From Collaborative RCE Tool Library


String Finders


Tool name: Codetective Analysis Tool
Rating: 5.0 (1 vote)
Author: Francisco Gama Tabanez Ribeiro
Website: https://github.com/blackthorne/Codetective
Current version: 0.8.2
Last updated: September 20, 2014
Direct D/L link: N/A
License type: GPL
Description: Sometimes we run into hashes and other artefacts and can't figure out where they came from and how they were generated. This tool is able to recognise the output format of many different algorithms in many different possible encodings for analysis purposes. It also infers a level of certainty for each finding based on traces of its representation.

This may be useful e.g. when you are testing systems from a security perspective and are able to grab a password file with hashed contents maybe from an exposed backup file or by dumping memory. This may also be useful as a part of a fingerprinting process or simply to verify valid implementations of different algorithms. You may also try running this tool against network traffic captures or large source code repositories to look out for interesting stuff.

You can use it either as a standalone version or as a plugin for the Volatility framework. The usage is similar.
Currently supports:
web-cookie
mssql2000
md5
URL
md4
phone number
credit cards
mssql2005
lm hash
ntlm hash
MySQL4+
MySQL323
base64
SAM(*:ntlm)
SAM(lm:*)
SAM(lm:ntlm)
RipeMD320
sha1
sha224
sha256
sha384
sha512
whirpool
CRC
des-salt-unix
sha256-salt-django
sha256-django
sha384-salt-django
sha384-django
sha256-salt-unix
sha512-salt-unix
apr1-salt-unix
md5-salt-unix
md5-wordpress
md5-phpBB3
md5-joomla2
md5-salt-joomla2
md5-joomla1
md5-salt-joomla1
blowfish-salt-unix
uuid
Also listed in: Crypto Libraries, Data Extraction Tools, Data Search and Extraction Tools, Dongle Analysis Tools, Dongle Crypto Solver Tools, Memory Data Tracing Tools, Memory Search Tools



Tool name: radare
Rating: 5.0 (2 votes)
Author: pancake
Website: http://www.radare.org
Current version: 0.9.7
Last updated: March 3, 2014
Direct D/L link: http://www.radare.org/get/radare2-0.9.7.tar.xz
License type: LGPL
Description: The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with 6502, 8051, arc, arm64, avr, brainfuck, whitespace, malbolge, cr16, dcpu16, ebc, gameboy, h8300, tms320, nios2, x86, x86_64, mips, arm, snes, sparc, csr, m68k, powerpc, dalvik and java.

The main program is 'r2', a command-line hexadecimal editor with support for debugging, disassembling, analyzing structures, searching data, analyzing code, and scripting with bindings for Python, NodeJS, Perl, Ruby, Go, PHP, Vala, Java, Lua and OCaml.

Radare is designed with the Unix philosophy in mind. Each module, plugin and tool performs a specific task, and each command can be piped to another to extend its functionality. It also treats everything as a file: processes, sockets, files, debugger sessions, libraries, etc. Everything is mapped onto a virtual address space that can be configured to map multiple files and to segment it.

If you are interested or feel attracted by the project join us in the #radare channel at irc.freenode.net.

See website for more details.
Also listed in: .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, Symbol Retrievers, SysCall Monitoring Tools, Tracers



Tool name: RegexBuddy
Rating: 5.0 (3 votes)
Author: Just Great Software Co.
Website: http://www.regexbuddy.com
Current version: 3.3.0
Last updated: April 8, 2009
Direct D/L link: N/A
License type: Commercial
Description: From the website:

"RegexBuddy is your perfect companion for working with regular expressions. Easily create regular expressions that match exactly what you want. Clearly understand complex regexes written by others. Quickly test any regex on sample strings and files, preventing mistakes on actual data. Debug without guesswork by stepping through the actual matching process. Use the regex with source code snippets automatically adjusted to the particulars of your programming language. Collect and document libraries of regular expressions for future reuse. GREP (search-and-replace) through files and folders. Integrate RegexBuddy with your favorite searching and editing tools for instant access"

Note that the developer does not provide any trial or free download of this software. It merits inclusion in the RCE library because it is a very versatile regex builder and pseudo-debugger. For reversers without good regex knowledge this tool is invaluable; it allows point-and-click regex building, and will break a regex down to its individual parts for easier review.

The developer previously released trial versions (version 2.x.x) of this software. These trial versions are perfectly usable and fully featured for RCE activities, so you may wish (and find it easier) to locate a 2.x.x trial version.
Also listed in: Regular Expression Tools



Tool name: TextScan
Rating: 4.0 (1 vote)
Author: AnalogX
Website: http://www.analogx.com/CONTENTS/download/program/textscan.htm
Current version: 1.00
Last updated: December 22, 2001
Direct D/L link: http://www.analogx.com/files/txtscani.exe
License type: Freeware
Description: Quote from website:

"AnalogX TextScan searches any binary file for a minimum and maximum string length, and then returns all occurrences in sorted order... But it doesn't just stop there, it also has the ability to identify most functions and DLL's inside of a file, and even has the ability to extract both char and unichar strings! This is a great first step in getting a better understanding of what's happening inside of a program you're interested in, or even for just looking for the occasional Easter egg!"

TextScan is a reliable tool for extracting ASCII and Unicode strings from within binaries. Note that the website states version 1.00 for the tool; however, the "About" dialog states 1.02.
Also listed in: (Not listed in any other category)



Tool name: The Regex Coach
Rating: 3.0 (1 vote)
Author: Dr. Edmund Weitz
Website: http://www.weitz.de/regex-coach
Current version: 0.9.2
Last updated: January 2, 2008
Direct D/L link: http://weitz.de/files/regex-coach.exe
License type: Freeware
Description: The Regex Coach is a graphical application for Windows which can be used to experiment with (Perl-compatible) regular expressions interactively. It has the following features:

* It shows whether a regular expression matches a particular target string.
* It can also show which parts of the target string correspond to captured register groups or to arbitrary parts of the regular expression.
* It can "walk" through the target string one match at a time.
* It can simulate Perl's split and s/// (substitution) operators.
* It tries to describe the regular expression in plain English.
* It can show a graphical representation of the regular expression's parse tree.
* It can single-step through the matching process as performed by the regex engine.
* Everything happens in "real time", i.e. as soon as you make a change somewhere in the application all other parts are instantly updated.
Also listed in: Regular Expression Tools



Tool name: Expresso
Rating: 0.0 (0 votes)
Author: Ultrapico
Website: http://www.ultrapico.com/Expresso.htm
Current version: 3.0.4750
Last updated: January 2, 2013
Direct D/L link: http://www.ultrapico.com/ExpressoSetup3.msi
License type: Freeware (optional registration)
Description: The award-winning Expresso editor is equally suitable as a teaching tool for the beginning user of regular expressions or as a full-featured development environment for the experienced programmer or web designer with an extensive knowledge of regular expressions.

Registration of Expresso is optional and free of charge. After a trial period you will receive reminders to register your copy. Simply fill out this form and a registration code will be sent to you by email. Once you receive your code, run Expresso and use the "Register" option in the "Help" menu.

If you have not registered, Version 3.0.4750 will expire after 60 days or on January 1, 2016, whichever comes first.
Also listed in: Regular Expression Tools



Tool name: PPEE (puppy)
Rating: 0.0 (0 votes)
Author: Zaderostam
Website: https://www.mzrst.com/
Current version: 1.05
Last updated: April 22, 2016
Direct D/L link: Locally archived copy
License type: Free
Description: This is a professional PE file explorer that lets you dig into all data directories available in PE/PE64 files and edit them.
Export, Import, Resource, Exception, Certificate (relies on the Windows API), Base Relocation, Debug, TLS, Load Config, Bound Import, IAT, Delay Import and CLR are supported.
A companion plugin is also provided to get one-click technical information about the file, such as its size, entropy, attributes, hashes, version info and so on.

Puppy is robust against malformed and crafted PE files, which makes it handy for reversers, malware researchers and those who want to inspect PE files in more detail.

Puppy is free and tries to be small, fast, nimble and friendly as your puppy!

In new version:
- .Net assembly VtableFixup support
- Control Flow Guard support
- New highlighting scheme
- Treeview icon added
- Neater Listview
- Major bug fixes


Feel free to use it ;)
Also listed in: .NET Executable Editors, Dependency Analyzer Tools, Entropy Analyzers, Exe Analyzers, Executable CRC Calculators, Executable File Editors & Patchers, Export Editors, Hex Editors, Import Editors, Malware Analysis Tools, PE Executable Editors, Relocation Tools



Tool name: pev
Rating: 0.0 (0 votes)
Author: Fernando Mercês, Jardel Weyrich
Website: http://pev.sf.net
Current version: 0.70
Last updated: December 27, 2013
Direct D/L link: http://sourceforge.net/projects/pev/files/pev-0.70/pev-0.70-win32.zip/download
License type: Open Source (GPLv3)
Description: pev is a free and open source multi-platform PE file analysis toolkit that provides the following tools:

* pehash - calculate PE file hashes
* pedis - PE disassembler
* pepack - packer detector
* peres - view and extract PE file resources
* pescan - search for suspicious things in PE files, including TLS callbacks
* pesec - check security features and certificates in PE files
* pestr - search for unicode and ascii strings in PE files
* readpe - show PE file headers, sections and more
* rva2ofs - convert RVA to raw file offsets
* ofs2rva - convert raw file offsets to RVA

Features include:

* Based on own PE library, called libpe
* Support for PE32 and PE32+ (64-bit) files
* Formatted output in text and CSV (other formats in development)
* pesec: check security features in PE files, extract certificates and more
* readpe: parse PE headers, sections, imports and exports
* pescan: detect TLS callback functions, DOS stub modification, suspicious sections and more
* pedis: disassemble a PE file section or function with support for Intel and AT&T syntax
* Includes tools to convert file offsets to RVAs and vice versa
* pehash: calculate PE file hashes
* pepack: detect if an executable is packed or not
* pestr: search for hardcoded Unicode and ASCII strings simultaneously in PE files
* peres: show and extract PE file resources
Also listed in: Disassemblers, Entropy Analyzers, Exe Analyzers, Malware Analysis Tools, Packer Identifiers



Tool name: PowerGREP
Rating: 0.0 (0 votes)
Author: Just Great Software Co.
Website: http://www.powergrep.com
Current version: 3.5.2
Last updated: March 11, 2009
Direct D/L link: N/A
License type: Shareware
Description: PowerGREP is a very powerful Windows grep tool. Quickly search through large numbers of files on your PC or network, including text and binary files, compressed archives, MS Word documents, Excel spreadsheets, PDF files, etc. Find the information you want with powerful text patterns (regular expressions) specifying the form of what you want, instead of literal text. Search and replace with one or many regular expressions to comprehensively maintain web sites, source code, reports, etc. Extract statistics and knowledge from log files and large data sets.
Also listed in: Data Search and Extraction Tools, Regular Expression Tools, Source Code Search Tools



Tool name: Strings2
Rating: 0.0 (0 votes)
Author: Geoff McDonald
Website: http://www.split-code.com/
Current version: v1.2
Last updated: April 21, 2013
Direct D/L link: http://split-code.com/files/strings2_x86_v1-2.zip
License type: Freeware
Description: Strings2 is a Windows command-line tool for extracting ASCII and Unicode strings from binary data. On top of the classical Sysinternals strings approach, this improved version is also able to dump strings from process address spaces and reconstructs hidden ASCII/Unicode strings that are built in assembly through local-variable assignments.

The Windows 64 bit binary is available here:
http://split-code.com/files/strings2_x64_v1-2.zip

and the Windows 32 bit binary is available here:
http://split-code.com/files/strings2_x86_v1-2.zip


Example Usage:
strings2 malware.exe
strings2 *.exe > strings.txt
strings2 *.exe -nh -f -t -asm > strings.txt
strings2 -pid 419 > process_strings.txt
strings2 -pid 0x1a3 > process_strings.txt
strings2 -system > all_process_strings.txt
cat abcd.exe | strings2 > out.txt
Also listed in: Data Search and Extraction Tools