern search in disassembler
* built-in simple 64bit decrypt/crypt system
* built-in powerful 64bit calculator
* block operations: read, write, fill, copy, move, insert, delete, crypt
* multifile search and replace
* keyboard macros
* unicode support
* Hiew External Module (HEM) support
* ArmV6 disassembler
Also listed in: Disassemblers, Hex Editors



Tool name: .NET Hook Library
Rating: 0.0 (0 votes)
Author: shokshok                        
Website: http://dotnethook.sourceforge.net
Current version: 2.1
Last updated: May 30, 2002
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: .Net Hook Library is a library (with a sample tool) to manipulate functions in a .NET Assembly. It allows for insertion of arbitrary code at the beginning of each function called in a .NET assembly (whether executable or assembly). Also provides code that reads through metadata and dumps information on it.

The download contains detailed documentation about how it works and what it is.

I'm in the process of converting this from an executable to a library. That way, existing applications can use it to modify the .NET binaries (a.k.a assemblies).
Also listed in: .NET Code Injection Tools, Code Injection Tools



Tool name: CHimpREC
Rating: 0.0 (0 votes)
Author: Sébastien Doucet (TiGa)                        
Website: http://www.iitac.org
Current version: ReCon Edition
Last updated: June 23rd, 2008
Direct D/L link: Locally archived copy
License type: Freeware
Description: CHimpREC: The Cheap Imports Reconstructor
by TiGa of ARTeam
IITAC (http://www.iitac.org)

This is the 32/64-bit imports rebuilder that I introduced at ReCon 2008 in Montreal.
Made for the best compatibility with WoW64 on x64-based Windows XP or Vista.

This is the same version that was used at the conference.
The first official release will come soon.

+Features
The first universal 64-bit imports rebuilder
32-bit version included
Interface similar to ImpREC
Integrated 32/64-bit process dumper
IAT AutoSearch from ImageBase or OEP
Unshuffle thunks function
Manual imports editor

-Limitations
No plugin support yet
No AutoTrace feature
No disassembler

The Visual Studio 2005 SP1 redistributable package might be necessary too:
x86:
http://www.microsoft.com/downloads/details.aspx?familyid=200b2fd9-ae1a-4a14-984d-389c36f85647&displaylang=en
x64:
http://www.microsoft.com/downloads/details.aspx?familyid=EB4EBE2D-33C0-4A47-9DD4-B9A6D7BD44DA&displaylang=en
Also listed in: Dump Fixers, IAT Restore Tools, Import Editors, Process Dumpers, Unpacking Tools



Tool name: CHook
Rating: 0.0 (0 votes)
Author: Darawk                        
Website: N/A
Current version:
Last updated: October 16, 2005
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: This is my hooking library that performs a variety of different types of hooks:

- IAT hooking
- EAT hooking
- Debug register hooking
- Thread-safe jmp patch hooking using a length-disassembler engine and a code thunk that masks the problem of jumping back to the original function.
Also listed in: Code Injection Tools



Tool name: CheckSum Fixer
Rating: 0.0 (0 votes)
Author: Shub-Nigurrath                        
Website: http://arteam.accessroot.com
Current version: 1.0
Last updated: January 5, 2006
Direct D/L link: http://arteam.accessroot.com/releases.html?fid=12
License type: Free
Description: The PE file headers include a CheckSum field, which is located at
IMAGE_NT_HEADER->IMAGE_OPTIONAL_HEADER->CheckSum

This value is an overall checksum of the whole file. It is often not set and left at 0x0000 by most compilers, so you don't often have to worry about it, but sometimes this value is used to check whether there have been alterations in the executable file.
There is for example an API, MapFileAndCheckSum(), which calculates the real checksum of a PE file and also reports the value stored in the PE header. It is then simple for simple protectors to detect alterations of a PE file, even of a single byte.

It's a simple technique that advanced protectors don't use too often, and you can of course intercept this API and modify it online or skip its call. But with PocketPC smartphones or system drivers, for example, this check is done by the operating system, so you simply have no way to intercept this check and the only way is to fix the value stored in the PE file header.

This program simply does this conveniently. Other tools already have this functionality (LordPE for example), but I just wanted a fast program able to fix this checksum in a click (e.g. with LordPE you have to do at least 5 or 6 clicks).

It is very handy with ring0 drivers which test this checksum value!
Also listed in: Executable CRC Calculators



Tool name: Code Snippet Creator (Iczelion)
Rating: 0.0 (0 votes)
Author: Iczelion                        
Website: N/A
Current version: 1.05 (build 2)
Last updated: January 13, 2001
Direct D/L link: Locally archived copy
License type: Free
Description: Code Snippet Creator is designed specifically for advanced crackers/assembly programmers who want to create custom code snippets in assembly language.

The features of this utility:
· Can generate code snippets and save them as binary files
· Support both TASM and MASM
· Provide simple integrated PE editor to edit the target file you want to patch
· Can patch the code snippet into a target PE file both as a new section and as an addition to an existing section (or PE header)
· You can use ANY functions that the target imports in your snippet! This utility will fix the calls for you.
Also listed in: Code Injection Tools, Code Snippet Creators



Tool name: CodeDoctor
Rating: 0.0 (0 votes)
Author: hnedka                        
Website: N/A
Current version: 0.90
Last updated: November 12, 2009
Direct D/L link: see details
License type: freeware
Description: CodeDoctor is a plugin for Olly and IDA.

History:
11.11.2009 - 0.90 - initial public release

________________________________________________________________________________
Functions:

1) Deobfuscate

Select instructions in disasm window and execute this command. It will try
to clear the code from junk instructions.

Example:

Original:
00874372 57 PUSH EDI
00874373 BF 352AAF6A MOV EDI,6AAF2A35
00874378 81E7 0D152A41 AND EDI,412A150D
0087437E 81F7 01002A40 XOR EDI,402A0001
00874384 01FB ADD EBX,EDI
00874386 5F POP EDI

Deobfuscated:
00874372 83C3 04 ADD EBX,4

________________________________________________________

2) Deobfuscate - Single Step

This works like previous command, but does one transformation at a time
_______________________________________________________

3) Move NOPs to bottom

Converts this:

00874396 50 PUSH EAX
00874397 90 NOP
00874398 90 NOP
00874399 52 PUSH EDX
0087439A BA 3F976B00 MOV EDX,somesoft.006B973F


to this:

00874396 50 PUSH EAX
00874397 52 PUSH EDX
00874398 BA 3F976B00 MOV EDX,somesoft.006B973F
0087439D 90 NOP
0087439E 90 NOP

Limitations: it breaks all jumps and calls pointing inwards
________________________________________________________

4) Undo / Redo

Undo or Redo last operation (from one of the above functions)

________________________________________________________

5) Retrieve Jumpy function

This will statically parse instructions and follow all jumps. This is useful
for situations when the program jumps here and there and here and there... When
it encounters an instruction that can't be followed, it stops and copies
all parsed instructions to an allocated place in memory.

Use settings to set some parameters:
Step over calls - if set, it will step over calls, otherwise it will follow them
Step over jccs - ditto, but for Jccs
Deobfuscate - it will deobfuscate instruction, when it encounters Jcc, RET,
JMP reg/exp, CALL reg/exp; useful for multi-branch

Example:

Original:
00874389 /EB 05 JMP SHORT somesoft.00874390
0087438B
Also listed in: Deobfuscation Tools, IDA Extensions, OllyDbg Extensions, Resource Editors, Unpacking Tools



Tool name: Codename ASLAN (4514N)
Rating: 0.0 (0 votes)
Author: Piotr Bania                        
Website: http://www.piotrbania.com/all/4514N/
Current version: (not yet released)
Last updated:
Direct D/L link: N/A
License type: Free
Description: I'm currently working on my masterpiece project (school project), a first GUI-oriented and the most advanced integrating-metamorphic engine so far. The integration engine allows the user to integrate any code into any PE binary file (x86 processors), including device drivers etc. etc. The 4514N engine can rebuild all the PE structure, internal offsets (jumps, references), any type of PE sections (relocs, imports, exports, resources...); moreover, it can even keep the alignment of variables.

Integration means that first the target file is disassembled into pieces (this creates a chain which connects the body of the target file), then we move that chain, we do everything we want (I call this step InverseKinematics, just because I'm a 3D graphics hobbyist) and then we compile the chain again. Such a horribly modified application runs perfectly; moreover, it is almost impossible to disinfect the modified target. So tell me, do you want to compile a rootkit inside of your ndis.sys? :)

I don't want to speak much about the metamorphic engine since it is not 100% ready yet. But the main thing you should know is that it is mostly based on the emulation process (and as far as I know it is the first metamorphic engine which does so), and many of the mutation states are based on Automaton Theory (which inspired me a lot). Let's consider the rest of the features as a future surprise :)
Also listed in: Code Injection Tools



Tool name: Comrade's PE Tools
Rating: 0.0 (0 votes)
Author: Comrade                        
Website: http://comrade.ownz.com/projects/petools.html
Current version:
Last updated: July 31, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: * Inject Tool

Inject is a tool that injects a DLL into a running process. Its command-line usage is as follows:

1. Inject C:\hook.dll into pid 1234: inject.exe 1234 C:\hook.dll
2. Inject C:\hook.dll into process notepad.exe (if multiple notepads are running, then whichever one is picked is undefined): inject.exe -p *notepad.exe C:\hook.dll
3. Inject C:\hook.dll into running process C:\myprogram.exe: inject.exe -p C:\myprogram.exe C:\hook.dll
4. Inject C:\hook.dll into process with a window named "Untitled - Notepad": inject.exe -w "Untitled - Notepad" C:\hook.dll
5. Inject C:\hook.dll into process with a window class Notepad: inject.exe -c Notepad C:\hook.dll

Note that in all uses, you should specify the full path to the injected DLL.


* Loader Tool

Loader is a tool that injects a DLL before launching a process. Its command-line usage is as follows:

1. Load notepad.exe and inject C:\hook.dll into it: loader.exe notepad.exe C:\hook.dll

Note that you should specify the full path to the injected DLL.


* Patch Tool

Patch is a tool that adds a new section to the executable. The new section becomes the new entrypoint, and contains code to load a particular DLL, and then jump back to the original entrypoint. This can be used to create static patches that behave similar to the Loader tool.
The tool's command-line usage is as follows:

1. Patch original.exe to load C:\hook.dll before execution; save the patched executable to patched.exe: patch.exe original.exe patched.exe C:\hook.dll


* Reimport Tool

Reimport is a tool that redirects certain entries of an executable's import table to another DLL. For example, running reimport.exe game.exe newgame.exe nocd.dll kernel32.dll::GetDriveTypeA kernel32.dll::CreateFileA kernel32.dll::GetVolumeInformation will create a copy of game.exe into newgame.exe, with the above 3 API functions rerouted to nocd.dll, instead of kernel32.dll. That means newgame.exe would import GetDriveTypeA, CreateFileA, and GetVolumeInformation from nocd.dll instead of kernel32.dll.
Also listed in: Code Injection Tools, Import Editors



Tool name: DLL Injection Framework
Rating: 5.0 (1 vote)
Author: Admiral                        
Website: http://www.ring3circus.com/downloads/dll-injection-framework
Current version: 1.0
Last updated: December 20, 2007
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: The process of remote function hooking via a DLL is notoriously messy, so I’ve tried to encapsulate as much of the mess as possible into a C++ class. Here’s an example of some client code that injects a DLL into Windows Calculator, then installs two hooks (one by name and another by address):

-----------------------------------------------------------------
// Create the injection object
DLLInjection injection("E:/Temp/HookDLL.dll");

// Find Calc.exe by its window
DWORD process_id = injection.GetProcessIDFromWindow(
    "SciCalc",
    "Calculator");

// Inject the DLL
HMODULE remote_module = injection.InjectDLL(process_id);

// Hook a DLL function (User32!SetWindowTextW)
HDLLHOOK swtw_hook = injection.InstallDLLHook(
    "C:/Windows/System32/User32.dll",
    "SetWindowTextW",
    "SetWindowTextHookW");

// Hook a function manually (Calc!0100F3CF)
HDLLHOOK manual_hook = injection.InstallCodeHook(
    reinterpret_cast (0x0100F3CF),
    "SomeOtherHook");

// Remove the hooks
injection.RemoveHook(swtw_hook);
injection.RemoveHook(manual_hook);
-----------------------------------------------------------------

Testing has been limited so don’t be surprised to find bugs. If you do find any, please report them.
Also listed in: Code Injection Tools



Tool name: Detect It Easy
Rating: 0.0 (0 votes)
Author: Hors                        
Website: http://ntinfo.biz
Current version: 1.01
Last updated: March 23, 2016
Direct D/L link: https://www.dropbox.com/s/h3sjlmhgcx7qfx2/DIE_1.01_win.zip?dl=1
License type: Free (both for commercial and non-commercial usage) and open source
Description: Detect it Easy

Detect It Easy, or abbreviated “DIE”, is a program for determining types of files.

“DIE” is a cross-platform application; apart from the Windows version, there are also versions available for Linux and Mac OS.

Many programs of the kind (PEID, PE tools) allow the use of third-party signatures. Unfortunately, those signatures scan only bytes by the pre-set mask, and it is not possible to specify additional parameters. As a result, false triggering often occurs. More complicated algorithms are usually strictly set in the program itself. Hence, to add a new complex detect one needs to recompile the entire project. No one, except the authors themselves, can change the algorithm of a detect. As time passes, such programs lose relevance without constant support.

Detect It Easy has a totally open architecture of signatures. You can easily add your own algorithms of detects or modify those that already exist. This is achieved by using scripts. The script language is very similar to JavaScript and any person who understands the basics of programming will easily understand how it works. Possibly, someone may decide the scripts are working very slowly. Indeed, scripts run slower than compiled code, but, thanks to the good optimization of the Script Engine, this doesn't cause any special inconvenience. The possibilities of open architecture compensate for these limitations.

DIE exists in three versions. Basic version (“DIE”), Lite version (“DIEL”) and console version (“DIEC”). All the three use the same signatures, which are located in the folder “db”. If you open this folder, nested sub-folders will be found (“Binary”, “PE” and others). The names of sub-folders correspond to the types of files. First, DIE determines the type of file, and then sequentially loads all the signatures, which lie in the corresponding folder. Currently the program defines the following types:

• MSDOS: executable files MS-DOS
• PE: executable files Windows
• ELF: executable files Linux
• MACH: executable files Mac OS
• Text: files
• Binary: all other files
Also listed in: .NET Packers, Compiler Identifiers, Entropy Analyzers, Exe Analyzers, Linux Tools, Mac OS Tools, PE EXE Signature Tools, Packer Identifiers, Tool Signatures



Tool name: DetourXS
Rating: 0.0 (0 votes)
Author: Sinner                        
Website: http://forum.gamedeception.net/showthread.php?t=10649
Current version: 1.0
Last updated: June 16, 2007
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: DetourXS is a library for function detouring.

Example usage code:

---------------------------------------------------------
#include <detourxs.h>

typedef DWORD (WINAPI* tGetTickCount)(void);
tGetTickCount oGetTickCount;

DWORD WINAPI hGetTickCount(void)
{
    printf("GetTickCount hooked!");
    return oGetTickCount();
}

// To create the detour
oGetTickCount = (tGetTickCount) DetourCreate("kernel32.dll", "GetTickCount", hGetTickCount, DETOUR_TYPE_JMP);

// ...Or an address
oGetTickCount = (tGetTickCount) DetourCreate(0x00000000, hGetTickCount, DETOUR_TYPE_JMP);

// ...You can also specify the detour len
oGetTickCount = (tGetTickCount) DetourCreate(0x00000000, hGetTickCount, DETOUR_TYPE_JMP, 5);

// To remove the detour
DetourRemove(oGetTickCount);
---------------------------------------------------------
Also listed in: Code Injection Tools



Tool name: Direct3D Hooking
Rating: 5.0 (1 vote)
Author: Admiral                        
Website: http://www.ring3circus.com/downloads/direct3d-hooking
Current version: 1.1
Last updated: November 27, 2007
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: A sample for hooking a Direct3D 9 program and drawing on its viewport. Translating this to Direct3D 8 should be trivial.

Notes:

* Vista support added with version 1.1
* This is not safe for 64-bit consumption, though that should be obvious.
* While there’s no reason it can’t be made to work with Unicode, I’ve written everything in ASCII, for simplicity.
* By default, the DLL will increase its own reference count to prevent it being unloaded prior to termination of the host process. This is because there is a small risk of the DLL being unloaded by one thread, while a hooked function in another returns to the now dead memory. I figured that it’s best to waste a little bit of everybody’s memory than to crash unnecessarily.
* The d3d9.dll function addresses (and prologues) are hard-coded, or at least their offsets are. While this may look very unprofessional and rather risky, I can assure you that it’s quite safe. The alternative would be to hack up some virtual-function tables and that’s a whole other story for a whole other post.
* You may notice that the compiled DLL is dependent upon D3DX. This isn’t necessary for the hook itself, but I used ID3DXFont in my example for demonstrative purposes. The only reason I mention this is that there is no way to guarantee the existence of any D3DX DLLs on a DirectX 9 machine, and distributing them yourself is in violation of the DirectX Runtime EULA. So if you happen to need to distribute this code, you’ll either need to carry the huge runtime installer around, or avoid using D3DX altogether.
* The soft-hooks used here will cause problems with PunkBuster if applied to any of its monitored functions. If you need to do this then you’ll have to be a bit cleverer.
* The source assumes that the graphics device will never become invalid. If you suspect that this isn’t the case (which will be true for any full-screen game at a minimum) then you’ll need to add the appropriate sanity checks (see IDirect3DDevice9::TestCooperativeLevel) before attempting to render anything, lest you want to crash and burn.
Also listed in: DirectX Tools, Code Injection Tools



Tool name: DotNetasploit
Rating: 0.0 (0 votes)
Author: Jon McCoy                        
Website: http://digitalbodyguard.com/DotNetasploit.html
Current version: 2.5
Last updated: August 2010
Direct D/L link: Locally archived copy
License type: Free
Description: DotNetasploit is a very capable code injector, making it possible to inject and edit code and GUI controls into .NET applications in an interactive fashion.
Also listed in: .NET Code Injection Tools



Tool name: Dotnet IL Editor (DILE)
Rating: 0.0 (0 votes)
Author: zsozsop                        
Website: http://sourceforge.net/projects/dile
Current version: 0.2.6
Last updated: September 30, 2007
Direct D/L link: N/A
License type: Free / Open Source
Description: Dotnet IL Editor (DILE) is an editor program which helps modifying .NET assemblies. It is intended to be able to disassemble .NET assemblies, modify the IL code, recompile it and run inside a debugger.
Also listed in: .NET Debuggers, .NET Disassemblers, .NET Executable Editors



Tool name: DynamoRIO
Rating: 0.0 (0 votes)
Author: Hewlett-Packard Laboratories & MIT & Derek Bruening                        
Website: http://dynamorio.org
Current version: 6.0.0.6
Last updated: October 6, 2015
Direct D/L link: https://github.com/DynamoRIO/dynamorio/releases/download/release_6_0_0/DynamoRIO-Windows-6.0.0-6.zip
License type: Free and open source (BSD-type license)
Description: DynamoRIO is a runtime code manipulation system that supports code transformations on any part of a program, while it executes. DynamoRIO exports an interface for building dynamic tools for a wide variety of uses: program analysis and understanding, profiling, instrumentation, optimization, translation, etc. Unlike many dynamic tool systems, DynamoRIO is not limited to insertion of callouts/trampolines and allows arbitrary modifications to application instructions via a powerful IA-32/AMD64 instruction manipulation library. DynamoRIO provides efficient, transparent, and comprehensive manipulation of unmodified applications running on stock operating systems (Windows or Linux) and commodity IA-32 and AMD64 hardware.
DynamoRIO's powerful API abstracts away the details of the underlying infrastructure and allows the tool builder to concentrate on analyzing or modifying the application's runtime code stream. API documentation is included in the release package and can also be browsed online.

Previous description:

The DynamoRIO Collaboration - Dynamo from Hewlett-Packard Laboratories + RIO (Runtime Introspection and Optimization) from MIT's Laboratory for Computer Science.

The DynamoRIO dynamic code modification system, joint work between Hewlett-Packard and MIT, is being released as a binary package with an interface for both dynamic instrumentation and optimization. The system is based on Dynamo from Hewlett-Packard Laboratories. It operates on unmodified native binaries and requires no special hardware or operating system support. It is implemented for both IA-32 Windows and Linux, and is capable of running large desktop applications.

The system's release was announced at a PLDI tutorial on June 16, 2002, titled "On the Run - Building Dynamic Program Modifiers for Optimization, Introspection and Security." Here is the tutorial abstract:

In the new world of software, which heavily utilizes dynamic class loading, DLLs and interconnected components, the power and reach of static analysis is diminishing. An exciting new paradigm of dynamic program optimization, improving the performance of a program while it is being executed, is emerging. In this tutorial, we will describe intricacies of building a dynamic optimizer, explore novel application areas such as program introspection and security, and provide details of building your own dynamic code modifier using DynamoRIO. DynamoRIO, a joint development between HP Labs and MIT, is a powerful dynamic code modification infrastructure capable of running existing binaries such as Microsoft Office Suite. It runs on both Windows and Linux environments. We are offering a free release of DynamoRIO for non-commercial use. A copy of the DynamoRIO release, which includes the binary and a powerful API, will be provided to the attendees.
Also listed in: Code Coverage Tools, Code Injection Tools, Debugger Libraries, Disassembler Libraries, Profiler Tools



Tool name: ERESI Framework
Rating: 0.0 (0 votes)
Author: The ERESI Project                        
Website: http://www.eresi-project.org
Current version: 0.82b2
Last updated: September 13, 2009
Direct D/L link: N/A
License type: Free / Open Source
Description: The ERESI Reverse Engineering Software Interface is a unified multi-architecture binary analysis framework targeting operating systems based on the Executable & Linking Format (ELF) such as Linux, *BSD, Solaris, HP-UX, IRIX and BeOS.

ERESI is a general purpose hybrid framework: it includes both static analysis and runtime analysis capabilities. These features are accessed by primitives of the ERESI reverse engineering language, which makes the framework more adaptable to the precise needs of its users. It brings an environment of choice for program analysis through instrumentation, debugging, and tracing as it also provides more than ten exclusive major built-in features. ERESI can also be used for security auditing, hooking, integrity checking or logging binary programs. The project promotes modularity and reusability of code and allows users to create their own project on top of the ERESI language interpreter in just a few lines. Among other features, the base code can display program graphs on demand using its automated flow analysis primitives. Our tools are enhanced for hardened or raw systems which have no executable data segments and no native debug API or even explicit program information.

The ERESI framework includes:

* The ELF shell (elfsh), an interactive and scriptable ERESI interpreter dedicated to instrumentation of ELF binary files.
* The Embedded ELF debugger (e2dbg), an interactive and scriptable high-performance userland debugger that works without standard debug API (namely without ptrace).
* The Embedded ELF tracer (etrace), an interactive and scriptable userland tracer that works at full frequency of execution without generating traps.
* The Kernel shell (kernsh), an interactive and scriptable userland ERESI interpreter to inject code and data in the OS kernel, but also infer, inspect and modify kernel structures directly in the ERESI language.
* The Evarista static analyzer, a work in progress ERESI interpreter for program transformation and data-flow analysis of binary programs directly implemented in the ERESI language (no web page yet).

Beside those top-level components, the ERESI framework contains various libraries that can be used from one of the previously mentioned tools, or in a standalone third-party program:

* libelfsh : the binary manipulation library on which ELFsh, E2dbg, and Etrace are based.
* libe2dbg : the embedded debugger library which operates from inside the debuggee program.
* libasm : the disassembly engine (x86 and sparc) that gives semantic attributes to instructions and operands.
* libmjollnir : the code fingerprinting and graph manipulation library.
* librevm : the Reverse Engineering Vector Machine, that contains the meta-language interpreter and the standard ERESI library.
* libaspect : the type system and aspect library. It can define complex data-types to be manipulated ad-hoc by ERESI programs.
* libedfmt : the ERESI debug format library which can convert dwarf and stabs debug formats to the ERESI debug format by automatically generating new ERESI types.
Also listed in: Code Injection Tools, Linux Debuggers, Linux Disassemblers, Reverse Engineering Frameworks, Tracers



Tool name: eXeScope
Rating: 0.0 (0 votes)
Author: Toshifumi Yamamoto                        
Website: http://hp.vector.co.jp/authors/VA003525/Eindex.htm
Current version: 6.50
Last updated: March 23, 2004
Direct D/L link: Locally archived copy
License type: Shareware
Description: Do you want to customize an application? For example,

* to change font,
* to change menu,
* to change an arrangement of dialog,
* etc.,

But you think that it is impossible because you do not have the source files?

eXeScope can analyze, display various information, and rewrite resources of executable files, that is, EXE, DLL, OCX, etc. without source files.
Also listed in: Resource Editors



Tool name: Export Function Explorer
Rating: 0.0 (0 votes)
Author: tt.t                        
Website: N/A
Current version: 1.2
Last updated:
Direct D/L link: Locally archived copy
License type: Free
Description: Export Function Explorer (for PE32 only) allows you to easily add new exports to existing PE files, or output the export table to a .txt list which is easy to parse from a custom application. This is the original version of ExpX, which only supports PE32 (no X64) PE files.
Also listed in: Export Editors



Tool name: Export Function Explorer x64
Rating: 0.0 (0 votes)
Author: tt.t, modified by Fyyre                        
Website: http://mfyyre.narod.ru
Current version: 1.2
Last updated: June 27, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: I needed to add an export to a PE32+ file, and could not locate a tool which would do this.

This is a modification of Export Function Explorer, which lets you add new exports to PE32+ files. Please note that this modification is only suited for PE32+ files, use the normal ExpX for anything else.
Also listed in: Export Editors



Tool name: FastSystemCallHook
Rating: 0.0 (0 votes)
Author: Darawk                        
Website: N/A
Current version:
Last updated: April 5, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: A snippet of code which is a KiFastSystemCall hook I wrote that hooks all user-mode APIs by replacing the SYSENTER MSR. It works also on multi-processor systems and should be easy to extend into a fully functional library if you want to.
Also listed in: API Monitoring Tools, Code Injection Tools



Tool name: HookLib
Rating: 0.0 (0 votes)
Author: Nektra                        
Website: http://www.nektra.com/products/deviare/hooklib/
Current version: 1.0
Last updated:
Direct D/L link: http://www.nektra.com/products/deviare/hooklib/hooklib.exe
License type: LGPL
Description: Nektra's hook engine used in Deviare.
Also listed in: Code Injection Tools



Tool name: IDA Inject
Rating: 0.0 (0 votes)
Author: Jan Newger                        
Website: http://newgre.net/idainject
Current version: 1.0.3
Last updated: July 18, 2008
Direct D/L link: http://newgre.net/system/files/IDAInject.rar
License type: Free / Open Source
Description: This plugin allows you to inject dlls into a debugged process, either prior to process creation or when the debugger is attached. The injected dll can then do some fancy stuff inside the debugged process.
To realize dll injection before process creation, new import descriptors are added to the image import directory of the debuggee, whereas injection into an already running process is realized via shellcode injection, which in turn loads the dll in question.
In either case, a full path to the dll can be supplied, so it is not necessary for the dll to be in the search path.
Also listed in: Code Injection Tools, IDA Extensions



Tool name: JavaSnoop
Rating: 0.0 (0 votes)
Author: Aspect Security                        
Website: https://www.aspectsecurity.com/research/appsec_tools/javasnoop/
Current version: 1.1 RC2
Last updated: January 15, 2012
Direct D/L link: Locally archived copy
License type: Free
Description: A tool that lets you intercept methods, alter data and otherwise test the security of Java applications on your computer.

Normally, without access to the original source code, testing the security of a Java client is unpredictable at best and unrealistic at worst. With access to the original source, you can run a simple Java program and attach a debugger to it remotely, stepping through code and changing variables where needed. Doing the same with an applet is a little bit more difficult.

Unfortunately, real-life scenarios don’t offer you this option, anyway. Compilation and decompilation of Java are not really as deterministic as you might imagine. Therefore, you can’t just decompile a Java application, run it locally and attach a debugger to it.

Next, you may try to just alter the communication channel between the client and the server, which is where most of the interesting things happen anyway. This works if the client uses HTTP with a configurable proxy. Otherwise, you’re stuck with generic network traffic altering mechanisms. These are not so great for almost all cases, because the data is usually not plaintext. It’s usually a custom protocol, serialized objects, encrypted, or some combination of those.

JavaSnoop attempts to solve this problem by allowing you to attach to an existing process (like a debugger) and instantly begin tampering with method calls, run custom code, or just watch what’s happening on the system.
Also listed in: Java Code Injection Tools, Network Monitoring Tools, Network Sniffers



Tool name: Malcode Analysis Pack
Rating: 0.0 (0 votes)
Author: David Zimmer (iDefense Labs)                        
Website: http://sandsprite.com/blogs/index.php?uid=7&pid=185
Current version:
Last updated: May 5, 2012
Direct D/L link: http://sandsprite.com/CodeStuff/map_setup.exe
License type: GPL2
Description: Update: This is no longer available through the iDefense website. An updated package has been made available by the author.

The Malcode Analyst Pack contains a series of utilities that were found to be necessary tools while doing rapid malcode analysis.

Included in this package are:

• ShellExt - 5 explorer shell extensions
• socketTool - manual TCP Client for probing functionality.
• MailPot - mail server capture pot
• fakeDNS - spoofs DNS responses to controlled IPs
• sniff_hit - HTTP, IRC, and DNS sniffer
• sclog - Shellcode research and analysis application
• IDCDumpFix - aids in quick RE of packed applications
• Shellcode2Exe - embeds multiple shellcode formats in exe husk
• GdiProcs - detect hidden processes
• finddll - scan processes for loaded dll by name
• Virustotal - virus reports for single and bulk hash lookups. Explorer integration
Also listed in: API Monitoring Tools, Import Editors, Malware Analysis Tools, Network Sniffers, Network Tools, Process Monitoring Tools, Reverse Engineering Frameworks, TCP Proxy Tools



Tool name: ManualMap
Rating: 0.0 (0 votes)
Author: Darawk                        
Website: N/A
Current version:
Last updated: September 9, 2005
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: ManualMap is a library I wrote for dll injection by 'manually mapping' a PE file into the remote address space of a process. Instead of calling LoadLibrary or using SetWindowsHookEx (which also essentially calls LoadLibrary internally), this code parses the PE file itself, fixes up the relocs, maps the sections, and builds the import table. It also redirects APIs like GetModuleHandle and GetProcAddress so that manualmap'd modules are visible to each other, but are not visible to any other modules in the process.
Also listed in: Code Injection Tools



Tool name: Marxio File Checksum Verifier
Rating: 0.0 (0 votes)
Author: Marek Mantaj                        
Website: http://www.marxio-tools.net/en/marxio-fcv.php
Current version: 1.6.2
Last updated: December 29, 2009
Direct D/L link: N/A
License type: Freeware
Description: Portable file checksum verifier that allows you to calculate many file checksums (hashes) and compare them with the original one. Thanks to its simplicity and portability, it aims to be a portable, versatile and "must have" tool for dealing with single files and their checksums - to calculate, compare and verify them.

Marxio FCV supports major checksum types:
- CRC32,
- MD4,
- MD5,
- SHA1,
- SHA-256,
- SHA-384,
- SHA-512,
- RIPEMD-128,
- RIPEMD-160,
- HAVAL 256,
- TIGER 192.

"Drag and drop" function - all you need to do is to drag a file from Windows Explorer onto the form to calculate the selected checksum type.

Context menu - optional integration with the Explorer context menu with your custom text and a defined selected checksum to calculate.

Compare checksums - with other selected checksum.

Large files support - with size over 32 GB.

Very fast - calculate 4 GB large DVD file/image in 2 minutes using md5 algorithm.

Portable version - one-file program, just one executable file.

Interface - simple, eye friendly with mini-form available.

Keyboard shortcuts - as many handy shortcuts as possible, even for copying and pasting a checksum from the clipboard.

Save checksum to file - checksum and filename.

History - save all calculated checksums to file.

Additional settings - stay-on-top, save windows position and last used checksum type, show mini-form, show hashes in upper or lowercase, break function, high contrast themes support, log file, snap to edge - all are configurable.

Frequent updates - new releases published even a week!

Vision difficulties - this application provides support for users with vision difficulties (vision impairment) - tries to respect Windows skins and color schemas.

Marxio FCV is clean software. It does not contain any adverts. It does not integrate with Windows (unless the user requests it) and does not install any additional software, nor does it have spying mechanisms.

If you haven't found the function in this tool you looked for, I can develop it.

Note,
Marxio FCV target is to quickly calculate and verify ONE file and one checksum, not more. It's not any limit but this application works this way. Other application is being developed for calculating more files.
Also listed in: Executable CRC Calculators



Tool name: MetaPuck
Rating: 0.0 (0 votes)
Author: y0da                        
Website: http://y0da.cjb.net
Current version: 1.0
Last updated: 2005
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: MetaPuck is a tool to spy the information, being hidden in the MetaData block inside the CLR (Common Language Runtime) Portable Executable images of the .NET framework, and displays it in a well overlookable TreeView. It also parses .NET "typelibs". Included full source code.
Also listed in: COM Debugging Tools, .NET Executable Editors



Tool name: Mhook
Rating: 0.0 (0 votes)
Author: Marton Anka                        
Website: http://codefromthe70s.org/mhook2.asp
Current version: 2.1
Last updated: October 15, 2007
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Mhook is a library for installing API hooks. If you dabble in this area then you’ll already know that Microsoft Research's Detours pretty much sets the benchmark when it comes to API hooking. Why don't we get a comparison out of the way quickly then?


Detours vs. Mhook

Detours is available for free with a noncommercial license but it only supports the x86 platform. Detours can also be licensed for commercial use which also gives you full x64 support, but you only get to see the licensing conditions after signing an NDA.

Mhook is freely distributed under an MIT license with support for x86 and x64.

Detours shies away from officially supporting the attachment of hooks to a running application. Of course, you are free to do it - but if you end up causing a random crash here or there, you can only blame yourself.

Mhook was meant to be able to set and remove hooks in running applications – after all, that’s what you need it for in the real world. It does its best to avoid overwriting code that might be under execution by another thread.

Detours supports transactional hooking and unhooking; that is, setting a bunch of hooks at the same time with an all-or-nothing approach. Hooks will only be set if all of them can be set, otherwise the library will roll back any changes made. Mhook does not do this.

Finally, Mhook is pretty lazy when it comes to managing memory for the trampolines it uses. Detours allocates blocks of memory as needed, and uses the resulting data area to store as many trampolines within as will fit. Mhook, on the other hand, uses one call to VirtualAlloc per hook being set. Every hook needs less than 100 bytes of storage so this is very wasteful, since VirtualAlloc ends up grabbing 64K from the process' virtual address space every time Mhook calls it. (Actual allocated memory will be a single page which is also quite wasteful.) In the end though, this probably does not really matter, unless you are setting a very large number of hooks in an application. Also, this is very easy to fix.

With that out of the way, if you’re still here, let’s delve into it.


Future Improvements

Mhook is far from perfect. The following things should be addressed in the future:

* Implement a memory allocator so one call to VirtualAlloc can service multiple hooks
* Improve the thread-suspension code so it can deal with threads that are spawned during the execution of the thread-suspension process itself
* Improve error handling so meaningful failure codes can be retrieved by GetLastError
* For the truly paranoid: deal with possible conflicts with other hooking libraries (what if Mhook_SetHook is called on a function that is currently hooked with Detours, etc)
* Add support for IA64 (Itanium)
Also listed in: Code Injection Tools



Tool name: mmBBQ
Rating: 0.0 (0 votes)
Author: Michael Willigens, Rene Laemmert                        
Website: http://web.archive.org/web/20150507114635/http://duschkumpane.org/index.php/mmbbq
Current version: 3.1.0RC1
Last updated: October 16, 2014
Direct D/L link: http://hellgateaus.info/files/mmbbq_3.1.0_RC1.zip
License type: public domain, closed source
Description: mmBBQ injects an interactive codecaving Lua API into a win32 process. It is easy to use, there are no dependencies and only little knowledge is required. It was initially built to create APIs for MMORPGs. However it is fully generic and can attach to any kind of program. It can also inject into many protected processes, as it's meant to bypass some protective mechanisms. It offers debugging functionality, but not being a debugger itself makes it harder to detect.

It's easy to place any form of generic codecaves by using plain Lua code (LuaJIT C-Types). For Example:
codecave.inject(nil, getProcAddress("user32", "GetMessageA"), function(context) print("Hellow World Codecave") end)

It can also call arbitrary functions of the host process:
asmcall.cdecl(getProcAddress("user32", "MessageBoxA"), 0, "Hello World!", "Title", 0)

Aside from that, it includes a debugging and disassembly module that can be used to script breakpoints. This can be useful when making packed .exe extractors etc.

64-bit support is underway, and in the further future maybe also a Linux and Mac version.
Also listed in: Code Injection Tools, Debuggers, Disassemblers



Tool name: N-CodeHook
Rating: 0.0 (0 votes)
Author: Jan Newger                        
Website: http://newgre.net/ncodehook
Current version: 1.0.1
Last updated: July 07, 2008
Direct D/L link: http://newgre.net/system/files/NCodeHook.rar
License type: Free / Open Source
Description: N-CodeHook is a small template based C++ library which allows you to hook into functions via inline patching.
For some background info see the blog post or read the paper from the detours website on how inline patching works. Detours uses the same mechanism as N-CodeHook, but requires you to buy a license for the X64 version. Besides, the IA32 version must not be used for commercial purposes.
N-CodeHook however is completely free and you can use it for whatever you like.
Also listed in: Code Injection Tools



Tool name: N-InjectLib
Rating: 0.0 (0 votes)
Author: Jan Newger                        
Website: http://newgre.net/ninjectlib
Current version: 1.0.2
Last updated: July 14, 2008
Direct D/L link: http://newgre.net/system/files/NInjectLib.rar
License type: Free / Open Source
Description: N-InjectLib is a library written in C++ which allows injecting dynamic link libraries into a remote (i.e. foreign) process.
Two techniques are available to inject a dll: the target process can be started by using the library so the first dll loaded actually is the dll to be injected, or dlls can be injected anytime while the target process is running.
Also listed in: Code Injection Tools



Tool name: NW PE Builder
Rating: 0.0 (0 votes)
Author: Net Walker!                        
Website: N/A
Current version: 0.7
Last updated: February 16, 2009
Direct D/L link: Locally archived copy
License type:
Description: Simple and easy to use PE Editor.
Also listed in: (Not listed in any other category)



Tool name: NetAsm
Rating: 0.0 (0 votes)
Author: Alexandre Mutel                        
Website: http://www.codeplex.com/netasm
Current version: 1.0
Last updated: July 25, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: NetAsm provides a hook to the .NET JIT compiler and enables you to inject your own native code in replacement of the default CLR JIT compilation. With this library, it is possible, at runtime, to inject x86 assembler code in CLR methods with the speed of a pure CLR method call and without the cost of Interop/PInvoke calls.

NetAsm can be used to integrate optimized native code using CPU extended instructions (SSE,MMX) into your managed code. The NetAsmDemo sample provides two benchmarks that unveil the power of using native code injection with NetAsm.

For more information about NetAsm, code injection techniques and recommendations, please consult the NetAsm-UserGuide.
Also listed in: .NET Code Injection Tools



Tool name: NtHookEngine
Rating: 0.0 (0 votes)
Author: Daniel Pistelli                        
Website: http://www.ntcore.com/Files/nthookengine.htm
Current version: 1.1
Last updated: April 1, 2008
Direct D/L link: http://www.ntcore.com/Files/nthookengine/nthookengine.zip
License type: Free / Open Source
Description: NtHookEngine is a powerful x86/x64 mini hook-engine.

I wrote this little hook-engine for a much bigger article. Sometimes it seems such a waste to write valuable code for large articles whose topic isn't directly related to the code. This often leads to the problem that the code won't be found by the people who are looking for it.

Personally, I would've used Microsoft's Detour hook engine, but the free license only applies to x86 applications, and that seemed a little bit too restrictive to me. So, I decided to write my own engine in order to support x64 as well. I've never downloaded Detour nor have I ever seen its APIs, but from the general overview given by Microsoft it's easy to guess how it works.

As I said, this is only a part of something bigger. It's not perfect, but it can easily become such. Since this is not a beginner's guide about hooking, I assume that the reader already possesses the necessary knowledge to understand the material. If you never heard about this subject, you'd better start with another article. There's plenty of guides out there, no need to repeat the same things here.

As everybody knows there's only one easy and secure way to hook a Win32 API: to put an unconditional jump at the beginning of the code to redirect it to the hooked function. And by secure I just mean that our hook can't be bypassed. Of course, there are some other ways, but they're either complicated or insane or both. A proxy dll, for instance, might work in some cases, but it's rather insane for system dlls. Overwriting the IAT is unsecure for two reasons:

a) The program might use GetProcAddress to retrieve the address of an API (and in that case we should handle this API as well).
b) It's not always possible, there are many cases as for packed programs where the IAT gets built by the protection code and not by the Windows loader.

Ok, I guess you're convinced. Let's just say that there's a reason why Microsoft also uses this method.
Also listed in: Code Injection Tools



Tool name: Nucleus Framework
Rating: 0.0 (0 votes)
Author: PAPiLLiON                        
Website: http://www.woodmann.com/forum/showthread.php?t=12009
Current version: 1.0.0028.1059
Last updated: August 18, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: Today I decided that it's a good day for the initial release of my nucleus framework.

What you can do with it:

- Inject a specified DLL into a target's address space

That's it. Extremely minimal usage for the first release, but who cares.
Would be nice if some would test it and tell me if it works.


USAGE: nucleus <switches> target.exe

--help, --h, -help, -h

display usage help. also displayed if no parameter is selected


--log, --l, -log, -l <logging mode>

select logging mode.
1 = LOG_MODE_STDOUT - log to stdout
2 = LOG_MODE_FILE - log to file
4 = LOG_MODE_NOLOG - log disabled
mode 1 and 2 can be used in combination (expl. 3 for stdout and file together). if no logging mode selected 1 is default
Also listed in: Code Injection Tools



Tool name: PE1
Rating: 0.0 (0 votes)
Author: VLaaD                        
Website: N/A
Current version: 1.0
Last updated: Who knows
Direct D/L link: Locally archived copy
License type: Freeware for free people
Description: Little GUI tool useful for:

- Image rebase (if relocs are present, for now :)
- Recalc checksum
- Realign sections
- Strip section names
- Checksum fixing
- Excessive image directory cutoff (aggressive)

This one is my personal tool, so if something crashes, I have debugger (and you don't :)

P.S. This little thing is packed by RLPack by ap0x ("we protect what is home-grown, we use HOME-GROWN exe-packers :)")
Greetings to the very talented young team that has already left quite a few nice things behind it :)
Also listed in: Relocation Tools



Tool name: PE32 Relocate
Rating: 0.0 (0 votes)
Author: ap0x                        
Website: http://ap0x.jezgra.net/patchers.html
Current version: 0.1
Last updated:
Direct D/L link: Locally archived copy
License type: Free
Description: PE32.Relocate 0.1
--------------------
How to use:
reloc.exe -f<FILE> -b<IMAGEBASE>

<FILE> = Path to PE32 file to relocate
<IMAGEBASE> = New ImageBase for relocated file [hex]

Example:
reloc.exe -fCrackme.exe -b00410000
Also listed in: Relocation Tools



Tool name: PIN
Rating: 0.0 (0 votes)
Author: Intel                        
Website: http://rogue.colorado.edu/pin
Current version: 2.3 (rev 18525)
Last updated: April 10, 2008
Direct D/L link: N/A
License type: Free / Open source
Description: Pin is a tool for the dynamic instrumentation of programs. It supports Linux binary executables for Intel (R) Xscale (R), IA-32, IA-32E (64 bit x86), and Itanium (R) processors. It also allows instrumentation of Windows programs on IA-32 and Intel (R) 64 processors.

Pin was designed to provide functionality similar to the popular ATOM toolkit for Compaq's Tru64 Unix on Alpha, i.e. arbitrary code (written in C or C++) can be injected at arbitrary places in the executable. Unlike Atom, Pin does not instrument an executable statically by rewriting it, but rather adds the code dynamically while the executable is running. This also makes it possible to attach Pin to an already running process.

Pin provides a rich API that abstracts away the underlying instruction set idiosyncrasies and allows context information such as register contents to be passed to the injected code as parameters. Pin automatically saves and restores the registers that are overwritten by the injected code so the application continues to work. Limited access to symbol and debug information is available as well.

Pin includes the source code for a large number of example instrumentation tools like basic block profilers, cache simulators, instruction trace generators, etc. It is easy to derive new tools using the examples as a template.
Also listed in: Code Injection Tools, Profiler Tools, Tracers



Tool name: PPEE (puppy)
Rating: 0.0 (0 votes)
Author: Zaderostam                        
Website: https://www.mzrst.com/
Current version: 1.05
Last updated: April 22, 2016
Direct D/L link: Locally archived copy
License type: Free
Description: This is a professional PE file explorer that lets you dig into all data directories available in the PE/PE64 file and edit them.
Export, Import, Resource, Exception, Certificate (relies on Windows API), Base Relocation, Debug, TLS, Load Config, Bound Import, IAT, Delay Import and CLR are supported.
A companion plugin is also provided to take one-click technical information about the file such as its size, entropy, attributes, hashes, version info and so on.

Puppy is robust against malformed and crafted PE files, which makes it handy for reversers, malware researchers and those who want to inspect PE files in more detail.

Puppy is free and tries to be small, fast, nimble and friendly as your puppy!

In new version:
- .Net assembly VtableFixup support
- Control Flow Guard support
- New highlighting scheme
- Treeview icon added
- Neater Listview
- Major bug fixes


Feel free to use it ;)
Also listed in: .NET Executable Editors, Dependency Analyzer Tools, Entropy Analyzers, Exe Analyzers, Executable CRC Calculators, Executable File Editors & Patchers, Export Editors, Hex Editors, Import Editors, Malware Analysis Tools, Relocation Tools, String Finders



Tool name: pestudio
Rating: 0.0 (0 votes)
Author: Marc Ochsenmeier                        
Website: http://www.winitor.com
Current version: 8.51
Last updated: August 1, 2015
Direct D/L link: https://www.winitor.com/tools/pestudio/current/pestudio.zip
License type: Free for private usage.
Description: pestudio is an application that performs Malware Initial Assessment of any executable file.

A malicious executable attempts to hide its malicious intent and to evade detection. In doing so, it generally presents anomalies and suspicious patterns. The goal of pestudio is to detect these anomalies, provide indicators and score the executable being analyzed. Since the executable file being analyzed is never started, you can inspect any unknown or malicious executable with no risk.
Also listed in: Malware Analysis Tools



Tool name: Pokas x86 Emulator for Generic Unpacking
Rating: 0.0 (0 votes)
Author: Amr Thabet                        
Website: http://sourceforge.net/projects/x86emu/
Current version: 1.2.0 and 1.21 visual C++
Last updated: December 28, 2012
Direct D/L link: http://sourceforge.net/projects/x86emu/files/1.2.0/x86emu-1.2.rar/download
License type: GPL
Description: Pokas x86 Emulator is an Application-Only emulator created for generic unpacking and testing the antivirus detection algorithms.
This emulator has many features, some of which are:
1. Has an assembler and a disassembler from and to mnemonics.
2. Supports adding new APIs and adding the emulation function to them.
3. Supports a very powerful debugger that has a parser that parses the condition you give and creates very fast native code that performs the check on this condition.
4. Supports seh and supports tib, teb, peb and peb_ldr_data.
5. It monitors all the memory writes, logs up to 10 previous Eips and saves the last accessed and the last modified place in memory.
6. It supports 6 APIs: GetModuleHandleA, LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree and VirtualProtect.
7. With all of these, it's FREE and open source.

It successfully emulates:
1. UPX
2. FSG
3. MEW
4. Aspack
5. PECompact
6. Morphine

But it does contain bugs and it is still in the beta version. It surely will be fixed soon with the help of your feedback.

You can download it from https://sourceforge.net/projects/x86emu/

AmrThabet
amr.thabet_*at*_student.alx.edu.eg
Also listed in: Assembler IDE Tools, Assemblers, Automated Unpackers, Debuggers, Disassembler Libraries, Disassemblers, OEP Finders, Programming Libraries, Tracers, Unpacking Tools, Virtual Machines, X86 Disassembler Libraries, X86 Emulators, X86 Sandboxes



Tool name: Process Inject
Rating: 0.0 (0 votes)
Author: ap0x                        
Website: http://ap0x.jezgra.net/patchers.html
Current version: 0.1
Last updated:
Direct D/L link: Locally archived copy
License type: Free
Description: Process.Inject 0.1
--------------------

WARNING: Do not rename inject.exe!

How to use:
inject.exe -p<PID> -a<ADDRESS> -b<BYTES> -l<LENGTH>
inject.exe -p<PID> -a<ADDRESS> -f<FILE>
inject.exe -p<PID> -n<ALLOCSIZE>
inject.exe -p<PID> -r<THREADSTART>

<PID> = ProcessID [hex]
<ADDRESS> = Address where to insert bytes [hex]
<BYTES> = Patch bytes [hex]
<LENGTH> = Number of bytes to write (1..4)
<FILE> = Path to file to inject in memory (.bin)
<ALLOCSIZE> = Size of memory to allocate in target process [hex]
<THREADSTART> = New thread`s start address [hex]

Example:
inject.exe -p101 -a00401000 -bEBFE -l2
inject.exe -p101 -a00401000 -fC:\inject_me.bin
inject.exe -p101 -n1000
inject.exe -p101 -r00830000
Also listed in: Code Injection Tools



Tool name: PunchIt
Rating: 0.0 (0 votes)
Author: CondZero / ARTeam                        
Website: http://arteam.accessroot.com
Current version: 1.2
Last updated: January 18, 2011
Direct D/L link: http://www.accessroot.com/arteam/site/download.php?view.252
License type: Free
Description: It is a program useful to automatically inject into ANY application your sound and music. The music will be played in background when the program runs as before.

The tool comes with a comprehensive help file

Current Release: v1.2 January 2011

+ fix problem when extracting to temp
+ fix dialog repainting issue
+ all PECompact2 c2t*.tmp files (located in your temporary folder) are deleted if the compress option is chosen upon exiting the application
+ extract to temp and overwrite existing options now default
+ add ability to select a custom Icon (*.ico) file
+ latest build of Bass Audio module v2.4.6

Key features

Works with most windows 32 bit executable files (including packed / protected files) via a wrapper program, alternately called a Loader, a small piece of code and data attached to processed modules / music (files) that is responsible for extracting the application / music files and launching the application whilst playing the sound file.
Bass Audio module v2.4.6 (win32 version) capable of playing:
Streamable files:
*.wav;*.aif;*.mp3;*.mp2;*.mp1;*.ogg
MOD music files:
*.mo3;*.xm;*.mod;*.s3m;*.it;*.mtm;*.umx

PECompact2 v2.94.1 (Student build) compresses modules substantially better than that of the common compression software such as RAR and ZIP, and is more reliable in compressing certain types of packed / encrypted executable files than UPX. This is accomplished through advanced techniques of pre-processing a module to make it more compressible when passed to the compression algorithm.
Replaces the icon from either a custom Icon (*.ico) file or the source input executable file (if found) into the new output executable file.
Requires no programming knowledge to use.

Please test and report any probs. As can sometimes happen, if you choose a packed / protected
source executable, you may run into problems compressing and should choose the non compress
option. This is not a fault of the application, but a limitation imposed by compressor programs
such as PECompact2 (Student build) v1.94.1 (latest).
Also listed in: Code Injection Tools, GUI Manipulation Tools, Resource Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: ReloX
Rating: 0.0 (0 votes)
Author: MackT/uCF2000                        
Website: n/a
Current version: 1.0
Last updated: August 23, 2009
Direct D/L link: Locally archived copy
License type: free
Description: The only relocation tool worth its bytes. Perfect for that 'final step' in unpacking those pesky dynamic link libraries.


{ from included readme.txt }

ReloX v1.0 * by MackT/uCF2000 in 2003

Disclaimer:
-----------
This program may crash, or in a worse case it may even reboot your computer, so please use it with caution. (Do not run it 3 hours into an unsaved coding session for example)

I am *NOT* responsible for any damage caused by the use of it.


Purpose:
--------
ReloX is a Win32 relocations rebuilder. It will create a .reloc section from different
based images.


What does it need?
------------------
- At least 2 different based images of a module. The more images you have, the more
reliable your relocations will be.


How does it work?
-----------------
1) - Select the first based image with the "..." button on the "Original" line.

The imagebase will be put automatically. If it is not right, modify it.

2) - Select the second based image with the "..." button on the "Compare to" line.

The imagebase will be put automatically. If it is not right, modify it.

3) - Click on "Select Sections" to select all sections which contain code for
comparison (default is all).

4) - Click on "Compare" to start comparison between the modules.

The result will be in the list control.

5) - If you have other based images, redo the same thing from 2) for all of them

6) - Click on "Fix PE Module" to select a pe file and fix with the new ".reloc" section.

(no backup needed just like ImpREC(tm))


Limitations
-----------
- It will only support 32-bit relocations of type (3).
(IMAGE_REL_BASED_HIGHLOW : The fixup applies the delta to the 32-bit field at Offset)


Thanks to
---------
Muffin and Snacker for testing.


Greetings to
------------
Michelle Branch, Jackie Chan and Jet Li.
Also listed in: Relocation Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: RelocEditor
Rating: 0.0 (0 votes)
Author: Bitfry & Jupiter                        
Website: N/A
Current version: 1.0
Last updated:
Direct D/L link: Locally archived copy
License type: Free/Public Domain
Description: RelocEditor allows you to directly edit the Relocation table inside of the PE file and individual relocations. You can change the VA of individual relocations, edit or delete the whole table, individual blocks, etc.
Also listed in: Relocation Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: ResFixer
Rating: 0.0 (0 votes)
Author: seeQ                        
Website: N/A
Current version: 1.0 beta 1
Last updated: 2003
Direct D/L link: Locally archived copy
License type: Free/Public Domain
Description: ResFixer v 1.0 beta 1 by seeQ


1. Introduction
*****************
This program resolves the situation where you want to remove code from a dumped exe that is no longer needed after unwrapping. ResFixer is a resource rebuilder which tries to restore the resource section (.rsrc). As you know, many protectors/packers move some of the resources (Icon, Icon Group, Version info) to their own section. In this case you can't remove the protector/packer section(s) after dumping.


2. Usage
*****************
Method 1 - Completely copies the resources section from an entrance file, then finishes gluing the displaced resources and corrects the resource tree.
Method 2 - Tries to completely reconstruct the section on the basis of a tree.


3. Tips
*****************
1. In programs written in Delphi, watch for TLS (native place rdata).
2. Do not forget that resources in the file should lie directly at the beginning of a unique section named ".rsrc", because otherwise programs can crash under some builds of Win9x and in some resource viewers.
3. It is also possible to remove Relocs from the EXE.


4. Bugs
*******************
The program does not check if the file is unpacked.
Also listed in: Resource Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Resourcer for .NET
Rating: 0.0 (0 votes)
Author: Lutz Roeder                        
Website: http://www.aisto.com/roeder/dotnet/
Current version: 1.0
Last updated:
Direct D/L link: N/A
License type: Free
Description: Resourcer is an editor for .resources binaries and .resX XML file formats used with the .NET platform. Resourcer allows editing of name/string pairs, import of bitmaps/icons and merging of resources from different sources.
Also listed in: .NET Resource Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: SpyStudio
Rating: 0.0 (0 votes)
Author: Nektra                        
Website: http://www.nektra.com/products/spystudio
Current version: 1.0.0b
Last updated: February 2008
Direct D/L link: http://www.nektra.com/products/spystudio/spystudio.exe
License type: Free
Description: SpyStudio is a powerful application that simplifies code execution interception operations, also called "hooking". Users can now easily monitor and gain control over processes in their systems, to really know what is happening in the Operating System and its applications.

With SpyStudio you can monitor and intercept API calls at any time, change their parameters, and resume execution.

SpyStudio uses the Deviare API technology to intercept function calls; this allows the user to monitor and hook applications in real time.
Deviare is a very complex technology that can be used through the most simple interfaces.

This useful application provides the ability to break process execution and inspect the function's parameters at any level, and even change its values.

* Hooks any module of any application.

* Understands almost any function's parameters. All data structures and types defined in windows.h are supported.

* Break on monitor: Break application's code execution, watch and modify function's parameters.

* Integrated Python shell: Now allows you to execute Python scripts and handle hooks!

* Some of the modules included on the database are:

Advapi32.dll
Gdi32.dll
Kernel32.dll
Ntdll.dll
User32.dll
Shell32.dll
Wininet.dll
Also listed in: API Monitoring Tools, Code Injection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: StringEditor
Rating: 0.0 (0 votes)
Author: VLaaD                        
Website: N/A
Current version: 1.0
Last updated: Back in 2005 (but still works!)
Direct D/L link: Locally archived copy
License type: Freeware for Free People
Description: String editor is UNICODE editor for binary string resources.
It is pretty straightforward to use it, so it doesn't have a help (if you press F1, God will help you!)

Besides normal side-by-side expected functionality, and capability of changing the string resource ID, you can also perform a string resource cleanup (messup occurs when buggers are frequently deleting the strings without repacking, so whole string blocks are consuming memory for nothing).

Small and works.
Also listed in: Resource Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Stud_PE
Rating: 0.0 (0 votes)
Author: CGSoftLabs                        
Website: http://www.cgsoftlabs.ro/studpe.html
Current version: 2.6.0.5
Last updated: October 31, 2009
Direct D/L link: http://www.cgsoftlabs.ro/zip/Stud_PE.zip
License type: Freeware
Description: Stud_PE The Portable Executables Viewer/Editor (32/64 bit PE files)

Features:
* View/edit PE basic Header information (DOS also):
- Header structures to hexeditor;
* View/edit Section Table:
- Add new section;
* View/edit Directory Table:
- Import/Export Table viewer;
- Import adder;
- Resource viewer/editor (save/replace ico/cur/bmp);
* PE Scanner (PEiD sig database):
- 400 packers/protectors/compilers;
* Task viewer/dumper/killer;
* PEHeader/Binary file compare;
* RVA to RAW to RVA;
* Drag'nDrop shell menu integration;
* Basic HexEditor;
* Process region dumper/viewer;
Also listed in: Import Editors, Resource Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Valgrind
Rating: 0.0 (0 votes)
Author:                         
Website: http://valgrind.org
Current version: 3.2.3
Last updated: January 29, 2007
Direct D/L link: N/A
License type: Free / Open Source
Description: Valgrind is an award-winning suite of tools for debugging and profiling Linux programs. With the tools that come with Valgrind, you can automatically detect many memory management and threading bugs, avoiding hours of frustrating bug-hunting, making your programs more stable. You can also perform detailed profiling, to speed up and reduce memory use of your programs.

The Valgrind distribution currently includes four tools: a memory error detector, a cache (time) profiler, a call-graph profiler, and a heap (space) profiler. It runs on the following platforms: X86/Linux, AMD64/Linux, PPC32/Linux, PPC64/Linux.
Also listed in: Code Injection Tools, Linux Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Win32 CodeHook
Rating: 0.0 (0 votes)
Author: Wang Qi                        
Website: http://www.kbasm.com/codehook.html
Current version: 1.0.0
Last updated:
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Win32 CodeHook is an open source library for binary code hook and redirect for Win32 Delphi and C++.

Features and advantages
1. Can hook function that starts with jump instructions.
Most other simple API/code hook techniques cannot hook functions whose first several instructions include jump instructions such as jmp, jcc (jump if condition is met), call, jecxz, etc.
CodeHook can rewrite those instructions in a safe way and continue hooking.
The only instructions that can prevent CodeHook from hooking are ret and iret, which indicate the function end is met and the function is too short to hook.

2. Very easy to use.
CodeHook not only supports raw mode code hooking, it also supports advanced hooking.
CodeHook can generate "bridge code" that connects your hook code to the target code.
Thus you only need to write hook code in a unique form (unique prototype functions) rather than writing different hook code for different targets.
The typical hook prototype is,
Delphi syntax: function HookCallback(AHandle: TCodeHookHandle; AParams: PCodeHookParamAccessor): Cardinal; CallingConvertion;
C++ syntax: DWORD CallingConvertion HookCallback(TCodeHookHandle AHandle, PDWORD AParams);
This feature makes it possible to use one hook function to hook multiple functions. See the Delphi sample code. And this is how I do in the new Denomo package.
And even better, both of the hook and target functions can have various calling conventions. The calling conventions now supported are stdcall (used by Windows APIs), cdecl (used by C), and register call (used by Delphi).

3. Very flexible.
CodeHook separates your hook function from the target function. Your hook function can fully replace the target function, or call the old target function from the hook function at any time you want.
And even more flexible, you can easily modify the parameters before passing them to the old target function.

4. Can be used by any program language which can use a DLL.
Though CodeHook is written in Delphi, the CHook.dll can be used by any other language such as C++. In fact CodeHook has sample code that is written in Delphi and C++. The sample C++ code can be compiled by VC6 and Borland C++ 5.5 or C++ Builder (BCB).

5. Free and open source.
The license is MPL.

6. More features will come soon.
CodeHook was made for use in Denomo (a memory leak detection tool), so it now only supports in-process hooking. But inter-process hooking and DLL injection will be added in near-future versions.

CodeHook itself has been verified that it can be compiled by Delphi 7 and Delphi 2007. It should but not must be able to be compiled by Delphi 6, Delphi 2005, and Delphi 2006.
CHook.dll can be used by any language that supports DLL, pointer, and data structure.
Also listed in: Code Injection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Win32Hook
Rating: 0.0 (0 votes)
Author: Russell Libby                        
Website: http://users.adelphia.net/~rllibby/source.html
Current version:
Last updated: February 14, 2006
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Delphi unit that provides IAT updating, code overwriting (uses DISASM32 for this), and library injection. All handling is done using class objects, and should be relatively simple to use.
Also listed in: Code Injection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: ZeroAdd
Rating: 0.0 (0 votes)
Author: SantMat
Website: http:// immortal descendents
Current version:
Last updated:
Direct D/L link: Locally archived copy
License type:
Description: Zero Add is a tool to add a zero-padded section to the end of an executable.
Simply pick an exe and give a name and size to add a zero-padded section at the end of the executable.
Also listed in: Import Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

