From Collaborative RCE Tool Library


System Information Extraction Tools


Tool name: AMD_dbg
Rating: 0.0 (0 votes)
Author: j00ru                        
Website: http://j00ru.vexillium.org/dump/amd_dbg.zip
Current version: 0.0.1
Last updated: November 28, 2010
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: AMD_dbg is a small application for detection of the extended debugging capabilities of some AMD processors (see references below for more info), and is also capable of monitoring and modifying the secret MSRs' values for further testing/exploration of these.

The application targets Microsoft Windows XP - 7, consisting of two major parts: a user-mode client (displaying a simple TUI for user interaction), and a kernel-mode /server/, actually performing the RDMSR and WRMSR operations. Currently, only the 32-bit architecture is supported, and there are no plans to port this one to x86-64. However, as the program is released together with its source code, you're free to introduce your own improvements / ports, as long as it is compliant with the license (check the LICENSE file for details).
Also listed in: Technical PoC Tools



Tool name: DeviceTree
Rating: 0.0 (0 votes)
Author: Mark Cariddi                        
Website: http://www.osronline.com/article.cfm?article=97
Current version: 2.19
Last updated: September 15, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: The greatest utility ever written by master toolsmith and driver expert Mark Cariddi. This utility has two views: (a) one view that will show you the entire PnP enumeration tree of device objects, including relationships among objects and all the device's reported PnP characteristics, and (b) a second view that shows you the device objects created, sorted by driver name. There is nothing like this utility available anywhere else.

It will also find hidden devices/drivers, e.g. ones related to rootkits!
Also listed in: Kernel Tools



Tool name: MemInfo
Rating: 0.0 (0 votes)
Author: Alex Ionescu                        
Website: http://www.winsiderss.com/tools/meminfo/meminfo.htm
Current version: 2.10
Last updated: July 8, 2009
Direct D/L link: http://www.winsiderss.com/tools/meminfo/meminfo.zip
License type: Free
Description: MemInfo is a tool to query information on the state of the memory manager page lists, page frame number (PFN) database entries, per-component and per-process memory usage, and for mapping virtual to physical addresses (for certain kinds of kernel-mode pointers).

It can also display the physical memory ranges available for use by Windows and reported by the BIOS and/or ACPI tables.

MemInfo can help detect bad or damaged memory sticks by displaying the size of the bad page list, as well as help in detecting certain kinds of malware or rootkits by showing processes that tools other than the kernel debugger may not show as present. It can also be used to diagnose certain situations where the amount of memory available to Windows is different from the amount of memory installed on the system.

For more info, also see the following blog post:
http://www.alex-ionescu.com/?p=51
Also listed in: (Not listed in any other category)



Tool name: MemMAP
Rating: 0.0 (0 votes)
Author: a_d_13                        
Website: http://www.kernelmode.info/forum/viewtopic.php?f=11&t=383
Current version: 0.1.2
Last updated: October 9, 2010
Direct D/L link: Locally archived copy
License type: Free
Description: MemMAP is a tool inspired by j00ru's KernelMAP. I've written my own version with a couple more interesting features. A list follows:

* More memory types included (kernel thread stacks and GDI objects)
* Ability to visualize the memory of a user-mode process
* Help dialog with description of memory types
* Refresh feature

When run without arguments, it will display a map of kernel memory. You can visualize a process by running "memmap -p <process id>". To refresh, press F5. To show help, press F1.

The framed area is organized such that the top-left corner is address 0x80000000, and the bottom right corner is 0xFFFFF000 (or, for user-mode processes, 0x00000000 - 0x7FFFF000). Each pixel represents one page of memory (4096 bytes).
Also listed in: Kernel Tools



Tool name: Red Gate Memory Tracker
Rating: 0.0 (0 votes)
Author: Red Gate Software                        
Website: http://labs.red-gate.com/index.php/Red_Gate_Memory_Tracker
Current version: 0.2
Last updated: July 2006
Direct D/L link: Locally archived copy
License type: Free
Description: Every so often I find I'm working on an application and my task is to work out why it's using so much memory. I've had this problem at various different companies. "Product X has a massive memory footprint, and we need to reduce it. Find out why it's taking up 1GB of RAM even before we throw real data at it."

With existing tools this can be extraordinarily difficult. Using the Visual Studio debugger doesn't prove to be much help. All you can see are the loaded modules, and you can calculate their sizes by doing a dir at a command prompt, or through Explorer. Windows Task Manager will tell you how much virtual memory your application is using, but not what it's using it for. Process Explorer, from http://www.sysinternals.com, is also very handy, and can save you a bit of trouble; but it still won't tell you where all your memory's going.

Googling has, on numerous occasions, generally provided nothing of value. The best I've found are applications which will give you a linear, text list of all the virtual memory blocks allocated in the process, and how much space each consumes.

Recently I discovered the process was improved somewhat by using WinDbg. For both managed and unmanaged applications, assorted WinDbg extensions prove extraordinarily handy, provided you know the correct mojo to invoke. Even so, you're left with what is basically a highly manual task.

Enter Red Gate's Memory Tracker (a highly provisional name, by the way), which attempts to invoke Red Gate's mantra of ingeniously simple tools, and provide you with a one-stop, automated, graphical way of solving this problem.

Simply fire up the Memory Tracker and choose a running process from the drop down. Memory Tracker will analyse the process' memory usage, and provide you with a graphical memory map of the entire user address space. You can pan around by clicking the left button and dragging; you can zoom in and out with the mouse wheel.

Memory blocks are colour coded to indicate their content type, and patterned to indicate the access controls on that memory. Mouse over the memory block for more information: a tooltip will describe the memory content type, sub type, and any additional information available.

Take for example the memory occupied by a DLL. PE files (that's DLLs and executables) are split into sections, containing code, read-only data, and writeable data. When the DLL is loaded, those sections are preserved in memory. So in the Memory Tracker, you can see not only which DLLs are loaded, and the relevant product, version and company information for that library, but the size of each individual section in the library. You can visually distinguish between code blocks, static data blocks, and writeable data blocks.

The Memory Tracker doesn't just identify DLLs. It can display memory used by both system (Microsoft) and user (non-Microsoft) DLLs; memory on Windows process heaps, both allocated and free; memory on .NET heaps, both the managed heap and the large object heap; memory consumed by the .NET runtime for other purposes (such as JIT code compilation); and general virtual memory, both reserved and committed. Of course, it also shows you free memory.

Although I'm somewhat biased, I find this a vaguely entertaining tool to use. Run it against SQL Server to see the large memory blocks SQL Server reserves for efficiency purposes (and watch that memory get fragmented over time). Run it against Visual Studio after you've had the application open for a few days on multiple projects, and observe that all those projects' libraries are still in memory. Run it against any application which accesses SQL Server (including some of Red Gate's leading tools) and observe the vast number of DLLs which have to be loaded for this purpose.
Also listed in: (Not listed in any other category)



Tool name: ScTagQuery
Rating: 0.0 (0 votes)
Author: Alex Ionescu                        
Website: http://www.winsiderss.com/tools/sctagquery/sctagquery.htm
Current version: 1.12
Last updated: January 21, 2008
Direct D/L link: http://www.winsiderss.com/tools/sctagquery/sctagqry.zip
License type: Free
Description: ScTagQuery allows you to obtain precise information on which threads in the system are being used by what service, in order to better gauge CPU and resource usage as well as to help in debugging service-related problems. It uses a new mechanism in Windows Vista and later (service tagging) to identify the service tag for each thread, and query the Service Control Manager (SCM) to do a tag-to-service name translation. Service tags are currently present on all RPC and COM worker threads, as well as generic threads created by the main service thread. However, worker pool threads are not yet tagged.

ScTagQuery can be used to map service tags to a service either on a live system, or by running the tool on the same system as where a crash dump occurred, since service tags remain the same after reboot.

Apart from mapping service tags to services, and querying the service tag for a thread, ScTagQuery can also show system-wide tag information, as well as dump the name of each service associated with any thread on the system (in other words, a system-wide dump of which threads are performing work for a service). Finally, ScTagQuery can also be used to dump the list of services referencing a DLL in a process.

Also see the following blog entry, for a more detailed description:
http://www.alex-ionescu.com/?p=52
Also listed in: (Not listed in any other category)



Tool name: VMMap
Rating: 0.0 (0 votes)
Author: Mark Russinovich & Bryce Cogswell                        
Website: http://technet.microsoft.com/sv-se/sysinternals/dd535533(en-us).aspx
Current version: 2.3
Last updated: September 17, 2009
Direct D/L link: http://download.sysinternals.com/files/vmmap.zip
License type: Free
Description: VMMap is a process virtual and physical memory analysis utility. It shows a breakdown of a process's committed virtual memory types as well as the amount of physical memory (working set) assigned by the operating system to those types. Besides graphical representations of memory usage, VMMap also shows summary information and a detailed process memory map. Powerful filtering and refresh capabilities allow you to identify the sources of process memory usage and the memory cost of application features.

Besides flexible views for analyzing live processes, VMMap supports the export of data in multiple forms, including a native format that preserves all the information so that you can load back in. It also includes command-line options that enable scripting scenarios.

VMMap is the ideal tool for developers wanting to understand and optimize their application's memory resource usage.
Also listed in: (Not listed in any other category)
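The user-mode memory map that MemMAP (with "-p"), Red Gate's Memory Tracker and VMMap draw, reduced to a script. This is an added example, not code from the tool library or from any of those tools' authors: it walks the target's address space with the documented OpenProcess and VirtualQueryEx calls through Add-Type, prints a VMMap-style committed-KB-per-type summary and the full region list, and then flags the two things a reviewer looks for first in such a map: committed regions that are both writable and executable, and MEM_IMAGE regions whose allocation base is not in the loader's module list (which is what injected or manually mapped images look like). The script file name vmwalk.ps1 is an assumption.

```powershell
<#
  Added example: a text-mode version of the user-mode memory map that MemMAP,
  Memory Tracker and VMMap draw. Not code from the tool library or from any of
  those tools' authors. Uses only documented Win32 calls via Add-Type.
  Usage (script name is an assumption):  .\vmwalk.ps1 -ProcessId 1234
  Needs PROCESS_QUERY_INFORMATION on the target: elevate for protected or
  other users' processes.
#>
param([Parameter(Mandatory = $true)][int]$ProcessId)

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class VmWalk {
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize;  public uint State; public uint Protect; public uint Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr address,
        out MEMORY_BASIC_INFORMATION info, IntPtr length);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
'@

# Constants from winnt.h
$PROCESS_QUERY_INFORMATION = 0x0400
$MEM_FREE  = 0x10000
$MEM_IMAGE = 0x1000000
$stateNames = @{ 0x1000 = 'Commit'; 0x2000 = 'Reserve' }
$typeNames  = @{ 0x1000000 = 'Image'; 0x40000 = 'Mapped'; 0x20000 = 'Private' }
$protNames  = @{ 0x01 = 'NoAccess'; 0x02 = 'R';  0x04 = 'RW';  0x08 = 'WC'
                 0x10 = 'X';        0x20 = 'RX'; 0x40 = 'RWX'; 0x80 = 'RWXC' }

# Modules the loader knows about (the PEB module list). A MEM_IMAGE region
# whose allocation base is not in here was mapped by something other than the
# loader, which is what injected or manually mapped images look like.
$knownModules = @{}
try {
    foreach ($m in (Get-Process -Id $ProcessId).Modules) {
        $knownModules[$m.BaseAddress.ToInt64()] = $m.ModuleName
    }
} catch { Write-Warning "Module list unavailable, the image check will flag every image: $_" }

$h = [VmWalk]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
if ($h -eq [IntPtr]::Zero) {
    throw ('OpenProcess({0}) failed, Win32 error {1}' -f $ProcessId,
           [Runtime.InteropServices.Marshal]::GetLastWin32Error())
}

$regions = @()
try {
    $mbi  = New-Object VmWalk+MEMORY_BASIC_INFORMATION
    $len  = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf($mbi)
    $addr = [IntPtr]::Zero
    # VirtualQueryEx returns 0 once $addr is past the top of the user range
    while ([VmWalk]::VirtualQueryEx($h, $addr, [ref]$mbi, $len) -ne [IntPtr]::Zero) {
        $base = $mbi.BaseAddress.ToInt64()
        $size = $mbi.RegionSize.ToInt64()
        if ($mbi.State -ne $MEM_FREE) {
            $state = $stateNames[[int]$mbi.State]
            $prot  = if ($state -eq 'Commit') { $protNames[[int]($mbi.Protect -band 0xFF)] } else { '-' }
            if ($mbi.Protect -band 0x100) { $prot += '+G' }            # PAGE_GUARD
            $flag = ''
            if ($state -eq 'Commit' -and ($mbi.Protect -band 0xC0)) {  # PAGE_EXECUTE_READWRITE / _WRITECOPY
                $flag = 'writable+executable'
            }
            if ([int]$mbi.Type -eq $MEM_IMAGE -and -not $knownModules.ContainsKey($mbi.AllocationBase.ToInt64())) {
                if ($flag) { $flag += '; ' }
                $flag += 'image not in loader module list'
            }
            $regions += [pscustomobject]@{
                Base    = '0x{0:X}' -f $base
                SizeKB  = [int64]($size / 1KB)
                State   = $state
                Type    = $typeNames[[int]$mbi.Type]
                Protect = $prot
                Module  = $knownModules[$mbi.AllocationBase.ToInt64()]
                Flag    = $flag
            }
        }
        $next = $base + $size
        # Stop on wrap-around, and on 32-bit at 0x80000000 where IntPtr cannot follow
        if ($next -le $base -or ([IntPtr]::Size -eq 4 -and $next -gt 0x7FFFFFFF)) { break }
        $addr = [IntPtr]$next
    }
} finally { [void][VmWalk]::CloseHandle($h) }

# VMMap-style summary: committed KB per region type, then the full map,
# then only the regions that deserve a second look
$regions | Where-Object { $_.State -eq 'Commit' } | Group-Object Type | ForEach-Object {
    '{0,-8} {1,12:N0} KB committed' -f $_.Name, ($_.Group | Measure-Object SizeKB -Sum).Sum
}
$regions | Format-Table -AutoSize
$regions | Where-Object { $_.Flag } | Format-Table Base, SizeKB, Type, Protect, Module, Flag -AutoSize
```

Each row is one VirtualQueryEx region, so a DLL shows up as several rows with the same Module (one per group of sections with identical protection), exactly as the graphical tools draw it. A large RWX private commit is usually a JIT heap (.NET, JavaScript engines) and is expected in those processes; in anything else it is worth a closer look, as is any image the loader does not know about.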



Tool name: WinObj
Rating: 0.0 (0 votes)
Author: Mark Russinovich                        
Website: http://www.microsoft.com/technet/sysinternals/SystemInformation/WinObj.mspx
Current version: 2.15
Last updated: November 1, 2006
Direct D/L link: http://download.sysinternals.com/Files/WinObj.zip
License type: Free
Description: WinObj is a 32-bit Windows NT program that uses the native Windows NT API (provided by NTDLL.DLL) to access and display information on the NT Object Manager's name space. Winobj may seem similar to the Microsoft SDK's program of the same name, but the SDK version suffers from numerous significant bugs that prevent it from displaying accurate information (e.g. its handle and reference counting information are totally broken). In addition, our WinObj understands many more object types. Finally, Version 2.0 of our WinObj has user-interface enhancements, knows how to open device objects, and will let you view and change object security information using native NT security editors.
Also listed in: (Not listed in any other category)
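What "uses the native Windows NT API (provided by NTDLL.DLL)" means in practice for WinObj and WinObjEx, as an added example that is not WinObj's, WinObjEx's or the library's code: one Object Manager directory enumerated with NtOpenDirectoryObject and NtQueryDirectoryObject, called through Add-Type. The script name obdir.ps1 is an assumption. Listing \Driver this way and comparing it against the driver services the Service Control Manager reports is the classic hidden-driver check; \Device gives you the device-object side.

```powershell
<#
  Added example: list one Object Manager directory with the same NTDLL calls a
  namespace browser like WinObj uses. Not WinObj's, WinObjEx's or the
  library's code. Usage (script name is an assumption):
      .\obdir.ps1 '\Device'      .\obdir.ps1 '\Driver'      .\obdir.ps1 '\GLOBAL??'
#>
param([string]$Directory = '\Device')

Add-Type -TypeDefinition @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
public class ObEntry { public string Name; public string Type; }
public static class ObDir {
    // Native counted string: Length/MaximumLength are in bytes, no terminator required
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_ATTRIBUTES {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }
    // One directory entry as NtQueryDirectoryObject returns it: object name and type name
    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_DIRECTORY_INFORMATION { public UNICODE_STRING Name; public UNICODE_STRING TypeName; }

    [DllImport("ntdll.dll")] static extern int NtOpenDirectoryObject(out IntPtr handle, uint access, ref OBJECT_ATTRIBUTES oa);
    [DllImport("ntdll.dll")] static extern int NtQueryDirectoryObject(IntPtr handle, IntPtr buffer, int length,
        [MarshalAs(UnmanagedType.U1)] bool returnSingleEntry,   // BOOLEAN is one byte, not a 4-byte BOOL
        [MarshalAs(UnmanagedType.U1)] bool restartScan,
        ref uint context, out uint returnLength);
    [DllImport("ntdll.dll")] static extern int NtClose(IntPtr handle);

    const uint DIRECTORY_QUERY = 0x0001, OBJ_CASE_INSENSITIVE = 0x40;
    const int STATUS_NO_MORE_ENTRIES = unchecked((int)0x8000001A);

    public static List<ObEntry> List(string directory) {
        var entries = new List<ObEntry>();
        var name = new UNICODE_STRING();
        name.Buffer = Marshal.StringToHGlobalUni(directory);
        name.Length = (ushort)(directory.Length * 2);
        name.MaximumLength = (ushort)(name.Length + 2);
        IntPtr pName = Marshal.AllocHGlobal(Marshal.SizeOf(name));
        Marshal.StructureToPtr(name, pName, false);
        var oa = new OBJECT_ATTRIBUTES();
        oa.Length = Marshal.SizeOf(oa);
        oa.ObjectName = pName;
        oa.Attributes = OBJ_CASE_INSENSITIVE;
        IntPtr buf = Marshal.AllocHGlobal(4096), hDir = IntPtr.Zero;
        try {
            int status = NtOpenDirectoryObject(out hDir, DIRECTORY_QUERY, ref oa);
            if (status != 0)
                throw new InvalidOperationException(string.Format("NtOpenDirectoryObject({0}) failed: 0x{1:X8}", directory, status));
            uint context = 0, returned;
            bool restart = true;
            // One entry per call; the kernel keeps the cursor in context and ends the
            // scan with STATUS_NO_MORE_ENTRIES (a warning code, hence negative as int)
            while (true) {
                status = NtQueryDirectoryObject(hDir, buf, 4096, true, restart, ref context, out returned);
                restart = false;
                if (status == STATUS_NO_MORE_ENTRIES) break;
                if (status < 0)
                    throw new InvalidOperationException(string.Format("NtQueryDirectoryObject failed: 0x{0:X8}", status));
                var odi = (OBJECT_DIRECTORY_INFORMATION)Marshal.PtrToStructure(buf, typeof(OBJECT_DIRECTORY_INFORMATION));
                entries.Add(new ObEntry {
                    Name = Marshal.PtrToStringUni(odi.Name.Buffer, odi.Name.Length / 2),
                    Type = Marshal.PtrToStringUni(odi.TypeName.Buffer, odi.TypeName.Length / 2) });
            }
        } finally {
            if (hDir != IntPtr.Zero) NtClose(hDir);
            Marshal.FreeHGlobal(buf); Marshal.FreeHGlobal(pName); Marshal.FreeHGlobal(name.Buffer);
        }
        return entries;
    }
}
'@

$entries = [ObDir]::List($Directory)
'{0}: {1} objects' -f $Directory, $entries.Count
# Per-type counts first (a quick sanity check against what WinObj shows), then the listing
$entries | Group-Object Type | Sort-Object Count -Descending |
    ForEach-Object { '{0,6}  {1}' -f $_.Count, $_.Name }
$entries | Sort-Object Type, Name | Format-Table Type, Name -AutoSize
```

The directory must be opened with DIRECTORY_QUERY; a non-zero NTSTATUS from NtOpenDirectoryObject (STATUS_ACCESS_DENIED on some per-session directories, STATUS_OBJECT_NAME_NOT_FOUND for a typo) is surfaced as an exception with the raw status so you can look it up. Because the kernel walks the directory, not the loaded module list or the SCM, an object that appears here but in none of the usual user-mode views is precisely the discrepancy the rootkit checks above are after.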



Tool name: WinObjEx
Rating: 0.0 (0 votes)
Author: Four-F                        
Website: N/A
Current version: 3.2
Last updated: September 23, 2005
Direct D/L link: Locally archived copy
License type: Free
Description: It resembles the functionality of Sysinternals' WinObj, however, it seems that this version is a little bit more on steroids, as well as it has a lower tendency to _crash_. Hats off to Mr. Russinovich for his RE capabilities, but because his tools are usually and suddenly crashing on ordinary processes (and we need, of course, military grade ammo), his tools could be respected only as the tools of learning... not combat.

Argument: Just start "Windows Media Player" and "Proc Explorer". Then slide the scrollbar to the right in order to prevent yourself from seeing which is which. You will see the same memory and system resources thrashing in both.
Also listed in: (Not listed in any other category)



Tool name: XNTSV
Rating: 0.0 (0 votes)
Author: Sergey Perfiliev                        
Website: http://ntinfo.biz/
Current version: 1.5
Last updated: February 17, 2013
Direct D/L link: http://ntinfo.biz/files/xntsv32.rar
License type: Freeware
Description: XNTSV is a utility that displays detailed information about Windows system structures.
Also listed in: (Not listed in any other category)

