From Collaborative RCE Tool Library
System Information Extraction Tools
| Tool name: | MemInfo |
| ||
|---|---|---|---|---|
| Author: | Alex Ionescu | |||
| Website: | http://www.winsiderss.com/tools/meminfo/meminfo.htm | |||
| Current version: | 1.11 | |||
| Last updated: | January 2, 2008 | |||
| Direct D/L link: | http://www.winsiderss.com/tools/meminfo/meminfo.zip | |||
| License type: | Free | |||
| Description: | MemInfo is a tool to query information on the state of the memory manager page lists, page frame number (PFN) database entries, per-component and per-process memory usage, and for mapping virtual to physical addresses (for certain kinds of kernel-mode pointers). It can also display the physical memory ranges available for use by Windows and reported by the BIOS and/or ACPI tables. MemInfo can help detect bad or damaged memory sticks by displaying the size of the bad page list, as well as help in detecting certain kinds of malware or rootkits by showing processes that tools other than the kernel debugger may not show as present. It can also be used to diagnose certain situations where the number of memory available to Windows is different from the amount of memory installed on the system. For more info, also see the following blog post: http://www.alex-ionescu.com/?p=51 | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | ScTagQuery |
| ||
|---|---|---|---|---|
| Author: | Alex Ionescu | |||
| Website: | http://www.winsiderss.com/tools/sctagquery/sctagquery.htm | |||
| Current version: | 1.12 | |||
| Last updated: | January 21, 2008 | |||
| Direct D/L link: | http://www.winsiderss.com/tools/sctagquery/sctagqry.zip | |||
| License type: | Free | |||
| Description: | ScTagQuery allows you to obtain precise information on which threads in the system are being used by what service, in order to better gauge CPU and resource usage as well as to help in debugging service-related problems. It uses a new mechanism in Windows Vista and later (service tagging) to identify the service tag for each thread, and query the Service Control Manager (SCM) to do a tag-to-service name translation. Service tags are currently present on all RPC and COM worker threads, as well as generic threads created by the main service thread. However, worker pool threads are not yet tagged. ScTagQuery can be used to map service tags to a service either on a live system, or by running the tool on the same system as where a crash dump occurred, since service tags remain the same after reboot. Apart from mapping service tags to services, and querying the service tag for a thread, ScTagQuery can also show system-wide tag information, as well as dump the name of each service associated to any thread on the system (in other words, a system-wide dump of which threads are performing work for a service). Finally, ScTagQuery can also be used to dump the list of services referencing a DLL in a process. Also see the following blog entry, for a more detailed description: http://www.alex-ionescu.com/?p=52 | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | WinObj |
| ||
|---|---|---|---|---|
| Author: | Mark Russinovich | |||
| Website: | http://www.microsoft.com/technet/sysinternals/SystemInformation/WinObj.mspx | |||
| Current version: | 2.15 | |||
| Last updated: | November 1, 2006 | |||
| Direct D/L link: | http://download.sysinternals.com/Files/WinObj.zip | |||
| License type: | Free | |||
| Description: | WinObj is a 32-bit Windows NT program that uses the native Windows NT API (provided by NTDLL.DLL) to access and display information on the NT Object Manager's name space. Winobj may seem similar to the Microsoft SDK's program of the same name, but the SDK version suffers from numerous significant bugs that prevent it from displaying accurate information (e.g. its handle and reference counting information are totally broken). In addition, our WinObj understands many more object types. Finally, Version 2.0 of our WinObj has user-interface enhancements, knows how to open device objects, and will let you view and change object security information using native NT security editors. | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | WinObjEx |
| ||
|---|---|---|---|---|
| Author: | Four-F | |||
| Website: | N/A | |||
| Current version: | 3.2 | |||
| Last updated: | September 23, 2005 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | It resembles the functionality of Sysinternals' WinObj, however, it seems that this version is a little bit more on steroids, as well as it has lower tendency to _crash_. Hats off to Mr. Russinowich for his RE capabilities, but because his tools are usually and suddenly crashing on ordinary processes (and we need, of course military grade ammo), his tools could be respected only as the tools of learning... not combat. Argument: Just start "Windows Media Player" and "Proc Explorer". Then slide the scrollbar to the right in order to prevent yourself to see which is which. You will see the same memory and system resources thrashing in both. | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
Feed containing all updates and additions for this category.
Feed containing all updates and additions for this category, including sub-categories.
