From Collaborative RCE Tool Library
Process Dumpers
| Tool name: | radare |
|---|---|
| Author: | pancake |
| Website: | http://www.radare.org |
| Current version: | 0.7 |
| Last updated: | March 8, 2011 |
| Direct D/L link: | http://www.radare.org/get/radare2-0.7.tar.gz |
| License type: | LGPL |
| Also listed in: | .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers |

Description: The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with x86, x86_64, mips, arm, sparc, csr, m68k, powerpc and java. The core is a raw hexadecimal editor for the command line with scripting features and perl/python extensions, which gets extended with IO plugins that hook the open/read/write/close/system calls. The debugger and disassembler have a code analysis module for various architectures. The disassembler has been enhanced to handle inline comments, code block detection, flag references (data pointers and the like) and much more. See the website for more details.
| Tool name: | Explorer Suite |
|---|---|
| Author: | Daniel Pistelli |
| Website: | http://www.ntcore.com/exsuite.php |
| Current version: | III |
| Last updated: | March 12, 2010 |
| Direct D/L link: | http://www.ntcore.com/files/ExplorerSuite.exe |
| License type: | Free |
| Also listed in: | .NET Executable Editors, .NET Resource Editors, .NET Signature Removers, .NET Tools, Dependency Analyzer Tools, Exe Analyzers, Executable CRC Calculators, Hex Editors, Import Editors, Memory Dumpers, PE Executable Editors, Protection Identifiers, Resource Editors |

Description: A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

Features:
* Process Viewer
* Windows Viewer
* PE and Memory Dumper
* Full support for PE32/64
* Special fields description and modification (.NET supported)
* PE Utilities
* PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
* View and modification of .NET internal structures
* Resource Editor (full support for Windows Vista icons)
* Support in the Resource Editor for .NET resources (dumpable as well)
* Hex Editor
* Import Adder
* PE integrity checks
* Extension support
* Visual Studio Extensions Wizard
* Powerful scripting language
* Dependency Walker
* Quick Disassembler (x86, x64)
* Name Unmangler
* Extension support
* File Scanner
* Directory Scanner
* Deep Scan method
* Recursive Scan method
* Multiple results
* Report generation
* Signatures Manager
* Signatures Updater
* Signatures Collisions Checker
* Signatures Retriever
| Tool name: | LordPE |
|---|---|
| Author: | y0da |
| Website: | N/A |
| Current version: | 1.41 (Deluxe b) |
| Last updated: | September 30, 2009 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Also listed in: | Dump Fixers, Import Editors, Memory Dumpers, PE Executable Editors |

Description: LordPE is a tool, e.g. for system programmers, which is able to edit/view many parts of PE (Portable Executable) files, dump them from memory, optimize them, validate, analyze, edit, ...

Main features:
* Task viewer/dumper
* Huge PE editor (with big ImportTable viewer, ...)
* Break'n'Enter (break at the EntryPoint of dll or exe files)
* PE Rebuilder

News:
* The first GUI PE editor in the world supporting the new PE32+ (64bit) format ?! (only editing support - no rebuilding, dumping, comparing etc.)
* New plugin interface added! You can develop LordPE Dump Engines (LDE) now. Look at \Docs\LDE.tXt for more information.
* Added LDE: IntelliDump which can dump .NET CLR processes
* Added structure lister for SectionHeaderTable, PE headers and DataDirectories (the "L" buttons)
* Added hex edit buttons (the "H" buttons) in the DataDirectoryTable viewer
* Added PE.OptionalHeader.Magic and PE.OptionalHeader.NumberOfRvaAndSizes to the PE editor
* TLSTable DataDirectory is now editable
* Possibility to increment/decrement the number of DataDirectories added
* Etc etc etc...
| Tool name: | ImpREC |
|---|---|
| Author: | MackT |
| Website: | http://www.tuts4you.com/forum/index.php?showtopic=6410 |
| Current version: | Official version 1.6 - Unofficial version with misc. fixes 1.7e |
| Last updated: | October 1, 2010 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Also listed in: | IAT Restore Tools |

Description: The world's most famous IAT rebuilder tool.

NOTE: The last official version from MackT is still 1.6. The 1.7a update is a third-party patched version of 1.6, which contains the following patches:
- Fixed RestoreLastError API set to SetLastError for WinXP/Vista compatibility (MaRKuS_TH-DJM)
- user32.dll is always read from the system, prevents a crash from a corrupted PE of user32.dll (MaRKuS_TH-DJM)
- Latest version of psapi.dll (6.0.6000.16386) included
- Fixed Vista64 crash bug (jstorme)
- GUI modified and improved (based upon Fly's modification)
- Updated/corrected plugins and deleted dups

v. 1.7a added the following fixes (Misc):
- Fixed Win2K crash, AllocConsole was replaced with ActivateActCtx (jstorme)

The local download here contains the last unofficial patch, 1.7e. In addition to that, it also contains a big bunch of plugins, and also source code for many of these plugins (in all well-known programming languages, which is good for use as templates for new plugins etc).

Changes in Version 1.7b (Misc):
- Fixed invalid API bug in user32.dll on Windows 98 (jstorme)
- Modified code to improve support for discardable/unreadable sections (jstorme)
- Fixed ImageBase problem with DLLs when "Use PE Header from Disk" is checked (jstorme)
- Added an "ImpREC Classic" looking version

Changes in 1.7c:
- Fixed bug introduced in 1.7b when DLLs have discardable sections (jstorme)

Changes in 1.7d (Misc):
- Fixed bug introduced in 1.7b which destroys the IAT Autosearch feature in some packed targets, like eXpressor 1.8 (Newbie_Cracker).
- Fixed crash introduced in 1.7b when a DLL's PE header has the "NO Access" flag (Newbie_Cracker).

Changes in Version v1.7e (Misc):
- Fixed a bug which prevented ImpREC from fixing JMP DWORD [...] if it is located at the end of the code section (Newbie_Cracker) (Thanks to Nexus6 for reporting the bug and providing samples)
| Tool name: | AMDUMPV6.2 |
|---|---|
| Author: | CondZero |
| Website: | http://arteam.accessroot.com |
| Current version: | 2.2 |
| Last updated: | September 18th, 2008 |
| Direct D/L link: | http://arteam.accessroot.com/releases.html?fid=3 |
| License type: | Free / Open Source |
| Also listed in: | (Not listed in any other category) |

Description: The archive includes full sources and two tutorials.

Note: the included pdf overview (from the previous release) still applies to this version, with the caveat that import rebuilding is included in this release for targets that don't use the delayed import option!!

Info:
* New noninvasive loader engine to run & dump activemark v6.2x targets.
* Run the program from its own folder, no need to copy Amdumpv62 to the target folder to run.
* Amdumpv62 will dump activemark v6.2x executables and, if necessary, rebuild imports automatically for targets with delayed imports not enabled and finally append the overlay data to the end of the dumped file.

Special note:
* The import rebuilder will append an '_' suffix to the end of the dumped file (i.e. dumped.exe >> dumped_.exe, similar to ImpREC). In these cases, the overlay data will be appended to the new dump name automatically.
* Sometimes it may be necessary to view the sections in a PE editor program (i.e. LordPE or similar) because the dumper is dependent on finding (4) .text/.text/.code/.code/etc sections in the executable for delayed import targets, (3) for non delayed import targets. If (3/4) sections are not found, then the executable may not be an activemark v6.2x application!!
* Note: also dependent on finding (2) .bss/bss sections in the executable! These sections are used for storing the data needed to run the dump successfully!

Limitations:
* In order to ensure the stability of your dumped.exe, it may be necessary to manually hexedit the dumped file and insert an instruction which moves hi-values to a dword hi-value variable used in the GetTickCount API within the 3rd layer (2nd .text) in the executable. Please refer to the tutorial on dumping and analyzing activemark v6.2x on the [arteam] tutorial link: http://arteam.accessroot.com/tutorials.html?fid=211

History:

Amdumpv62 - version 2.2 (September 2008)
1. Updated arteam import rebuilder v1.2.1 (nacho_dj) for targets that don't use the delayed imports option

Amdumpv62 - version 2.0 (March 2008)
1. New noninvasive loader engine based on Deroko's nonintrusive loader (i.e. nodebug)
2. New arteam import rebuilder v1.1 (nacho_dj) for targets that don't use the delayed imports option
3. New log of the progress and results of the dump process
4. Separate threads for main GUI and process
| Tool name: | AMDUMPV66 V1.0 |
|---|---|
| Author: | CondZero |
| Website: | http://www.accessroot.com/arteam/site/news.php |
| Current version: | v 1.0 |
| Last updated: | January 18, 2011 |
| Direct D/L link: | http://www.accessroot.com/arteam/site/download.php?view.230 |
| License type: | Freeware |
| Also listed in: | (Not listed in any other category) |

Description: Amdumpv66 v1.0 - CondZero [ARTeam] (see history below for details)

Note: This is a complete replacement for the former AMDUMPV6.2!! Tested under WinXP SP3. Should work under W2K, WXP, Vista, Win 7 32 bit.

Info:
* New noninvasive loader engine to run & dump activemark v6.2x - 6.6x targets.
* Drag & drop capability
* Run the program from its own folder, no need to copy Amdumpv66 to the target folder to run.
* Amdumpv66 will dump activemark v6.2x - v6.6x executables for targets with both delayed and non delayed imports. For targets with non delayed imports, the built-in ARTeam ARImpRec (Import Rebuilder) will automatically fix any imports in the dumped file and append a '_' suffix to the end of the dumped file (i.e. dumped.exe >> dumped_.exe). This program expects this suffix when appending the overlay data automatically for targets that don't use delayed imports. If using a different IAT rebuilding tool, it may be necessary to rename the resultant fixed dump file as described above, or the overlay data will not be appended automatically and you will be required to do this step manually.
* Sometimes it may be necessary to view the sections in a PE editor program (i.e. LordPE or similar) because the dumper is dependent on finding (4) .text/.text/.code/.code/etc sections in the executable for delayed import targets and (3) .text/.text/.code/.code/etc sections for non delayed import targets. If (3/4) sections are not found, then the executable may not be an Activemark v6.2x - 6.6x application!!

Limitations:
* In order to ensure the stability of your dumped.exe, it may be necessary to manually hexedit the dumped file and insert an instruction which moves hi-values to a dword hi-value variable used by the GetTickCount API within the 3rd layer (2nd .text) in the executable. Please refer to the tutorial on dumping and analyzing activemark v6.2x on the [arteam] tutorial link: http://arteam.accessroot.com/tutorials.html?fid=211

Disclaimer: Not responsible for any damages that result from using this tool!!

History:

Amdumpv66 - version 1.0 (November 2010)
1. Updated ARTeam import rebuilder v1.7.5 (Nacho_dj) for targets that don't use the delayed imports option
2. More elaborate search and replace scheme used for allocated and referenced VM DWORDS used in the target process
3. Drag & drop AM protected executable file to application
4. Log file is saved to your target folder
| Tool name: | CHimpREC |
|---|---|
| Author: | Sébastien Doucet (TiGa) |
| Website: | http://www.iitac.org |
| Current version: | ReCon Edition |
| Last updated: | June 23rd, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Freeware |
| Also listed in: | Dump Fixers, IAT Restore Tools, Import Editors, Unpacking Tools |

Description: CHimpREC: The Cheap Imports Reconstructor by TiGa of ARTeam IITAC (http://www.iitac.org). This is the 32/64-bit imports rebuilder that I introduced at ReCon 2008 in Montreal. Made for the best compatibility with WoW64 on x64-based Windows XP or Vista. This is the same version that was used at the conference. The first official release will come soon.

+Features
- The first universal 64-bit imports rebuilder
- 32-bit version included
- Interface similar to ImpREC
- Integrated 32/64-bit process dumper
- IAT AutoSearch from ImageBase or OEP
- Unshuffle thunks function
- Manual imports editor

-Limitations
- No plugin support yet
- No AutoTrace feature
- No disassembler

The Visual Studio 2005 SP1 redistributable package might be necessary too:
- x86: http://www.microsoft.com/downloads/details.aspx?familyid=200b2fd9-ae1a-4a14-984d-389c36f85647&displaylang=en
- x64: http://www.microsoft.com/downloads/details.aspx?familyid=EB4EBE2D-33C0-4A47-9DD4-B9A6D7BD44DA&displaylang=en
| Tool name: | mdmp |
|---|---|
| Author: | Vlad-Ioan Topan |
| Website: | http://code.google.com/p/mdmp/ |
| Current version: | 0.2.2 |
| Last updated: | October 28, 2010 |
| Direct D/L link: | http://code.google.com/p/mdmp/downloads/detail?name=mdmp-0.2.4-beta-binaries.zip |
| License type: | GPL |
| Also listed in: | Memory Dumpers |

Description: mdmp - open-source x86 memory/process (command-line) dumper with Python bindings. libmdmp is a C library designed to dump process memory on Windows. mdmp.exe is a command-line tool exposing most functionality in libmdmp (process/stack/heap/random-mem-address dumping). pymdmp.pyd is a Python wrapper (only built for 2.7 as of now, trivial to adapt to any 2.x) exposing the memory-dumping functionality in Python.

Example usage:
- mdmp: `mdmp.exe /n:explo /e:kernel` will dump all modules (DLLs) whose name contains "kernel" from all the processes whose name contains "explo"
- pymdmp: `import pymdmp` followed by `lst = pymdmp.dump(pymdmp.SEL_BY_NAME, pymdmp.DUMP_IMAGE_BY_NAME, 0, processName="explo", moduleName="kernel")` will return in lst a list of tuples (<process_name>, <PID>, <dump-start-address>, <dump-data>)

Delphi bindings are planned. Feedback is welcome @ vtopan/gmail. Requires the VC 2005 runtime.
| Tool name: | OllyDumpEx |
|---|---|
| Author: | low_priority |
| Website: | http://low-priority.appspot.com/ollydumpex/ |
| Current version: | 0.90 |
| Last updated: | August 24, 2011 |
| Direct D/L link: | http://low-priority.appspot.com/ollydumpex/OllyDumpEx.zip |
| License type: | Free |
| Also listed in: | OllyDbg Extensions |

Description: This plugin is a process memory dumper for OllyDbg and Immunity Debugger. A very simple overview: OllyDumpEx = OllyDump + PE Dumper - obsoleted features + useful features.

Features:
- OllyDbg version 2 plugin interface supported (EXPERIMENTAL)
- Select to dump debuggee exe or loaded dll
- Dump any address space as a section even if not in the original section header
- Add dummy section to keep PE format consistency
- Fix RVA in DataDirectory to follow ImageBase change
- Auto calculate many parameters (RawSize, RawOffset, VirtualOffset, ...)
| Tool name: | Scylla |
|---|---|
| Author: | Aguila |
| Website: | http://forum.tuts4you.com/forum/132-scylla-imports-reconstruction/ |
| Current version: | 0.5 |
| Last updated: | October 17, 2011 |
| Direct D/L link: | N/A |
| License type: | GNU GPL v3 |
| Also listed in: | Dump Fixers, IAT Restore Tools |

Description: Scylla is a Windows Import Table Reconstructor. It aims to be a replacement for ImpRec, keeping the best features and removing most of its limitations.

Key features:
- x64 and x86 support
- full unicode support
- written in C/C++
- plugin support, legacy support for ImpRec plugins
- process dumper, PE rebuilder
- dll injection
- works great with Windows 7
- open source

Current limitations:
- no autotrace