From Collaborative RCE Tool Library
PE Executable Editors

| Tool name: | Explorer Suite |
|---|---|
| Author: | Daniel Pistelli |
| Website: | http://ntcore.com/exsuite.php |
| Current version: | III |
| Last updated: | March 2, 2008 |
| Direct D/L link: | http://ntcore.com/Files/ExplorerSuite.exe |
| License type: | Free |

Description: A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

Features:

* Process Viewer
* Windows Viewer
* PE and Memory Dumper
* Full support for PE32/64
* Special fields description and modification (.NET supported)
* PE Utilities
* PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
* View and modification of .NET internal structures
* Resource Editor (full support for Windows Vista icons)
* Support in the Resource Editor for .NET resources (dumpable as well)
* Hex Editor
* Import Adder
* PE integrity checks
* Extension support
* Visual Studio Extensions Wizard
* Powerful scripting language
* Dependency Walker
* Quick Disassembler (x86, x64)
* Name Unmangler
* Extension support
* File Scanner
* Directory Scanner
* Deep Scan method
* Recursive Scan method
* Multiple results
* Report generation
* Signatures Manager
* Signatures Updater
* Signatures Collisions Checker
* Signatures Retriever

Also listed in: .NET Executable Editors, .NET Resource Editors, .NET Signature Removers, .NET Tools, Dependency Analyzer Tools, Exe Analyzers, Executable CRC Calculators, Hex Editors, Import Editors, Memory Dumpers, Process Dumpers, Protection Identifiers, Resource Editors

| Tool name: | CFF Explorer |
|---|---|
| Author: | Daniel Pistelli |
| Website: | http://www.ntcore.com/exsuite.php |
| Current version: | VII |
| Last updated: | January 17, 2008 |
| Direct D/L link: | http://www.ntcore.com/Files/CFF_Explorer.zip |
| License type: | Freeware |

Description: The CFF Explorer was designed to make PE editing as easy as possible, but without losing sight of the portable executable's internal structure. This application includes a series of tools which might help not only reverse engineers but also programmers. It offers a multi-file environment and a switchable interface. Also, it's the first PE editor with full support for the .NET file format. With this tool you can easily edit metadata fields and flags. If you're programming something that has to do with .NET metadata, you will need this tool. The resource viewer supports .NET image formats like icons, bitmaps, PNGs. You'll be able to analyze .NET files without having to install the .NET framework; this tool has its own functions to access the .NET format. Also includes a cool new scripting engine!

Also listed in: .NET Executable Editors

| Tool name: | Ultimate Hooking Engine |
|---|---|
| Author: | deroko of ARTeam |
| Website: | http://deroko.phearless.org |
| Current version: | |
| Last updated: | August 10, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |

Description: The engine allows anyone to hook APIs very easily using their own hooking DLL. Each hooking DLL might have 3 types of exports:

1. prefixed HOOK
2. prefixed Detoured
3. hookmain (optional)

1. Whenever you want to hook some API you will put this kind of export:

```
HOOK_kernel32_GetModuleHandleA
HOOK_user32_MessageBoxA
```

Also note that the inline hook will point to this procedure, so this procedure will have all of your code responsible for a certain API.

2. To be able to call the original API from your hook you should also export this variable (in C/C++ it will be a function pointer). Note how the variables are prefixed with "Detoured_":

```
Detoured_GetModuleHandleA
Detoured_MessageBoxA
```

Here is one example from C/C++ code:

```cpp
#include <windows.h>   // added for HMODULE, LPCTSTR

// Function pointer that the engine fills in with the address of the original API
extern "C" __declspec(dllexport) HMODULE (__stdcall *Detoured_GetModuleHandleA)(LPCTSTR modulename) = NULL;

// Hook procedure: the inline hook placed on kernel32!GetModuleHandleA lands here
extern "C" __declspec(dllexport) HMODULE __stdcall HOOK_kernel32_GetModuleHandleA(LPCTSTR modulename)
{
    return Detoured_GetModuleHandleA(modulename);
}
```

Note also that this is optional: if you don't need to call the original proc, then you don't need this export. Note that when working with MSVC2005 it will always screw up the export names for procedures while function pointers are properly exported, so add these lines to your .def file:

```
HOOK_kernel32_GetModuleHandleA = _HOOK_kernel32_GetModuleHandleA@4
Detoured_GetModuleHandleA
```

3. hookmain is an export which has this prototype:

```cpp
void __stdcall hookmain();
```

This procedure will be called before the program jumps to the entrypoint of the target. Here you may add some extra code; it isn't very useful and all initialization you may perform in DllEntry, but I leave this here just in case you want to start your own tracer before code jumps to the entrypoint. At least that's why I'm using it.

Also listed in: Code Injection Tools

| Tool name: | .NET Hook Library |
|---|---|
| Author: | shokshok |
| Website: | http://dotnethook.sourceforge.net |
| Current version: | 2.1 |
| Last updated: | May 30, 2002 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |

Description: .Net Hook Library is a library (with a sample tool) to manipulate functions in a .NET Assembly. It allows for insertion of arbitrary code at the beginning of each function called in a .NET assembly (whether executable or assembly). Also provides code that reads through metadata and dumps information on it. The download contains detailed documentation about how it works and what it is. I'm in the process of converting this from an executable to a library. That way, existing applications can use it to modify the .NET binaries (a.k.a. assemblies).

Also listed in: .NET Code Injection Tools, Code Injection Tools

| Tool name: | CRC Calculator |
|---|---|
| Author: | Shub-Nigurrath |
| Website: | http://arteam.accessroot.com |
| Current version: | 1.1 |
| Last updated: | January 6, 2005 |
| Direct D/L link: | http://arteam.accessroot.com/releases.html?fid=14 |
| License type: | Free |

Description: Just drag & drop files to it or use the button to calculate the CRC, then select and paste. Adapted from existing sources, small and easy.

History:

- 1.0 initial version
- 1.1 added command-line support, ideal for integration into Total Commander

Also listed in: Executable CRC Calculators

| Tool name: | CheckSum Fixer |
|---|---|
| Author: | Shub-Nigurrath |
| Website: | http://arteam.accessroot.com |
| Current version: | 1.0 |
| Last updated: | January 5, 2006 |
| Direct D/L link: | http://arteam.accessroot.com/releases.html?fid=12 |
| License type: | Free |

Description: The PE file headers include a CheckSum field, located at IMAGE_NT_HEADER->IMAGE_OPTIONAL_HEADER->CheckSum. This value is an overall checksum of the whole file, often not set and left at 0x0000 by most compilers, so it doesn't often happen that you need to worry about it, but sometimes this value is used to check whether there have been alterations to the executable file. There is for example an API, MapFileAndCheckSum(), which calculates the real checksum of a PE file and also reports the value stored in the PE header. It is then simple for simple protectors to detect alterations of a PE file, even of a single byte. It's a simple technique that advanced protectors don't use too often, and you can of course intercept this API and modify it online or skip its call, but for example with PocketPC smartphones or system drivers this check is done by the operating system, so you simply have no way to intercept this check and the only option is to fix the value stored in the PE file header. This program simply does this conveniently. Other tools already have this functionality (LordPE for example), but I just wanted a fast program able to fix this checksum in a click (e.g. with LordPE you have to do at least 5 or 6 clicks). It is very handy with ring0 drivers which test this checksum value!

Also listed in: Executable CRC Calculators

| Tool name: | Codename ASLAN (4514N) |
|---|---|
| Author: | Piotr Bania |
| Website: | http://www.piotrbania.com/all/4514N/ |
| Current version: | (not yet released) |
| Last updated: | |
| Direct D/L link: | N/A |
| License type: | Free |

Description: I'm currently working on my masterpiece project (school project), the first GUI-oriented and the most advanced integrating-metamorphic engine so far. The integration engine allows the user to integrate any code into any PE binary file (x86 processors), including device drivers etc. etc. The 4514N engine can rebuild all the PE structure, internal offsets (jumps, references), any type of PE sections (relocs, imports, exports, resources...); moreover it can even keep the alignment of variables. Integration means that firstly the target file is disassembled to pieces (it creates a chain which connects the body of the target file), then we move that chain, we do everything we want (I call this step InverseKinematics, just because I'm a 3D graphics hobbyist) and then we compile the chain again. Such a horribly modified application runs perfectly; moreover it is almost impossible to disinfect the modified target. So tell me, do you want to compile a rootkit inside of your ndis.sys? :) I don't want to speak much about the metamorphic engine since it is not 100% ready yet. But the main thing you should know is that it is mostly based on the emulation process (and as far as I know it is the first metamorphic engine which does so), and many of the mutation states are based on Automaton Theory (which inspired me a lot). Let's consider the rest of the features as a future surprise :)

Also listed in: Code Injection Tools

| Tool name: | DLL Injection Framework |
|---|---|
| Author: | Admiral |
| Website: | http://www.ring3circus.com/downloads/dll-injection-framework |
| Current version: | 1.0 |
| Last updated: | December 20, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |

Description: The process of remote function hooking via a DLL is notoriously messy, so I've tried to encapsulate as much of the mess as possible into a C++ class. Here's an example of some client code that injects a DLL into Windows Calculator, then installs two hooks (one by name and another by address):

```cpp
// Create the injection object
DLLInjection injection("E:/Temp/HookDLL.dll");

// Find Calc.exe by its window
DWORD process_id = injection.GetProcessIDFromWindow("SciCalc", "Calculator");

// Inject the DLL
HMODULE remote_module = injection.InjectDLL(process_id);

// Hook a DLL function (User32!SetWindowTextW)
HDLLHOOK swtw_hook = injection.InstallDLLHook("C:/Windows/System32/User32.dll",
                                              "SetWindowTextW",
                                              "SetWindowTextHookW");

// Hook a function manually (Calc!0100F3CF)
// (the reinterpret_cast template argument was lost in extraction; void* is assumed here)
HDLLHOOK manual_hook = injection.InstallCodeHook(reinterpret_cast<void*>(0x0100F3CF),
                                                 "SomeOtherHook");

// Remove the hooks
injection.RemoveHook(swtw_hook);
injection.RemoveHook(manual_hook);
```

Testing has been limited so don't be surprised to find bugs. If you do find any, please report them.

Also listed in: Code Injection Tools

| Tool name: | DetourXS |
|---|---|
| Author: | Sinner |
| Website: | http://forum.gamedeception.net/showthread.php?t=10649 |
| Current version: | 1.0 |
| Last updated: | June 16, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |

Description: DetourXS is a library for function detouring. Example usage code:

```cpp
#include <windows.h>   // added: DWORD, WINAPI
#include <stdio.h>     // added: printf
#include <detourxs.h>

typedef DWORD (WINAPI* tGetTickCount)(void);
tGetTickCount oGetTickCount;   // trampoline to the original GetTickCount

// Replacement function: runs instead of GetTickCount, then calls the original
DWORD WINAPI hGetTickCount(void)
{
    printf("GetTickCount hooked!");
    return oGetTickCount();
}

// Wrapper function added so the example compiles; call it e.g. from DllMain
void InstallExampleDetour(void)
{
    // To create the detour
    oGetTickCount = (tGetTickCount) DetourCreate("kernel32.dll", "GetTickCount", hGetTickCount, DETOUR_TYPE_JMP);

    // ...Or an address (0x00000000 is a placeholder for the target function's address)
    oGetTickCount = (tGetTickCount) DetourCreate(0x00000000, hGetTickCount, DETOUR_TYPE_JMP);

    // ...You can also specify the detour len
    oGetTickCount = (tGetTickCount) DetourCreate(0x00000000, hGetTickCount, DETOUR_TYPE_JMP, 5);

    // To remove the detour
    DetourRemove(oGetTickCount);
}
```

Also listed in: Code Injection Tools

| Tool name: | Detours |
|---|---|
| Author: | Microsoft |
| Website: | http://research.microsoft.com/sn/detours |
| Current version: | 2.1 |
| Last updated: | 2007 |
| Direct D/L link: | N/A |
| License type: | Free |

Description: Innovative systems research hinges on the ability to easily instrument and extend existing operating system and application functionality. With access to appropriate source code, it is often trivial to insert new instrumentation or extensions by rebuilding the OS or application. However, in today's world systems researchers seldom have access to all relevant source code.

Detours is a library for instrumenting arbitrary Win32 functions on x86, x64, and IA64 machines. Detours intercepts Win32 functions by re-writing the in-memory code for target functions. The Detours package also contains utilities to attach arbitrary DLLs and data segments (called payloads) to any Win32 binary.

Detours preserves the un-instrumented target function (callable through a trampoline) as a subroutine for use by the instrumentation. Our trampoline design enables a large class of innovative extensions to existing binary software.

We have used Detours to create an automatic distributed partitioning system, to instrument and analyze the DCOM protocol stack, and to create a thunking layer for a COM-based OS API. Detours is used widely within Microsoft and within the industry.

Detours 2.1 is now available. Detours 2.1 includes the following new features:

* Complete documentation of the Detours API.
* Transactional model for attaching and detaching detours.
* Support for updating peer threads when attaching or detaching detours.
* Unification of dynamic and static detours into a single API.
* Support for detection of detoured processes.
* Significant robustness improvements in APIs that start a process with a DLL containing detour functions.
* New APIs to copy payloads into target processes.
* Support for 64-bit code on x64 and IA64 processors (available in Professional edition only).
* Supports building detours with Visual Studio 2005, Visual Studio .NET 2003, Visual Studio .NET (VC8), and Visual Studio (VC7).

Also listed in: API Monitoring Tools, Code Injection Tools

| Tool name: | Direct3D Hooking |
|---|---|
| Author: | Admiral |
| Website: | http://www.ring3circus.com/downloads/direct3d-hooking |
| Current version: | 1.1 |
| Last updated: | November 27, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |

Description: A sample for hooking a Direct3D 9 program and drawing on its viewport. Translating this to Direct3D 8 should be trivial.

Notes:

* Vista support added with version 1.1
* This is not safe for 64-bit consumption, though that should be obvious.
* While there's no reason it can't be made to work with Unicode, I've written everything in ASCII, for simplicity.
* By default, the DLL will increase its own reference count to prevent it being unloaded prior to termination of the host process. This is because there is a small risk of the DLL being unloaded by one thread, while a hooked function in another returns to the now dead memory. I figured that it's best to waste a little bit of everybody's memory than to crash unnecessarily.
* The d3d9.dll function addresses (and prologues) are hard-coded, or at least their offsets are. While this may look very unprofessional and rather risky, I can assure you that it's quite safe. The alternative would be to hack up some virtual-function tables and that's a whole other story for a whole other post.
* You may notice that the compiled DLL is dependent upon D3DX. This isn't necessary for the hook itself, but I used ID3DXFont in my example for demonstrative purposes. The only reason I mention this is that there is no way to guarantee the existence of any D3DX DLLs on a DirectX 9 machine, and distributing them yourself is in violation of the DirectX Runtime EULA. So if you happen to need to distribute this code, you'll either need to carry the huge runtime installer around, or avoid using D3DX altogether.
* The soft-hooks used here will cause problems with PunkBuster if applied to any of its monitored functions. If you need to do this then you'll have to be a bit cleverer.
* The source assumes that the graphics device will never become invalid. If you suspect that this isn't the case (which will be true for any full-screen game at a minimum) then you'll need to add the appropriate sanity checks (see IDirect3DDevice9::TestCooperativeLevel) before attempting to render anything, lest you want to crash and burn.

Also listed in: DirectX Tools, Code Injection Tools

| Tool name: | DynamoRIO |
|---|---|
| Author: | Hewlett-Packard Laboratories & MIT |
| Website: | http://www.cag.lcs.mit.edu/dynamorio/ |
| Current version: | 0.9.4 (beta) |
| Last updated: | February 26, 2005 |
| Direct D/L link: | N/A |
| License type: | Free |

Description: The DynamoRIO Collaboration: Dynamo from Hewlett-Packard Laboratories + RIO (Runtime Introspection and Optimization) from MIT's Laboratory for Computer Science.

The DynamoRIO dynamic code modification system, joint work between Hewlett-Packard and MIT, is being released as a binary package with an interface for both dynamic instrumentation and optimization. The system is based on Dynamo from Hewlett-Packard Laboratories. It operates on unmodified native binaries and requires no special hardware or operating system support. It is implemented for both IA-32 Windows and Linux, and is capable of running large desktop applications.

The system's release was announced at a PLDI tutorial on June 16, 2002, titled "On the Run - Building Dynamic Program Modifiers for Optimization, Introspection and Security." Here is the tutorial abstract:

In the new world of software, which heavily utilizes dynamic class loading, DLLs and interconnected components, the power and reach of static analysis is diminishing. An exciting new paradigm of dynamic program optimization, improving the performance of a program while it is being executed, is emerging. In this tutorial, we will describe intricacies of building a dynamic optimizer, explore novel application areas such as program introspection and security, and provide details of building your own dynamic code modifier using DynamoRIO. DynamoRIO, a joint development between HP Labs and MIT, is a powerful dynamic code modification infrastructure capable of running existing binaries such as Microsoft Office Suite. It runs on both Windows and Linux environments. We are offering a free release of DynamoRIO for non-commercial use. A copy of the DynamoRIO release, which includes the binary and a powerful API, will be provided to the attendees.

Also listed in: Code Injection Tools

| Tool name: | ERESI Framework |
|---|---|
| Author: | The ERESI Project |
| Website: | http://www.eresi-project.org |
| Current version: | 0.8a23 |
| Last updated: | November 30, 2007 |
| Direct D/L link: | N/A |
| License type: | Free / Open Source |

Description: The ERESI Reverse Engineering Software Interface is a unified multi-architecture binary analysis framework targeting operating systems based on the Executable & Linking Format (ELF) such as Linux, *BSD, Solaris, HP-UX, IRIX and BeOS. ERESI is a general purpose hybrid framework: it includes both static analysis and runtime analysis capabilities. These features are accessed by primitives of the ERESI reverse engineering language, which makes the framework more adaptable to the precise needs of its users. It brings an environment of choice for program analysis through instrumentation, debugging, and tracing, as it also provides more than ten exclusive major built-in features. ERESI can also be used for security auditing, hooking, integrity checking or logging binary programs. The project advocates modularity and reusability of code and allows users to create their own project on top of the ERESI language interpreter in just a few lines. Among other features, the base code can display program graphs on demand using its automated flow analysis primitives. Our tools are enhanced for hardened or raw systems which have no executable data segments and no native debug API or even explicit program information.

The ERESI framework includes:

* The ELF shell (elfsh), an interactive and scriptable ERESI interpreter dedicated to instrumentation of ELF binary files.
* The Embedded ELF debugger (e2dbg), an interactive and scriptable high-performance userland debugger that works without a standard debug API (namely without ptrace).
* The Embedded ELF tracer (etrace), an interactive and scriptable userland tracer that works at full frequency of execution without generating traps.
* The Kernel shell (kernsh), an interactive and scriptable userland ERESI interpreter to inject code and data in the OS kernel, but also infer, inspect and modify kernel structures directly in the ERESI language.
* The Evarista static analyzer, a work-in-progress ERESI interpreter for program transformation and data-flow analysis of binary programs directly implemented in the ERESI language (no web page yet).

Besides those top-level components, the ERESI framework contains various libraries that can be used from one of the previously mentioned tools, or in a standalone third-party program:

* libelfsh: the binary manipulation library on which ELFsh, E2dbg, and Etrace are based.
* libe2dbg: the embedded debugger library which operates from inside the debuggee program.
* libasm: the disassembly engine (x86 and sparc) that gives semantic attributes to instructions and operands.
* libmjollnir: the code fingerprinting and graph manipulation library.
* librevm: the Reverse Engineering Vector Machine, which contains the meta-language interpreter and the standard ERESI library.
* libaspect: the type system and aspect library. It can define complex data-types to be manipulated ad hoc by ERESI programs.
* libedfmt: the ERESI debug format library which can convert DWARF and STABS debug formats to the ERESI debug format by automatically generating new ERESI types.

Also listed in: Reverse Engineering Frameworks, Linux Debuggers, Linux Disassemblers, Tracers, Code Injection Tools

| Tool name: | eXeScope |
|---|---|
| Author: | Toshifumi Yamamoto |
| Website: | http://hp.vector.co.jp/authors/VA003525/Eindex.htm |
| Current version: | 6.50 |
| Last updated: | March 23, 2004 |
| Direct D/L link: | Locally archived copy |
| License type: | Shareware |

Description: Do you want to customize an application? For example:

* to change the font,
* to change a menu,
* to change the arrangement of a dialog,
* etc.

But you think that it is impossible because you do not have the source files? eXeScope can analyze, display various information, and rewrite resources of executable files, that is, EXE, DLL, OCX, etc., without source files.

Also listed in: Resource Editors

| Tool name: | Hiew |
|---|---|
| Author: | Eugene Suslikov |
| Website: | http://www.hiew.ru/ |
| Current version: | 7.50 |
| Last updated: | February 6, 2008 |
| Direct D/L link: | http://www.hiew.ru/files/hiew750.zip |
| License type: | Shareware |

Description:

* view and edit files of any length in text, hex, and decode modes
* x86-64 disassembler & assembler
* physical & logical drive view & edit
* support for NE, LE, LX, PE, PE32+ and little-endian ELF executable formats
* support for Netware Loadable Modules like NLM, DSK, LAN, ...
* following direct call/jmp instructions in any executable file with one touch
* pattern search in disassembler
* built-in simple 64-bit decrypt/crypt system
* built-in powerful 64-bit calculator
* block operations: read, write, fill, copy, move, insert, delete, crypt
* multifile search and replace
* keyboard macros
* unicode support
* Hiew External Module (HEM) support

Also listed in: Disassemblers, Hex Editors

| Tool name: | IIDKing |
|---|---|
| Author: | SantMat |
| Website: | http://www.reteam.org/tools.html |
| Current version: | 2.01 |
| Last updated: | November 2004 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |

Description: IIDKing allows you to add/remove imports to/from ANY PE file's import table, thereby eliminating the need to do LoadLibrary then GetProcAddress.

What's New:

- Added the ability to add an unlimited number of DLL(s) and their corresponding Function(s) to the target exe.
- You can now run IIDKing an unlimited number of times on any given target and IIDKing will only ever use ONE section called ".IIDKING" in your target. Old versions of IIDKing required more.
- When you run IIDKing on a target that has already been modified via IIDKing v1/v2 it will notify you of this fact and subsequently load the previously added DLL(s)/Function(s) into the IIDKing dialog. This allows you to re-run IIDKing for the purpose of removing or adding to past import additions to your targets.
- Added an easy-to-use interface for adding DLL(s)/Function(s) in the form of a list dialog. You simply select the DLL filename as you wish and it will list all its available exports for you to choose from. Leaves no room for case-sensitivity or spelling errors when adding DLL(s)/Function(s).
- IIDKing v2 is much more intuitive in handling user actions and hence can be kept open and used continuously on the same target or any given number of targets. No need to restart IIDKing ever.

Also listed in: Import Editors

| Tool name: | ImageRemCert |
|---|---|
| Author: | Jupiter |
| Website: | N/A |
| Current version: | 1.02 |
| Last updated: | January 4, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |

Description: After modifying a PE which contains a digital signature (security certificate), the image may not run under Vista or you'll see a warning about an incorrect digital signature. This little tool removes the certificate from the PE image. Written in assembly language. Uses the ImageRemoveCertificate API function from ImageHlp.dll.

Also listed in: PE EXE Signature Tools

| Tool name: | LordPE |
|---|---|
| Author: | y0da |
| Website: | N/A |
| Current version: | 1.41 (Deluxe b) |
| Last updated: | December 31, 2002 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |

Description: LordPE is a tool e.g. for system programmers which is able to edit/view many parts of PE (Portable Executable) files, dump them from memory, optimize them, validate, analyze, edit, ...

Main features:

* Task viewer/dumper
* Huge PE editor (with big ImportTable viewer, ...)
* Break'n'Enter (break at the EntryPoint of dll or exe files)
* PE Rebuilder

News:

* The first GUI PE editor in the world supporting the new PE32+ (64bit) format ?! (only editing support - no rebuilding, dumping, comparing etc.)
* New plugin interface added! You can develop LordPE Dump Engines (LDE) now. Look at \Docs\LDE.tXt for more information.
* Added LDE: IntelliDump which can dump .NET CLR processes
* Added structure lister for SectionHeaderTable, PE headers and DataDirectories (the "L" buttons)
* Added hex edit buttons (the "H" buttons) in the DataDirectoryTable viewer
* Added PE.OptionalHeader.Magic and PE.OptionalHeader.NumberOfRvaAndSizes to the PE editor
* TLSTable DataDirectory is now editable
* Possibility to increment/decrement the number of DataDirectories added
* Etc etc etc...

Also listed in: Dump Fixers, Process Dumpers, Memory Dumpers, Import Editors

| Tool name: | Malcode Analysis Pack |
|---|---|
| Author: | David Zimmer (iDefense Labs) |
| Website: | http://labs.idefense.com/files/labs/releases/previews/map/ |
| Current version: | |
| Last updated: | November 13, 2006 |
| Direct D/L link: | http://labs.idefense.com/software/download/?downloadID=8 |
| License type: | GPL2 |

Description: The Malcode Analyst Pack contains a series of utilities that were found to be necessary tools while doing rapid malcode analysis. Included in this package are:

* ShellExt - 4 explorer shell extensions
* socketTool - manual TCP client for probing functionality
* MailPot - mail server capture pot
* fakeDNS - spoofs DNS responses to controlled IPs
* sniff_hit - HTTP, IRC, and DNS sniffer
* sclog - shellcode research and analysis application
* IDCDumpFix - aids in quick RE of packed applications
* Shellcode2Exe - embeds multiple shellcode formats in an exe husk
* GdiProcs - detect hidden processes

Also listed in: Malware Analysis Tools, Network Tools, Process Monitoring Tools, TCP Proxy Tools, Network Sniffers, Import Editors, Reverse Engineering Frameworks, API Monitoring Tools
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Mhook |
|---|---|
| Author: | Marton Anka |
| Website: | http://codefromthe70s.org/mhook2.asp |
| Current version: | 2.1 |
| Last updated: | October 15, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | Mhook is a library for installing API hooks. If you dabble in this area then you'll already know that Microsoft Research's Detours pretty much sets the benchmark when it comes to API hooking. Why don't we get a comparison out of the way quickly then? Detours vs. Mhook: Detours is available for free with a noncommercial license but it only supports the x86 platform. Detours can also be licensed for commercial use which also gives you full x64 support, but you only get to see the licensing conditions after signing an NDA. Mhook is freely distributed under an MIT license with support for x86 and x64. Detours shies away from officially supporting the attachment of hooks to a running application. Of course, you are free to do it - but if you end up causing a random crash here or there, you can only blame yourself. Mhook was meant to be able to set and remove hooks in running applications - after all, that's what you need it for in the real world. It does its best to avoid overwriting code that might be under execution by another thread. Detours supports transactional hooking and unhooking; that is, setting a bunch of hooks at the same time with an all-or-nothing approach. Hooks will only be set if all of them can be set, otherwise the library will roll back any changes made. Mhook does not do this. Finally, Mhook is pretty lazy when it comes to managing memory for the trampolines it uses. Detours allocates blocks of memory as needed, and uses the resulting data area to store as many trampolines within as will fit. Mhook, on the other hand, uses one call to VirtualAlloc per hook being set. Every hook needs less than 100 bytes of storage so this is very wasteful, since VirtualAlloc ends up grabbing 64K from the process' virtual address space every time Mhook calls it. (Actual allocated memory will be a single page which is also quite wasteful.) In the end though, this probably does not really matter, unless you are setting a very large number of hooks in an application. Also, this is very easy to fix. With that out of the way, if you're still here, let's delve into it. Future Improvements: Mhook is far from perfect. The following things should be addressed in the future: * Implement a memory allocator so one call to VirtualAlloc can service multiple hooks * Improve the thread-suspension code so it can deal with threads that are spawned during the execution of the thread-suspension process itself * Improve error handling so meaningful failure codes can be retrieved by GetLastError * For the truly paranoid: deal with possible conflicts with other hooking libraries (what if Mhook_SetHook is called on a function that is currently hooked with Detours, etc.) * Add support for IA64 (Itanium) |
| Also listed in: | Code Injection Tools |
| Tool name: | NtHookEngine |
|---|---|
| Author: | Daniel Pistelli |
| Website: | http://www.ntcore.com/Files/nthookengine.htm |
| Current version: | 1.1 |
| Last updated: | April 1, 2008 |
| Direct D/L link: | http://www.ntcore.com/Files/nthookengine/nthookengine.zip |
| License type: | Free / Open Source |
| Description: | NtHookEngine is a powerful x86/x64 mini hook-engine. I wrote this little hook-engine for a much bigger article. Sometimes it seems such a waste to write valuable code for large articles whose topic isn't directly related to the code. This often leads to the problem that the code won't be found by the people who are looking for it. Personally, I would've used Microsoft's Detours hook engine, but the free license only applies to x86 applications, and that seemed a little bit too restrictive to me. So, I decided to write my own engine in order to support x64 as well. I've never downloaded Detours nor have I ever seen its APIs, but from the general overview given by Microsoft it's easy to guess how it works. As I said, this is only a part of something bigger. It's not perfect, but it can easily become such. Since this is not a beginner's guide about hooking, I assume that the reader already possesses the necessary knowledge to understand the material. If you've never heard about this subject, you'd better start with another article. There are plenty of guides out there, no need to repeat the same things here. As everybody knows, there's only one easy and secure way to hook a Win32 API: to put an unconditional jump at the beginning of the code to redirect it to the hooked function. And by secure I just mean that our hook can't be bypassed. Of course, there are some other ways, but they're either complicated or insane or both. A proxy dll, for instance, might work in some cases, but it's rather insane for system dlls. Overwriting the IAT is insecure for two reasons: a) The program might use GetProcAddress to retrieve the address of an API (and in that case we should handle this API as well). b) It's not always possible; there are many cases, as with packed programs, where the IAT gets built by the protection code and not by the Windows loader. Ok, I guess you're convinced. Let's just say that there's a reason why Microsoft also uses this method. |
| Also listed in: | Code Injection Tools |
| Tool name: | PE Explorer |
|---|---|
| Author: | Heaventools Software |
| Website: | http://www.heaventools.com/overview.htm |
| Current version: | 1.99 R2 |
| Last updated: | August 19, 2007 |
| Direct D/L link: | http://www.heaventools.com/download/pexsetup.zip |
| License type: | Shareware |
| Description: | PE Explorer provides powerful tools for disassembly and inspection of unknown binaries, modifying the properties of executable files and customizing and translating their resources. Use this product for reverse engineering and to analyze the procedures and libraries an executable uses. Features include: * Working with PE files - exe, dll, sys, drv, bpl, dpl, cpl, ocx and more. * The ability to open a broken or packed file in Safe mode. * Support for custom plug-ins to perform any startup processing. * Collecting the full information contained in the file header. * Checksum computing and modification. * Review and editing of Data Directories. * Review of all the sections and info about their location and size. * Review of section contents as Raw Data - up to 16 view windows. * Extracting and deleting sections. * Section header recalculation. * Section Editor to modify and repair damaged section headers. * Resource Editor to view and modify almost any kind of resources. * Saving changes to disk as a new file image. * Full info on exported and imported functions. Review of the contents of the base relocation table. * Quick Function Syntax Lookup. Syntax Description Editor. * Source code and package information analyzer. Dependency Scanner. * Built-in Disassembler. * Customize GUI elements of your favorite Windows programs. * Special support for Delphi applications. * Automatic UPX and Upack unpacking. See multiple screenshots at: http://www.heaventools.com/scrshots.htm |
| Also listed in: | Resource Editors, Disassemblers |
| Tool name: | PE1 |
|---|---|
| Author: | VLaaD |
| Website: | N/A |
| Current version: | 1.0 |
| Last updated: | Who knows |
| Direct D/L link: | Locally archived copy |
| License type: | Freeware for free people |
| Description: | Little GUI tool useful for: - Image rebase (if relocs are present, for now :) - Recalc checksum - Realign sections - Strip section names - Checksum fixing - Excessive image directory cutoff (aggressive). This one is my personal tool, so if something crashes, I have a debugger (and you don't :) P.S. This little thing is packed by RLPack by ap0x ("we protect what's domestic, we use DOMESTIC exe-packers :)"). Greetings to a very talented young team that has already left plenty of nice things behind it :) |
| Also listed in: | Relocation Tools |
| Tool name: | PE32 Relocate |
|---|---|
| Author: | ap0x |
| Website: | http://ap0x.jezgra.net/patchers.html |
| Current version: | 0.1 |
| Last updated: | |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | PE32.Relocate 0.1. How to use: `reloc.exe -f<FILE> -b<IMAGEBASE>`, where `<FILE>` = path to the PE32 file to relocate and `<IMAGEBASE>` = new ImageBase for the relocated file [hex]. Example: `reloc.exe -fCrackme.exe -b00410000` |
| Also listed in: | Relocation Tools |
| Tool name: | PIN |
|---|---|
| Author: | Intel |
| Website: | http://rogue.colorado.edu/pin |
| Current version: | 2.3 (rev 18525) |
| Last updated: | April 10, 2008 |
| Direct D/L link: | N/A |
| License type: | Free / Open source |
| Description: | Pin is a tool for the dynamic instrumentation of programs. It supports Linux binary executables for Intel (R) Xscale (R), IA-32, IA-32E (64-bit x86), and Itanium (R) processors. It also allows instrumentation of Windows programs on IA-32 and Intel (R) 64 processors. Pin was designed to provide functionality similar to the popular ATOM toolkit for Compaq's Tru64 Unix on Alpha, i.e. arbitrary code (written in C or C++) can be injected at arbitrary places in the executable. Unlike Atom, Pin does not instrument an executable statically by rewriting it, but rather adds the code dynamically while the executable is running. This also makes it possible to attach Pin to an already running process. Pin provides a rich API that abstracts away the underlying instruction set idiosyncrasies and allows context information such as register contents to be passed to the injected code as parameters. Pin automatically saves and restores the registers that are overwritten by the injected code so the application continues to work. Limited access to symbol and debug information is available as well. Pin includes the source code for a large number of example instrumentation tools like basic block profilers, cache simulators, instruction trace generators, etc. It is easy to derive new tools using the examples as a template. |
| Also listed in: | Code Injection Tools, Profiler Tools, Tracers |
| Tool name: | Process Inject |
|---|---|
| Author: | ap0x |
| Website: | http://ap0x.jezgra.net/patchers.html |
| Current version: | 0.1 |
| Last updated: | |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | Process.Inject 0.1. WARNING: Do not rename inject.exe! How to use: `inject.exe -p<PID> -a<ADDRESS> -b<BYTES> -l<LENGTH>`, `inject.exe -p<PID> -a<ADDRESS> -f<FILE>`, `inject.exe -p<PID> -n<ALLOCSIZE>`, `inject.exe -p<PID> -r<THREADSTART>`, where `<PID>` = ProcessID [hex], `<ADDRESS>` = address where to insert bytes [hex], `<BYTES>` = patch bytes [hex], `<LENGTH>` = number of bytes to write (1..4), `<FILE>` = path to file to inject in memory (.bin), `<ALLOCSIZE>` = size of memory to allocate in target process [hex], `<THREADSTART>` = new thread's start address [hex]. Examples: `inject.exe -p101 -a00401000 -bEBFE -l2`, `inject.exe -p101 -a00401000 -fC:\inject_me.bin`, `inject.exe -p101 -n1000`, `inject.exe -p101 -r00830000` |
| Also listed in: | Code Injection Tools |
| Tool name: | radare |
|---|---|
| Author: | pancake |
| Website: | http://radare.nopcode.org |
| Current version: | 0.9.3 |
| Last updated: | February 19, 2008 |
| Direct D/L link: | |