From Collaborative RCE Tool Library

Jump to: navigation, search

Process Dumpers

Tool name:

Explorer Suite

Currently5/5
1
2
3
4
5

Rating: 5.0 (1 vote)

Author:

Daniel Pistelli

Website:

http://ntcore.com/exsuite.php

Current version:

III

Last updated:

March 2, 2008

Direct D/L link:

http://ntcore.com/Files/ExplorerSuite.exe

License type:

Free

Description:

A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

Features:

* Process Viewer
* Windows Viewer
* PE and Memory Dumper
* Full support for PE32/64
* Special fields description and modification (.NET supported)
* PE Utilities
* PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
* View and modification of .NET internal structures
* Resource Editor (full support for Windows Vista icons)
* Support in the Resource Editor for .NET resources (dumpable as well)
* Hex Editor
* Import Adder
* PE integrity checks
* Extension support
* Visual Studio Extensions Wizard
* Powerful scripting language
* Dependency Walker
* Quick Disassembler (x86, x64)
* Name Unmangler
* Extension support
* File Scanner
* Directory Scanner
* Deep Scan method
* Recursive Scan method
* Multiple results
* Report generation
* Signatures Manager
* Signatures Updater
* Signatures Collisions Checker
* Signatures Retriever

Also listed in:

.NET Executable Editors, .NET Resource Editors, .NET Signature Removers, .NET Tools, Dependency Analyzer Tools, Exe Analyzers, Executable CRC Calculators, Hex Editors, Import Editors, Memory Dumpers, PE Executable Editors, Protection Identifiers, Resource Editors

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

AMDUMPV6.2

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

CondZero

Website:

arteam.accessroot.com

Current version:

2.0

Last updated:

April 9, 2008

Direct D/L link:

http://arteam.accessroot.com/releases.html?fid=3

License type:

Free / Open Source

Description:

The archive includes full sources and two tutorials.

Note: the included pdf overview (from previous release).
Still applies to this version with the caveat that import rebuilding is. Included in this release for targets that don't use the delayed import Option!!

Info:
* New noninvasive loader engine to run & dump activemark v6.2x targets.
* Run program from its own folder, no need to copy Amdumpv62 to target folder to run.
* Amdumpv62 will dump activemark v6.2x executables and, if necessary, Rebuild imports automatically for targets with delayed imports not enabled and finally append the overlay data to the end of the dumped file.

Special note:
* The import rebuilder will append an '_' suffix to the end of the dumped File. (i.e. dumped.exe >> dumped_.exe similar to imprec). In these cases, the overlay data will be appended to the new dump name Automatically.
* Sometimes it may be necessary to view the sections in a pe editor Program (i.e. lordpe or similar) because the dumper is Dependant on finding:
(4) .text/.text/.code/.code/etc sections in the executable
For delayed import targets
(3) for non delayed import targets.
If (3/4) sections are not found, then the executable may not be an activemark v6.2x application!!
* Note: also dependent on finding (2) .bss/bss sections in The executable! These sections are used for storing needed data To run dump successfully!

Limitations:
* In order to insure the stability of your dumped.exe, it may be necessary to manually hexedit the dumped file and insert an instruction which moves hi-values to a dword hi-value variable used in the gettickcount api within the 3rd layer (2nd .text) in the executable. Please refer to the tutorial on dumping and analyzing activemark v6.2x on the [arteam] tutorial
Link: http://arteam.accessroot.com/tutorials.html?fid=211

History:
--------------------------------------------
Amdumpv62 - version 2.0 (march 2008)
1. New noninvasive loader engine based on Deroko's nonintrusive loader (i.e. nodebug)
2. New arteam import rebuilder v1.1 (nacho_dj) for targets. That don't use the delayed imports option
3. New log progress and results of the dump process
4. Separate threads for main gui and process

Also listed in:

(Not listed in any other category)

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

LordPE

Currently4/5
1
2
3
4
5

Rating: 4.0 (1 vote)

Author:

y0da

Website:

N/A

Current version:

1.41 (Deluxe b)

Last updated:

December 31, 2002

Direct D/L link:

Locally archived copy

License type:

Free

Description:

LordPE is a tool e.g. for system programmers which is able to edit/view many parts of PE (Portable Executable) files, dump them from memory, optimize them, validate, analyze, edit,...

Main features:

* Task viewer/dumper
* Huge PE editor (with big ImportTable viewer, ...)
* Break'n'Enter (break at the EntryPoint of dll or exe files)
* PE Rebuilder

News:

* The first GUI PE editor in the world supporting the new PE32+ (64bit) format ?! (only editing support - no rebuilding, dumping, comparing etc.)
* New plugin interface added! You can develop LordPE Dump Engines (LDE) now.
Look at \Docs\LDE.tXt for more information.
* Added LDE: IntelliDump which can dump .NET CLR processes
* Added structure lister for SectionHeaderTable, PE headers and DataDirectories (the "L" buttons)
* Added hex edit buttons (the "H" buttons) in the DataDirectoryTable viewer
* Added PE.OptionalHeader.Magic and PE.OptionalHeader.NumberOfRvaAndSizes to the PE editor
* TLSTable DataDirectory is now editable
* Possibility to increment/decrement the number of DataDirectories added
* Etc etc etc...

Also listed in:

Dump Fixers, Memory Dumpers, Import Editors, PE Executable Editors

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

radare

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

pancake

Website:

http://radare.nopcode.org

Current version:

0.9.3

Last updated:

February 19, 2008

Direct D/L link:

http://radare.nopcode.org/get/radare-0.9.3.tar.gz

License type:

GPL

Description:

The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with x86, arm and java with some ones powerpc.

The core is a raw hexadecimal editor for commandline with scripting features and perl/python extensions that gets extended with IO plugins that hooks the open/read/write/close/system calls.

The debugger and disassembler has a code analysis module for x86, arm and java. This way it's possible to draw graphs using Cairo on a GTK window or store the flow execution of a program on a log file and use the information to diff't against another trace or binary.

The toolchain provides assemblers and disasemblers for x86, arm and java.

The disassembler has been enhaced to handle inline comments, code block detections and flag references (data pointers or so).

The debugger currently works on linux,*bsd x86-32 but it has initial support for x86-64 and linux-ARM, and w32 support is in mind too.

But there are IO plugins for debugging windows and DOS applications via wine and dosemu. Initial gxemul support gives us the possibility to also debug ARM, MIPS, SPARC, .. binaries.

There are some internal commands to handle memory maps, mount a syscall proxy, inject code, patch data, dump user data sections, step-back, syscall tracing, hardware DRx register manipulation, conditional watchpoints with expressions, signalling manipulation, syscall injection and very early threading support..

Data structures can be parsed with hand-written C programs called as extensions from radare. So the hexadecimal editor comes with a set of views for different bases and print formats like URL-encoding, binary, octal, shellcode, C string-like, which is really useful for developing shellcodes.

There's a minimal GUI frontend written in C that interacts directly with an VTE running radare. But I plan to write a new native frontend written in Vala.

Current development plugins are:

* ewf: EnCase (R) forensic disk images
* winedbg: WineDebugger interface ( winedbg://./program.exe )
* haret: Remotely read WindowsCE memory ( haret://host:port )
* ptrace: Debugs or attach to a process ( dbg://file or pid://PID )
* sysproxy: Connects to a remote syscallproxy server
* remote: TCP IO ( listen://:port or connect://host:port )
* gdb: Debugs or attach to a process using gdb (gdb://file, gdb://PID, gdb://host:port)
* w32: posix to native w32 api io
* posix: plain posix file access

The tools provided around the core are:

* radare: command line hexadecimal editor with IO plugin extensions
* rabin: get info from ELF/MZ/PE/CLASS files
* rasc: shellcode generator and tester (outputs in raw, hexpairs or C)
* bindiff: binary diffing utilities for raw files, binaries, data blocks, etc
* xrefs: find crossed references on raw images for ppc, arm and x86
* hasher: calculate different algorithms over data blocks of a file or stream
* rsc: command line helpers written in shellscript or perl
* javasm: minimalistic java assembler/disassembler/classdumper
* armasm: minimalistic arm assembler
* xc: converts between multiple radix numeric bases

FMI see the mailing list

Have fun!

Also listed in: