From Collaborative RCE Tool Library
Reverse Engineering Frameworks
| Tool name: | Damn Vulnerable Linux |
| ||
|---|---|---|---|---|
| Author: | Zero | |||
| Website: | http://www.DamnVulnerableLinux.org | |||
| Current version: | Strychnine+E605 1.4 | |||
| Last updated: | February 2008 | |||
| Direct D/L link: | http://www.computerdefense.org/dvl/DVL_Strychnine_E605_1_4.iso | |||
| License type: | Creative Commons Attribution-Noncommercial-Share Alike 3.0 License | |||
| Description: | This release contains 99% of all available Linux RCE tools! Damn Vulnerable Linux (DVL) is a Linux-based tool for IT-Security. Damn Vulnerable Linux (DVL) is highly integrated into the community project crackmes.de (http://www.crackmes.de) and is frequently updated with new community provided lessons. Damn Vulnerable Linux (DVL) is your place either to get the latest Damn Vulnerable Linux (DVL) distribution, to get new lessons, or to submit own lessons based on the Damn Vulnerable Linux (DVL) training system. The constant website for Damn Vulnerable Linux (DVL) is located at http://www.damnvulnerablelinux.org . Damn Vulnerable Linux (DVL) is for educational purposes only! Actually, it is a perverted Linux distribution made to be as insecure as possible. It is collection of IT-Security tools. Additional it includes a fullscaled lesson based environment for Attack & Defense on/for IT systems for self-study or teaching activities during university lectures. It's a Live Linux Distro, which means it runs from a bootable CD in memory without changing the native operating system of the host computer. As well it can be run within virtual machine environments, such as qemu or vmware. There is no need to install a virtual machine if you use the embedded option. Its sole purpose in life is to put as many security tools at your disposal with as much training options as it can. It contains a huge ammount of lessons including lesson description - and solutions if the level has been solved by a community member at crackmes.de. Damn Vulnerable Linux (DVL) is meant to be used by both novice and professional security personnel but is not ideal for the Linux uninitiated. Damn Vulnerable Linux (DVL) assumes you know the basics of Linux as most of your work will be done from the command line. If you are completely new to Linux, it's best you stop playing with this system. | |||
| Also listed in: | Linux Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | ERESI Framework |
| ||
|---|---|---|---|---|
| Author: | The ERESI Project | |||
| Website: | http://www.eresi-project.org | |||
| Current version: | 0.8a23 | |||
| Last updated: | November 30, 2007 | |||
| Direct D/L link: | N/A | |||
| License type: | Free / Open Source | |||
| Description: | The ERESI Reverse Engineering Software Interface is a unified multi-architecture binary analysis framework targeting operating systems based on the Executable & Linking Format (ELF) such as Linux, *BSD, Solaris, HP-UX, IRIX and BeOS. ERESI is a general purpose hybrid framework : it includes both static analysis and runtime analysis capabilities. These features are accessed by primitives of the ERESI reverse engineering language which makes the framework more adaptable to the precise needs of her users. It brings an environment of choice for program analysis throught instrumentation, debugging, and tracing as it also provides more than ten exclusive major built-in features . ERESI can also be used for security auditing, hooking, integrity checking or logging binary programs. The project prones modularity and reusability of code and allows users to create their own project on top of the ERESI language interpreter in just a few lines. Among other features, the base code can display program graphs on demand using its automated flow analysis primitives. Our tools are enhanced for hardened or raw systems which have no executable data segments and no native debug API or even explicit program information. The ERESI framework includes: * The ELF shell (elfsh), an interactive and scriptable ERESI interpreter dedicated to instrumentation of ELF binary files. * The Embedded ELF debugger (e2dbg), an interactive and scriptable high-performance userland debugger that works without standard debug API (namely without ptrace). * The Embedded ELF tracer (etrace), an interactive and scriptable userland tracer that works at full frequency of execution without generating traps. * The Kernel shell (kernsh), an interactive and scriptable userland ERESI interpreter to inject code and data in the OS kernel, but also infer, inspect and modify kernel structures directly in the ERESI language. * The Evarista static analyzer, a work in progress ERESI interpreter for program transformation and data-flow analysis of binary programs directly implemented in the ERESI language (no web page yet). Beside those top-level components, the ERESI framework contains various libraries that can be used from one of the previously mentioned tools, or in a standalone third-party program: * libelfsh : the binary manipulation library on which ELFsh, E2dbg, and Etrace are based. * libe2dbg : the embedded debugger library which operates from inside the debuggee program. * libasm : the disassembly engine (x86 and sparc) that gives semantic attributes to instructions and operands. * libmjollnir : the code fingerprinting and graph manipulation library. * librevm : the Reverse Engineering Vector Machine, that contains the meta-language interpretor and the standard ERESI library. * libaspect : the type system and aspect library. It can define complex data-types to be manipulated ad-hoc by ERESI programs. * libedfmt : the ERESI debug format library which can convert dwarf and stabs debug formats to the ERESI debug format by automatically generating new ERESI types. | |||
| Also listed in: | Linux Debuggers, Linux Disassemblers, Tracers, Code Injection Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Fenris |
| ||
|---|---|---|---|---|
| Author: | lcamtuf | |||
| Website: | http://lcamtuf.coredump.cx/fenris | |||
| Current version: | 0.07-m2 build 3245 | |||
| Last updated: | July 11, 2004 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | Fenris is a suite of tools suitable for code analysis, debugging, protocol analysis, reverse engineering, forensics, diagnostics, security audits, vulnerability research and many other purposes. The main logical components are: * Fenris: high-level tracer, a tool that detects the logic used in C programs to find and classify functions, logic program structure, calls, buffers, interaction with system and libraries, I/O and many other structures. Fenris is mostly a "what's inside" tracer, as opposed to ltrace or strace, tracers intended to inspect external "symptoms" of the internal program structure. Fenris does not depend on libbfd for accessing ELF structures, and thus is much more robust when dealing with "anti-debugging" code. * libfnprints and dress: fingerprinting code that can be used to detect library functions embedded inside a static application, even without symbols, to make code analysis simplier; this functionality is both embedded in other components and available as a standalone tool that adds symtab to ELF binaries and can be used with any debugger or disassembler. * Aegir: an interactive gdb-alike debugger with modular capabilities, instruction by instruction and breakpoint to breakpoint execution, and real-time access to all the goods offered by Fenris, such as high-level information about memory objects or logical code structure. * nc-aegir: a SoftICE-alike GUI for Aegir, with automatic register, memory and code views, integrated Fenris output, and automatic Fenris control (now under development). * Ragnarok: a visualisation tool for Fenris that delivers browsable information about many different aspects of program execution - code flow, function calls, memory object life, I/O, etc (to be redesigned using OpenDX or a similar data exploration interface). * ...and some other companion utilities. | |||
| Also listed in: | Linux Disassemblers, Linux Debuggers, Tracers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Malcode Analysis Pack |
| ||
|---|---|---|---|---|
| Author: | David Zimmer (iDefense Labs) | |||
| Website: | http://labs.idefense.com/files/labs/releases/previews/map/ | |||
| Current version: | ||||
| Last updated: | November 13, 2006 | |||
| Direct D/L link: | http://labs.idefense.com/software/download/?downloadID=8 | |||
| License type: | GPL2 | |||
| Description: | The Malcode Analyst Pack contains a series of utilities that were found to be necessary tools while doing rapid malcode analysis. Included in this package are: • ShellExt - 4 explorer shell extensions • socketTool - manual TCP Client for probing functionality. • MailPot - mail server capture pot • fakeDNS - spoofs dns responses to controlled ip's • sniff_hit - HTTP, IRC, and DNS sniffer • sclog - Shellcode research and analysis application • IDCDumpFix - aids in quick RE of packed applications • Shellcode2Exe - embeds multiple shellcode formats in exe husk • GdiProcs - detect hidden processes | |||
| Also listed in: | Malware Analysis Tools, Network Tools, Process Monitoring Tools, TCP Proxy Tools, Network Sniffers, Import Editors, API Monitoring Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | PaiMei |
| ||
|---|---|---|---|---|
| Author: | Pedram Amini | |||
| Website: | http://paimei.googlecode.com | |||
| Current version: | 1.1-REV122 | |||
| Last updated: | May 22, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | PaiMei, is a reverse engineering framework consisting of multiple extensible components. The framework can essentially be thought of as a reverse engineer's swiss army knife and has already been proven effective for a wide range of both static and dynamic tasks such as fuzzer assistance, code coverage tracking, data flow tracking and more. The framework breaks down into the following core components: * PyDbg: A pure Python win32 debugging abstraction class. * pGRAPH: A graph abstraction layer with seperate classes for nodes, edges and clusters. * PIDA: Built on top of pGRAPH, PIDA aims to provide an abstract and persistent interface over binaries (DLLs and EXEs) with separate classes for representing functions, basic blocks and instructions. The end result is the creation of a portable file that when loaded allows you to arbitrarily navigate throughout the entire original binary. A layer above the core components you will find the remainder of the PaiMei framework broken into the following over-arching components: * Utilities: A set of utilities for accomplishing various repetitive tasks. * Console: A pluggable WxPython GUI for quickly and efficiently rolling out your own sexy RE utilities. * Scripts: Individual scripts for accomplishing various tasks. One very important example of which is the pida_dump.py IDA Python script which is run from IDA to generate .PIDA modules. The documentation for the framework is available online at: http://pedram.openrce.org/PaiMei/docs A very informative discussion thread about PaiMei, including a bunch of tutorials on how to use the different aspects of it, can be found at: http://www.woodmann.com/forum/showthread.php?t=10851 | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | pynary |
| ||
|---|---|---|---|---|
| Author: | c1de0x | |||
| Website: | http://code.google.com/p/openrce-snippets/wiki/pynary | |||
| Current version: | 0.0.1 | |||
| Last updated: | ||||
| Direct D/L link: | N/A | |||
| License type: | Open Source | |||
| Description: | pynary will become a powerful platform independent framework for binary code analysis. The initial goal is to the implementation of function signature matching using graph isomorphism and an extensible 'write-your-own-heuristic' model to allow tweaks for particular targets. It will also identify standard library global constants and structure where possible. Once the initial goal is achieved, a number of cool features are planned: * stack frame analysis * un-inliner * exception handling parsing/analysis * 'functionally equivalent' matching * c++ template function matching * meta-data transfer between IDBs * c++ class reconstruction (with/without RTTI) * ... This project is still in its infancy, and looking for volunteers. | |||
| Also listed in: | Deobfuscation Tools, Executable Diff Tools, Programming Libraries, Exe Analyzers, Diff Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | radare |
| ||
|---|---|---|---|---|
| Author: | pancake | |||
| Website: | http://radare.nopcode.org | |||
| Current version: | 0.9.3 | |||
| Last updated: | February 19, 2008 | |||
| Direct D/L link: | http://radare.nopcode.org/get/radare-0.9.3.tar.gz | |||
| License type: | GPL | |||
| Description: | The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with x86, arm and java with some ones powerpc. The core is a raw hexadecimal editor for commandline with scripting features and perl/python extensions that gets extended with IO plugins that hooks the open/read/write/close/system calls. The debugger and disassembler has a code analysis module for x86, arm and java. This way it's possible to draw graphs using Cairo on a GTK window or store the flow execution of a program on a log file and use the information to diff't against another trace or binary. The toolchain provides assemblers and disasemblers for x86, arm and java. The disassembler has been enhaced to handle inline comments, code block detections and flag references (data pointers or so). The debugger currently works on linux,*bsd x86-32 but it has initial support for x86-64 and linux-ARM, and w32 support is in mind too. But there are IO plugins for debugging windows and DOS applications via wine and dosemu. Initial gxemul support gives us the possibility to also debug ARM, MIPS, SPARC, .. binaries. There are some internal commands to handle memory maps, mount a syscall proxy, inject code, patch data, dump user data sections, step-back, syscall tracing, hardware DRx register manipulation, conditional watchpoints with expressions, signalling manipulation, syscall injection and very early threading support.. Data structures can be parsed with hand-written C programs called as extensions from radare. So the hexadecimal editor comes with a set of views for different bases and print formats like URL-encoding, binary, octal, shellcode, C string-like, which is really useful for developing shellcodes. There's a minimal GUI frontend written in C that interacts directly with an VTE running radare. But I plan to write a new native frontend written in Vala. Current development plugins are: * ewf: EnCase (R) forensic disk images * winedbg: WineDebugger interface ( winedbg://./program.exe ) * haret: Remotely read WindowsCE memory ( haret://host:port ) * ptrace: Debugs or attach to a process ( dbg://file or pid://PID ) * sysproxy: Connects to a remote syscallproxy server * remote: TCP IO ( listen://:port or connect://host:port ) * gdb: Debugs or attach to a process using gdb (gdb://file, gdb://PID, gdb://host:port) * w32: posix to native w32 api io * posix: plain posix file access The tools provided around the core are: * radare: command line hexadecimal editor with IO plugin extensions * rabin: get info from ELF/MZ/PE/CLASS files * rasc: shellcode generator and tester (outputs in raw, hexpairs or C) * bindiff: binary diffing utilities for raw files, binaries, data blocks, etc * xrefs: find crossed references on raw images for ppc, arm and x86 * hasher: calculate different algorithms over data blocks of a file or stream * rsc: command line helpers written in shellscript or perl * javasm: minimalistic java assembler/disassembler/classdumper * armasm: minimalistic arm assembler * xc: converts between multiple radix numeric bases FMI see the mailing list Have fun! | |||
| Also listed in: | Assemblers, Binary Diff Tools, Code Injection Tools, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Process Dumpers, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
Feed containing all updates and additions for this category.
Feed containing all updates and additions for this category, including sub-categories.
